I purchased two Cisco RV110W routers to create a site-to-site VPN between two offices. At the main office we have a static IP connected directly to the RV110W. The other office is an executive suite, so our internet is provided by the people who own the building. They only provide us with an internal LAN address. Is it possible to set up the RV110W in my main office as a "host" and let the RV110W in my executive suite connect to that?

chicks

3 Answers

Yes you can do this.

Evidence? I have an IPSec connection from our office in Albania to our office in Norway. The Albania office is behind CGNAT (the ISP provides only 10. addresses to its customers). The Norway office has a public static IP address. The connection is initiated from the Albania office and configured with keep-alive so that even when the link is idle it's not torn down.

I've also done similar things (and considerably more easily) with OpenVPN. Again, one end is behind a NAT gateway and the other is on a public static IP address. With OpenVPN the public end could even be on a dynamic IP address provided that a DDNS service was able to map a fixed known domain name back to the then-current IP address.

I use a mix of Draytek and Cisco/Linksys routers so I expect the specifics would be different for your situation.

roaima
  • Did you setup the keep-alive connection initiated from the Albania side in the VPN policies or is it a special setting on your hardware? – just.another.programmer Mar 17 '15 at 03:29
  • @just keep-alive is a toggle on both Draytek and Linksys. NAT is a toggle on the Linksys but inferred by the Draytek. Because one end is unknown the connection requires aggressive mode. – roaima Mar 17 '15 at 07:59
  • @roaima Why do you need aggressive mode for the unknown end? – just.another.programmer Mar 17 '15 at 17:47
  • @just.another.programmer the connection (both ends) needs to be in Aggressive mode because otherwise it doesn't work. I never bothered to find out the detailed "why". That would be a good new Question – roaima Mar 17 '15 at 19:04
Not required if the unknown IP side is doing the initiating, but it would make things easier if you had:

1) The IP address of the building, and permission to use a port for port forwarding of your VPN

2) Use dynamic DNS for the side of the router that you have no control over in regards to IP address.

http://www.cisco.com/c/dam/en/us/td/docs/routers/csbr/rv110w/administration/guide/rv110w_admin.pdf

MDMoore313
  • if I use dynamic DNS would the building's IT support still need to give me port forwarding? – just.another.programmer Mar 16 '15 at 19:20
  • @just.another.programmer good point, updated my answer. – MDMoore313 Mar 16 '15 at 19:28
  • If the building does not give permission for port forwarding, how would I set unknown IP side to initialize the VPN? – just.another.programmer Mar 16 '15 at 19:45
  • Either move buildings or use your own ISP, because it has to be routed through the Internet routable IP address. You might be able to initiate the connection from the unknown side as Daniel suggested, or talk to the building's IT and see if you can bum a separate IP address from their ISP for a small fee, that piggybacks on their connection. – MDMoore313 Mar 16 '15 at 19:56
Yes, it can be done. You need to configure the tunnel in Aggressive Mode and with NAT Traversal enabled.

shodanshok