Greenbow/Quickvpn Fix Connects to WRV54G From A NAT-T Rtr

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by DocLarge, Apr 23, 2005.

  1. DocLarge

    DocLarge Super Moderator Staff Member Member

    If some of you don't know, one of the members of this forum studied the file structure in quickvpn and found a way for you to connect from behind another router to a wrv54g. I've used it over and over and it works. Bare with me now because I'm going to do this the "LONG" way to ensure everyone understands exactly what I'm describing.

    Make sure you have quickvpn "and" greenbow loaded on the client computer. As an opening example, take a look at the following syntax entries:

    c:\>cd program files
    c:\>cd linksys
    c:\>cd linksys vpn client
    c:\>wget https://username:password@a.a.a.a/StartConnection.htm?version=1?IP=b.b.b.b?USER=username

    Let's say you have a vpn client on the wrv54g named Mark and his password is test, and the WAN IP of the wrv is Your remote user's computer (Mark) has an internal LAN IP address behind "his" WRT54G router of In the example above, where you see a.a.a.a is the WAN IP of the WRV you are connecting to and b.b.b.b is the local LAN IP address of the remote user’s computer, in this case, Mark.

    Mark would next open a command prompt and follow the DOS command steps above until he is inside of the "linksys vpn client" directory on "his" computer. Once there, he enters his user information at the command prompt:

    c:\>wget https://mark:test@

    Make sure there are no spaces between this line of syntax. The only space in this entire line is between the “wget†command and https://. To verify string syntax, look at the “wget_error.txt†file located in the same directory.

    When you hit enter, you'll notice the quickvpn parameters connect directly to port 443 on the wrv54g. Again, this is because linksys designed quickvpn to work "exclusively" with the wrv54g and no other vpn client "if" you are behind another NAT-T router. When you see it say "ok," you know you've established the IPSEC tunnel.

    Open up windows explorer and go to the c:\>program files\linksys\linksys vpn client\ directory and look for a file that starts out with "StartConnection@version." Open this file and look for “pre shared key; copy everything between the = sign and the tab (displayed as small square in this file).


    (Phase I) Alright, Mark now opens greenbow vpn version 2_50_013 and types in his username (mark) for the tunnel, puts the asterik (*) in the interface field, and uses for Remote Gateway. Paste the pre shared key from the linksys directory into the greenbow pre shared key fields. 3DES/MD5/DH1024 should be the settings in Phase I/II. Save and apply.

    (Phase II) Mark is the tunnel name again, client IP is; address type is “subnet;†choose for LAN and for subnet.

    Again, 3DES/MD5/DH1024 are standard; make sure mode is "tunnel." “PFS†should be checked. Save and apply.

    Open the greenbow vpn console so you can check the session. Click "open tunnel" and you should see greenbow connect (the green tunnel light on the far right will turn to red if you're connected). If for any reason it doesn't connect the first time, don't sweat it. Just go back to the dos command, hit the up key and modify the last line by changing "StartConnection" to "Stop Connection." When you do this, you'll see another file appear in the linksys vpn directory called "StopConnection.htm." So as not to confuse yourself, delete the StartConnection/StopConnection files as you go.

    Go back to your command line and tap the up arrow key until you have your start connection string again and hit enter. Again, you'll see the quickvpn parameters connect to the remote WRV54G; the "StartConnection.htm" file appears in the directory again. Copy the preshared key portion the same as before, paste it into greenbow; hit save and apply.

    Try opening tunnel; if it didn't work the first time, it should this time.

    That's the trick...

  2. ipcdmatt

    ipcdmatt Network Guru Member

    well i tried this, ...unfortunately , no success for me

    all went as per instructions, right up to opening tunnel

    console showed, transport error udp, could not create peer session ...not literally but along those lines.

    tried the stop-start , repasted the key, to no avail.

    still checking it out, if you have any thoughts, let me know.

  3. DocLarge

    DocLarge Super Moderator Staff Member Member

    Key thing to remember is that greenbow is using "quickvpn" parameters meaning the "6 Step Approach" must be adhered to (I put this in a previous post). If I left that out, my bad. Here are the basic steps that should be in place prior to trying the greenbow/quickvpn fix:

    1) Disable pptp and L2tp on the wrv54g
    2) Disable all vpn port forwarding (500, 1701, 1723, 4500) to limit background process interference
    3) Disable all vpn settings (tunnel, gateway, IKE)
    4) Make sure quickvpn is the "only" client loaded on your machine (it won't work if another one is present)
    5) Enable Ipsec on the WRV54G
    6) Check under services and make sure Ipsec is running

    These are just the general ground rules to start out with when quickvpn is running by itself to make an initial connection. Once you're able to make a basic connection, then you move on to the greenbow/quickvpn fix. Your WRV54G router settings must be in place prior to using this workaround. What I've suggested to others is that they create a batch file so as to limit hoping back and forth between screens.

