
Greenbow Setup Guide For WRV54G/RV0XX/BEFVP41/BEFSX41/WAG54G

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by DocLarge, Jul 16, 2005.

  1. DocLarge

    DocLarge Super Moderator Staff Member Member

    HEY LOOK!! A GREENBOW VPN SETUP GUIDE!!!!!

    Use version 2.50 (or latest version) of the greenbow client by the way. Also, third party vpn clients "will not" connect to a WRV54G if you are connecting from behind another WRV54G; you will have to make a "direct connection" (computer to modem) to connect. Linksys devices that do not have this NAT-T problem when "hosting" VPN tunnels are the WAG54G ADSL Gateway (sold over here in England and Europe) which supports 5 IPSEC tunnels, the BEFVP41, which supports 50 IPSEC tunnels, and the BEFSX41, which supports 2 IPSEC tunnels. If you want to make a secure vpn connection to a WRV54G, you'll need to use the Linksys Quickvpn client, or configure a WRV54G to WRV54G dedicated tunnel.

    Below is a "step-by-step" baseline example to get started.

    Phase I (Greenbow VPN Client):
    1) Tunnel: The name you use should be the same on the router you're connecting to
    2) Interface: leave it as an asterisk.
    3) Remote gateway: This is the WAN address (ISP provided ip address) of the router you're trying to connect to obviously.
    4) Pre-shared key: Use a hexadecimal string beginning with 0x (i.e. 0x123456789 with most other routers); if you are connecting to a WRV54G, upper or lowercase words seem to work better (meagainstwhomever).
    5) Certificate: N/A
    6) Encryption: Use 3DES
    7) Authentication: SHA (the equivalent on the WRV54G is SHA1)
    8) Key Group: Set this to DH1024
    9) Save and apply settings.

    Phase II (Greenbow VPN Client):
    1) Tunnel Name: Same as Phase I
    2) Vpn client address: This is "your" WAN ip address (provided to you by your ISP) if you are connecting directly to a modem; use the local LAN IP if you are behind a router that supports NAT-T (again, the WRV54G, right now, does not support this feature; use quickvpn instead).
    3) Address Type: Use "Subnet" address. Input the Remote LAN's local IP settings
    (i.e.) Local IP: 192.168.1.5
    Subnet: 255.255.255.0
    4) Encryption: 3DES
    5) Authentication: SHA
    6) Mode: Tunnel
    7) PFS: Ensure this box is checked
    8) Group: The group should be dh1024
    9) Save and apply settings

    Additionally, make sure you set the "maximal lifetime settings" for encryption and authentication to "3600." You can do this by clicking on the "parameters" link. Additionally, make sure you "always" remember to make sure the encryption and authentication times are the same.

    ON THE ROUTER

    IPSEC: Enabled
    PPTP: Enabled
    L2TP: Disabled

    Tunnel Name: Same as Greenbow
    VPN Tunnel: Enabled
    VPN Gateway: Disabled

    Local Secure Group: Your local router settings. Either host or subnet work (I prefer subnet)

    Remote Secure Group: This is the router/client at the distant end. Either input the local LAN settings of the “remote” router/client by choosing the “Subnet” option or use “Any” to make your initial connection; I’d recommend using “Any” first (handles all incoming connections). Try using “Subnet” to specify connections (Local LAN IP and Subnet) after you get the hang of it. “Any” isn’t too secure but allows you to see the connection for the first time without breaking a sweat. Once you understand the configuration better, vary your configuration.

    Remote Secure Gateway: This is the WAN IP “or” the FQDN of the router/client that is going to be connecting to your router. My personal success comes from using “Any” and “FQDN.” Use FQDN if you have registered a dynamic dns name (you can do this at www.dyndns.org).

    Encryption and Authentication is 3DES and SHA1.

    Key Management: Auto(IKE) [Enabled]
    PFS: Enabled
    Pre Shared Key: Same as Greenbow
    Key Lifetime: Same as Greenbow

    Click “Advanced VPN Tunnel Setup”:

    Phase I:

    Mode: Main
    Encryption: 3DES
    Authentication: SHA1
    Group: Same as Greenbow
    Key Lifetime: Same as Greenbow

    Phase II:

    Encryption: 3DES
    Authentication: SHA1
    PFS: Enabled
    Group: Same as Greenbow
    Key Lifetime: Same as Greenbow

    Under “Other Options,” check the “Netbios” option and leave all others blank, unless required.

    ONCE YOU GET CONNECTED:

    Once you’ve made the connection and you want to connect to a shared resource that you have rights to from a remote location, on the "client" computer, open up windows explorer and click on "tools," then “map a network drive.” After clicking on that, choose a drive letter and type the ip address of a computer you have rights to on that network. You would type the following: \\192.168.1.10\sharename

    Where you see sharename would be where you would substitute the name of a folder you have share permissions to access (i.e., \\192.168.1.10\vpn).

    Before you click finish, click on “connect as different user” because in order to connect, that local machine needs to have a "username and password" created on it so it recognizes who you are. If you are part of a domain, make sure that your "domain user account" has been added to each computer you want to access remotely.

    When you click this link, you’ll be asked to type in a username and password that has access rights. Click O.K., then click finish. The shared resource you have been given access to should pop up! If the account you’re connecting to has the permissions set properly, you’re all good now!


    VERY IMPORTANT: Make sure all of your greenbow settings match your router settings and that the remote ip settings are different from your own!

    Just in case anyone new to this forum doesn't understand the difference between PPTP server settings and Linksys Quickvpn, the settings listed above for greenbow connectivity are "specifically" intended for use with the built-in pptp server that comes with the WRV54G/RV0XX/BEFVP41 (50 available tunnels) and BEFSX41 (2 tunnels) routers. The difference is that with the WRV54G/RV0XX routers, the quickvpn client sets all of this up when it loads on the client computer. Additionally, quickvpn uses MD5 for authentication whereas greenbow gives you the option for SHA and MD5.

    Here are some brief examples to connect greenbow to your router:

    Config #1

    Local Secure Group: Subnet
    Remote Secure Group: Any
    Remote Secure Gateway: Any

    Config #2

    Local Secure Group: Host
    Remote Secure Group: Host
    Remote Secure Gateway: FQDN

    I'm not sure how successful you might be with dialup; these settings have been verified successfully over broadband, but try anyway and see what happens...

    DocLarge

    Edit (29 May 2006):

    Here's a third config that I'm using right now to connect:

    Config #3

    Local Secure Group: Subnet

    Remote Secure Group: IP Address (Your Computer's Local IP)

    Remote Secure Gateway: IP Address (Your WAN Address)

    Doc
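Added example, not part of DocLarge's post or of any Linksys or TheGreenBow tooling: a Python check of the guide's rules that every client setting must match the router, that the two lifetimes must be equal, and that the remote LAN must differ from your own. The dictionary keys, the tunnel name `office`, the router spelling `1024-bit` and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# The guide treats these spellings as the same setting (client "SHA" = router "SHA1").
# "1024-bit" as the router's label for the DH group is an assumption.
ALIASES = {"SHA": "SHA1", "DH1024": "1024", "1024-BIT": "1024"}
EXACT = ("tunnel_name", "psk")                      # compared character for character
NEGOTIATED = ("p1_enc", "p1_auth", "p1_group", "p1_lifetime",
              "p2_enc", "p2_auth", "p2_group", "p2_lifetime", "pfs")

def norm(value):
    text = str(value).strip().upper()
    return ALIASES.get(text, text)

def lan(address, mask):
    # strict=False accepts a host address such as 192.168.1.5 and returns its subnet
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)

def check_tunnel(client, router):
    """Return findings as strings; an empty list means both sides agree."""
    findings = []
    for key in EXACT:
        if client[key] != router[key]:
            findings.append(f"mismatch {key}")      # never echo the pre-shared key
    for key in NEGOTIATED:
        if norm(client[key]) != norm(router[key]):
            findings.append(f"mismatch {key}: {client[key]} vs {router[key]}")
    if client["p1_lifetime"] != client["p2_lifetime"]:
        findings.append("client authentication and encryption lifetimes differ")
    if lan(*client["lan"]).overlaps(lan(*router["lan"])):
        findings.append("client LAN overlaps the remote LAN")
    if norm(router["remote_secure_group"]) == "ANY":
        findings.append("Remote Secure Group is Any: narrow it to Subnet once the tunnel works")
    return findings

# Constructed sample values following the guide's baseline (names are hypothetical).
CLIENT = {"tunnel_name": "office", "psk": "meagainstwhomever",
          "p1_enc": "3DES", "p1_auth": "SHA", "p1_group": "DH1024", "p1_lifetime": 3600,
          "p2_enc": "3DES", "p2_auth": "SHA", "p2_group": "DH1024", "p2_lifetime": 3600,
          "pfs": True, "lan": ("192.168.15.108", "255.255.255.0")}
ROUTER = dict(CLIENT, p1_auth="SHA1", p2_auth="SHA1", p1_group="1024-bit",
              p2_group="1024-bit", lan=("192.168.1.5", "255.255.255.0"),
              remote_secure_group="Any")

if __name__ == "__main__":
    for finding in check_tunnel(CLIENT, ROUTER):
        print(finding)
```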
     
  2. gigamama

    gigamama Guest

    I had to increase the IKE to 7200

    I could not get this to work, I then went to the Parameters section on the client increased the Authentication ( IKE )
    was
    default
    3600

    new default
    7200

    Same on the router side under Key Management
    PFS
    Key Lifetime 7200 (sec)

    it was set at 3600
     
  3. Rubsi2

    Rubsi2 Addicted to LI Member

    Hey Doc, can you tell me what firmware version you were at on the WRV54g when this worked?

    I am running at 38.6 but seem to be getting nowhere at all. I am using the evaluation of thegreenbow VPN client at version 3.0 (I also tried it with version 2.51).

    After attempting phase 1 for a couple of the little boxes on the open tunnel progress bar, it just stops, no errors or messages on the console either.
     
  4. Rubsi2

    Rubsi2 Addicted to LI Member

    Just a footnote to my last post.

    I gave up on this in the end (or at least for now). I was using it as a possible solution for Bluetooth -> GPRS (cellphone dialup), VPN connections.

    Managed to get quickvpn to work - mostly (it stalls at Verifying Network) but allows connectivity all the same.
     
  5. frisbee-gr

    frisbee-gr Addicted to LI Member

    Thanks for the post!

    What if one wants to connect via Greenbow to a BEFSX41 which lies behind a WAG54GS?

    Cheers,
     
  6. DocLarge

    DocLarge Super Moderator Staff Member Member

    Hi everybody,

    sorry I'm late responding to this; not a lot of people have been using greenbow so this sticky has fallen to the side..

    Gigamamma: Is it working for you?

    Rubsi2: I'm not sure if the WRV54G will let that type of communication pass; the linksys techs have locked this router down to the point it will almost "only" support proprietary features in order to promote the "Quickvpn Client."

    Frisbee-GR: I'd say to make sure you forward ports 1723 (TCP) and 500 (UDP) from the WAG to the IP address your BEFSX41 pulls from your WAG. By the way, you need to make sure the BEFSX's WAN port is connected to one of the LAN ports on the WAG.
    Caution: I can't remember if any of the ports on the WAG have crossover capability.

    Doc
     
  7. 512Cypher

    512Cypher Addicted to LI Member

    Great job

    good post.
    i'm getting weird results but it works.

    great job m8
     
  8. sgroom

    sgroom Addicted to LI Member

    RVS4000 and Greenbow 4.1.x

    Has anyone attempted this? This guide has proved very useful in interpreting the settings for the 4.1 Greenbow client but some things don't jive. For example, UNEQUAL_PAYLOAD_LENGTHS in the greenbow connection log...

    anyone have any suggestions?
     
  9. yukons

    yukons Addicted to LI Member

    i followed this greenbow setup to a t when connecting to a wrv54g and it gives me invalid_cookie errors after it attempts a connection. I am using this config

    pc (192.168.15.108) --> wrv54g router (source side) 66.57.... --> cable modem --> internet --> cable modem --> wrv54g (configured based on guide) 70.63....

    prior to installing greenbow i tried quickvpn but it just connected and could not ping anything on the destination end. keep getting negotiating IP Security. so i gave up.

    I installed greenbow and configured both ends based on the docs mentioned in this link. It connects and the syslogs show something but the router has these errors

    the test greenbow that comes with the client works fine to the greenbow server on the 192.168.175.50 server so it seems my client and source router are fine but the destination router is not working correctly. please help.....

    11-20-2007 14:46:33 System0.Warning 192.168.55.1 Nov 20 14:46:32 2007 linksys Nov 20 19:46:32 pluto[34]: "ips1_ipsec0"[1] 66.57.127.164: deleting connection "ips1_ipsec0" instance with peer 66.57.127.164
    11-20-2007 14:46:33 System0.Warning 192.168.55.1 Nov 20 14:46:32 2007 linksys Nov 20 19:46:32 pluto[34]: "ips1_ipsec0"[1] 66.57.127.164 #3: max number of retransmissions (2) reached STATE_MAIN_R2
    11-20-2007 14:45:53 System0.Warning 192.168.55.1 Nov 20 14:45:52 2007 linksys Nov 20 19:45:52 pluto[34]: packet from 66.57.127.164:500: received and ignored informational message
    11-20-2007 14:45:53 System0.Warning 192.168.55.1 Nov 20 14:45:52 2007 linksys Nov 20 19:45:52 pluto[34]: packet from 66.57.127.164:500: ignoring informational payload, type INVALID_COOKIE
    11-20-2007 14:45:30 System0.Warning 192.168.55.1 Nov 20 14:45:29 2007 linksys Nov 20 19:45:29 pluto[34]: "ips1_ipsec0"[1] 66.57.127.164 #3: no suitable connection for peer '192.168.15.67'
    11-20-2007 14:45:30 System0.Warning 192.168.55.1 Nov 20 14:45:29 2007 linksys Nov 20 19:45:29 pluto[34]: "ips1_ipsec0"[1] 66.57.127.164 #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.15.67'
    11-20-2007 14:45:23 System0.Warning 192.168.55.1 Nov 20 14:45:22 2007 linksys Nov 20 19:45:22 pluto[34]: "ips1_ipsec0"[1] 66.57.127.164 #3: no suitable connection for peer '192.168.15.67'
    11-20-2007 14:45:23 System0.Warning 192.168.55.1 Nov 20 14:45:22 2007 linksys Nov 20 19:45:22 pluto[34]: "ips1_ipsec0"[1] 66.57.127.164 #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.15.67'
    11-20-2007 14:45:22 System0.Warning 192.168.55.1 Nov 20 14:45:22 2007 linksys Nov 20 19:45:22 pluto[34]: "ips1_ipsec0"[1] 66.57.127.164 #3: responding to Main Mode from unknown peer 66.57.127.164
    11-20-2007 14:45:22 System0.Warning 192.168.55.1 Nov 20 14:45:22 2007 linksys Nov 20 19:45:22 pluto[34]: packet from 66.57.127.164:500: ignoring Vendor ID payload
    11-20-2007 14:45:22 System0.Warning 192.168.55.1 Nov 20 14:45:22 2007 linksys Nov 20 19:45:22 pluto[34]: packet from 66.57.127.164:500: ignoring Vendor ID payload
    11-20-2007 14:45:22 System0.Warning 192.168.55.1 Nov 20 14:45:22 2007 linksys Nov 20 19:45:22 pluto[34]: packet from 66.57.127.164:500: ignoring Vendor ID payload
    11-20-2007 14:45:22 System0.Warning 192.168.55.1 Nov 20 14:45:22 2007 linksys Nov 20 19:45:22 pluto[34]: packet from 66.57.127.164:500: ignoring Vendor ID payload
    11-20-2007 14:45:22 System0.Warning 192.168.55.1 Nov 20 14:45:22 2007 linksys Nov 20 19:45:22 pluto[34]: packet from 66.57.127.164:500: ignoring Vendor ID payload
    11-20-2007 14:45:17 Daemon.Info 192.168.55.1 Nov 20 14:45:17 2007 linksys rg_system_full:275: spawned PID 219
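Added example, not part of yukons' post: a Python parser for the pluto lines above that groups messages per source address and SA number and flags sessions where the Main Mode peer ID is a private address different from the packet source. Reading that pattern as a client identifying itself by its LAN address from behind NAT is an interpretation, not something the thread confirms; the function and field names are hypothetical.

```python
import ipaddress
import re

# Four lines copied from the syslog output in the post above, oldest first.
SAMPLE = """\
11-20-2007 14:45:22 System0.Warning 192.168.55.1 Nov 20 14:45:22 2007 linksys Nov 20 19:45:22 pluto[34]: "ips1_ipsec0"[1] 66.57.127.164 #3: responding to Main Mode from unknown peer 66.57.127.164
11-20-2007 14:45:23 System0.Warning 192.168.55.1 Nov 20 14:45:22 2007 linksys Nov 20 19:45:22 pluto[34]: "ips1_ipsec0"[1] 66.57.127.164 #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.15.67'
11-20-2007 14:45:23 System0.Warning 192.168.55.1 Nov 20 14:45:22 2007 linksys Nov 20 19:45:22 pluto[34]: "ips1_ipsec0"[1] 66.57.127.164 #3: no suitable connection for peer '192.168.15.67'
11-20-2007 14:46:33 System0.Warning 192.168.55.1 Nov 20 14:46:32 2007 linksys Nov 20 19:46:32 pluto[34]: "ips1_ipsec0"[1] 66.57.127.164 #3: max number of retransmissions (2) reached STATE_MAIN_R2
"""

LINE = re.compile(r'pluto\[\d+\]: "[^"]+"\[\d+\] (?P<src>[\d.]+) #(?P<sa>\d+): (?P<msg>.*)')
PEER_ID = re.compile(r"Main mode peer ID is ID_IPV4_ADDR: '([\d.]+)'")

def diagnose(log_text):
    """Flag IKE sessions whose peer ID is a private address unlike the packet source."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue                      # "packet from ..." lines carry no SA number
        s = sessions.setdefault((m["src"], m["sa"]),
                                {"peer_id": None, "rejected": False, "stalled": None})
        msg = m["msg"]
        found = PEER_ID.search(msg)
        if found:
            s["peer_id"] = found.group(1)
        elif msg.startswith("no suitable connection for peer"):
            s["rejected"] = True
        elif "max number of retransmissions" in msg:
            s["stalled"] = msg.split()[-1]        # e.g. STATE_MAIN_R2
    findings = []
    for (src, sa), s in sessions.items():
        pid = s["peer_id"]
        if pid and pid != src and ipaddress.ip_address(pid).is_private:
            findings.append({"source": src, "sa": sa, "peer_id": pid,
                             "rejected": s["rejected"], "stalled": s["stalled"]})
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print(finding)
```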
     
  10. sgroom

    sgroom Addicted to LI Member

    Greenbow Troubleshooting

    From the greenbow troubleshooting Doc...

    4.2 « INVALID COOKIE » error
    115933 Default message_recv: invalid cookie(s) 5918ca0c2634288f 7364e3e486e49105
    115933 Default dropped message from 195.100.205.114 port 500 due to notification type INVALID_COOKIE
    115933 Default SEND Informational [NOTIFY] with INVALID_COOKIE error

    If you have an « INVALID COOKIE » error, it means that one of the endpoint is using a SA that is no more in use.
    Reset the VPN connection on each side.

    I'm using a different Linksys so I can't duplicate your error. I overcame that one but I can't recall how.. I think it was a minor setting ... check in the parameters section of greenbow
     
  11. yukons

    yukons Addicted to LI Member

    i saw this reason in a guide but i reboot both routers and the desktop and nothing seems to help with that. i do not see any settings that help either
     
