
VPN tunnel is up but nothing shows up
April 2, 2012 11:38 AM   Subscribe

Using two Cisco RVS4000 routers to create a VPN between two offices. A tunnel is supposedly set up successfully, because the router says it's "up" and I can access the admin interfaces of both routers from both locations by using their internal IPs (192.168.1.1 and 192.168.2.1). Trouble is, I can't reach any of the workstations or peripherals behind the routers.

I've tried turning off the router firewall, and what ever else I could think of, but nothing seems to help... I am at a loss as to where to start figuring out where the problem lies.

Any ideas? :(
posted by Unhyper to Computers & Internet (17 answers total) 1 user marked this as a favorite
 
What is the error? Is there a "destination host unreachable"? Are you using the workstation name or its IP address? Do you have a trace between the two hosts? Is the error the same in both directions?
posted by kellyblah at 11:54 AM on April 2, 2012


Does turning on debug give you any useful information? (From the exec prompt, "debug ?"; some likely candidates are "debug crypto ipsec" and "debug crypto isa".)

Is this cisco page helpful?
posted by rmd1023 at 11:59 AM on April 2, 2012 [1 favorite]


Just mentioning it because sometimes I overlook the obvious, but do you have the right subnet mask?
posted by Freon at 12:12 PM on April 2, 2012


Start with routing, always start with routing.

1) Do the routers each have the subnets for the far side in their routing tables?
2) Do the machines at either side know to go to the routers to reach the other side's subnets?
3) Can the routers ping hosts on the other side of the tunnel from their local interface attached to the local lan?

If the routing looks ok, make sure you're set up to have desirable traffic match the tunnel, often this is done with a basic ACL, but can vary depending on the vpn type you're going with.

I wouldn't bother with running a debug on the crypto at this point because (assuming IPsec) phases 1 and 2 sound like they're working fine. Your next steps need to be checking the routing and then making sure the traffic is matched as desirable.
posted by iamabot at 12:22 PM on April 2, 2012 [3 favorites]


First step is to check the routing. The tunnel is up, as you can see the 'directly attached' remote end of the tunnel, but do the routers know to send any other traffic down the tunnel? Do a show route and see what it says.
posted by anti social order at 12:22 PM on April 2, 2012 [1 favorite]


You need to route the traffic.

On the router hosting 192.168.1.1 you'll need something like this in your config:

router eigrp1
network 192.168.1.1
eigrp stub connected summary

On the router hosting 192.168.2.1 you'll need something like this in your config:

router eigrp1
network 192.168.2.1
eigrp stub connected summary

Do a "show ip eigrp neighbors" from the CLI; you should see a neighbor come up on the tunnel interface.
posted by roboton666 at 1:26 PM on April 2, 2012 [1 favorite]


If you get errors, you might need to specify the network addresses and wildcard masks in the routing instance:

router 192.168.1.1:

router eigrp1
network 192.168.1.0 0.0.0.255
eigrp stub connected summary

router 191.168.2.1:

router eigrp1
network 192.168.2.0 0.0.0.255
eigrp stub connected summary

Doing this stuff from memory, so I'm forgettin
posted by roboton666 at 1:30 PM on April 2, 2012 [1 favorite]


and put a space between "eigrp" and the number 1! (sorry, I should've proofread all this better!)
posted by roboton666 at 1:31 PM on April 2, 2012 [1 favorite]


Routing is probably going to be the issue, but also make sure the inside interface of each router is "up and up".

Can machines inside each network ping their own router?
posted by gjc at 3:54 PM on April 2, 2012


@kellyblah - I have set up a folder to be shared for Everyone on one of the machines on the "other" network. I have tried adding it as a network resource (mapped to a drive letter) both via IP and workstation name, both result in Windows thinking for a while and then reporting it cannot use (the Windows is in Finnish so the translation may not be exact) the target and to check spelling. Error code 0x80070035.

@rmd1023 - I'm not sure how to access the router CLI. Based on my Googling I need a commercial software product called Diagnostic Conf Tool from Cisco... Trying to avoid pouring more money into this project at this point.

@Freon - Good question. DHCP settings on both networks/routers had the same subnet mask for the networks (255.255.255.0). In case that's a problem I've changed it for the second router to be 255.255.255.128. I didn't do this before because I thought 192.168.1.x/192.168.2.x was enough. I'm pretty new to the nitty-gritty of networking.

@iamabot - 3) Interestingly, no. I tried to ping the IP of a workstation on network2 from the interface of the network1 router and it had 100% packet loss. This confuses me since pinging a host on the other network from a workstation command prompt does work... 1&2) I think you may be on to the issue right there, with the routing tables. I have been trying to figure out what I need to add into the routing tables via the Static Route page, but no matter what I add, it reports either IP/subnet mask conflict or network unreachable. I can't add anything to the routing table.

Here are the current routing tables for network1 and network2, respectively (external IPs w/x/y/z'd out because I'm paranoid):

Network1 - router 192.168.1.1 - subnet 255.255.255.0:
Destination LAN IP / Subnet Mask / Gateway / Interface
192.168.1.0 / 255.255.255.0 / 192.168.1.1 / LAN
192.168.1.0 / 255.255.255.0 / 0.0.0.0 / LAN
XX.XXX.XXX.0 / 255.255.248.0 / YY.YYY.YYY.YYY / WAN
XX.XXX.XXX.0 / 255.255.248.0 / 0.0.0.0 / WAN
239.0.0.0 / 255.0.0.0 / 0.0.0.0 / LAN
0.0.0.0 / 0.0.0.0 / XX.XXX.XXX.1 / WAN

Network2 - router 192.168.2.1 - subnet 255.255.255.128:
Destination LAN IP / Subnet Mask / Gateway / Interface
192.168.2.0 / 255.255.255.128 / 192.168.2.1 / LAN
192.168.2.0 / 255.255.255.128 / 0.0.0.0 / LAN
ZZ.ZZZ.ZZ.0 / 255.255.252.0 / WW.WWW.WW.WWW / WAN
ZZ.ZZZ.ZZ.0 / 255.255.252.0 / 0.0.0.0 / WAN
239.0.0.0 / 255.0.0.0 / 0.0.0.0 / LAN
0.0.0.0 / 0.0.0.0 / ZZ.ZZZ.ZZ.1 / WAN

Something is probably missing from these tables but I don't know what. In order to add something to the routing table I need to input a destination IP address, a subnet mask, a gateway, and a hop count. I have tried lots of combinations but to no avail...
posted by Unhyper at 1:12 AM on April 3, 2012


@gjc Yes, machines can ping their own routers.
posted by Unhyper at 1:13 AM on April 3, 2012


>Here are the current routing tables for network1 and network2

Looks like you're missing a route to tell the machines in subnet one (192.168.1.x) how to get to subnet two (192.168.2.x) using the tunnel. Otherwise the traffic will be routed to the internet via default route and dropped.
posted by anti social order at 9:58 AM on April 3, 2012 [1 favorite]


@anti social order - Could you help me figure out how to add a route to subnet two using the tunnel? For Destination IP, Subnet Mask, and Gateway IP, nothing I put in seems to be accepted.
posted by Unhyper at 10:14 AM on April 3, 2012


Ah, my apologies. It looks like the RVS4000 is substantially less CLI-manageable than the bulk of Cisco's product line.
posted by rmd1023 at 10:45 AM on April 3, 2012


Honestly I'm not sure. I found this link which has some info on those routers: "The RVs use IPSec with no tunneling protocol which would create some routable interface at either end." On the big Cisco stuff I use, you would have your router point at the tunnel as the next hop. This device apparently uses some IPsec policy-based routing to determine what gets tunneled.

http://homecommunity.cisco.com/t5/Wired-Routers/Static-Routes-and-VPN-Tunnels-between-RV042-s/m-p/131638?view=by_date_ascending#M13404
posted by anti social order at 11:15 AM on April 3, 2012 [1 favorite]


I finally got it working, at least enough to get things done. I can't "see" the other network's machines in Windows Explorer, but I can map a drive letter to shared folders or print to a shared printer.

Basically, I had the tunnel configured using the external AND internal IPs of the routers/gateways. I kept the external IPs intact but replaced the internal ones with the IPs of the workstations I want to share resources with one another. I'll add the tunnel settings here in case someone has the same trouble I did:

Network1 Local Group Setup
Local security gateway type: IP Only
IP address: external IP of router of network1
Local security group type: subnet
IP address: internal IP of workstation of network1
Subnet mask: subnet mask of network1

Network1 Remote Group Setup
Remote security gateway type: IP Only
IP address: external IP of router of network2
Remote security group type: subnet
IP address: internal IP of workstation of network2
Subnet mask: subnet mask of network2

Then I configured the same tunnel on the other gateway using the opposite. I read somewhere that Windows Firewall has to be on for the RVS-4000 to connect, but my experience was the opposite...

There's probably a way to set up a tunnel between gateways that opens up the workstations of both networks to one another without workstation-specific tunnels, but for the time being this works great.

Thanks everyone for your help!
posted by Unhyper at 1:05 PM on April 3, 2012 [1 favorite]
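Two of the checks discussed in this thread, as a small added script that is not from the RVS4000 or from any poster: a longest-prefix lookup over a constructed copy of the Network1 routing table above (showing 192.168.2.x traffic taking the default route towards the WAN side), and a selector match modelling the policy-based IPsec behaviour described above, comparing the host-specific security groups the poster ended up with against a subnet-wide pair. The WAN prefix/gateway and the workstation addresses are placeholders.

```python
import ipaddress

# Constructed copy of the Network1 table posted above. The ISP prefix and
# gateways are placeholders standing in for the masked XX/YY addresses.
NETWORK1_ROUTES = [
    ("192.168.1.0/24", "192.168.1.1", "LAN"),
    ("192.168.1.0/24", "0.0.0.0", "LAN"),
    ("10.10.0.0/21", "10.10.5.7", "WAN"),   # placeholder ISP prefix
    ("239.0.0.0/8", "0.0.0.0", "LAN"),
    ("0.0.0.0/0", "10.10.0.1", "WAN"),      # default route
]


def lookup(routes, dst):
    """Longest-prefix match: (prefix, gateway, interface) chosen for dst."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return (str(best[0]), best[1], best[2]) if best else None


def tunnel_selects(selectors, src, dst):
    """Policy-based IPsec: a packet is encrypted only if its source lies in a
    local security group and its destination in the paired remote group."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(loc) and d in ipaddress.ip_network(rem)
               for loc, rem in selectors)


# Host-to-host pair as in the poster's final setup, versus a subnet-wide pair
# using the masks from the thread (/24 on network1, /25 on network2).
# 192.168.1.10 and 192.168.2.20 are constructed workstation addresses.
HOST_SELECTORS = [("192.168.1.10/32", "192.168.2.20/32")]
SUBNET_SELECTORS = [("192.168.1.0/24", "192.168.2.0/25")]

if __name__ == "__main__":
    # No route covers 192.168.2.0, so the packet is handed to the default
    # route on WAN; the IPsec policy then decides whether it gets tunneled.
    print(lookup(NETWORK1_ROUTES, "192.168.2.20"))
    print(tunnel_selects(HOST_SELECTORS, "192.168.1.10", "192.168.2.20"))
    print(tunnel_selects(HOST_SELECTORS, "192.168.1.11", "192.168.2.20"))
    print(tunnel_selects(SUBNET_SELECTORS, "192.168.1.11", "192.168.2.20"))
    # With the /25 mask, a network2 host above .127 is outside the selector.
    print(tunnel_selects(SUBNET_SELECTORS, "192.168.1.11", "192.168.2.200"))
```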


Glad you got it working!
posted by roboton666 at 5:38 PM on April 3, 2012

