A Tip From Kinetic Computer Services ...

Setting Up VPN Tunnels on Cisco Linksys RV042 and RV082 Routers



Description of the Problem

You have a pair of Cisco Linksys small business routers, such as the RV042 or RV082. You would like to set up a VPN tunnel between them.

In a common scenario, you may have a server in your main office, and a remote site where there are some client computers that need to connect to the server. While setting up VPN connections on each computer in the remote office is possible, it often isn't practical.

Cisco Linksys small business routers such as the RV042 and RV082 allow the creation of VPN tunnels between them. This allows you to join two private local area networks (LANs) over the internet.

Solution

In order for this solution to work, at least one of your RV042/RV082 routers must be configured with a public, static IP address on the WAN interface. This would typically be done at the main office, but it makes no difference as far as the router configuration goes.

The following values are used in our sample configuration below:

  • Main office public static IP address: 1.2.3.4
  • Main office LAN subnet: 192.168.1.0
  • Remote office LAN subnet: 192.168.2.0
  • E-mail address used for authentication: yourname@yourcompany.com
  • Preshared key used for security: YourPresharedKey!

Log on to the router configuration utility. Select the VPN tab, then click the button to Add a VPN tunnel. The type of tunnel you are adding is Gateway-to-Gateway. Enter the following values:

Main office router:
Tunnel name: tunnel1
Interface: WAN1 (probably)
 
Local Group Setup
Local Security Gateway Type: IP + Email Address
Email Address: yourname@yourcompany.com
IP Address: 1.2.3.4
Local Security Group Type: Subnet
IP Address: 192.168.1.0
Subnet Mask: 255.255.255.0
 
Remote Group Setup
Remote Security Gateway Type: Dynamic IP + Email Address
Email Address: yourname@yourcompany.com
Remote Security Group Type: Subnet
IP Address: 192.168.2.0
Subnet Mask: 255.255.255.0
 
IPSec Setup
Keying Mode: IKE with Preshared key
(Leave all other values at their defaults)
Preshared Key: YourPresharedKey!

Remote office router:
Tunnel name: tunnel1
Interface: WAN1 (probably)
 
Local Group Setup
Local Security Gateway Type: Dynamic IP + Email Address
Email Address: yourname@yourcompany.com
Local Security Group Type: Subnet
IP Address: 192.168.2.0
Subnet Mask: 255.255.255.0
 
Remote Group Setup
Remote Security Gateway Type: IP + Email Address
IP Address: 1.2.3.4
Email Address: yourname@yourcompany.com
Remote Security Group Type: Subnet
IP Address: 192.168.1.0
Subnet Mask: 255.255.255.0
 
IPSec Setup
Keying Mode: IKE with Preshared key
(Leave all other values at their defaults)
Preshared Key: YourPresharedKey!

After you add the above configuration to both routers, press the "Connect" button on the VPN Summary page of the remote office router. If all goes well, the tunnel status will change to "Connected". Your tunnel is now up, and your local area networks are now connected! The computers in your remote office should be able to ping and connect to the server in your main office, provided you don't have any policies or rules in the way. There is no need to add static routes or configure any additional routing between the two networks; the VPN tunnel does that for you.

If the tunnel doesn't connect, or doesn't stay connected, look at the router's system logs. One message you may see reads "Dynamic VPN client in Main Mode is only supported for Microsoft VPN client, please use Aggressive mode instead." To fix this error, edit your tunnel and click the Advanced button at the bottom of the IPSec Setup section. Make sure the "Aggressive Mode" checkbox is checked.

You may also see the following error message: "Initial Aggressive Mode message from x.x.x.x but no (wildcard) connection has been configured." Be aware that this error can have many causes. If you see it, first check your VPN tunnel configurations to make sure that you have entered the correct values. If they are correct and the error persists, simply delete the tunnel and add it back in. Believe me, this fixes the problem pretty often! If you've done that and the error still persists, update the firmware on both routers and try again. Note that it is not necessary for both routers to be of the same model, hardware version, or firmware version.

If both routers have static IP addresses, you can configure both ends of the tunnel to be static, if you wish.
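
The "check your VPN tunnel configurations" step above can be done mechanically. The following is an added example, not part of the original tip or of any Cisco tool: it takes the two tunnel definitions from the sample configuration and reports where they fail to mirror each other. The dict field names, the 20-character key length policy, and the choice to require the Aggressive Mode setting on both ends are assumptions of this example.

```python
import ipaddress

# Constructed sample input: the tip's two tunnel definitions as dicts.
# Field names are this example's own, not a router export format.
EMAIL = "yourname@yourcompany.com"
STATIC_GW = {"type": "static", "ip": "1.2.3.4", "email": EMAIL}
DYNAMIC_GW = {"type": "dynamic", "email": EMAIL}
MAIN = {"local_gw": STATIC_GW, "local_net": "192.168.1.0/255.255.255.0",
        "remote_gw": DYNAMIC_GW, "remote_net": "192.168.2.0/255.255.255.0",
        "psk": "YourPresharedKey!", "aggressive": True}
REMOTE = {"local_gw": DYNAMIC_GW, "local_net": "192.168.2.0/255.255.255.0",
          "remote_gw": STATIC_GW, "remote_net": "192.168.1.0/255.255.255.0",
          "psk": "YourPresharedKey!", "aggressive": True}

SAMPLE_PSKS = {"YourPresharedKey!"}  # placeholder value printed in the tip
MIN_PSK_LEN = 20  # assumption: length policy chosen for this example

def net(s):
    return ipaddress.ip_network(s)  # accepts the "address/netmask" form

def check_tunnel(a, b):
    """Return the list of problems found between the two ends of a tunnel."""
    problems = []
    # Each side's Local Group must equal the other side's Remote Group.
    for x, y, nx, ny in ((a, b, "A", "B"), (b, a, "B", "A")):
        if x["local_gw"] != y["remote_gw"]:
            problems.append(f"{nx} local gateway != {ny} remote gateway")
        if net(x["local_net"]) != net(y["remote_net"]):
            problems.append(f"{nx} local subnet != {ny} remote subnet")
    if net(a["local_net"]).overlaps(net(b["local_net"])):
        problems.append("LAN subnets overlap")
    if a["psk"] != b["psk"]:
        problems.append("preshared keys differ")
    # The tip's log message: a dynamic-IP end needs Aggressive Mode.
    # Requiring it on both ends is this example's assumption.
    dynamic = "dynamic" in (a["local_gw"]["type"], b["local_gw"]["type"])
    if dynamic and not (a["aggressive"] and b["aggressive"]):
        problems.append("dynamic end needs Aggressive Mode on both routers")
    # IKEv1 Aggressive Mode sends a PSK-derived hash unencrypted, so a
    # captured exchange can be guessed against offline; key strength matters.
    if a["aggressive"] and (a["psk"] in SAMPLE_PSKS or len(a["psk"]) < MIN_PSK_LEN):
        problems.append("preshared key is the sample value or too short")
    return problems

if __name__ == "__main__":
    for line in check_tunnel(MAIN, REMOTE) or ["no problems found"]:
        print(line)
```

Run against the sample values exactly as printed above, the only finding is the preshared key, which is the placeholder from this page and should be replaced with a long random value on both routers.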

David Carson
Posted on May 7, 2012
© Copyright Kinetic Computer Services


This tip is a free service of Kinetic Computer Services - professional network consultants serving the Houston area since 1998.

Reproduction of this document without the author's consent is prohibited.

