Help with Cisco RV016 VPN

Discussion in 'Networks' started by Dazzo, Feb 26, 2014.

  1. Dazzo

    Dazzo Byte Poster

    Hi Guys,

    I am putting a Cisco RV016 into our network for use primarily as a VPN server.

    I have set it all up; it works as a gateway, and as a PPTP server I can access it and ping the test server with the correct IP address assigned. The place where I am stuck is when using the IPsec VPN, which connects OK when tested, but I am unable to ping the test server on the network.

    We have a Draytek router acting as gateway/VPN currently on the IP 172.16.4.254, which has had some problems recently, and the Cisco will be the backup and, when fully operational, the replacement. Our network uses 172.16.xx.xx for the servers and workstations. I have set the Cisco router up as 192.164.124.254 and assigned additional IPs to a test workstation and a server for use in testing the VPN. (We hope to move to a 192.168.xx.xx network at some point.)

    I have set the access rules to allow both PPTP / IPSEC on the router and all passthroughs are enabled.

    Are you guys aware of something I may have missed or whether I could be doing something wrong in this process? If you need more details let me know.

    Thanks,
    Darren
     
    Last edited: Feb 26, 2014
    Certifications: A+, MOS: Master 2010, Network +
  2. danielno8

    danielno8 Gigabyte Poster

    Got a diagram? Will help me in troubleshooting!
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  3. Dazzo

    Dazzo Byte Poster

    Will try draw one up for you.


    I've edited out full IP addresses for now but if you guys need more info let me know.

    I'm going to try set it up using my dynamic IP at home and see if I have luck elsewhere.
     
    Last edited: Feb 26, 2014
    Certifications: A+, MOS: Master 2010, Network +
  4. Dazzo

    Dazzo Byte Poster

    Bumping this up, can't figure out why PPTP works fine but IPsec won't. Anyone got any ideas?
     
    Certifications: A+, MOS: Master 2010, Network +
  5. danielno8

    danielno8 Gigabyte Poster

    Sorry, I never realised you had added a diagram! Was looking out for the post to update but 'cause you edited the post I never saw it!

    Ok.....what is the user static IP you are using when connected to the Cisco using IPsec? Have you done a traceroute? What are the results? What kind of logging can you do on the RV016? What about at the server end? Can you see whether you can trace to the IPsec client IP?
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  6. Dazzo

    Dazzo Byte Poster

    Thanks Daniel I will look at what you have posted tomorrow and see if I can get that information.
    The user's static IP is 80.229.xx.xx assigned via Plusnet. The RV016 logging seems very vague to me so far but again will enable the logging server and see what results I get when I try the IPsec VPN from my home.

    I'll try set up a trace then, do you know of a handy guide for performing a traceroute?
     
    Certifications: A+, MOS: Master 2010, Network +
  7. danielno8

    danielno8 Gigabyte Poster

    Sorry, I mean what is the IP address the user is being issued by the Cisco RV016? It is this IP the traffic should be sourced from by the client when attempting to communicate with the test server.

    When connected to the IPsec VPN, from the client that is connected, you should run the following commands:

    tracert -d "IP of test server"

    route print

    Let me see the outputs of those commands. Disguise any IPs you need to first from those outputs.
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  8. Dazzo

    Dazzo Byte Poster

    Thanks, I see what you mean now and that could be the issue here. With the PPTP server, IPs are assigned as 192.168.124.200-209 which matches the 192.168.124.10 I assigned to the test server.

    Not sure how IPsec IP assignment works but you have given me a lot to look into this weekend when I test it from home. I will try to do this Sunday morning and post my results for you.
    Really appreciate you taking a look at this.
     
    Last edited: Feb 28, 2014
    Certifications: A+, MOS: Master 2010, Network +
  9. Dazzo

    Dazzo Byte Poster

    I have installed the router in my house turning the super hub to modem only mode and using a TP link router.

    I have the IPsec connection to the Cisco router up and connected. I'm a bit stuck on where to go from here though, as when I ran the tracert command with the test server IP I got:

    Tracing route to 192.168.124.10 over a maximum of 30 hops

    1 <1 ms <1 ms <1 ms 192.168.1.1
    2 * * * Request timed out.
    3 * * * Request timed out.

    And it goes to the 30 and finishes. I'm getting the feeling I'm missing an important step!

    route print.PNG

    I can ping the internal IP of the router 192.168.124.254.
     
    Last edited: Mar 2, 2014
    Certifications: A+, MOS: Master 2010, Network +
  10. danielno8

    danielno8 Gigabyte Poster

    What is 192.168.1.1? The TP link router? The trace route shows the packet that you are sending to the test server IP cannot get further than your default gateway.....i.e. your default gateway doesn't have a route to the test server's network. But the packet shouldn't be routed to your default gateway with a destination of the test server IP, as this is an internal address, and this packet should be encapsulated/encrypted by IPsec as it leaves your PC, with a new destination address of the public IP of the Cisco RV016. This doesn't seem to be happening. However, you say you can ping the internal IP of the Cisco RV016, which is strange given the output of the route print command (this route print doesn't show any new interfaces for VPN traffic). You were connected to the VPN I presume when you ran this command?

    What client are you using to connect to the IPsec vpn? Cisco's VPN client?

    Can you do another trace, this time showing the path to the 192.168.124.254 address you can ping......the ping to the test server IP SHOULD be taking this same path.

    tracert -d 192.168.124.254
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  11. danielno8

    danielno8 Gigabyte Poster

    rv016.jpg

    Added a diagram to make sure I am understanding your set up correctly.
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  12. Dazzo

    Dazzo Byte Poster

    That diagram is spot on. I had to disassemble the new set up I put in as the speeds were not up to scratch for the other users in the house and hope to test it again this week or at latest next weekend.

    The VPN was set up like it was for the branches with an always-on IPsec VPN (gateway to gateway). I replicated this with different IPs for the TP link at home and the connection was up when I ran the commands. Is the Cisco different to the Draytek and am I required to use an IPsec VPN client?

    Apologies if I don't quite grasp this yet.
     
    Certifications: A+, MOS: Master 2010, Network +
  13. danielno8

    danielno8 Gigabyte Poster

    Ok, sounds like it is a site-to-site VPN rather than a client VPN, which is what I thought it was! This makes more sense based on your test results above. Below is a more accurate diagram.

    rv016 -1.jpg

    In this case....the issue may simply be the test server's IP configuration. As you can ping the internal Cisco RV016 IP address......the VPN looks to be established ok. I am presuming the test server IP default gateway is NOT the Cisco RV016 IP (as you have two IP addresses configured on the server). In which case, when you are pinging from your remote internal network (192.168.1.100), the test server needs to use its default gateway, which is not the Cisco RV016.

    Try adding a static route onto the test server for your remote internal subnet (192.168.1.100 in the above example) and point it to the Cisco internal interface (192.168.124.254). Below from a command prompt:

    route add 192.168.1.0 mask 255.255.255.0 192.168.124.254
     
    Certifications: CCENT, CCNA
    WIP: CCNP
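
The return-path problem diagnosed in the post above, modelled as an added example that is not part of the original thread: a longest-prefix-match lookup over a constructed copy of the test server's routing table, before and after the `route add`. The 172.16.0.0/16 on-link entry and the table layout are assumptions; the gateway and client addresses are the ones quoted in the thread.

```python
import ipaddress

def parse(table):
    """Parse 'destination netmask gateway' rows (route print style) into routes."""
    routes = []
    for line in table.strip().splitlines():
        dest, mask, gateway = line.split()
        routes.append((ipaddress.ip_network(f"{dest}/{mask}"), gateway))
    return routes

def next_hop(routes, destination):
    """Return (gateway, matched prefix) for the most specific matching route."""
    addr = ipaddress.ip_address(destination)
    matches = [(net, gw) for net, gw in routes if addr in net]
    if not matches:
        return None
    net, gw = max(matches, key=lambda m: m[0].prefixlen)
    return gw, str(net)

# Constructed routing table for the dual-homed test server (assumed layout):
# default gateway is the Draytek, with the extra 192.168.124.10 address on-link.
BEFORE = """
0.0.0.0        0.0.0.0          172.16.4.254
172.16.0.0     255.255.0.0      On-link
192.168.124.0  255.255.255.0    On-link
"""

# Same table after: route add 192.168.1.0 mask 255.255.255.0 192.168.124.254
AFTER = BEFORE + "192.168.1.0    255.255.255.0    192.168.124.254\n"

if __name__ == "__main__":
    client = "192.168.1.100"  # remote host behind the far end of the tunnel
    for label, table in (("before", BEFORE), ("after", AFTER)):
        gw, prefix = next_hop(parse(table), client)
        # Before: the reply falls through to the default route and leaves via
        # the Draytek, which has no tunnel to 192.168.1.0/24, so the ping fails.
        # After: the /24 route wins and the reply returns through the RV016.
        print(f"{label}: reply to {client} uses {prefix} via {gw}")
```

The RV016's own inside address answers in both cases because it is on-link for the server, which is why pinging 192.168.124.254 worked while the test server did not.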
  14. Dazzo

    Dazzo Byte Poster

    You are correct as the server is still a production server although not mission critical it uses the draytek as the default gateway. When I gave it an additional IP I never thought about the gateway.

    I have added the route and I will see if I can test it tonight but I'm at the GF house so might need to wait for the weekend or get the boss to have a go.

    Thanks again for taking a look.
     
    Certifications: A+, MOS: Master 2010, Network +
  15. danielno8

    danielno8 Gigabyte Poster

    ok cool. Just run route print command on the server and make sure the route is in there.... Also if the server gets rebooted it will remove it unless you set it to persistent using -p switch.

    Also do a tracert to 192.168.100.1 just to make sure it hits the internal Cisco IP first (it will go no further of course until you reconfigure the VPN at the remote end.)
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  16. Dazzo

    Dazzo Byte Poster

    Major update!

    I set up the network last night again using the tplink router and set the IPsec vpn up.

    I added the route in the day and pinged the test server whilst connected to the vpn. Response time of 50ms........

    Ran the tracert and watched it hit the router then time out and hit the test server! Connected to the remote desktop and was let on with no problems!

    Thanks again for the assistance with this, official legend!
     
    Certifications: A+, MOS: Master 2010, Network +
  17. danielno8

    danielno8 Gigabyte Poster

    Good stuff glad you got it all working :)
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  18. Dazzo

    Dazzo Byte Poster

    Ran into a problem just before putting the router into production.

    IT ONLY HAS 10 PPTP ACCOUNTS! Missed this part and trying to think of a way for clients to connect to the VPN.

    I've tried the Quick VPN with Cisco client but it doesn't work. Anyone have suggestions on what can be used?
     
    Certifications: A+, MOS: Master 2010, Network +
  19. Dazzo

    Dazzo Byte Poster

    Looks like it's the router set up rather than the QuickVPN client. I have tested it on other machines and get a connection but it doesn't go anywhere again.

    Back to the drawing board as I can't put a subnet of 255.255.0.0 as per the current router.
     
    Certifications: A+, MOS: Master 2010, Network +
