
2 WRV54G VPN setup HELP!

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by jackncoke, Apr 3, 2005.

  1. jackncoke

    jackncoke Network Guru Member


    I'm a PC tech that's way in over my head. I have a client that I've promised a VPN to, and some functionality and features that I'm not really sure how to set up and implement. As a consultant/tech for mainly SOHO offices, I'm pretty familiar with networking; however, this one goes way over my head.

    The situation: the client's got 2 offices, 50 miles apart, that use a server/client application where the data is stored in plaintext in a folder on the c:\ drive on the server. The application does work over a network; I've had success mapping the data folder from the server to peer clients on the LAN. Basically, in a single office environment, the program works perfectly, as it should. From my rudimentary knowledge of VPNs, I should be able to set up a tunnel between the 2 offices where they can access the data via mapped folders, and thus be able to use the application. In addition, they should be able to get on the 'net without any problems without taking down the tunnel. The tunnel must be up at all times, and their PCs, shared folders and connected printers should be available from either end. After figuring out what they wanted, I went ahead and purchased 2 Linksys WRV54Gs, even though the RV042s plus a WiFi AP would be better.

    The setup: In office #1 (home) - Comcast HSI cable, averaging 3mbps/400kbps. The server is running XP Pro, SP2. There is an HP AIO plugged directly into the server, but it's got a print server built in, so that may be used in the future. The data, of course, is stored here on the server. Their WAN IP changes once every 100 hours, so I've set up a dyndns account which should track the WRV54G. In office #2, they've got 2 XP Pro SP2 systems, and the same Comcast setup. An HP printer has been plugged directly into one of the PCs, and is shared on the LAN. Of course, a separate dyndns account has been used for this router. On both ends, the LAN has been configured statically, beginning with (.1 is the router) There are also 2 XP Pro SP2 laptops, and we've purchased USBVPN1s for both, just in case they travel, or go to a remote location with broadband access. Because they're portable, they could be used in either location, and access the data from the server over the VPN. Obviously, when they're on the same LAN as the server, there will be no issues. The firmware on both 54Gs has been upgraded to 2.37.

    I'd like it set up so that the user can sit at the office at any PC behind the router, go into My Network Places, see the shared folders from home, and map them as a drive in My Computer. Once the drives are mapped, I can pretty much handle it from there. They should also be able to simultaneously surf the 'net, and print to the shared printers, both on the local and remote LANs. They should have the same functionality from home.

    The Question - first, money is no object, within reason. We went with the '54G because space is limited, but I did mention that the RV042s and a separate access point would be a better choice. As of right now, I've got both set up for 'net access, but can't ping either end (xxx.dyndns.org). Am I missing something? I've even tried taking one of the 54Gs home, where I've got 6mbps SDSL with 5 static IPs, no dice (yes, the ddns is off at home), and can't even get into the configuration, even with remote administration on at port 8080. I'm sure that in order to see the PCs and folders, there should be some port forwarding, but they should be able to connect a tunnel first. It says the tunnel is connected, and from what I understand, everything is configured correctly. I'd rather not use a software solution as the VPN should be transparent, and must be up all day long. However, at this point, I'm willing to try just about everything - software, RV042s...

    Sorry for the long post, I'm just looking for a little guidance and suggestions from someone who's done something like this before. Any help would be appreciated, and don't hesitate to tell me if my VPN solution is way out of line and impossible. BTW, what's the difference between a VPN gateway, and a VPN tunnel?

  2. H2O_Goalie

    H2O_Goalie Network Guru Member

    OK...let's see:

    1. You can't ping the router because most likely you've got the feature enabled that drops unknown Internet requests. This is a good thing, it keeps random people from doing a ping scan and finding you...which essentially gives them a target. In short, don't worry about not being able to ping the other router. It's enough to see that DNS is resolving the name. If the tunnel should drop or you want to test connectivity, just ping one of the PCs on the other end of the tunnel.

    2. I would strongly suggest that you re-address at least one of the networks. I suspect that you may end up with some problems if both nets have the same IP scheme (right down to the router's IP). You might go with one net as 192.168.1.x and the other as 192.168.2.x, both with 24-bit subnet masks.

    3. Since you're working with a VPN tunnel, you most definitely SHOULD NOT have any kind of port forwarding enabled for Windows shares, unless you want those shares open to the whole world. Go into the advanced VPN setup (you'll see the button on the VPN setup screen) and enable NetBIOS broadcast. This will allow the PCs/printers to "advertise" their shares over the tunnel (normally the router/tunnel would drop this broadcast traffic) and should allow you to browse shared resources at both ends of the tunnel.

    4. Assuming that the laptops are not hosting anything vital (files or printers) and are just clients, I'd probably go ahead and set them up to use DHCP, and allow the routers on each end to dole out a few IPs via DHCP. This will keep the laptop users from having to manually re-address them all the time.

    5. If you've read about the WRVs at all in this forum, you've seen that there is a serious (read: fatal) issue with its ability (or lack thereof) to deal with NAT-T. This will result in your laptops being unable to raise a VPN tunnel when they're on the road (unless they get public IPs). Some have reported success with the QuickVPN client, but I can't speak to that as I haven't tried it. Nor have I used the USBVPN1. My attempts have been with the native XP implementation of IPSec...which works with earlier Linksys products (BEFVP41) but not the newer Linksys boxes (which have NAT-T issues). I'm not sure if this is also a problem with the RVs, but I suspect it probably is.

    You may also want to update the hosts and lmhosts files on all PCs to reflect the network architecture...it certainly won't hurt anything. The only PITA about that is you'll have to keep the files up-to-date and identical on all PCs. But that's really not that big a deal.

    If I were you...in the sense that if I had to make this work to collect a paycheck and keep my professional reputation...I'd do whatever it takes to find 2 BEFVP41s and couple them with a WRT54GS each. The VP41 is a much more (IMO) stable VPN platform. The combination I mention is precisely what I run in my home office, and I have seamless access to both my work HQ (in Vancouver BC) and my home network (when I go on the road). I have never had a single problem making the VP41 tunnels work.

    I bought the WRV with the intention of replacing the VP41 (adding integrated wireless in the bargain) and have had nothing but disappointment and problems with it. I have put the VP41 back in place and added the WRT54GS...and now I've got what I wanted when I purchased the WRV.
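    The three network-design points in this reply (readdress one LAN so the two sites don't overlap, never port-forward Windows file sharing to the Internet, carry NetBIOS broadcasts over the tunnel instead) can be checked mechanically before anything is plugged in. The script below is an added example, not code from the thread or from Linksys; the two-office configuration it audits is constructed, and the site names, subnets and port-forward entries are assumptions.

```python
# Added example (not from the forum thread): audit a two-site tunnel plan
# against the advice in the reply above. Sample config values are constructed.
import ipaddress

# NetBIOS name/datagram/session services and direct-hosted SMB.
SMB_PORTS = {137, 138, 139, 445}

# Constructed config for the two offices; mirrors the original poster's
# situation (both LANs identically addressed) plus one bad port forward.
SITES = {
    "office1": {
        "lan": "192.168.1.0/24",
        "router_ip": "192.168.1.1",
        "port_forwards": [  # (wan_port, lan_host, lan_port)
            (445, "192.168.1.10", 445),      # would expose file sharing
            (8080, "192.168.1.1", 8080),     # remote admin, not SMB
        ],
        "vpn_netbios_broadcast": False,
    },
    "office2": {
        "lan": "192.168.1.0/24",
        "router_ip": "192.168.1.1",
        "port_forwards": [],
        "vpn_netbios_broadcast": True,
    },
}


def audit(sites):
    """Return a list of (severity, where, message) findings for a site-to-site plan."""
    findings = []
    nets = {name: ipaddress.ip_network(cfg["lan"]) for name, cfg in sites.items()}
    names = sorted(nets)
    # Overlapping LANs: the router cannot tell local from remote destinations.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(("high", f"{a}/{b}",
                                 f"LAN subnets overlap ({nets[a]} vs {nets[b]}); readdress one side"))
    for name, cfg in sites.items():
        if ipaddress.ip_address(cfg["router_ip"]) not in nets[name]:
            findings.append(("high", name, "router IP is outside its own LAN subnet"))
        # Shares must travel inside the tunnel, never through a WAN port forward.
        for wan_port, host, lan_port in cfg["port_forwards"]:
            if wan_port in SMB_PORTS or lan_port in SMB_PORTS:
                findings.append(("high", name,
                                 f"port forward {wan_port}->{host}:{lan_port} exposes Windows file sharing to the Internet"))
        if not cfg["vpn_netbios_broadcast"]:
            findings.append(("medium", name,
                             "NetBIOS broadcast over the tunnel is off; browsing remote shares will fail"))
    return findings


def suggest_readdress(sites, pool="192.168.0.0/16"):
    """Keep the first site's LAN and assign the next free /24 above it to any site that overlaps."""
    used, plan = [], {}
    for name in sorted(sites):
        net = ipaddress.ip_network(sites[name]["lan"])
        if any(net.overlaps(u) for u in used):
            net = next(c for c in ipaddress.ip_network(pool).subnets(new_prefix=24)
                       if all(c.network_address > u.network_address for u in used)
                       and not any(c.overlaps(u) for u in used))
        used.append(net)
        plan[name] = str(net)
    return plan


if __name__ == "__main__":
    for severity, where, msg in audit(SITES):
        print(f"[{severity}] {where}: {msg}")
    print("suggested addressing:", suggest_readdress(SITES))
```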
  3. H2O_Goalie

    H2O_Goalie Network Guru Member

    And you're welcome to send my percentage (10%) of your fee to me here in Memphis.


    And just a quick note: I'm using v1 on the BEFVP41...there is also a v2 which I haven't used and can't speak to.

    Jack...if you have any questions, just shoot me a PM or an email.
  4. rzeronine

    rzeronine Network Guru Member


    Like you, I'm trading my WRV54G for a more stable BEFVP41 and an access point. I'm thinking of pairing it with a WAP54G. I don't understand why you paired yours with a WRT54GS, another router but with a built-in access point. How did you set up a router-to-router network? I'm interested in your setup. Any help from you would be greatly appreciated.

  5. H2O_Goalie

    H2O_Goalie Network Guru Member

    OK...why did I use a WRT54GS instead of a WAP? A couple of reasons:
    1. It was on sale.
    2. When the Sveasoft guys get Talisman out and stable, it'll have IPSec VPN endpoint functionality...and will work in the WRT54GS. Which will give me the box I wanted when I bought the WRV.

    I'm a little unclear on your second question. How to set up a router-to-router network...are you talking about the VPN tunnel (endpoint-to-endpoint) or the fact that I have the VP41 plugged into the WRT? Clarify your question and I'll be happy to answer.
  6. H2O_Goalie

    H2O_Goalie Network Guru Member

    Jack...one other item worth noting. The USBVPN1 depends on a wired ethernet connection to the Internet...and assuming that a wired connection will be available is not wise.

    In my experience most hotels, airports, coffeehouses, etc. that offer broadband access are using wireless. Right there, that kills any use for the USBVPN1. And most corporate (i.e. office) networks that I've had occasion to put my laptop on do not allow VPN passthrough at their firewalls...so again, you're toasted.

    Working under the assumption that you get an endpoint router that will work properly with NAT-T (like the VP41)...all you really need to do is set up the XP implementation of IPSec. That'll handle tunnel-bound traffic with minimal user intervention.

    There is always the option of using the QuickVPN client on the laptop...but again, that's not something I've tried (nor do I plan on it).
  7. rzeronine

    rzeronine Network Guru Member


    Sorry my second question was unclear. When I mentioned router-to-router setup, I was referring to the fact that you have plugged the VP41 into the WRT. I'm no expert on networks but in my experience, I think that setup would get you two subnets.

    Your answer would really help me decide on what unit to buy.


  8. H2O_Goalie

    H2O_Goalie Network Guru Member

    No prob.

    OK...what you need to do is have the BEFVP41 in place as the "Gateway" (Linksys's terminology)...that is, your Internet connection (presumably from a cable modem) is plugged into the WAN port on the VP41. Set up the VP41 as normal, and test it out to make sure you've got Internet access. All of this is perfectly normal, everyday setup stuff.

    Then, on the WRT54GS (in my case), go into the "Setup/Advanced Routing" screen. You'll see a drop-down box labeled "Operating Mode". Change the mode from "Gateway" to "Router". In the "Setup/Basic Setup" screen, leave the "Internet Connection Type" set to "Automatic DHCP", and in the "Network Setup" area, give the router an IP address on the local subnet and configure the subnet mask. Please note that you will not be using the WRT's WAN port. If you did...THEN you could potentially end up with 2 subnets, as well as some weird NAT and firewall issues between anything connected to the WRT (either wired or wireless) and stuff connected to the VP41 (wired PCs and your Internet connection).

    When you plug the WRT into the VP41, just run a cat5 cable from one of the normal ethernet ports on the WRT (NOT the WAN port) into the uplink port on the VP41 (my VP41 has a switch where I can designate one of its ethernet ports as either a straight-through or a crossover/uplink port). You could also use a crossover cable if you wanted to (if you have some problem identifying the uplink port on the VP41).

    You don't need to enable dynamic routing or anything else on the WRT (though I guess you could). When you set this up, you'll see that the WRT's routing table knows about the network it's on (which contains the VP41...the "Gateway" to the Internet) and where to forward packets destined for that network. Since your wireless clients will have the correct address of the "Gateway" (VP41) either hard-coded into their TCP/IP settings or receive it via DHCP (by the way, disable DHCP on the WRT but enable it on the VP41 if you use DHCP) the WRT will just forward those packets out the appropriate interface when received.

    Trust me, it works. I'm posting this via my laptop, which is connected with this setup. If I've confused you, let me know and I'll try to straighten you out.
  9. rzeronine

    rzeronine Network Guru Member

    One of the VP41's ethernet ports can be configured as an uplink port?

    Does this setup temporarily turn your WRT into a plain wireless access point?
  10. H2O_Goalie

    H2O_Goalie Network Guru Member

    You've got the idea.

    Yes, my VP41 has an uplink port (actually, one port that has a switch...flip the switch one way and it's an uplink, flip it the other and it's a normal ethernet port). But even if your VP41 doesn't, all you need is a "crossover" cable.

    And yes, essentially the way I have it set up the WRT just becomes a regular wireless AP. With the added benefit that when the Sveasoft firmware is finished, I'll be able to flash it and have a VPN endpoint router (what the WRV is supposed to be).
  11. rzeronine

    rzeronine Network Guru Member

    Cool! So your VP41 is a special one.

    Is Sveasoft anywhere close to finishing that firmware? And will it work only for the WRT54GS?
  12. H2O_Goalie

    H2O_Goalie Network Guru Member

    I don't think my VP41 is special...it's the only one I've ever used. I assume all of the other ones have the same switch mine does...or at least an uplink port.

    The Sveasoft firmware in question...Talisman...is being worked on right now. It's my understanding that the release date was already pushed back once...I think/hope that it'll be out soon. And from what I understand, the Talisman firmware will run in the WRT54G and WRT54GS.
  13. rzeronine

    rzeronine Network Guru Member

    On any hardware version of WRT54G?
  14. H2O_Goalie

    H2O_Goalie Network Guru Member

    That's my understanding...but since I'm not involved in the Sveasoft project, you may want to double-check at their site.
  15. jackncoke

    jackncoke Network Guru Member

    Sorry for the late reply...

    ...but I was sleeping and lagging all day long. I'm pretty much nocturnal.

    Back to the subject at hand...wow. Thanks for such a quick reply. I read your posts last night, and will be following your advice about ditching the WRV54G's; here's why:

    1) One of 'em doesn't work correctly. When the client and I first discussed hardware, he was adamant that it be an all-in-one unit. I told him about the reviews I had read, the negative gossip from fellow techs...and in the end, it was the sum of all the features in one little box that made up his mind. He purchased them from Fry's, (dunno if you've got them out there) which is an amazing store - if it plugs in or needs batteries, they probably sell it. It's one of my favorite stores around here, but they've got one major flaw, which you'll immediately notice if you walk into one - the line for returns is usually longer than the line for the cash registers. Not a good thing, since returned (and broken) products are simply shrink wrapped and placed back on the shelf for the next sucker. Sometimes it's great - because they have such a lenient return policy, I'm always purchasing something I don't need and can't afford, only to use and return it a few weeks later. So, when the client was looking for the WRV54G's, he went there, and purchased ones that were used and returned for $170 each. The one sitting in front of me works fine, the other one refuses to do a hard reset, (30+ seconds on the reset button) crashes frequently under load, and has a bent TNC connector, with the center pin missing.

    2) I did a little research on NAT-T, and from what I understood, yes, it'd be nice to have better support there.

    3) There were more reasons...but I can't remember them. See what 3 hours of sleep does?

    As for the USBVPN1...when the client and I originally assessed his needs, he stated that he simply wanted to be able to access his VPN from any broadband connection, especially hotels. So, I got in touch with an old friend who has some experience in the hospitality industry. While he said some hotels do offer Wi-Fi, the ones at resort locations or in the 'burbs mostly offer ethernet only. After reflecting on my experiences with the client, I remembered that we'd always go to good old Starbucks before we'd talk business. His favorite lunchtime restaurant is also right next to a T-Mobile. Starbucks + T-Mobile = free Wi-Fi. So this afternoon, I walked down to the local 'bucks, laptop in hand. Lo and behold, the QuickVPN worked. 2 grande frappuccinos and a few cigarettes later, I was still on, playing with the configuration on the working, albeit slow, VPN. I'm not sure how or why I got it to work, it just did. When I tried to duplicate the feat later at a friend's house, it didn't work. In short, the USBVPN1 is probably unnecessary, and will be returned ASAP.

    So, tomorrow I'm trotting down to Fry's to make some returns, and will be purchasing 2 BEFVP41's. Of course, I'll be implementing some of your advice.

    I do have some burning questions:

    1) RV042 vs. BEFVP41 - You've had some good success with the BEFVP41's, but aren't RV042's kind of an industry standard in the SOHO world?

    2) I played around with a BEFSX41 today - under the security > VPN tab, there's an option to view the VPN tunnel summary - it lists, among other things, if a tunnel is up or not. On the WRV54G, I couldn't find anything like that. The button simply said "disconnect," which would lead me to believe that it's up...but talking to what? Does the BEFVP41 have a summary/log function for VPN status?

    3) Do you (or anyone out there) have any clue as to the difference between the VPN tunnel & VPN gateway radio boxes?


    BTW - The client happens to be an acquaintance to whom I owe a BIG favor, so I told him I'd do this job for payback only. I accepted his offer to gain some VPN experience & knowledge. So, next time I'm in TN, I'll buy you a pint; or I can donate some money in your name, seeing as how valuable a resource this forum is! Cheers!
  16. H2O_Goalie

    H2O_Goalie Network Guru Member

    I'll see if I can't offer you answers to some of your questions:

    1. VP41 vs. RV series - the RVs are fairly new from what I understand. The VP41 dates from when Linksys was a wholly owned subsidiary of Linksys (i.e. pre-Cisco). I suspect that the success people have had with the RVs is via QuickVPN...not something I plan on playing with. I am only interested in XP's native IPSec. Once it's been set up it's virtually transparent to the user...which is what I want. I can't really speak to the RV's place in the SOHO world, I just don't have experience with them.

    2. Hotels - I don't know where your friend is located...but I spend about 3 nights per week in hotels. I can't even remember the last time I saw a wired ethernet connection at a hotel. Plus when you hit a Starbucks, an airport, a Borders, etc. it's always wireless. Wireless is pretty much the standard. I'd plan for the standard, not the exception. If you set up the native XP IPSec implementation, it'll work for any adapter in the laptop...wired or wireless.

    3. BEFSX41 - also a pre-Cisco device. It will also function as a VPN endpoint...but will only host 2 tunnels. The VP41 will host like 70...plus it has a separate processor to handle the VPN encryption (speeds things up). The pre-Cisco endpoints have that "Summary" tab/button, the Cisco devices don't. I couldn't tell you why they switched. Yes, the VP41 has the same "Summary" button and also has pretty decent logging (a separate log for the VPN).

    4. I have also been trying to figure out what the difference between tunnel and gateway is. I have had some issues when I've clicked the "gateway" radio button...like I've put the router in some kind of loop. No one has been able to tell me what it does or what the difference is.

    I'd go with the VP41s (coupled with a wireless AP if needed) and set up the XP IPSec policy. I think you'll find that to be a good combination. QuickVPN may be the bomb...but as I've not used it and don't plan on using it I really can't tell you much about it.

    Good luck.
  17. TazUk

    TazUk Network Guru Member

    The Quick VPN client will only work on routers which support it, at this time it's the WRV54G and RVxx series. It will not work with the BEFVP41 or BEFSX41. If you don't want to use XP's built in IPSEC client then I've had success with SSH Sentinel and the BEFVP41 :)
  18. jackncoke

    jackncoke Network Guru Member

    She's ALIVE!

    Ohhh yeah.

    It's up and working. I've already transferred a few gigs of stuff back and forth, with no problems or disconnects. I'll keep transferring stuff for the next 24hrs just to make sure...

    H20, good call on those BEFVP41's - they're great. Not only am I able to connect gateway to gateway, but I tried Greenbow from a friend's house - worked nicely. Since Greenbow works...the USBVPN1 gets returned.

    I do have 2 questions/complaints -

    1) The BEFVP41 seems to have problems obtaining an IP via DHCP on Comcast. I've looked around, and it seems others are having the same issues. Even after being power cycled, it takes a few release/renews to get an IP; it keeps giving me an IP of; and eventually gives me the correct WAN IP. Any ideas?

    2) Since I'm new to VPN's...Comcast, while it's advertised as an "unlimited" service, seems to have a cap set at 100GB/month - I've read about and had a friend whose service was cancelled after reaching this "unlimited" cap. While in So. Cal, my old Road Runner service was cancelled after 250GB one month...Question is: The tunnel has to be up 24/7. Is there any data being transmitted, even when the tunnel is up, but not in use?

    For now, everything else seems to be going great.

    Thanks for the help!

  19. H2O_Goalie

    H2O_Goalie Network Guru Member


    Glad to hear that things are now working for you. It's disappointing when you have to go backwards in technology to make things work...but in the end, the fact that it works is all that counts. On to your questions:

    1. That (DHCP issue) sounds more like a problem on your ISP's network than anything else. The 192.168.x.x address you're seeing is (I think) being assigned by your cable modem. It might be worth calling your ISP...perhaps they'll give you a static IP. The same thing has happened to me in the past with various routers (not just VP41s), and after much complaining I got RoadRunner to admit it was a problem on their end.

    2. I've never run into any problem with caps, and I have a couple of tunnels that are "live" at all times. In actuality, I believe that the tunnels drop when no traffic has passed over them for X amount of time (configurable in the VPN properties I think) and then re-establish themselves when the router detects that it's necessary (i.e. there is traffic that needs the tunnel). There is a setting for "keep-alive" in the advanced VPN configuration screen, but I'd leave it alone. Just let the router deal with establishing/tearing down the tunnels as needed.
  20. jlmartinjr

    jlmartinjr Network Guru Member

    VP41 vs SX41

    I already have two BEFSX41s connected at two sites, and I do want greater throughput. The BEFSX seems to have trouble with NetBIOS transfers when I am trying to look at folders with a lot of files and trying to copy info. Would I be better off to just replace the two SXs with VPs and use the SXs at locations that do not need a "constant" connection?

    And am I reading it right that the VP will allow the native client in XP to connect? What about looking at the network neighborhood?

    I have a WRV54G that I have not had any luck with, but the problems caused by it lead me to learn a whole lot more about VPNs than I ever wanted to...
  21. DocLarge

    DocLarge Super Moderator Staff Member Member

    For those of us who haven't given up on the WRV54G, there's been a workaround that someone came up with to allow you to use QuickVPN parameters inside of Greenbow from behind a NAT router and connect to the WRV. Granted, learning the process will take a little bit of time to understand (maybe a day or so) but once you do, you're set. PM me if you're interested in how to do this, because it works.
