01-05-2021



Objective

The objective of this article is to guide you through setting up a Site-to-Site VPN between Cisco RV Series routers and Amazon Web Services.

Applicable Devices | Software Version

  • RV160 | 1.0.00.17

  • RV260 | 1.0.00.17

  • RV340 | 1.0.03.18

  • RV345 | 1.0.03.18

Introduction

A Site-to-Site VPN connects two or more networks, which gives businesses and general users the ability to reach resources on different networks. Amazon Web Services (AWS) provides many on-demand cloud computing platforms, including Site-to-Site VPNs that allow you to access your AWS resources. This guide will help you configure a Site-to-Site VPN between an RV16X, RV26X, or RV34X router and Amazon Web Services.

The two parts are as follows:

  • Setting up a Site-to-Site VPN on Amazon Web Services
  • Setting up Site-to-Site on an RV16X/RV26X, RV34X Router

Setting up a Site-to-Site VPN on Amazon Web Services

Step 1

Create a new VPC, defining an IPv4 CIDR block, in which we will later define the LAN used as our AWS LAN. Select Create.

Step 2

When creating the subnet, ensure that you have selected the VPC created previously. Define a subnet within the existing /16 network created previously. In this example, 172.16.10.0/24 is used.

Step 3

Create a Customer Gateway, defining the IP Address as the Public IP Address of your Cisco RV Router.

Step 4

Create a Virtual Private Gateway, adding a Name tag to help identify it later.

Step 5

Attach the Virtual Private Gateway to the VPC created previously.

Step 6

Create a new VPN Connection, selecting the Target Gateway Type of Virtual Private Gateway. Associate the VPN Connection with the Virtual Private Gateway created previously.

Step 7

Select Existing Customer Gateway. Select the Customer Gateway created previously.

Step 8

For Routing Options, select Static. Enter the IP prefixes, in CIDR notation, of any remote networks you expect to traverse the VPN. [These are the networks that exist on your Cisco router.]

Step 9

We will not cover any of the Tunnel Options in this guide; select Create VPN Connection.

Step 10

Create a Route Table and associate the VPC created previously. Press Create.

Step 11

Select the Route Table created previously. From the Subnet Associations tab, choose Edit subnet associations.

Step 12

From the Edit subnet associations page, select the subnet created previously. Select the Route Table created previously. Then select Save.

Step 13

From the Route Propagation tab, choose Edit route propagation.

Step 14

Select the Virtual Private Gateway created previously.

Step 15

From VPC > Security Groups, ensure that you have a policy created to allow the desired traffic.

Note: In this example, we are using a source of 10.0.10.0/24 – which corresponds to the subnet in use on our example RV router.

Step 16

Select the VPN Connection that you have created previously and choose Download Configuration.

Setting up Site-to-Site on an RV16X/RV26X, RV34X Router

Step 1

Log in to the router using valid credentials.

Step 2

Navigate to VPN > IPsec Profiles. On the IPsec Profiles page, press the add icon (+).

Step 3

We will now create our IPsec profile. When creating the IPsec Profile on your Small Business router, ensure that DH Group 2 is selected for Phase 1.

Note: AWS will support lower levels of encryption and authentication – in this example, AES-256 and SHA2-256 are used.

Step 4

Ensure that your Phase 2 options match those chosen in Phase 1. For AWS, DH Group 2 must be used.

Step 5

Press Apply. You will be returned to the IPsec page; be sure to press Apply once again.

Step 6

Navigate to VPN > Client to Site and, on the Client to Site page, press the plus icon (+).

Step 7

When creating the IPsec Site-to-Site Connection, select the IPsec Profile created in the previous steps. Use the Remote Endpoint type of Static IP and enter the address provided in the exported AWS configuration. Enter the Pre-Shared Key provided in the exported configuration from AWS.

Step 8

Enter the Local Identifier for your Small Business router; this entry should match the Customer Gateway created in AWS. Enter the IP Address and Subnet Mask for your Small Business router; this entry should match the Static IP Prefix added to the VPN Connection in AWS.

Step 9

Enter the Remote Identifier for your AWS connection; this is listed under Tunnel Details of the AWS Site-to-Site VPN Connection. Enter the IP Address and Subnet Mask for your AWS connection, which were defined during the AWS configuration. Then press Apply.

Step 10

Once on the IPsec Site-to-Site page, press Apply.
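The tunnel only comes up when both sides agree on the proposals, identifiers and networks entered in the steps above. The following pre-flight check is an added example, not Cisco or AWS code; the dict layout and the public IP addresses are constructed placeholders standing in for the values in the downloaded AWS configuration.

```python
import ipaddress

# Constructed sample of the AWS side (placeholder addresses, not from the article's screenshots).
AWS = {
    "vpc_cidr": "172.16.0.0/16",                 # Step 1: VPC IPv4 CIDR block
    "static_routes": ["10.0.10.0/24"],           # Step 8: networks behind the RV
    "customer_gateway_ip": "203.0.113.10",       # Step 3: RV public IP (placeholder)
    "tunnel_outside_ip": "198.51.100.5",         # Tunnel Details (placeholder)
    "security_group_sources": ["10.0.10.0/24"],  # Step 15
    "phase1": {"enc": "aes256", "auth": "sha256", "dh": 2},
    "phase2": {"enc": "aes256", "auth": "sha256", "dh": 2},
}

# Constructed sample of what was entered on the RV router (Steps 3 to 9).
RV = {
    "local_identifier": "203.0.113.10",
    "local_network": "10.0.10.0/24",
    "remote_identifier": "198.51.100.5",
    "remote_network": "172.16.10.0/24",
    "phase1": {"enc": "aes256", "auth": "sha256", "dh": 2},
    "phase2": {"enc": "aes256", "auth": "sha256", "dh": 2},
}

def check_site_to_site(aws: dict, rv: dict) -> list:
    """Return the mismatches between the two sides; an empty list means they agree."""
    issues = []
    # Phase 1 and Phase 2 proposals must match exactly or IKE negotiation fails.
    for phase in ("phase1", "phase2"):
        for key in ("enc", "auth", "dh"):
            if aws[phase][key] != rv[phase][key]:
                issues.append(f"{phase} {key}: AWS={aws[phase][key]} RV={rv[phase][key]}")
    # Identifiers: local = Customer Gateway IP, remote = tunnel outside IP.
    if rv["local_identifier"] != aws["customer_gateway_ip"]:
        issues.append("local identifier does not match the Customer Gateway IP")
    if rv["remote_identifier"] != aws["tunnel_outside_ip"]:
        issues.append("remote identifier does not match the tunnel outside IP")
    # Routing: RV LAN must be a static route in AWS, AWS subnet must sit inside the VPC.
    local = ipaddress.ip_network(rv["local_network"])
    remote = ipaddress.ip_network(rv["remote_network"])
    if str(local) not in aws["static_routes"]:
        issues.append(f"{local} is not a static route on the AWS VPN connection")
    if not remote.subnet_of(ipaddress.ip_network(aws["vpc_cidr"])):
        issues.append(f"{remote} is outside the VPC CIDR {aws['vpc_cidr']}")
    if local.overlaps(remote):
        issues.append("local and remote networks overlap")
    # Security group: at least one inbound rule must admit the RV LAN as a source.
    if not any(local.subnet_of(ipaddress.ip_network(s)) for s in aws["security_group_sources"]):
        issues.append("no security group rule admits the RV LAN as a source")
    return issues
```

Run `check_site_to_site(AWS, RV)` after filling in the real values from the downloaded configuration; each returned string names the step whose entry has to be corrected.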

Conclusion

You have now successfully created a Site-to-Site VPN between your RV series router and AWS. For community discussions on Site-to-Site VPN, go to the Cisco Small Business Support Community page and search for Site-to-Site VPN.

Objective

In a Client-to-Site Virtual Private Network (VPN) connection, clients on the Internet can connect to the server to access the corporate network or Local Area Network (LAN) behind the server while the security of the network and its resources is maintained. This feature is very useful since it creates a VPN tunnel that allows teleworkers and business travelers to access your network using VPN client software without compromising privacy and security.

The objective of this document is to show you how to configure a Client-to-Site VPN connection on the RV34x Series Router.

Applicable Devices

  • RV34x Series

Software Version

  • 1.0.01.16

Configure Client-to-Site VPN

Step 1. Log in to the router web-based utility and choose VPN > Client-to-Site.

Step 2. Click the Add button under IPSec Client-to-Site Tunnels section.

Step 3. In the Add a New Tunnel area, click the Cisco VPN Client radio button.

Step 4. Check the Enable check box to enable the configuration.

Step 5. Enter a group name in the field provided. This will serve as the identifier for all the members of this group during the Internet Key Exchange (IKE) negotiations.

Note: Use only the characters A to Z and 0 to 9. Spaces and special characters are not allowed in the group name. In this example, TestGroup is used.

Step 6. Click on the drop-down list to choose the Interface. The options are:

  • WAN1
  • WAN2
  • USB1
  • USB2

Note: In this example, WAN1 is chosen. This is the default setting.

Step 7. In the IKE Authentication Method area, choose the authentication method to be used in the IKE negotiations for the IKE-based tunnel. The options are:

  • Pre-shared Key — IKE peers authenticate each other by computing and sending a keyed hash of data that includes the Pre-shared Key. If the receiving peer is able to create the same hash independently using its Pre-shared key, it knows that both peers must share the same secret, thus authenticating the other peer. Pre-shared keys do not scale well because each IPSec peer must be configured with the Pre-shared key of every other peer with which it establishes a session.
  • Certificate — A digital certificate is a package that contains information such as the identity of the bearer (a name or IP address), the serial number and expiration date of the certificate, and a copy of the bearer's public key. The standard digital certificate format is defined in the X.509 specification. X.509 version 3 defines the data structure for certificates.

Note: In this example, Pre-shared Key is chosen. This is the default setting.

Step 8. Enter a pre-shared key in the field provided. This will be the authentication key among your group of IKE peers.

Step 9. (Optional) Check the Enable check box for Minimum Pre-shared Key Complexity to view the Pre-shared Key Strength Meter and determine the strength of your key. The strength of your key is indicated as follows:

  • Red — The password is weak.
  • Orange — The password is fairly strong.
  • Green — The password is strong.

Note: You can check the Enable check box in the Show Pre-shared Key field to check your password in plain text.

Step 10. (Optional) Click on the plus icon in the User Group table to add a group.

Step 11. (Optional) Choose from the drop-down list whether the user group is for admin or for guests. If you created your own user group with user accounts, you can select it. In this example, we will be selecting TestGroup.

Note: TestGroup is a user group that we have created in System Configuration > User Groups.

Note: In this example, TestGroup is chosen. You can also check the box beside the user group and then click the Delete button if you want to delete a user group.

Step 12. Click on a radio button to choose a Mode. The options are:

  • Client — This option allows the client to request an IP address, and the server supplies an IP address from the configured address range.
  • Network Extension Mode (NEM) — This option allows the client to propose its own subnet; VPN services are then applied to traffic between the LAN behind the server and the subnet proposed by the client.

Note: In this example, Client is chosen.

Step 13. Enter the starting IP address in the Start IP field. This will be the first IP address in the pool that can be assigned to a client.

Note: In this example, 192.168.100.1 is used.

Step 14. Enter the ending IP address in the End IP field. This will be the last IP address in the pool that can be assigned to a client.

Note: In this example, 192.168.100.100 is used.

Step 15. (Optional) Under the Mode Configuration area, enter the IP address of the primary DNS server in the field provided.

Note: In this example, 192.168.1.1 is used.

Step 16. (Optional) Enter the IP address of the secondary DNS server in the field provided.

Note: In this example, 192.168.1.2 is used.

Step 17. (Optional) Enter the IP address of the primary WINS server in the field provided.

Note: In this example, 192.168.1.1 is used.

Step 18. (Optional) Enter the IP address of the secondary WINS server in the field provided.

Note: In this example, 192.168.1.2 is used.

Step 19. (Optional) Enter the default domain to be used in the remote network in the field provided.

Note: In this example, sample.com is used.

Step 20. (Optional) In the Backup Server 1 field, enter the IP address or the domain name of the backup server. The client can start the VPN connection to this server if the primary IPsec VPN server fails. You can enter up to three backup servers in the fields provided. Backup Server 1 has the highest priority among the three servers and Backup Server 3 has the lowest.

Note: In this example, Example.com is used for Backup Server 1.

Step 21. (Optional) Check the Split Tunnel check box to enable split tunnel. Split Tunneling allows you to access the resources of a private network and the Internet at the same time.

Step 22. (Optional) Under the Split Tunnel Table, click the plus icon to add an IP address for split tunnel.

Step 23. (Optional) Enter the IP address and netmask of the split tunnel in the fields provided.

Note: In this example, 192.168.1.0 and 255.255.255.0 are used. You can also check the box and click on the Add, Edit, and Delete buttons to add, edit, or delete a split tunnel, respectively.

Step 24. (Optional) Check the Split DNS check box to enable split DNS. Split DNS allows you to create separate DNS servers for internal and external networks to maintain security and privacy of network resources.

Step 25. (Optional) Click the plus icon under the Split DNS Table to add a domain name for split DNS.

Step 26. (Optional) Enter the domain name of the split DNS in the field provided.

Note: In this example, labsample.com is used. You can also check the box and click on the Add, Edit, and Delete buttons to add, edit, or delete a split DNS, respectively.

Step 27. Click Apply.
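Before pressing Apply, it is worth checking the form values from Steps 5 to 23 against each other: the group name rule, the key strength, and whether the client pool collides with a split-tunnel network. The validator below is an added example, not Cisco code; the field layout is an assumption, the pre-shared key is a constructed placeholder, and the strength heuristic only stands in for the router's undocumented strength meter.

```python
import ipaddress
import re

# Constructed sample using the values from the steps above (PSK is a placeholder).
FORM = {
    "group_name": "TestGroup",
    "pre_shared_key": "Tr0ub4dor&3-example",
    "start_ip": "192.168.100.1",
    "end_ip": "192.168.100.100",
    "split_tunnel": ["192.168.1.0/24"],
    "backup_servers": ["Example.com"],
}

def psk_strength(psk: str) -> str:
    """Assumed heuristic standing in for the Red/Orange/Green strength meter:
    the router's real scoring rule is not documented in the article."""
    classes = sum(1 for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]") if re.search(p, psk))
    if len(psk) >= 16 and classes >= 3:
        return "Green"
    if len(psk) >= 8 and classes >= 2:
        return "Orange"
    return "Red"

def validate_client_to_site(form: dict) -> list:
    """Return the problems to fix before pressing Apply; an empty list means none."""
    issues = []
    # Step 5 note: group name is letters and digits only, no spaces or specials.
    if not re.fullmatch(r"[A-Za-z0-9]+", form["group_name"]):
        issues.append("group name may only contain A-Z, a-z and 0-9")
    # Step 9: a Red key should not be accepted for a tunnel reachable from the Internet.
    if psk_strength(form["pre_shared_key"]) == "Red":
        issues.append("pre-shared key is weak (Red)")
    # Steps 13-14: the pool must be a valid range ...
    start = ipaddress.ip_address(form["start_ip"])
    end = ipaddress.ip_address(form["end_ip"])
    if start > end:
        issues.append("Start IP is greater than End IP")
    else:
        pool = list(ipaddress.summarize_address_range(start, end))
        # ... and must not overlap a split-tunnel network (Step 23), or clients
        # would route traffic for their own pool addresses back into the tunnel.
        for net in form["split_tunnel"]:
            if any(p.overlaps(ipaddress.ip_network(net)) for p in pool):
                issues.append(f"client pool overlaps split-tunnel network {net}")
    # Step 20: at most three backup servers.
    if len(form["backup_servers"]) > 3:
        issues.append("at most three backup servers can be configured")
    return issues
```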

Conclusion

You should now have successfully configured a Client-to-Site connection on the RV34x Series Router.
