
Thread: Cisco VPN 3000 + Linksys DSL Router = trouble

  1. #1
    Ranthum
    Guest

    Cisco VPN 3000 + Linksys DSL Router = trouble

    DSL installed successfully yesterday into the waiting arms of my Linksys Router. As trouble-free as all the claims on this site indicate using 100% factory default settings with PPPoE enabled. Everything worked fine - FTP, ICQ, email, my old VPN software - until I tried installing Cisco's VPN 3000 client today as mandated by my employer.

    Everything else still works, but I am unable to connect using the VPN client. It appears that the VPN tunnel requests make it out of the router and hit the Cisco 3000 concentrator at my company HQ, but nothing makes it back to my PC. My basic understanding is that the VPN client isolates all network traffic on the attached IP to just route through the VPN, so my guess is that information is making it back to the router, but that the router cannot "forward" that info back to the PC.

    I have IPSec passthrough enabled and I have tried various combinations of Linksys settings including forwarding ports 500 and 10000 to the PC, putting the PC in the DMZ, and disabling DHCP on the router. I have also adjusted the MTU between 512 and 1408 to no avail. Linksys, Cisco, and other bulletin boards have not helped.

    Logging from the router shows this incoming activity:

    Source IP      Destination Port Number
    x.xx.xxx.xx    500

    Outgoing activity runs through ports 137, 427, and 500.

    I still need to try dialing in to the corp system to see if the VPN client works then. I suspect it will.

    I read another post about trouble with a Nortel VPN which is still outstanding. Any ideas or personal experience with this configuration?

    Thank you,

    Matt

  2. #2
    Kip Patterson
    Guest


    You may have tried this already - hook a PC directly to the modem and see if it works.

  3. #3
    Bouncer
    Moderator
    Join Date: Oct 1999
    Location: OCONUS
    Posts: 4,834

    If you're using Win2000 you'll need version 3.0 of the client.

    "Client Software: Win95/98, Windows NT4.0
    Release 2.5 of the Cisco VPN 3000 Client does not operate on a Windows 2000 system. Windows 2000 support will be available in Release 3.0."

    You'll need to make sure the following ports are open on the Linksys:

    Service                       Protocol Number   Src    Dest
    PPTP Control Connection       6 (TCP)           1023   1723
    PPTP Tunnel Encapsulation     47 (GRE)          N/A    N/A
    ISAKMP/IPSEC Key Management   17 (UDP)          500    500
    IPSEC Tunnel Encapsulation    50 (ESP)          N/A    N/A

    In addition, if you're standing behind NAT (which I'm guessing you are if you're using the Linksys) then the VPN authentication header may be broken. I'm not a Linksys tech, but you'll have to check to see if they support IPSec and/or PPTP sessions through the router.

    From Cisco:

    "Q) Is network address translation (NAT) a factor for VPN configurations?

    A) The use of NAT has become quite common in cable and DSL deployments in order for multiple machines to share one public IP address. In this scenario, NAT can be compatible with IPSec and PPTP based VPN. However, you should check that the NAT implementation on your DSL/cable modem router has been coded to properly direct IPSec and PPTP packets to their final destinations. This usually requires the DSL/cable modem router to have an internal map containing the source and destination for each IPSec and/or PPTP session. In addition, certain limitations may exist on these routers which prevent multiple IPSec or certain PPTP sessions from connecting to the same VPN server simultaneously. However, for most small/home networks, this particular limitation will not pose a problem."

    Regards,
    -Bouncer-

    ------------------
    "Yeah Baby, YEAH!!!"


  4. #4
    Ranthum
    Guest


    Gentlemen, thank you both for your replies. I appreciate the help and hope the eventual solution will help others.

    For the record, I am using Windows 95 4.00.950 C and Cisco client 2.5.2, so the versions shouldn't be causing the problem.

    This evening, I pulled the PC off the Linksys and attempted to tunnel directly through the DSL modem. This eventually worked - after I stopped running a background BlackIce firewall program that kept killing the incoming UDP traffic from the server. Based on this, I almost thought I deserved an award for being a total ******** for not catching this somewhat obvious omission (although I did consistently shut down the BlackIce program that sits in my system tray).

    Ashamed yet excited that the hidden BlackIce daemon may have been the problem the entire time, I quickly reassembled the network in its previous configuration. Unfortunately, this was not the problem, as it still will not tunnel.

    I am using IPSec as the logging from Cisco shows:

    ISAKMP message not received! Retransmitting last packet!
    SENDING >>> ISAKMP OAK AG (Retransmission) to xx.xxx.xx.xx

    Over and over and over...

    I think the next step is an email to the Linksys folks asking them about the map for IPSec traffic. The router is set up to support IPSec, but the fact that traffic gets out, but doesn't come back to the PC signals this as a possible problem. The strange thing is that neither opening ports 500, 1023, and 1723 nor putting the PC in the DMZ works either. The router admin screens only allow port forwarding for incoming traffic and I'm not sure if there is a link between outgoing and incoming traffic, so that may be one aspect. Also, placing the PC in the DMZ should mean that NAT no longer applies, but I still see no return traffic showing up on any port while the VPN client is attempting to connect.

    Just one question to make sure I am doing this correctly. When talking about ports, that indicates the 500, 1723, and 1023 referred to in Bouncer's post, correct? Port number has nothing to do with the protocol number (6, 47, 17, 50) as it pertains to the settings in the Linksys port forwarding admin screens. You wouldn't enter "17:500" to forward IPSec traffic, right, just "500".

    If any of this additional information sparks ideas, let me know. I'll report back with info from Linksys.

  5. #5
    goz
    Guest


    Did you ever get a resolution for this? I am having the same issue and it's driving me nuts.

    thanks

  6. #6
    goz
    Guest


    Didn't work.

  7. #7
    Overlord66
    Guest


    Have you tried upgrading the firmware to 1.36? That may solve your problems with IPSec.

  8. #8
    Ranthum
    Guest


    Success! Linksys finally responded to my second email request and provided the information to get this working. If anyone comes across this problem in the future, here is the configuration I used to allow the Cisco VPN to work with the Linksys BEFSR41 Router. All router settings besides the ones mentioned are the defaults (except for PPPoE, which I have enabled).

    1) Upgrade the router firmware to the latest version. I have version 1.36.t4, Nov 09 2000, which isn't available yet on the webpage (http://www.linksys.com/download/firmware.asp). I'm not sure if the "t4" designation matters for this application, but I'd be happy to send the firmware to Speedguide for posting if people have problems with the earlier version.

    2) Modify Windows Networking settings. You need to assign a static IP address, subnet, gateway, and DNS settings for this to work. Make a note of your current settings before you make any changes so you can go back if necessary.

    2a) You must first set your LAN adapter up to use a "hard" or static private IP address. (This means that DHCP no longer applies for the machine that uses the VPN client, which was a drag for me since it is a laptop that uses DHCP in other environments. I got a copy of Netswitcher to easily flip the Windows network settings back and forth between "Specify IP Address" and "Obtain IP address automatically".) In the network settings window, open the TCP/IP Properties dialog box for your LAN adapter and make sure you are on the "IP Address" tab. Choose "Specify IP Address" and enter an address in the range 192.168.1.2 through 192.168.1.99 (assuming your router uses 192.168.1.1 and that your subnet is 255.255.255.0).

    2b) Enter a subnet mask that matches the router. Default is 255.255.255.0.

    2c) Go to the "Gateway" tab, enter your router's IP address (default is 192.168.1.1) in the "New Gateway" area and click the "Add" button.

    2d) Go to the "DNS Configuration" tab. Click "Enable DNS". Enter a name for your computer in the "Host" field. This can be whatever name you want. In the "Domain" field, enter the domain of your ISP. This should be whatever comes after the @ in your email address. For example, Pacific Bell DSL would use "pacbell.net". Check with your ISP if you're not sure. Start entering DNS server IP addresses in the "DNS Server Search Order" field. These you can get from your ISP.

    3) Once you have done all this, click OK and reboot your machine. After the reboot, open your browser and make sure you can still access sites on the Internet. If so, it's time to configure the router.

    4) The Cisco client uses the IPSec VPN protocol, so that's what we'll configure here. First, log on to the router through your browser by entering the IP address of the router (192.168.1.1) in your browser Address window.

    5) Once logged on, click on the "Advanced" tab and then click on the "Filters" tab. Towards the bottom, every setting from "Block Wan Request" on down should be set to "Disable" EXCEPT for "IPSEC Passthrough" which should be set to "Enable". Click the "Apply" button to register the settings.

    6) Click the "Forwarding" tab and enter the ports that you want to forward to your VPN client machine. At the risk of being hacked, my configuration uses ports 10000 and 500 to support the Cisco VPN, so I enter "500" in both fields under the "Service Port Range" heading, choose "Both" as the protocol, and then enter the static IP address of my VPN client machine. I did the same thing for port 10000. Do this for each port that needs to be opened up to support VPN. Talk to your VPN admin if you need more help. Once you have all the ports forwarded, click the "Apply" button to save your changes.

    After doing all this, I sparked up the VPN client and to my amazement, was able to connect quite easily. I recently installed the iSpeed program to optimize my Windows registry settings and my machine is now averaging 152KBytes/sec on test downloads from ftp.cdrom.com -- up from 40 KBytes/sec before! I couldn't be happier with the setup.

  9. #9
    mm41731
    Guest

    VPN Woes

    Bought a Linksys wireless VPN router before I realized that my DSL Speedstream modem was a wireless router as well. I'm told that because of this, VPN configuration will only work if I set the DSL modem to bridge mode.

    Tried unsuccessfully (with the help of DSL ISP reps and Linksys reps) to get the VPN router to connect under PPPoE. Even taking the VPN router out of the equation and setting up the modem for wireless connectivity didn't work.

    Gave up on bridge mode, and reconfigured the DSL modem to factory default, using the DSL user logon credentials, etc. Also reconfigured the VPN router back to Automatic DHCP. No problems with Internet connections when that's done.

    IPSEC is already configured on our Windows 2003 server, and also on remote clients. Is there a way to configure the Speedstream modem to publish a public IP to the Internet, even though the Linksys router is in the mix? In the present configuration, the Linksys router is displaying a private IP in the 192 range.

    If I understand this correctly, I need my remote clients to see a public IP for VPN connections to be made. If there is no way to have this work under two NATs (Linksys router and DSL modem/router), my only other option is to have the DSL ISP send me out a standard DSL modem, which they said they could do. This way, I wouldn't have to worry about any router issues on the modem.

    Any ideas from you guys would be greatly appreciated.

  10. #10
    YeOldeStonecat
    Moderator
    Join Date: Jan 2001
    Location: Somewhere along the shoreline in New England
    Posts: 51,048

    Anytime I'm doing a setup for a client, and the ISP has shipped a modem which is also running as a router (NAT)...and I need to use our own router for some purpose (like a Sonicwall SOHO for a VPN)...I always flip the modem that the ISP provided to pure bridged mode. Otherwise you end up double NAT'ing, and that, as you found out, can lead to various issues. You should be able to turn off the router mode on that ISP provided device, turn it into a pure modem/bridge.

    MORNING WOOD Lumber Company
    Guinness for Strength!!!
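The three threads of advice above (Bouncer's point in #3 that port-based NAT has nothing to match ESP replies on, Ranthum's working recipe in #8 of a static LAN address plus forwarding UDP 500 and 10000, and YeOldeStonecat's bridge-mode advice in #10) all come down to how a small NAT router decides where an inbound packet goes. The Python below is an added example written for this thread, not code from Linksys, Cisco or any poster: a toy port-based NAT with an optional "IPSec passthrough" flag and a static forwarding table, run through each of the situations the thread describes. The addresses, the passthrough rule (keyed on the remote peer only; real routers also track the SPI) and the use of UDP port 10000 as the Cisco client's IPSec-over-UDP encapsulation port are assumptions of the model.

```python
"""Toy port-based NAT (NAPT) showing why a VPN client behind a home router needs
IPSec passthrough, or UDP-encapsulated IPSec plus port forwarding to a fixed LAN
address, and why a second NAT in front (ISP modem in router mode) breaks it.
Constructed model and addresses; not Linksys or Cisco code."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

UDP, ESP = 17, 50  # IP protocol numbers, as in Bouncer's table
# Constructed addresses (documentation ranges), not taken from the thread.
PC, ROUTER_WAN = "192.168.1.50", "10.0.0.2"
MODEM_WAN, CONCENTRATOR = "203.0.113.7", "198.51.100.9"


@dataclass(frozen=True)
class Packet:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None  # None for ESP: no transport header, so no ports
    dst_port: Optional[int] = None


class PortNat:
    """Minimal NAPT: an outbound flow gets a public port; replies are matched on it."""
    def __init__(self, public_ip: str, ipsec_passthrough: bool = False,
                 forwards: Optional[Dict[Tuple[int, int], str]] = None):
        self.public_ip = public_ip
        self.ipsec_passthrough = ipsec_passthrough
        self.forwards = forwards or {}  # (proto, public port) -> LAN ip: the "Forwarding" tab
        self.out_map: Dict[Tuple[int, str, int], int] = {}
        self.in_map: Dict[Tuple[int, int], Tuple[str, int]] = {}
        self.esp_peer: Dict[str, str] = {}  # remote ip -> LAN ip, kept only with passthrough
        self.next_port = 1024

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto == ESP:
            if self.ipsec_passthrough:  # simplification: real routers also track the SPI
                self.esp_peer[pkt.dst_ip] = pkt.src_ip
            return Packet(ESP, self.public_ip, pkt.dst_ip)
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(pkt.proto, self.next_port)] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        return Packet(pkt.proto, self.public_ip, pkt.dst_ip, self.out_map[key], pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet as delivered on the LAN, or None if the router drops it."""
        if pkt.proto == ESP:
            lan_ip = self.esp_peer.get(pkt.src_ip) if self.ipsec_passthrough else None
            return Packet(ESP, pkt.src_ip, lan_ip) if lan_ip else None
        if (pkt.proto, pkt.dst_port) in self.in_map:  # reply to a flow a LAN host opened
            lan_ip, lan_port = self.in_map[(pkt.proto, pkt.dst_port)]
            return Packet(pkt.proto, pkt.src_ip, lan_ip, pkt.src_port, lan_port)
        lan_ip = self.forwards.get((pkt.proto, pkt.dst_port))
        if lan_ip:  # unsolicited, but statically forwarded
            return Packet(pkt.proto, pkt.src_ip, lan_ip, pkt.src_port, pkt.dst_port)
        return None


def isakmp_roundtrip(nat: PortNat) -> bool:
    out = nat.outbound(Packet(UDP, PC, CONCENTRATOR, 500, 500))
    reply = nat.inbound(Packet(UDP, CONCENTRATOR, out.src_ip, 500, out.src_port))
    return reply is not None and reply.dst_ip == PC and reply.dst_port == 500


def esp_roundtrip(nat: PortNat) -> bool:
    out = nat.outbound(Packet(ESP, PC, CONCENTRATOR))
    reply = nat.inbound(Packet(ESP, CONCENTRATOR, out.src_ip))
    return reply is not None and reply.dst_ip == PC


def udp10000_unsolicited(nat: PortNat, lan_host: str) -> bool:
    """Concentrator sends IPSec-over-UDP to port 10000 before any mapping exists."""
    reply = nat.inbound(Packet(UDP, CONCENTRATOR, nat.public_ip, 10000, 10000))
    return reply is not None and reply.dst_ip == lan_host


def esp_double_nat(modem_bridged: bool) -> bool:
    """Linksys (passthrough on) behind an ISP modem that is itself doing NAT."""
    linksys = PortNat(ROUTER_WAN, ipsec_passthrough=True)
    hops = [linksys] if modem_bridged else [linksys, PortNat(MODEM_WAN)]  # stock modem NAT
    out = Packet(ESP, PC, CONCENTRATOR)
    for nat in hops:  # LAN -> Linksys -> modem -> Internet
        out = nat.outbound(out)
    reply: Optional[Packet] = Packet(ESP, CONCENTRATOR, out.src_ip)
    for nat in reversed(hops):  # Internet -> modem -> Linksys -> LAN
        reply = nat.inbound(reply) if reply else None
    return reply is not None and reply.dst_ip == PC


def run_scenarios() -> Dict[str, bool]:
    plain = PortNat(ROUTER_WAN)
    passthru = PortNat(ROUTER_WAN, ipsec_passthrough=True)
    forwarded = PortNat(ROUTER_WAN, forwards={(UDP, 500): PC, (UDP, 10000): PC})
    return {
        "isakmp_plain_nat": isakmp_roundtrip(plain),  # UDP has ports to map
        "esp_plain_nat": esp_roundtrip(plain),  # nothing to look the reply up by
        "esp_passthrough": esp_roundtrip(passthru),
        "udp10000_no_forward": udp10000_unsolicited(plain, PC),
        "udp10000_forwarded": udp10000_unsolicited(forwarded, PC),
        "udp10000_stale_dhcp_lease": udp10000_unsolicited(forwarded, "192.168.1.51"),
        "esp_modem_in_router_mode": esp_double_nat(modem_bridged=False),
        "esp_modem_bridged": esp_double_nat(modem_bridged=True),
    }
```

Calling run_scenarios() reproduces the thread's symptoms: ISAKMP on UDP 500 gets out and back through plain NAT, but an ESP reply has no port for the router to match and is dropped unless passthrough has recorded which LAN host started the exchange. Cisco's UDP-10000 encapsulation gives the reply a port again, which is why a static forward to the client machine works; the "stale_dhcp_lease" case shows why that forward must point at a fixed address, and the double-NAT cases show why an ISP modem left in router mode swallows the reply before the Linksys ever sees it.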
