Updated:January 3, 2019
The objective of this document is to create a site-to-site
VPN on the RV160 and RV260 series routers.
A virtual private network (VPN) is a great way to connect remote workers to a secured network. A VPN allows a remote host to act as if it were connected to the onsite secured network. In a site-to-site VPN, the local router at one location connects to a remote router through a VPN tunnel. This tunnel encapsulates traffic using industry-standard encryption and authentication techniques, so that the data sent through it is protected.
Note that when you are configuring a site-to-site VPN, the Local Area Network (LAN) subnets on either side of the tunnel cannot be on the same network. For example, if the Site A LAN uses the 192.168.1.x/24 subnet, Site B cannot use the same subnet. Site B has to use a different subnet, such as 192.168.2.x/24.
To configure a tunnel properly, enter corresponding settings
(reversing local and remote) when configuring the two routers. Assume that this
router is identified as Router A. Enter its settings in the Local Group Setup
section while entering the settings for the other router (Router B) in the
Remote Group Setup section. When you configure the other router (Router B),
enter its settings in the Local Group Setup section, and enter the Router A
settings in the Remote Group Setup.
Below is a table of the configuration for both Router A and Router B. The WAN IP address and local IP address are the parameters that are the inverse of the opposite router's; all other parameters are configured the same. In this document, we configure the local router, Router A.
Router A (Local)                                              Router B (Remote)
WAN IP address: 140.x.x.x                                     WAN IP address: 145.x.x.x
Local IP address: 192.168.2.0/24                              Local IP address: 10.1.1.0/24
IPsec profile: HomeOffice (same configuration as RemoteOffice) IPsec profile: RemoteOffice (same configuration as HomeOffice)
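The mirroring rule and the non-overlapping-subnet requirement described above can be checked before either router is touched. The following Python script is an added example written for this page, not Cisco code and not a router API: it takes the two routers from the table (the WAN addresses keep the document's x placeholders and are never parsed; the LAN subnets are the ones listed), rejects overlapping LAN subnets, and produces the Local Group / Remote Group values for each side so that Router B's settings are verified to be the mirror of Router A's. The field labels ("Local WAN IP", "Remote WAN IP", "Subnet", "Static IP") are the ones used in the steps that follow; the dictionary layout and function names are the example's own.

```python
import ipaddress

# Values from the table above; the WAN addresses keep the document's
# "x" placeholders (they are never parsed here), the LAN subnets are as listed.
ROUTER_A = {"name": "Router A", "wan_ip": "140.x.x.x", "lan": "192.168.2.0/24"}
ROUTER_B = {"name": "Router B", "wan_ip": "145.x.x.x", "lan": "10.1.1.0/24"}


def lan_subnets_disjoint(lan_a, lan_b):
    """True when the two LAN subnets do not overlap.

    The text requires that the LANs on either side of the tunnel are not
    on the same network; strict=False lets a host address such as
    192.168.1.1/24 be supplied and masks it to its network.
    """
    net_a = ipaddress.ip_network(lan_a, strict=False)
    net_b = ipaddress.ip_network(lan_b, strict=False)
    return not net_a.overlaps(net_b)


def site_to_site_plan(local, remote):
    """Local Group / Remote Group settings for one router, filled in the way
    the steps describe: the router's own values go in the local group, the
    peer's values in the remote group, and the peer's WAN address is the
    remote endpoint (Static IP). The dictionary layout is this example's own."""
    if not lan_subnets_disjoint(local["lan"], remote["lan"]):
        raise ValueError(
            f"LAN subnets overlap: {local['lan']} and {remote['lan']}")
    lan_l = ipaddress.ip_network(local["lan"], strict=False)
    lan_r = ipaddress.ip_network(remote["lan"], strict=False)
    return {
        "router": local["name"],
        "remote_endpoint": {"type": "Static IP", "address": remote["wan_ip"]},
        "local_group": {
            "identifier_type": "Local WAN IP",
            "identifier": local["wan_ip"],
            "ip_type": "Subnet",
            "ip_address": str(lan_l.network_address),
            "subnet_mask": str(lan_l.netmask),
        },
        "remote_group": {
            "identifier_type": "Remote WAN IP",
            "identifier": remote["wan_ip"],
            "ip_type": "Subnet",
            "ip_address": str(lan_r.network_address),
            "subnet_mask": str(lan_r.netmask),
        },
    }


def both_sides(router_a, router_b):
    """Plans for both routers; Router B is simply Router A with local and
    remote swapped."""
    return site_to_site_plan(router_a, router_b), site_to_site_plan(router_b, router_a)


def is_mirror(plan_a, plan_b):
    """Check that what A calls local is what B calls remote, and vice versa
    (the identifier types differ by design, so only the values are compared)."""
    def values(group):
        return (group["identifier"], group["ip_address"], group["subnet_mask"])
    return (values(plan_a["local_group"]) == values(plan_b["remote_group"])
            and values(plan_a["remote_group"]) == values(plan_b["local_group"]))


if __name__ == "__main__":
    plan_a, plan_b = both_sides(ROUTER_A, ROUTER_B)
    for plan in (plan_a, plan_b):
        print(plan["router"], "-> remote endpoint", plan["remote_endpoint"]["address"])
        print("  local group :", plan["local_group"])
        print("  remote group:", plan["remote_group"])
    print("mirror ok:", is_mirror(plan_a, plan_b))
```

Running the script prints the values to type into each router's Local Group Setup and Remote Group Setup sections and confirms they mirror each other; feeding it two routers whose LANs share a subnet raises a ValueError before any tunnel is configured.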
Configuring Site-to-Site VPN Connection – Router A
Step 1. Log in to the web configuration page of Router A.
Note: We will be using the RV160 for both routers.
Step 2. Navigate to VPN
> IPSec VPN > Site-to-Site.
Step 3. Click the add button
to add a new Site-to-Site VPN connection.
Step 4. Check Enable to
enable the configuration. This is enabled by default.
Step 5. Enter a connection name for the VPN tunnel. This
description is for reference purposes and does not have to match the name used
at the other end of the tunnel.
In this example, we will be entering VPNTest as our connection name.
Step 6. Select the IPsec profile that you want to use for the VPN, either one you have created or a premade one (Amazon_Web_Services, Microsoft_Azure). The Default – Auto Profile is chosen by default. An IPsec profile is the central IPsec configuration that defines the algorithms (encryption, authentication, and Diffie-Hellman (DH) group) used for Phase I and Phase II negotiation.
For this example, we will be selecting HomeOffice as our IPsec profile.
Step 7. In the Interface field,
select the interface used for the tunnel. In this example, we will be using WAN as our interface.
Step 8. Select either Static IP, Fully Qualified Domain Name (FQDN), or Dynamic IP for the Remote Endpoint. Enter the IP address or FQDN of the remote endpoint based on your selection.
We have selected Static IP and entered our remote endpoint IP address.
IKE Authentication Method
Step 1. Select either Pre-shared Key or Certificate. For this demonstration, we will be selecting Pre-shared Key as our IKE authentication method.
IKE peers authenticate each other by computing and sending a keyed hash of data that includes the pre-shared key. If the receiving peer can independently create the same hash using its own pre-shared key, it knows that both peers share the same secret, which authenticates the other peer. Pre-shared keys do not scale well because each IPsec peer must be configured with the pre-shared key of every other peer with which it establishes a
A digital certificate is a package that contains information such as the certificate bearer's identity (name or IP address), the certificate's serial number, the certificate's expiration date, and a copy of the certificate bearer's public key. The standard digital certificate format is defined in the X.509 specification; X.509 version 3 defines the data structure for certificates. If you have selected Certificate, make sure your signed certificate is imported in Administration > Certificate, then select the certificate from the drop-down list for both local and remote.
Step 2. In the Pre-shared Key field, enter a pre-shared key.
Note: Make sure the remote router uses the same pre-shared key.
Step 3. Check the Enable checkbox if you would like to display the pre-shared key. The Preshared Key Strength Meter shows the strength of the pre-shared key through colored bars. Check Enable to enforce the minimum pre-shared key complexity. Then, skip to For Local Group
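The keyed-hash authentication described under the pre-shared key option, together with a minimum-complexity check of the kind the strength meter enforces, as an added example. This is Python written for this page, not the router's firmware and not the IKE specification: each peer computes an HMAC over its handshake data keyed with the PSK, the other side recomputes it with its own copy and compares in constant time, and a mismatched key fails in both directions. The HMAC-SHA256 construction, the signed data (own identity plus both nonces), the placeholder identities from the table, and the complexity policy (at least 8 characters from at least three character classes) are simplifications assumed for the example; a real IKE implementation derives the authentication key through its PRF chain and covers more of the exchange, and the router's own complexity rule is not documented here.

```python
import hashlib
import hmac
import secrets
import string


def psk_auth_tag(psk, signed_octets):
    """Keyed hash that proves knowledge of the pre-shared key.

    Simplification assumed for this example: HMAC-SHA256 keyed directly
    with the PSK. IKE derives the key through its PRF chain, but the
    property the text describes is the same: only a holder of the PSK
    can produce a tag that the other side can recompute.
    """
    return hmac.new(psk.encode("utf-8"), signed_octets, hashlib.sha256).digest()


def verify_peer(psk, signed_octets, received_tag):
    """Recompute the tag with our own PSK and compare in constant time."""
    expected = psk_auth_tag(psk, signed_octets)
    return hmac.compare_digest(expected, received_tag)


def simulate_handshake(initiator_psk, responder_psk):
    """Run both directions of the authentication and report who accepts whom.

    The identities are the document's placeholder WAN addresses; the nonces
    are generated fresh here, as in a real exchange. The signed octets
    (own identity plus both nonces) are a simplification assumed for the
    example.
    """
    id_i, id_r = b"140.x.x.x", b"145.x.x.x"
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)

    i_signed = id_i + nonce_i + nonce_r   # what the initiator authenticates
    r_signed = id_r + nonce_r + nonce_i   # what the responder authenticates

    auth_i = psk_auth_tag(initiator_psk, i_signed)   # sent by the initiator
    auth_r = psk_auth_tag(responder_psk, r_signed)   # sent by the responder

    return {
        "responder_accepts_initiator": verify_peer(responder_psk, i_signed, auth_i),
        "initiator_accepts_responder": verify_peer(initiator_psk, r_signed, auth_r),
    }


def psk_meets_minimum(psk, min_length=8, min_classes=3):
    """Assumed minimum-complexity policy (not the router's actual rule):
    at least min_length characters drawn from at least min_classes of
    upper case, lower case, digits and punctuation."""
    classes = [
        any(c.isupper() for c in psk),
        any(c.islower() for c in psk),
        any(c.isdigit() for c in psk),
        any(c in string.punctuation for c in psk),
    ]
    return len(psk) >= min_length and sum(classes) >= min_classes


if __name__ == "__main__":
    print(simulate_handshake("same-secret-Both-Sides1", "same-secret-Both-Sides1"))
    print(simulate_handshake("same-secret-Both-Sides1", "typo-on-router-B"))
    print(psk_meets_minimum("same-secret-Both-Sides1"))
```

The second handshake in the usage block is what a typo in Router B's pre-shared key looks like: both peers reject each other, which is why the note above insists that the remote router use the same key. The constant-time comparison is the one detail worth carrying into any real verifier; a plain `==` on the tags leaks timing information about how many leading bytes matched.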
Local Group Setup
Step 1. Select Local WAN IP,
IP Address, Local FQDN, or Local User FQDN from the drop-down list. Enter the identifier
name or IP Address based on your selection. If you have selected Local WAN IP, the WAN IP address of your
router should automatically be entered.
Step 2. For the Local IP Type, select Subnet, Single, Any, IP Group, or GRE Interface from the drop-down list.
In this example, Subnet was
Step 3. Enter the IP address of the local network or device that can use this tunnel, then enter the subnet mask.
For this demonstration, we will be entering 192.168.2.0 as our local IP address and 255.255.255.0 as the subnet mask.
Remote Group Setup
Step 1. Select Remote WAN IP, Remote FQDN, or Remote User FQDN from the drop-down list. Enter the identifier name or IP address based on your selection.
We have selected Remote WAN IP as our Remote Identifier Type and entered the IP address of the remote router.
Step 2. Select Subnet, Single, Any, or IP Group from the Remote IP Type drop-down list.
In this example, we will be selecting Subnet.
Note: If you have selected
IP Group as your remote IP type, a popup window to create a new IP group will
Step 3. Enter the remote local IP address and subnet mask of the network or device on the remote side that can use this tunnel.
We have entered 10.1.1.0 for the remote local IP address that can use this tunnel and the subnet mask of
Step 4. Check the box to enable aggressive mode. In aggressive mode, the IKE SA negotiation is compressed into three packets, with all the data required for the SA passed by the initiator. Negotiation is quicker, but the weakness is that the peers' identities are exchanged in clear text.
Step 5. Click Apply to
create a new Site-to-Site VPN connection.
You should now have successfully added a new Site-to-Site VPN connection on your local router. You now need to configure your remote router (Router B) with the reverse information.
All configuration that the router is currently using is held in the Running Configuration file, which is volatile: it is not retained between reboots.
Step 1. At the top of the page, click the Save button to navigate to Configuration Management and save your running configuration to the startup configuration, so that the configuration is retained between reboots.
Step 2. In Configuration Management, make sure the Source is Running Configuration and the Destination is Startup Configuration, then press Apply to save your running configuration to the startup configuration. Copying the Running Configuration file to the Startup Configuration file retains all of the configuration between reboots.