    Again, my bad for scooting along so fast and leaving out this tidbit :) :)

  4. ipcdmatt

    ipcdmatt Network Guru Member

    DOC, I had tried all of this ... mine still failed, ... I went for another soloution, diffrent vendor, up and running in minutes.

    Thanks for all your help.
  5. mikejk67

    mikejk67 Network Guru Member

    I've also tried this method and failed. My work lan (behind router i'm sure)has prevented me from using QuickVPN.(?) It "works" up to the point of verifying network (can "see" using remote admin on WRV54g that it establishes a tunnel(?)) and then responds with remote router not responding or such and forces me to disconnect. Could you be more specific about your 6 steps on the wrv54g? I don't know how to disable vpn port forwarding etc. I'm using firmware 2.8 emailed to me from linksys.
  6. DocLarge

    DocLarge Super Moderator Staff Member Member

    This workaraound (as you see) is not for the faint hearted but it does work (a majority of us in the forum use it).

    Steps 1 through 6 are as basic as it gets. There's nothing else to it (literally). However, interpretation varies, and this is an international site so let me try something else :)

    Alright, when I say "disable vpn forwarding," I'm saying you need to make sure you uncheck any forwarding options you may have enabled on the "Applications and Gaming" page on your wrv54g router.

    All of the references to "disable" is me saying these functions need to be turned off "on your wrv54g."

    Under the "Security" tab, then under VPN, disable (turn off) pptp, l2tp, and vpn tunnel/gateway (IKE isn't that big a deal). Now, if you were going to use a third party vpn client along with the quickvpn client (i.e., greenbow vpn), you should enable the IPSEC feature. If you are just trying to connect to your router from someplace else, enabling IPSEC is an option you can leave on, but I sometimes tell people to turn off ipsec, l2tp, and pptp just to establish a baseline.

    The combination greenbow/quickvpn workaround is for those of us who know how to establish the basic quickvpn connection and understand how to configure it (again, the 6 step approach has been consistent).

    Lastly, when referring to firmware, did you mean to say Linksys emailed you firmware 2.38?

    I'll help as much as I can...

  7. mikejk67

    mikejk67 Network Guru Member

    Thanks for the reply Doc. Yes, linksys support emailed me the 2.8 and bunch of text about not passing it around and warnings about it being beta etc. What I'm trying to do is connect to my small home network from my work computer. I have cable internet at home with a moto modem attached to my linksys wrv54g router and 5 computers in my lan. I really don't need to do this, but I want to be able to do it to learn proceedures and more about networking and vpn and so on.
  8. DocLarge

    DocLarge Super Moderator Staff Member Member


    I've revised my 6 Step approach information to see if I can make more sense. I'm going to post it to the forum in a minute but before I do, I'm giving you an exclusive :) Since I can't upload it, I'll just have to post it here:

    6 Step Approach for fast Quickvpn connection:

    1) Disable pptp and L2tp
    2) Disable all vpn port forwarding (500, 1701, 1723, 4500) to minimize background process interference
    3) Disable all vpn settings (tunnel, gateway, IKE)
    4) Make sure quickvpn is the "only" client loaded on your machine (won’t work otherwise)
    5) Enable Ipsec on the wrv54g to allow quickvpn to connect “out†and/or if you have someone using a third party vpn client (like greenbow or ssh sentinel) so they can connect (examples below).

    Methods of Connection:

    1) greenbow-->modem-->internet<---modem<--WRV<--Srvr [connects]

    2) quickvpn-->modem-->internet<---modem<--WRV<--Srvr [connects]

    3) quickvpn-->WRV-->modem-->internet<---modem<--WRV<--Srvr [connects]

    4) greenbow-->WRV-->modem-->internet<---modem<--WRV<--Srvr [no connection]

    NOTE: If you have a vpn client who is trying to access the wrv54 through a direct connection while using a third party client, method 1 is the “only†available option, unless you understand the quickvpn/greenbow workaround configuration. If you have a vpn client who’s using quickvpn, either methods 2 or 3 are suitable. Again, the WRV will "only" accept quickvpn requests from behind another router due to quickvpn being designed "specifically" for use with the wrv. All other vpn requests from other clients behind routers will be "dropped" unless it's a direct connection (see option 1).

    6) Check under services if you are running a windows OS and make sure Ipsec is running (if you’ve tried ssh sentinel recently, this knocks ipsec offline).

    If you are going to try and connect with quickvpn from another location (i.e., a wi-fi internet café) to your wrv54g, that establishment (Starbucks, for example) “must†have ipsec enabled on their wi-fi router in order for you to connect out (just the same as if you were trying to connect from your own wrv54g to another wrv54g acting as an endpoint (vpn host).

    These are just the general ground rules to start out with. One last thing to consider is if you're getting "verifying network," check your mtu setting. At times, you have to lower it to avoid fragmentation of
    the data packets.

    As always, what's outlined is just a "baseline." As you start having success's, start varying your configuration
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice