Cisco VPN Server Behind DD-WRT Firmware Router

Discussion in 'DD-WRT Firmware' started by chanchiya, Jun 21, 2007.

  1. chanchiya

    chanchiya Network Guru Member

    I am new to the forums and haven't done much posting in the past so any constructive criticism on etiquette would be appreciated!

    My end goal is to have a Cisco VPN Client connect through the Internet to a Cisco 2800 router that is sitting behind a SoHo router that is doing NAT (basically to my home through my ISP).

    I currently have a Cisco 2800 server that I am using to make a VPN connection to. This works fine from Cisco VPN client on a Windows PC when there is no Linksys router in between but fails when I place a Linksys BEFSR41 in between the Windows PC and the Cisco 2800.

    I have enabled VPN Passthrough on the Linksys BEFSR41, and enabled port forwarding on it for UDP 500 and TCP/UDP 4500. The Cisco 2800 is set to do nat keepalives and also to do udp encapsulation.

    The Cisco 2800 complains with ISAKMP errors which I believe are due to the Linksys BEFSR41 not passing ESP (IP Protocol 50) and AH (IP Protocol 51) packets correctly.

    Since the Linksys BEFSR41 does not seem to be working with VPN Passthrough, I am looking for alternatives and thought about using DD-WRT. I cannot confirm with all my Googling whether DD-WRT on a Linksys WRT54G(S) will allow this setup to work or not and was hoping someone on these forums has some prior experience with this.

    Any help that anyone can give would be greatly appreciated! I hope I have given enough information, but if not, please let me know and I will try to provide anything else that is needed. Thanks everyone!
     
  2. ifican

    ifican Network Guru Member

    VPN passthru is for clients behind the router going in the outbound direction. Why can't you put the 2800 on the border so you can connect to it and then run your NAT'd internal network behind it? There are a couple of ways to get it to work: you need to create a one-to-one NAT mapping, not sure you can do it with the BEF, so maybe putting it in the DMZ or turning NAT off and using the BEF as a router (but then again why not just put the 2800 in its place). The reason you are having this issue, as you have discovered, is that the BEF has no idea what to do with the IPsec (protocol 50) traffic when it hits the WAN interface.
     
  3. chanchiya

    chanchiya Network Guru Member

    ifican, thank you for your response!

    Putting the 2800 in front is what I would do, but there are circumstances that require having a simple SoHo router like the BEFSR41 connected directly to the ISP.

    I have turned on UDP encapsulation on the Cisco 2800. Perhaps my understanding is incorrect, but why do I need to even worry about protocol 50 and 51 if everything is UDP encapsulated? Should this not abstract out everything other than the fact that a router must be able to forward UDP packets by port number and the Cisco 2800 will extract the payload, which is the actual VPN traffic?

    Having placed the Cisco 2800 interface in the BEFSR41's DMZ does not change the error messages I get. The Cisco 2800 still gives the following errors when I try to connect with the VPN:

    ISAKMP (0:1): atts are not acceptable. Next payload is 3
    ISAKMP (0:1): Encryption algorithm offered does not match policy!

    Thanks in advance for any help!
     
  4. ifican

    ifican Network Guru Member

    I wasn't sure if the DMZ was going to work, as I have always had to create a one-to-one NAT mapping (which you can't do on the BEF). The BEF is a software DMZ, right? You have put the IP for the router in the DMZ?

    Now back to your other can o' worms. NAT-T does in fact encapsulate the protocol 50 traffic in a port 4500 UDP wrapper. And as you ask, yes, it should work that way; the problem is I don't think the 2800 (though I have not yet looked) is NAT-T capable. When the initiating device offers a NAT-T session the receiving device too has to know what to do with it. In this case it's the 2800: when the port 4500 traffic hits the 2800 (if it's not a NAT-T capable device) it sees the traffic, runs it against any access control in place and then passes or drops it. Without the 2800 knowing that it is supposed to look inside the encapsulated packet it simply sits there waiting to see protocol 50 coming across plain as day.

    Ok, stepping back and looking at your post again, per your error message you're not even passing phase 1; "encryption algorithm does not match" is telling you that your IKE settings are not matching up on both sides.

    edit- quick look and yes, depending on the IOS, NAT-T is supported. Also found a couple of field notices about a few IOS releases that are defective in their NAT-T implementation; they are in the 12.3 line. What IOS is on that router?
     
  5. chanchiya

    chanchiya Network Guru Member

    ifican,

    Thank you for getting back to me so quickly, I really appreciate your help.

    Before I continue, I must apologize as the Router I told you I had was incorrect, I just mixed it up, sorry! The stats for my current Cisco router are below:

    Cisco 2611XM (MPC860P)
    IOS C2600 SOFTWARE (C2600-A3JK9S-M)
    VERSION 12.3(22)

    Where are you looking online for the information that tells you that NAT-T is broken? I have been going in circles trying to understand how or why the BEFSR41 would mangle payload data (UDP encapsulated data).

    As for your question about the BEFSR41, yes I believe the router does software DMZ. I actually don't like setting anything to the DMZ because connecting to the router's web interface seems to stop working when DMZ is enabled (I guess packets on port 8080 are forwarded so the web server never sees them).

    As for the IKE phase 1 issue, I have been a little confused about this also. If I remove the BEFSR41 from the picture everything works fine. As soon as I add it, everything breaks. I don't know how the IKE settings could be different in one setting and not in the other by changing intermediate network devices.

    Since I have not given a visual diagram, let me provide a simple diagram of my setup below:

    This setup works
    VPN Client <-> Cisco 2611XM <-> Host behind VPN

    This setup fails
    VPN Client <-> Linksys BEFSR41 <-> Cisco 2611XM <-> Host behind VPN

    Thank you once again and I look forward to hearing from you. I am actually going to get a Hub later today so I can use Ethereal and maybe learn a bit more. Also, I am going to get the WRT54GL later today and try to put DD-WRT on it today or next week.
     
  6. ifican

    ifican Network Guru Member

    You can also try forwarding TCP/500. Something else that comes to mind, if I am not mistaken, is that Cisco does something funky with port 10000 when connecting in hard-to-connect situations; you need to look into that. NAT-T was broken on 12.3(8.3 - 9) so you are ok there, and it's located on Cisco's website under field notices.

    You actually have already identified that the BEF is breaking the connection. Other than the port 10000 potentially fixing it, the only other way I have gotten it to work is to forward all traffic to one IP, but that's going to break anything else you have going on. Just out of curiosity, why are you not able to put the Cisco router at the border?
     
  7. Toxic

    Toxic Administrator Staff Member

    Sounds like the BEF does not support IP Protocols 50 and 51.

    IPsec-based VPNs need UDP port 500 opened for ISAKMP key negotiations, and IP protocol 51 for Authentication Header traffic (not always used). It also needs IP protocol 50 for the encapsulated data itself. The only "forwardable" port here is UDP port 500.

    "Protocols" (and not ports) 50 and 51 must be supported by your router.
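    Since the last few replies turn on the difference between a port (UDP 500/4500) and an IP protocol (ESP 50, AH 51), here is an added example, not code from the thread or from Cisco or Linksys, that shows how a responder tells the two apart on the wire and what that means for a NAT router in the path. It follows RFC 2408 for the ISAKMP header and RFC 3948 for NAT-T: on UDP/4500 a four-byte zero "non-ESP marker" means IKE, a single 0xFF byte is a NAT keepalive, and anything else is UDP-encapsulated ESP whose first four bytes are the SPI. The three sample datagrams are constructed inline, not captured traffic.

```python
"""Classify IPsec datagrams by port/protocol, and state what a NAT router must do.

Added example (not from the forum thread). Constants follow RFC 2408 (ISAKMP),
RFC 3948 (UDP encapsulation of ESP) and RFC 4303 (ESP header layout).
"""
import struct
from dataclasses import dataclass
from typing import Optional

UDP_ISAKMP = 500          # IKE without NAT-T
UDP_NAT_T = 4500          # IKE and ESP once NAT-T has been negotiated
IPPROTO_UDP = 17
IPPROTO_ESP = 50
IPPROTO_AH = 51
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 section 2.2: IKE on port 4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948 section 2.3


@dataclass
class IsakmpHeader:
    initiator_cookie: bytes
    responder_cookie: bytes
    next_payload: int
    major_version: int
    minor_version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int


def parse_isakmp_header(data: bytes) -> IsakmpHeader:
    """Parse the fixed 28-byte ISAKMP header (RFC 2408 section 3.1)."""
    if len(data) < 28:
        raise ValueError("truncated ISAKMP header")
    icookie, rcookie, np, ver, xchg, flags, msgid, length = struct.unpack(
        "!8s8sBBBBII", data[:28])
    return IsakmpHeader(icookie, rcookie, np, ver >> 4, ver & 0x0F,
                        xchg, flags, msgid, length)


def classify_udp_payload(dst_port: int, payload: bytes) -> dict:
    """Say what a UDP datagram arriving at an IPsec responder carries."""
    if dst_port == UDP_ISAKMP:
        return {"kind": "isakmp", "header": parse_isakmp_header(payload)}
    if dst_port == UDP_NAT_T:
        if payload == NAT_KEEPALIVE:
            return {"kind": "nat-keepalive"}
        if payload[:4] == NON_ESP_MARKER:
            # IKE moved to 4500: strip the marker, the rest is an ordinary ISAKMP message
            return {"kind": "isakmp-over-nat-t",
                    "header": parse_isakmp_header(payload[4:])}
        # An ESP SPI is never zero, so anything else is UDP-encapsulated ESP
        spi, seq = struct.unpack("!II", payload[:8])
        return {"kind": "udp-encapsulated-esp", "spi": spi, "seq": seq}
    return {"kind": "other"}


def forwarding_requirement(ip_proto: int, dst_port: Optional[int] = None) -> str:
    """What a NAT router between client and responder must be able to do."""
    if ip_proto == IPPROTO_UDP and dst_port in (UDP_ISAKMP, UDP_NAT_T):
        return f"plain UDP port forward of {dst_port}"
    if ip_proto in (IPPROTO_ESP, IPPROTO_AH):
        # No port number exists in ESP/AH: a port-forward rule cannot match it,
        # the router needs protocol-level passthrough or a one-to-one NAT mapping.
        return f"IP protocol {ip_proto} passthrough, not a port forward"
    return "ordinary NAT"


# --- constructed samples (not captured traffic) ---
# Header-only ISAKMP message: initiator cookie set, responder cookie still zero
# (first message of an exchange), next payload 1 = SA, version 1.0,
# exchange type 2 = identity protection (main mode), total length 28.
ISAKMP_SAMPLE = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, 1, 0x10, 2, 0, 0, 28)
# ESP: SPI, sequence number, then opaque ciphertext.
ESP_SAMPLE = struct.pack("!II", 0x12345678, 1) + b"\xde\xad\xbe\xef" * 4


if __name__ == "__main__":
    for port, data in [(UDP_ISAKMP, ISAKMP_SAMPLE),
                       (UDP_NAT_T, NON_ESP_MARKER + ISAKMP_SAMPLE),
                       (UDP_NAT_T, ESP_SAMPLE),
                       (UDP_NAT_T, NAT_KEEPALIVE)]:
        print(port, classify_udp_payload(port, data))
    for proto, port in [(IPPROTO_UDP, 500), (IPPROTO_UDP, 4500), (IPPROTO_ESP, None)]:
        print(proto, port, forwarding_requirement(proto, port))
```

    The point the demux makes for the thread: once both peers agree on NAT-T, everything the SoHo router sees is UDP on 500 and 4500 and can be port-forwarded; until that agreement happens, or if either side is not NAT-T capable, ESP arrives as IP protocol 50 with no port at all, which is exactly the traffic a plain port-forward rule cannot match.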
     
  8. chanchiya

    chanchiya Network Guru Member

    ifican:
    So far, I have forwarded ports 500, 10000, and 4500 with no luck. I have also tried putting the Cisco 2600 in the BEFSR41's DMZ with no luck. I would like nothing more than to put the Cisco 2600 at the border, but not everyone I work with is technical and they currently insist on it being this way; coupled with the fact that I am the new guy right out of college, I just grin and bear it for now...

    Toxic:
    I can readily accept that the BEFSR41 does not support IP Protocols 50 and 51, but what I don't understand is why this should matter if I am using UDP encapsulation. Could you elaborate on this statement? From my understanding the VPN data is encapsulated within a UDP datagram so the actual VPN traffic looks like any ordinary payload to the BEFSR41.

    I did manage to find a hub and used it to capture packets using Ethereal. The first setup was to place the hub between the VPN client and the BEFSR41, and the second setup was to place the hub between the BEFSR41 and the 2600. The third setup was with no BEFSR41 in the picture. In all three cases the packets looked the same at the ISAKMP level except for the Initiator cookie, with the only differences being at the Ethernet, IP and UDP level, namely the Source and Destination values (and implicitly the checksums), which I would assume is normal routing at work.

    In the first two setups, the ISAKMP request goes through and then there is no traffic. In the third setup, the connection happens normally.

    In addition to the Ethereal output, I have debug crypto isakmp error and debug crypto ipsec error turned on. In the first two setups mentioned above, I get the following error messages and the VPN fails:
    *Mar 5 02:24:51.657: ISAKMP (0:2): Encryption algorithm offered does not match policy!
    *Mar 5 02:24:51.657: ISAKMP (0:2): atts are not acceptable. Next payload is 3
    *Mar 5 02:24:51.657: ISAKMP (0:2): Encryption algorithm offered does not match policy!
    *Mar 5 02:24:51.657: ISAKMP (0:2): atts are not acceptable. Next payload is 3
    *Mar 5 02:24:51.657: ISAKMP (0:2): Encryption algorithm offered does not match policy!
    *Mar 5 02:24:51.657: ISAKMP (0:2): atts are not acceptable. Next payload is 3
    *Mar 5 02:24:51.661: ISAKMP (0:2): Encryption algorithm offered does not match policy!
    *Mar 5 02:24:51.661: ISAKMP (0:2): atts are not acceptable. Next payload is 3
    *Mar 5 02:24:51.661: ISAKMP (0:2): Encryption algorithm offered does not match policy!
    *Mar 5 02:24:51.661: ISAKMP (0:2): atts are not acceptable. Next payload is 3
    *Mar 5 02:24:51.661: ISAKMP (0:2): Encryption algorithm offered does not match policy!
    *Mar 5 02:24:51.661: ISAKMP (0:2): atts are not acceptable. Next payload is 3
    *Mar 5 02:24:51.661: ISAKMP (0:2): Encryption algorithm offered does not match policy!
    *Mar 5 02:24:51.661: ISAKMP (0:2): atts are not acceptable. Next payload is 3
    *Mar 5 02:24:51.661: ISAKMP (0:2): Encryption algorithm offered does not match policy!
    *Mar 5 02:24:51.661: ISAKMP (0:2): atts are not acceptable. Next payload is 3

    Now in the final setup where there is no BEFSR41, I get the following errors but the VPN client connects correctly, which confuses me even more:
    *Mar 5 02:24:51.657: ISAKMP (0:2): Encryption algorithm offered does not match policy!
    *Mar 5 02:24:51.657: ISAKMP (0:2): atts are not acceptable. Next payload is 3
    *Mar 5 02:24:51.657: ISAKMP (0:2): Encryption algorithm offered does not match policy!
    *Mar 5 02:24:51.657: ISAKMP (0:2): atts are not acceptable. Next payload is 3
    *Mar 5 02:24:51.657: ISAKMP (0:2): Encryption algorithm offered does not match policy!
    *Mar 5 02:24:51.657: ISAKMP (0:2): atts are not acceptable. Next payload is 3
    *Mar 5 02:24:51.661: ISAKMP (0:2): Encryption algorithm offered does not match policy!
    *Mar 5 02:24:51.661: ISAKMP (0:2): atts are not acceptable. Next payload is 3
    *Mar 5 02:24:51.661: ISAKMP (0:2): Encryption algorithm offered does not match policy!
    *Mar 5 02:24:51.661: ISAKMP (0:2): atts are not acceptable. Next payload is 3
    *Mar 5 02:24:51.661: ISAKMP (0:2): Encryption algorithm offered does not match policy!
    *Mar 5 02:24:51.661: ISAKMP (0:2): atts are not acceptable. Next payload is 3
    *Mar 5 02:24:51.661: ISAKMP (0:2): Encryption algorithm offered does not match policy!
    *Mar 5 02:24:51.661: ISAKMP (0:2): atts are not acceptable. Next payload is 3
    *Mar 5 02:24:51.661: ISAKMP (0:2): Encryption algorithm offered does not match policy!
    *Mar 5 02:24:51.661: ISAKMP (0:2): atts are not acceptable. Next payload is 3
    *Mar 5 02:24:52.294: ISAKMP (0:2): FSM action returned error: 4
    *Mar 5 02:24:54.077: ISAKMP (0:2): FSM action returned error: 4 Unknown Attr: 0x7000 Unknown Attr: 0x7001 Unknown Attr: 0x7003 Unknown Attr: 0x7007 Unknown Attr: 0x700B Unknown Attr: 0x7009 Unknown Attr: 0x7008 Unknown Attr: 0x700A Unknown Attr: 0x7005
    *Mar 5 02:24:54.105: ISAKMP (0/2): Unknown Attr: UNKNOWN (0x7000)
    *Mar 5 02:24:54.105: ISAKMP (0/2): Unknown Attr: UNKNOWN (0x7001)
    *Mar 5 02:24:54.105: ISAKMP (0/2): Unknown Attr: UNKNOWN (0x7003)
    *Mar 5 02:24:54.105: ISAKMP (0/2): Unknown Attr: UNKNOWN (0x7007)
    *Mar 5 02:24:54.105: ISAKMP (0/2): Unknown Attr: UNKNOWN (0x700B)
    *Mar 5 02:24:54.105: ISAKMP (0/2): Unknown Attr: UNKNOWN (0x7009)
    *Mar 5 02:24:54.109: ISAKMP (0/2): Unknown Attr: UNKNOWN (0x7008)
    *Mar 5 02:24:54.109: ISAKMP (0/2): Unknown Attr: UNKNOWN (0x700A)
    *Mar 5 02:24:54.109: ISAKMP (0/2): Unknown Attr: UNKNOWN (0x7005)
    *Mar 5 02:24:54.137: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-aes 256 esp-md5-hmac comp-lzs }
    *Mar 5 02:24:54.137: ISAKMP (0:2): IPSec policy invalidated proposal
    *Mar 5 02:24:54.137: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-aes 256 esp-sha-hmac comp-lzs }
    *Mar 5 02:24:54.141: ISAKMP (0:2): IPSec policy invalidated proposal
    *Mar 5 02:24:54.141: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-aes esp-md5-hmac comp-lzs }
    *Mar 5 02:24:54.141: ISAKMP (0:2): IPSec policy invalidated proposal
    *Mar 5 02:24:54.145: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-aes esp-sha-hmac comp-lzs }
    *Mar 5 02:24:54.145: ISAKMP (0:2): IPSec policy invalidated proposal
    *Mar 5 02:24:54.145: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-aes 256 esp-md5-hmac }
    *Mar 5 02:24:54.149: ISAKMP (0:2): IPSec policy invalidated proposal
    *Mar 5 02:24:54.149: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-aes 256 esp-sha-hmac }
    *Mar 5 02:24:54.149: ISAKMP (0:2): IPSec policy invalidated proposal
    *Mar 5 02:24:54.153: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-aes esp-md5-hmac }
    *Mar 5 02:24:54.153: ISAKMP (0:2): IPSec policy invalidated proposal
    *Mar 5 02:24:54.153: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-aes esp-sha-hmac }
    *Mar 5 02:24:54.153: ISAKMP (0:2): IPSec policy invalidated proposal
    *Mar 5 02:24:54.157: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-3des esp-md5-hmac comp-lzs }
    *Mar 5 02:24:54.157: ISAKMP (0:2): IPSec policy invalidated proposal
    *Mar 5 02:24:54.157: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-3des esp-sha-hmac comp-lzs }
    *Mar 5 02:24:54.161: ISAKMP (0:2): IPSec policy invalidated proposal
    *Mar 5 02:24:54.161: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-3des esp-md5-hmac }
    *Mar 5 02:24:54.161: ISAKMP (0:2): IPSec policy invalidated proposal

    I realize this is not a Cisco forum, but I thought the problem was with the Linksys BEFSR41 this whole time, and it still may be, but I am not entirely sure anymore...
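    The two debug logs above differ in one structural way, and a small parser makes it visible. This is an added example, not code from the thread or from Cisco: it turns the quoted debug crypto isakmp / debug crypto ipsec lines into events and reports how far each negotiation got. The caveat it encodes is that IOS logs "Encryption algorithm offered does not match policy!" once for every proposal it rejects while walking the client's list, so those lines alone do not mean phase 1 failed; what separates the two captures is whether phase 2 (the IPSEC(validate_transform_proposal) lines) is ever reached. The sample logs are shortened copies of the lines in the post above.

```python
"""Triage Cisco 'debug crypto isakmp' / 'debug crypto ipsec' output.

Added example (not from the forum thread, not a Cisco tool). Parses the
timestamped debug lines into events, pairs each IPSEC(validate_transform_proposal)
line with the {transform set} on the following line, and summarises whether
the exchange stalled in phase 1 or went on to phase 2 proposal selection.
"""
import re
from typing import Optional

TS_RE = re.compile(r"^\*(?P<ts>[A-Za-z]{3} +\d+ \d\d:\d\d:\d\d(?:\.\d+)?): (?P<rest>.*)$")
ISAKMP_RE = re.compile(r"^ISAKMP \((?P<sa>[^)]+)\): ?(?P<msg>.*)$")
IPSEC_RE = re.compile(r"^IPSEC\((?P<fn>\w+)\): ?(?P<msg>.*)$")
ATTR_RE = re.compile(r"0x[0-9A-Fa-f]{4}")   # 'Unknown Attr: 0x7000' style values


def parse_debug_line(line: str) -> Optional[dict]:
    """One debug line -> event dict, or None for lines that are not debug output."""
    m = TS_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    i = ISAKMP_RE.match(rest)
    if i:
        return {"ts": m.group("ts"), "src": "ISAKMP", "sa": i.group("sa"), "msg": i.group("msg")}
    p = IPSEC_RE.match(rest)
    if p:
        return {"ts": m.group("ts"), "src": "IPSEC", "fn": p.group("fn"), "msg": p.group("msg")}
    return {"ts": m.group("ts"), "src": "?", "msg": rest}


def triage(summary: dict) -> str:
    """Turn the counters into a one-line reading of the negotiation."""
    if summary["reached_phase2"]:
        return ("phase 1 completed; phase 2 transform selection in progress "
                "(rejected proposals are expected while the client's list is walked)")
    if summary["phase1_mismatch"]:
        return ("phase 1 stalled: proposals rejected and no phase 2 activity followed; "
                "check whether the exchange continues past the first message on the wire")
    return "no ISAKMP negotiation observed"


def summarize(text: str) -> dict:
    events = []
    pending = None   # IPSEC line whose transform set is on the next line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("{") and pending is not None:
            pending["transform"] = line.strip("{} ").split()
            pending = None
            continue
        ev = parse_debug_line(line)
        if ev is None:
            continue
        events.append(ev)
        if ev["src"] == "IPSEC" and ev["msg"].endswith("identity:"):
            pending = ev
    phase2 = [e for e in events if e["src"] == "IPSEC" or "IPSec policy" in e["msg"]]
    summary = {
        "phase1_mismatch": sum("does not match policy" in e["msg"] for e in events),
        "fsm_errors": sum("FSM action returned error" in e["msg"] for e in events),
        "unknown_attrs": sorted({a for e in events for a in ATTR_RE.findall(e["msg"])}),
        "phase2_rejected": [" ".join(e["transform"]) for e in events if "transform" in e],
        "reached_phase2": bool(phase2),
    }
    summary["verdict"] = triage(summary)
    return summary


# Shortened copies of the two logs quoted in the post (sample input).
FAILING_LOG = """\
*Mar 5 02:24:51.657: ISAKMP (0:2): Encryption algorithm offered does not match policy!
*Mar 5 02:24:51.657: ISAKMP (0:2): atts are not acceptable. Next payload is 3
*Mar 5 02:24:51.657: ISAKMP (0:2): Encryption algorithm offered does not match policy!
*Mar 5 02:24:51.657: ISAKMP (0:2): atts are not acceptable. Next payload is 3
*Mar 5 02:24:51.661: ISAKMP (0:2): Encryption algorithm offered does not match policy!
*Mar 5 02:24:51.661: ISAKMP (0:2): atts are not acceptable. Next payload is 3
"""

WORKING_LOG = FAILING_LOG + """\
*Mar 5 02:24:52.294: ISAKMP (0:2): FSM action returned error: 4
*Mar 5 02:24:54.077: ISAKMP (0:2): FSM action returned error: 4 Unknown Attr: 0x7000 Unknown Attr: 0x7001
*Mar 5 02:24:54.105: ISAKMP (0/2): Unknown Attr: UNKNOWN (0x7000)
*Mar 5 02:24:54.137: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
{esp-aes 256 esp-md5-hmac comp-lzs }
*Mar 5 02:24:54.137: ISAKMP (0:2): IPSec policy invalidated proposal
*Mar 5 02:24:54.161: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
{esp-3des esp-md5-hmac }
*Mar 5 02:24:54.161: ISAKMP (0:2): IPSec policy invalidated proposal
"""

if __name__ == "__main__":
    for name, log in [("with BEFSR41", FAILING_LOG), ("without BEFSR41", WORKING_LOG)]:
        print(name, summarize(log))
```

    Run against the two captures, the parser reports the same three phase 1 mismatches in both, but only the working capture goes on to list rejected phase 2 transform sets, which is why the identical-looking phase 1 warnings are a red herring for locating where the path with the BEFSR41 breaks.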
     