Basic gateway to gateway VPN tutorial: Part 2 – “Cisco RV042”

In this article I will guide you through a gateway-to-gateway VPN tunnel configuration using two Cisco RV042 routers. Just as in the first part of the article, our goal is to create an SQL DB link between two MS SQL DB servers.

There are, however, some major differences in the topology compared to the previous scenario. This time the security gateway is not just software installed on the DB server itself, but an independent physical network device, and behind each of those devices sits a DB server.

The basic configuration is as follows:

  • DB_Server_1
    • LAN IP: 192.168.1.2
  • Gateway_1
    • LAN IP: 192.168.1.1
    • WAN IP: 1.2.3.4
    • WAN DNS: site.one.com
  • Gateway_2
    • LAN IP: 192.168.2.1
    • WAN IP: 5.6.7.8
    • WAN DNS: site.two.com
  • DB_Server_2
    • LAN IP: 192.168.2.2

1. Cabling

The Cisco RV042 has 2 WAN and 4 LAN ports (the second WAN port can also be used to create a DMZ). Let’s say both DB servers have a dedicated NIC for this VPN connection. In that case, the DB server is connected to LAN port 1 and the internet to WAN port 1. All other ports on the gateway can be disabled. In the WAN section of the VPN router we can configure our internet connection (this is not part of this topic, but I can tell you that it does not differ from the configuration of any other small business or home router). The default IP of the router is 192.168.1.1. The default user name and password are both “admin”. All configuration can be done through the well-known web GUI (Java is needed).

2. Routing

No routing configuration is needed on the VPN routers. Some is needed on the DB servers, however. We have to configure that all traffic destined for the foreign DB server travels through the dedicated NIC and through the VPN router as its security gateway. In Windows you can easily configure the default gateway and the metric of each NIC in its IPv4/IPv6 properties through the network adapters GUI. The metric is also very important. Because only the traffic of the SQL link should be directed to the security gateway, first we have to tell the OS that it should basically send everything through the first default gateway (let’s say Gateway_0, 192.168.3.1); that rule (and NIC) should operate with a metric of something like 1. The exception is when the destination is the foreign DB server: then the gateway should be the security gateway, the metric should be something like 20, and the traffic should be sent through the dedicated VPN NIC. The routing rules should look something like this (on DB_Server_1):

rem everything else: default route via Gateway_0 on the normal NIC (interface index 1)
route add -p 0.0.0.0 mask 0.0.0.0 192.168.3.1 metric 1 if 1
rem only the foreign DB server: host route via the security gateway on the VPN NIC (interface index 2)
route add -p 192.168.2.2 mask 255.255.255.255 192.168.1.1 metric 20 if 2

That should do the trick.
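To see why the host route wins for the foreign DB server while everything else still leaves through Gateway_0, here is an added example (not code from the original post) that models how Windows selects among the DB_Server_1 routes above: longest matching prefix first, then lowest metric. It assumes interface index 1 is the normal LAN NIC (192.168.3.0/24) and index 2 the dedicated VPN NIC (192.168.1.0/24); the on-link subnet routes are constructed, as Windows adds them automatically.

```python
# Added example (not from the original post): models how Windows chooses
# among the DB_Server_1 routes. Rule: longest matching prefix first, then
# lowest metric. Assumed interface indexes: 1 = normal LAN NIC
# (192.168.3.0/24), 2 = dedicated VPN NIC (192.168.1.0/24).
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str        # "on-link" for a directly connected subnet
    metric: int
    interface: int      # Windows interface index (the "if" argument)

def parse_route_add(cmd):
    """Parse Windows 'route add [-p] DEST mask MASK GW metric N if IDX' into a Route."""
    tok = [t for t in cmd.split() if t not in ("route", "add", "-p")]
    dest, mask, gw = tok[0], tok[2], tok[3]
    metric = int(tok[tok.index("metric") + 1])
    ifidx = int(tok[tok.index("if") + 1])
    return Route(ipaddress.ip_network(f"{dest}/{mask}"), gw, metric, ifidx)

# Constructed table for DB_Server_1: the two persistent routes from the post
# plus the on-link routes Windows creates for each NIC's own subnet.
DB_SERVER_1_ROUTES = [
    parse_route_add("route add -p 0.0.0.0 mask 0.0.0.0 192.168.3.1 metric 1 if 1"),
    parse_route_add("route add -p 192.168.2.2 mask 255.255.255.255 192.168.1.1 metric 20 if 2"),
    Route(ipaddress.ip_network("192.168.3.0/24"), "on-link", 1, 1),
    Route(ipaddress.ip_network("192.168.1.0/24"), "on-link", 20, 2),
]

def select_route(table, destination):
    """Route Windows would pick for destination: longest prefix, then lowest metric."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in table if dst in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))

def next_hop(table, destination):
    """(gateway, interface index) for destination, or None if unroutable."""
    r = select_route(table, destination)
    return (r.gateway, r.interface) if r else None

if __name__ == "__main__":
    for dst in ("192.168.2.2", "192.168.2.3", "8.8.8.8"):
        print(dst, "->", next_hop(DB_SERVER_1_ROUTES, dst))
```

Feeding parse_route_add a default route written with mask 255.255.255.255 yields a /32 host route to 0.0.0.0 that matches no real destination, which is why the mask must be 0.0.0.0.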

3. Gateway to Gateway IPSec IKE VPN tunnel configuration on the two Cisco RV042

After you have already configured the internet connection, the ports, the admin authentication (never leave it on the default!), the LAN IP, logging and everything else you want besides the VPN, you should do some more preparation:

  • Configure a PPTP VPN for administration purposes.
  • Forget about connecting to the router from outside (the internet) through the management port, once and for all (I was overwhelmed with attacks on that port within a minute).
  • Configure the firewall as you see fit, but don’t forget to let the needed ports through, like 1433 for the SQL link. I would suggest disabling the firewall until the VPN tunnel is properly configured and tested (so that a missing firewall rule does not give you unnecessary headaches).
  • In the Setup menu you will find a Forwarding option. There we have to create a forwarding rule for TCP port 1433 to our local DB server, so that the SQL link can work properly.

4. After these preparations, navigate to the VPN menu and hit Gateway to Gateway

Add a New Tunnel

  • Tunnel Name: give it a name! There are no obligatory conventions; it doesn’t even have to be the same as the tunnel name on the foreign VPN router.
  • Interface: select your configured WAN interface (WAN1 in our example)!
  • Enable: tick the check box

Local Group Setup

  • Local Security Gateway Type: you can choose from several types, like IP, e-mail, domain name… IP is the most commonly used, and that is what we will use now too.
  • IP Address: this is the WAN IP of the router. It comes from the WAN settings and cannot be changed here. Ours would be: 1.2.3.4
  • Local Security Group Type: here you can choose IP, subnet, or IP range as the “entrance” of the tunnel. Here we choose IP, and in the next field we type the IP of DB_Server_1, which is 192.168.1.2 in our case

Remote group setup

  • Remote Security Gateway Type: the same as for the local properties, we choose “IP Only”
  • IP Address: here we have to give the WAN address of the remote VPN router: 5.6.7.8
  • Remote Security Group Type: same as above, we choose IP and give the LAN IP address of the foreign DB_Server_2: 192.168.2.2

IPSec Setup – here we can use whatever we want; the only thing that matters is to use the same configuration on both VPN gateways. An example follows:

  • Keying Mode: IKE with Preshared Key
  • Phase 1 DH Group: Group 1 – 768 bit
  • Phase 1 Encryption: AES-256
  • Phase 1 Authentication: SHA1
  • Phase 1 SA Life Time: 28800
  • Perfect Forward Secrecy: tick the box (what it is used for was explained in the first part of the article)
  • Phase 2 DH Group: Group 1 – 768 bit
  • Phase 2 Encryption: AES-256
  • Phase 2 Authentication: SHA1
  • Phase 2 SA Life Time: 3600
  • Preshared Key: here you enter a key of your choice
  • Minimum Preshared Key Complexity: you can check it if you don’t want to allow a too-simple PSK
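Because the tunnel only comes up when both gateways carry the same IPSec Setup, here is an added consistency check (not code from the post or from Cisco) that compares the two tunnel definitions field by field, verifies that each side’s local gateway/group is the other side’s remote, and separately flags settings that match but are weak. Field names follow the GUI labels above; the values are the post’s sample settings, the preshared key is a placeholder, and Gateway_2 is constructed with one deliberate Phase 2 lifetime typo to show the report.

```python
# Added example (not from the post or Cisco): consistency check for the
# "IPSec Setup" of two RV042 gateway-to-gateway tunnel definitions.
# Values are the post's sample settings; the PSK is a placeholder and
# Gateway_2 carries one constructed mismatch (Phase 2 lifetime).
GATEWAY_1 = {
    "tunnel_name": "to-site-two",                 # free-form, need not match the peer
    "local_gw": "1.2.3.4", "local_group": "192.168.1.2",
    "remote_gw": "5.6.7.8", "remote_group": "192.168.2.2",
    "keying_mode": "IKE with preshared key", "pfs": True,
    "phase1": {"dh_group": 1, "encryption": "AES-256", "auth": "SHA1", "lifetime": 28800},
    "phase2": {"dh_group": 1, "encryption": "AES-256", "auth": "SHA1", "lifetime": 3600},
    "preshared_key": "EXAMPLE-PSK-CHANGE-ME",     # placeholder, not a real key
    "aggressive_mode": False,
}
GATEWAY_2 = {
    **GATEWAY_1,
    "tunnel_name": "to-site-one",
    "local_gw": "5.6.7.8", "local_group": "192.168.2.2",
    "remote_gw": "1.2.3.4", "remote_group": "192.168.1.2",
    "phase2": {**GATEWAY_1["phase2"], "lifetime": 3800},   # the deliberate mismatch
}

# Settings IKE negotiation requires to be identical on both peers.
MUST_MATCH = ("keying_mode", "phase1", "pfs", "phase2", "preshared_key", "aggressive_mode")
# Local/remote pairs: one side's "local" must equal the other side's "remote".
MIRRORED = (("local_gw", "remote_gw"), ("local_group", "remote_group"))

def _diff(key, va, vb, out):
    """Append a message for each leaf value that differs; recurses into the phase dicts."""
    if isinstance(va, dict):
        for sub in va:
            _diff(f"{key}.{sub}", va[sub], vb.get(sub), out)
    elif va != vb:
        out.append(f"{key} differs: {va!r} vs {vb!r}")

def tunnel_mismatches(a, b):
    """Return the list of reasons tunnel definitions a and b would fail to match."""
    problems = []
    for key in MUST_MATCH:
        _diff(key, a[key], b[key], problems)
    for local, remote in MIRRORED:
        if a[local] != b[remote]:
            problems.append(f"A.{local}={a[local]} is not B.{remote}={b[remote]}")
        if b[local] != a[remote]:
            problems.append(f"B.{local}={b[local]} is not A.{remote}={a[remote]}")
    return problems

def weak_settings(cfg):
    """Flag parameters that match but are known-weak: a review item, not a negotiation failure."""
    return [f"{p}: DH group 1 (768-bit MODP) is too small; pick the largest group the firmware offers"
            for p in ("phase1", "phase2") if cfg[p]["dh_group"] == 1]
```

Running tunnel_mismatches(GATEWAY_1, GATEWAY_2) reports only the Phase 2 lifetime, while weak_settings(GATEWAY_1) flags the 768-bit DH group in both phases.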

Advanced field

  • In the Advanced field there are a lot of interesting but not necessary configuration options, like Aggressive Mode (discussed in part one), Keep-Alive (the GW tries to rebuild the tunnel every time it breaks down; the event is logged; this function is a must), NAT Traversal, Dead Peer Detection Interval (10 by default), etc. For now we only check Keep-Alive, set Dead Peer Detection to 10, and Aggressive Mode as optional.
  • Now we can save our new VPN tunnel and create the same on the other VPN router. If we did everything right, we don’t even have to hit “Connect” in the summary window, because thanks to the Keep-Alive option the connection will be opened automatically at once.

Finish

Now our VPN tunnel and our SQL link should work properly and should never break down.

Thank you for reading my post; I hope it was helpful to you. If you find any mistakes in it, please write to me so I can correct them.

Thank You again, and goodbye until next time!
