Configuring a Site-to-Site Virtual Private Network (VPN) Connection on RV340 or RV345 Routers
Objective
A Virtual Private Network (VPN) connects a local network to a remote host, which can be a computer or another network. This connection allows both networks to access resources at either end. VPNs are commonly used to connect branch offices or enable remote employees to access the company's computer network securely, even when not physically connected to the network infrastructure. Remote employees typically connect using VPN client software such as AnyConnect, Shrew Soft, or GreenBow.
This document guides users through configuring a Site-to-Site VPN connection between RV340 and RV345 routers. The router initiating the connection is referred to as the local router, and the other router is the remote router. Ensure you have remote or physical access to the remote router.
Important Note: LAN networks must be on different subnets (e.g., 192.168.1.x and 192.168.2.x) or entirely different networks (e.g., 192.168.1.x and 10.10.1.x). If both networks share the same subnet, the router will not attempt to send traffic over the VPN.
Supported Devices
- RV340
- RV340W
- RV345
- RV345P
Software Version
- 1.0.03.15
Licensing Information
Special Note: For firmware version 1.0.3.15 and later, AnyConnect incurs client license fees. Client licenses must be purchased through CDW or other partners. Options include a one-year license for a single user (L-AC-PLS-3Y-S5) or a one-year license package for 25 users (AC-PLS-P-25-S). Perpetual licenses are also available. For more details on licensing, refer to the link provided in the licensing information section.
For more information on AnyConnect licensing for RV340 series routers, refer to the article "AnyConnect Licensing for RV340 Series Routers".
Configuring the VPN Connection
Local Router Configuration
Step 1: Log in to the web-based utility of the local router and navigate to VPN > Site-to-Site. (Example uses RV340).
Step 2: Click the plus icon [+] to add a new connection.
The Site to Site Table will display columns for Connection Name, Remote Endpoint, Interface, IPsec Profile, Local Traffic Selection, and Remote Traffic Selection.
Step 3: In the Basic Settings tab, ensure the Enable checkbox is selected. It is checked by default.
- Connection Name: Enter a name for the VPN connection (e.g., TestVPN1).
- IPsec Profile: Select the desired security settings. These options depend on the created IPsec profiles. Instructions for creating an IPsec profile are in a separate guide. (Example selects CiscoTestVPN).
- Interface: Choose the interface the local router will use for the VPN connection. Options include:
- WAN1: Uses the IP address of the router's WAN1 interface.
- WAN2: Uses the IP address of the router's WAN2 interface. Not available on single-WAN routers.
- USB1: Uses the IP address of the router's USB1 interface.
- USB2: Uses the IP address of the router's USB2 interface. Not available on single-USB routers.
- Remote Endpoint: Select the identifier type for the remote router's WAN interface. Options include:
- Static IP: Uses the remote router's static IP address. If selected here, it must also be selected on the remote router.
- FQDN: Uses the fully qualified domain name (FQDN) of the remote router.
- Dynamic IP: Uses the dynamic IP address of the remote router.
Step 4: Enter the IP address of the remote router's WAN interface. (Example: 124.123.122.123).
Step 5: Select the desired Internet Key Exchange (IKE) authentication method. Options are:
- Pre-shared Key: Requires a pre-shared key for connection. The key must be identical on both ends of the VPN connection.
- Certificate: Uses a certificate generated by the router for authentication instead of a password.
Step 6: Enter the pre-shared key for the VPN connection in the Pre-shared Key field. (Example: A series of dots representing a password).
Step 7 (Optional): To use a simple password, uncheck the Minimum Pre-shared Key Complexity Enable checkbox. It is checked by default.
Step 8 (Optional): Check the Show plain text when edit Enable checkbox to display the pre-shared key in plain text. It is unchecked by default.
Step 9: Select the identifier type for the local network from the Local Identifier Type dropdown. Options include:
- Local WAN IP: Identifies the local network by the WAN IP of the interface.
- IP Address: Identifies the local network by its IP address.
- Local FQDN: Identifies the local network by its FQDN.
- Local User FQDN: Identifies the local network by the user's FQDN (e.g., email address).
Step 10: Enter the identifier for the local network in the Local Identifier field. (Example: 124.123.122.121).
Step 11: From the Local IP Type dropdown, select the IP address type that VPN clients can access. Options are:
- Subnet: Allows remote VPN clients to access hosts within a specified subnet.
- IP Address: Allows remote VPN clients to access a specific host by its IP address.
- Any: Allows remote VPN clients to access any host.
Step 12: Enter the IP address of the network or host that VPN clients will access in the IP Address field. (Example: 10.10.10.1).
Step 13: Enter the subnet mask for the IP address in the Subnet Mask field. (Example: 255.255.255.0).
Step 14: Select the Remote Identifier Type from the dropdown. Options are:
- Remote WAN IP: Identifies the remote network by the WAN IP of the interface.
- Remote FQDN: Identifies the remote network by its FQDN.
- Remote User FQDN: Identifies the remote network by the user's FQDN.
Step 15: Enter the WAN IP address of the remote router in the Remote Identifier field. (Example: 124.123.122.123).
Step 16: From the Remote IP Type dropdown, select the network type that the local network needs to access. Options are:
- IP Address: Allows local hosts to access a remote host with a specific IP address.
- Subnet: Allows local hosts to access resources on remote hosts within a specified subnet.
- Any: Allows local hosts to access remote hosts using any IP address.
Step 17: Enter the LAN IP address of the remote network in the IP Address field. (Example: 192.168.2.1).
Step 18: Enter the subnet mask for the remote network in the Subnet Mask field. (Example: 255.255.255.0).
Step 19: Click Apply.
Step 20: Click Save.
At this point, the VPN settings should be configured on the local router.
Remote Router Configuration
Step 1: Identify the VPN settings of the local router. This includes:
- Interfaces used for the VPN connection on both local and remote routers.
- WAN IP addresses of the local and remote routers.
- LAN addresses and subnet masks of the local and remote networks.
- Pre-shared key, password, or certificate for the VPN connection.
- Security settings of the local router.
- Firewall exceptions for the VPN connection.
Step 2: Log in to the router's web-based utility and navigate to VPN > IPSec Profiles.
Step 3: Configure the VPN security settings on the remote router to match those of the local router. Refer to the relevant guide if needed.
Step 4: On the local router's web-based utility, navigate to VPN > Site-to-Site.
Step 5: Click the plus icon [+] to add a new connection.
The Site to Site Table will display columns for Connection Name, Remote Endpoint, Interface, IPsec Profile, Local Traffic Selection, and Remote Traffic Selection.
Step 6: In the Basic Settings tab, ensure the Enable checkbox is selected (checked by default).
- Connection Name: Enter a name for the VPN connection. Note that the connection name on the remote router may differ from the one specified on the local router. (Example: TestVPN).
- IPsec Profile: Select the IPsec profile. These options depend on the created IPsec profiles. Instructions for creating an IPsec profile are in a separate guide. (Example selects CiscoTestVPN).
- Interface: Choose the interface the remote router will use for the VPN connection. Options are similar to the local router (WAN1, WAN2, USB1, USB2). (Example selects WAN1).
- Remote Endpoint: Select the identifier type for the local router's WAN interface. Options are similar to the local router (Static IP, FQDN, Dynamic IP). (Example selects Static IP. The interface identifier on the remote router should match the local router's).
Step 7: Enter the WAN IP address of the local router. (Example: 124.123.122.121).
Step 8: Select the desired Internet Key Exchange (IKE) authentication method. Options are Pre-shared Key or Certificate. (Example selects Pre-shared Key).
Step 9: Enter the pre-shared key for the VPN connection in the Pre-shared Key field. (Example: A series of dots representing a password).
Step 10 (Optional): Uncheck Minimum Pre-shared Key Complexity Enable if a simple password is desired.
Step 11 (Optional): Check Show plain text when edit Enable to display the pre-shared key in plain text.
Step 12: Select the Local Identifier Type from the dropdown for the remote router's perspective on the local network. Options include:
- Remote WAN IP: Identifies the local network by the WAN IP of the interface.
- IP Address: Identifies the local network by its IP address.
- Remote FQDN: Identifies the local network by its FQDN.
- Remote User FQDN: Identifies the local network by the user's FQDN.
Step 13: Enter the identifier for the local network in the Local Identifier field. (Example: 124.123.122.123).
Step 14: From the Local IP Type dropdown, select the IP address type that VPN clients can access. Options are Subnet, IP Address, IP Group, GRE Interface, or Any. (Example selects Subnet).
Step 15: Enter the IP address of the network or host that VPN clients will access in the IP Address field. (Example: 192.168.2.1).
Step 16: Enter the subnet mask for the IP address in the Subnet Mask field. (Example: 255.255.255.0).
Step 17: Select the Local Identifier Type from the dropdown. Options are Remote WAN IP, Remote FQDN, or Remote User FQDN. (Example selects Remote WAN IP).
Step 18: Click Apply.
Step 19: Click Save.
You should now have the VPN settings configured on the remote router.
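A consistency check for the two routers' entries, covering the settings listed in Step 1 of the remote router configuration and the different-subnet requirement from the Important Note. This is an added example, not part of the original article or of any Cisco tool. The SiteToSite class and check_pair function are hypothetical names, the values are typed in by hand from each router's web-based utility, and the pre-shared key and the remote router's Remote Identifier and remote traffic selection are constructed.

```python
import hmac
import ipaddress
from dataclasses import dataclass

@dataclass
class SiteToSite:
    """Hypothetical model of one router's Site-to-Site entry (not a Cisco API)."""
    wan_ip: str           # this router's own WAN address
    remote_endpoint: str  # Remote Endpoint, Static IP
    psk: str              # Pre-shared Key
    local_id: str         # Local Identifier
    remote_id: str        # Remote Identifier
    local_net: str        # Local IP Type = Subnet, "address/mask"
    remote_net: str       # Remote IP Type = Subnet, "address/mask"

def net(selector):
    # strict=False lets a host address such as 192.168.2.1 stand for its subnet
    return ipaddress.ip_network(selector, strict=False)

def check_pair(local, remote):
    """Return the mismatches between the two ends; an empty list means they mirror."""
    problems = []
    for name, x, y in (("local", local, remote), ("remote", remote, local)):
        if x.remote_endpoint != y.wan_ip:
            problems.append(f"{name}: Remote Endpoint is not the peer's WAN IP")
        if x.remote_id != y.local_id:
            problems.append(f"{name}: Remote Identifier is not the peer's Local Identifier")
        if net(x.remote_net) != net(y.local_net):
            problems.append(f"{name}: remote traffic selection is not the peer's local one")
    # The key must be identical on both ends
    if not hmac.compare_digest(local.psk.encode(), remote.psk.encode()):
        problems.append("pre-shared keys differ")
    # Same or overlapping LANs: the router will not send traffic over the VPN
    if net(local.local_net).overlaps(net(remote.local_net)):
        problems.append("LAN subnets overlap")
    return problems

# Addresses from the page's examples; the PSK and the remote router's
# remote-side fields are constructed for this example.
PSK = "EXAMPLE-psk-placeholder"
LOCAL = SiteToSite("124.123.122.121", "124.123.122.123", PSK,
                   "124.123.122.121", "124.123.122.123",
                   "10.10.10.1/255.255.255.0", "192.168.2.1/255.255.255.0")
REMOTE = SiteToSite("124.123.122.123", "124.123.122.121", PSK,
                    "124.123.122.123", "124.123.122.121",
                    "192.168.2.1/255.255.255.0", "10.10.10.1/255.255.255.0")

if __name__ == "__main__":
    print(check_pair(LOCAL, REMOTE) or "both ends mirror each other")
```

The IPsec profile parameters must also match on both routers; they are not modelled here because the page does not list them.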