# Solved: Gateway to Gateway VPN



## foneguy9 (Sep 19, 2006)

Hi all,
I have been searching for some posts on this topic but mostly find info on VPN clients only. I am trying to connect with VPN to my office from my SOHO. I work a couple of days a week from home.
I can connect without a hitch with either a PPTP VPN connection or a Cisco client to my office. This is fine for my data apps and database info. 
However, I will now be connecting an NEC IP phone which has a network outlet on the phone itself, from home. This requires a VPN connection to my office so that it can register with the PBX and once done it will give me an extension number from my office PBX.

This is primarily the reason for setup of the Gateway to Gateway VPN. The following is what I have to work with:

At the office is a Linksys RV082 Dual WAN Router with PPTP VPN capabilities as well as Gateway to Gateway VPN. It has both WAN ports in use by a PRI (T1) on one port and a DSL on the other. Both have static IPs assigned to the WAN ports.
WAN IP address (1): XXX.XXX.XXX.226
WAN IP address (2): XXX.XXX.XXX.8
LAN IP address: 192.168.120.254
DHCP range: 192.168.120.1 ~ 100
LAN IP address of PBX: 192.168.120.223

At home is a Linksys BEFVP41 Router. This router is used because it was 'retired' from the office.
The Linksys is set up as a router, not a gateway. I have a Xincom dual WAN router at home with DSL and Cable modem, both with dynamic IP addresses. I use this router for redundancy. The Linksys router LAN port is connected to a LAN port of the Xincom router and I can access the internet on all LAN ports. I can access the Linksys router Setup Page from a browser and the Xincom as well.
WAN IP address (1): PPPoE ASSIGNED
WAN IP address (2): DHCP ASSIGNED
LAN IP address: 192.168.1.1 (Xincom Router)
DHCP Range: 192.168.1.2 ~ 9 (Provided by Xincom router)
LAN IP address: 192.168.1.251 (Linksys BEFVP41 router-Static. DHCP is disabled)


Now, I have been trying to set up this connection on and off for a couple of days. It doesn't work! I've set up a gateway VPN connection from my office to a client's location before and it worked after some tweaking. Also, the other difference I see is that that connection had static IP addresses on both VPN gateways. This, books, and internet searches are the extent of my knowledge on Gateway VPN.

Can you give me any recommendations? :up:


----------



## O111111O (Aug 27, 2005)

Baah. Router behind router begat dual connection begat NAT begat PAT.

Your Xincom router is doing Port Address Translation. By that nature, a device behind it is going to have a difficult time deploying an IPSEC tunnel.

Hook up your Linksys to the DSL connection, and use it just for VPN.


----------



## foneguy9 (Sep 19, 2006)

Hey thanks for the reply,
I had already set up port 'forwarding' from 500 to the Linksys 192.168.1.251. But no go.

I will try connecting the Linksys directly to one of the broadband connections like the DSL and give it a try.


----------



## O111111O (Aug 27, 2005)

Yeah, port forwarding UDP 500 alone won't do you any good.

Part of standard IPSEC is IP protocol 50. It's not a TCP or UDP port. It's a different part of the IP stack. You can't forward that to a port.

If the VPN is PPTP, part of the PPTP protocol is a GRE tunnel, that's IP protocol 41. Again. You can't forward a different protocol to a TCP/UDP port.
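To make the point above concrete, here is an added example (not from the thread or from any Linksys/Xincom firmware) that parses constructed IPv4 headers and reports whether a port-translating router has anything to map: UDP/500 (ISAKMP) and UDP/4500 (NAT-T) carry ports, while ESP and GRE carry none. The protocol numbers are the IANA assignments (ESP 50, GRE 47, UDP 17); the packets are built inline and are not captures.

```python
import struct

# IANA IP protocol numbers and the UDP ports IKE uses
ESP, GRE, UDP = 50, 47, 17
IKE_PORT, NAT_T_PORT = 500, 4500

def ipv4_header(proto: int, src: str, dst: str) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) for a constructed sample."""
    to_bytes = lambda ip: bytes(int(o) for o in ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20, 0, 0, 64, proto, 0,
                       to_bytes(src), to_bytes(dst))

def classify(packet: bytes) -> dict:
    """Report protocol, ports (if any) and whether PAT can track this packet."""
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto = packet[9]
    info = {"proto": proto, "ports": None, "pat_mappable": False, "kind": "other"}
    if proto == UDP:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        info["ports"] = (sport, dport)
        info["pat_mappable"] = True       # PAT rewrites these port fields
        if IKE_PORT in (sport, dport):
            info["kind"] = "isakmp"
        elif NAT_T_PORT in (sport, dport):
            info["kind"] = "nat-t"        # ESP wrapped in UDP, so PAT can carry it
        else:
            info["kind"] = "udp"
    elif proto == ESP:
        info["kind"] = "esp"              # SPI + sequence follow the IP header, no ports
    elif proto == GRE:
        info["kind"] = "gre"              # PPTP's data channel, no ports either
    return info

# Constructed samples from a home LAN host toward the office WAN address
HOME, OFFICE = "192.168.1.251", "203.0.113.8"   # 203.0.113.0/24 is a documentation range
SAMPLES = {
    "ike":   ipv4_header(UDP, HOME, OFFICE) + struct.pack("!HHHH", 500, 500, 8, 0),
    "nat_t": ipv4_header(UDP, HOME, OFFICE) + struct.pack("!HHHH", 4500, 4500, 8, 0),
    "esp":   ipv4_header(ESP, HOME, OFFICE) + struct.pack("!II", 0xC0FFEE, 1),
    "gre":   ipv4_header(GRE, HOME, OFFICE) + bytes.fromhex("3001880b"),
}

def pat_report() -> dict:
    """Map each sample name to (kind, pat_mappable) for the whole sample set."""
    return {name: (classify(p)["kind"], classify(p)["pat_mappable"])
            for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (kind, ok) in pat_report().items():
        print(f"{name:6s} {kind:7s} PAT can map it: {ok}")
```

Forwarding UDP 500 therefore gets the negotiation through, but the ESP or GRE packets that carry the actual tunnel traffic have no port for the Xincom to translate, which is why the tunnel never comes up behind it unless both ends agree on NAT-T.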


----------



## foneguy9 (Sep 19, 2006)

Great O111111O,

That's good to know. Because of your post, you may have saved me some hours of tinkering with port forwarding and such nonsense.

I am thinking of permanently setting up the Linksys to my cable modem since I am allowed 3 public connections on it. Then, I will install the NEC IP phone directly to the Linksys. 
Yes, this is what I will do.


----------



## foneguy9 (Sep 19, 2006)

Here is the latest...

The Linksys Gateway VPN at home is connected to a switch which in turn is 'fed' by the Cable modem. I have 2 public IP addresses, one for the Linksys and one for the Xincom. All is working OK. I have connected to my office's Linksys RV082 router.
I have a connection BUT I need some further guidance.
Under Remote Gateway on the Linksys RV082 in the office I entered the Dynamic IP address given by the Cable Router. I basically set it as if it was a static IP address. But once my connection's DHCP is refreshed my connection is DOWN.
Is FQDN the answer? Could I use DDNS? How would I use FQDN authentication? The router has the option of Dynamic IP + FQDN authentication. How do I use this type of connection as opposed to setting the Remote gateway (Linksys at home) as a static IP address?
Here is what the Help says on the RV082:


"Local Security Gateway Type: There are five types. They are IP Only, IP + Domain Name(FQDN) Authentication, IP + E-mail Addr.(USER FQDN) Authentication, Dynamic IP + Domain Name(FQDN) Authentication, Dynamic IP + E-mail Addr.(USER FQDN) Authentication. The type of Local Security Gateway should match with the Remote Security Gateway Type of VPN devices in the other end of tunnel.

IP Only: If you select IP Only, only the specific IP Address will be able to access the tunnel. The WAN IP of RV082 will come out in this field automatically, and you don't need to enter.
IP + Domain Name(FQDN) Authentication: If you select this type, enter the FQDN (Fully Qualified Domain Name), and IP address will come out automatically. The FQDN is the host name and domain name for a specific computer on the Internet, for example, vpn.myvpnserver.com. The IP and FQDN must be same with the Remote Security Gateway type of the remote VPN device, and the same IP and FQDN can be only for one tunnel connection.
IP + E-mail Addr.(USER FQDN) Authentication: If you select this type, enter the E-mail address, and IP address will come out automatically.
Dynamic IP + Domain Name(FQDN) Authentication: If you select this type, the Local Security Gateway will be a dynamic IP, so you don't need to enter the IP address. When the Remote Security Gateway requests to create a tunnel with RV082, and the RV082 will work as a responder. If you select this type, just enter the Domain Name for Authentication, and the Domain Name must be same with the Remote Security Gateway of the remote VPN device. The same Domain Name can be only for one tunnel connection, and users can't use the same Domain Name to create a new tunnel connection.
Dynamic IP + E-mail Addr.(USER FQDN) Authentication: If you select this type, the Local Security Gateway will be a dynamic IP, so you don't need to enter the IP address. When the Remote Security Gateway requests to create a tunnel with RV082, and the RV082 will work as a responder. If you select this type, just enter the E-mail address for Authentication. "

Hopefully, you can push me in the right direction....


----------



## O111111O (Aug 27, 2005)

Very interesting, it's amazing how a "lower end" Cisco product that uses GPL code can provide more functionality than an ISR twice its cost. Not exactly DOD material, but dynDNS sure is easy. (I have 6 figure certificate & RSA servers at work that essentially do this job for distributed VPN - it's amazing that the same concept of functionality is rolled out in a $300 product)

Onto the config; dynamic DNS can do the trick for you.
Your home router will need its IP address registered with DYNDNS.
Create yourself an account with dyndns, or tzo.
Hit the admin page of your home Linksys, configure it to log in with your username/pass to dyndns.org. This will give you a hostname (i.e. foneguy9vpn.dyndns.org)
Configure your RV082 to use IP+DOMAIN NAME(FQDN), give it your created FQDN for your home Linksys (i.e. foneguy9vpn.dyndns.org)

At this point, only the resiliency of dyndns, and the length of ll of the VPN gear I work with is carrier/transport that uses MPLS/IPSEC/GRE rules. Oddly enough, the more money you spend on gear

I would imagine the only potential downtime from incongruity is if your ISAKMP key times out / your DHCP times out / and the TTL of your dyndns record hasn't expired yet.


Please let me know how this turns out. I'm very interested.


----------



## foneguy9 (Sep 19, 2006)

Hmmm, I piqued your interest, interesting...

I'm currently waiting for my flight at LAX and found something else that's interesting... OR it may be that I am easily surprised in my VPN ignorance...

I am logged in with a VPN PPTP to the Linksys RV082 router. I log into the router and find that the VPN Gateway to my home is still connected, it hasn't dropped off. But, from where I am at, I cannot Ping the Linksys BEFVP41 router. I couldn't find any way to easily allow this on the router config or could it be that I would need to establish a static route? 
If I VNC or PCAnywhere to a workstation or server in the office, this device can ping the BEFVP41 router and for that matter log into the BEFVP41 Web Page...

I have setup the Dynamic DNS with the instructions provided and am going to try it out on the routers. Post when I get results...


----------



## O111111O (Aug 27, 2005)

foneguy9 said:


> I'm currently waiting for my flight at LAX and found something else thats' interesting...OR it may be that I am easily surprised in my VPN ignorance...


Hope you're not flying BAE to London... Safe travels.
VPN can be very obscure. IPV4 was never designed for it. Encapsulating a payload in a payload can produce some unexpected results.



foneguy9 said:


> I am logged in with a VPN PPTP to the Linksys RV082 router. I log into the router and find that the VPN Gateway to my home is still connected, it hasn't dropped off. But, from where I am at, I cannot Ping the Linksys BEFVP41 router.


I think you're going to have a very difficult time accomplishing that with your hardware/config. What you're trying to do is what's called hairpin routing. The nature of IPSEC itself doesn't support this (that's a security feature - the initial IPSEC SA created is just for the source/destination of your LANs)- nowadays routers use reverse route injection, or dynamic multipoint VPN to effect this. I'm thinking that the feature set of your RV082 isn't going to make this happen.



foneguy9 said:


> I have setup the Dynamic DNS with the instructions provided and am going to try it out on the routers. Post when I get results...


Yes, please let me know. I was doing something similar to this with Linux & OpenVPN for a while. I canned it when my work offered to run Ethernet to my house.


----------



## foneguy9 (Sep 19, 2006)

Alright! Here it is... My VPN Gateway to VPN Gateway is working!

I did get the dyndns.org and setup the dynamic DNS to my domain. For example, hiho.homeip.net

I have set up the Phase 1 Aggressive Mode on both VPN Gateways. On the Linksys BEFVP41, I have set up, in addition to the Aggressive Mode, the Username checkbox with an email address. (By the way, if you look into the help files in the BEFVP41 about this username and box, it tells you it is used for SonicWall VPN connectivity. Right)

On the Linksys in the office, the RV082, I have set up the Remote Gateway as: Setup IP + Email ADDR (User FQDN).
In the IP by DNS Resolved field I entered the hiho.homeip.net that I had set up for free on the www.dyndns.org web site. As to the email address that follows, I entered the email address that was set up on the BEFVP41, the email address above.

Thanks all, especially, O111111O!!! I could not have done it without your support :>

Works fast to connect and the NEC IP phone is working perfectly on this setup!
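The reason the USER FQDN (e-mail) identity works where a dynamic IP did not is that in IKE Phase 1 the responder picks the tunnel by the Identification payload the peer sends, not by the packet's source address. The added example below (not code from the thread or from Linksys) encodes and decodes that payload as laid out in RFC 2408 section 3.8 and RFC 2407 section 4.6.2, and checks a responder configured the way the RV082 was against ID payloads from several peers; the e-mail address homevpn@example.com is a constructed placeholder, hiho.homeip.net is the hostname from the thread.

```python
import struct

# ID types from RFC 2407 section 4.6.2.1
ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN = 1, 2, 3
ID_TYPE_NAMES = {ID_IPV4_ADDR: "IPV4_ADDR", ID_FQDN: "FQDN", ID_USER_FQDN: "USER_FQDN"}

def encode_id_payload(id_type: int, data: str, next_payload: int = 0) -> bytes:
    """Encode an ISAKMP Identification payload for the IPsec DOI."""
    if id_type == ID_IPV4_ADDR:
        body = bytes(int(o) for o in data.split("."))
    else:
        body = data.encode("ascii")             # FQDN / USER_FQDN are plain strings
    length = 8 + len(body)
    # generic header (next payload, reserved, length), then ID type,
    # protocol ID 0 and port 0, which RFC 2407 defines as "any" for Phase 1
    return struct.pack("!BBHBBH", next_payload, 0, length, id_type, 0, 0) + body

def decode_id_payload(raw: bytes):
    """Return (id_type, identity string); raise on a malformed payload."""
    if len(raw) < 8:
        raise ValueError("payload too short")
    _next, _res, length, id_type, _proto, _port = struct.unpack("!BBHBBH", raw[:8])
    if length != len(raw):
        raise ValueError("length field does not match payload size")
    body = raw[8:]
    if id_type == ID_IPV4_ADDR:
        if len(body) != 4:
            raise ValueError("IPv4 identity must be 4 bytes")
        return id_type, ".".join(str(b) for b in body)
    return id_type, body.decode("ascii")

def responder_accepts(cfg_type: int, cfg_value: str, received: bytes) -> bool:
    """RV082-style match: both the ID type and the identity string must agree."""
    return decode_id_payload(received) == (cfg_type, cfg_value)

# Constructed peers: the home BEFVP41 sending its e-mail identity (what worked),
# the same string sent as an FQDN (type mismatch), and a bare dynamic address
HOME_EMAIL = "homevpn@example.com"   # placeholder for the address set on the BEFVP41
PEERS = {
    "befvp41_user_fqdn": encode_id_payload(ID_USER_FQDN, HOME_EMAIL),
    "same_string_as_fqdn": encode_id_payload(ID_FQDN, HOME_EMAIL),
    "ddns_hostname_as_fqdn": encode_id_payload(ID_FQDN, "hiho.homeip.net"),
    "dynamic_wan_address": encode_id_payload(ID_IPV4_ADDR, "198.51.100.23"),
}

def match_table(cfg_type: int = ID_USER_FQDN, cfg_value: str = HOME_EMAIL) -> dict:
    """Which constructed peers an office gateway with this Remote Gateway config admits."""
    return {name: responder_accepts(cfg_type, cfg_value, p) for name, p in PEERS.items()}
```

Because the match key is the identity string rather than the address, the home side can change its WAN address on every DHCP lease and still select the same tunnel entry on the office router.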


----------



## O111111O (Aug 27, 2005)

It's nice to see things work properly.

Cheers.


----------

