
Vodafone 3G/ GPRS QuickVPN and GreenBow VPN tunnel problem

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by mmcalis1, Nov 24, 2005.

  1. mmcalis1

    mmcalis1 Network Guru Member

    Ok - I am again stumped.

    We can setup our remote users with either the QuickVPN or GreenBow VPN Clients - all works fine when they are at home connected via their home ADSL connection or dialed in using their telephone modems.

    The problem starts when they are on Vodafone 3G!

    Vodafone gives the card a 10.xx.xx.xx private IP address which is then mapped via their network to a real public IP address - then they try and create a VPN tunnel with the RV042.

    And nothing happens!

    All I get is a log like this one in the Firewall Log

    Connection Refused - Policy violation
    UDP 212.183.131.xxx:40799->82.69.41.xxx:500 on ixp2

    Where the 212.183.131.xxx IP is the Vodafone public IP and the 82.69.41.xxx is the Public IP of the RV042

    Is this NAPT? ie. Network Address Port Translation Port 40799 -> 500

    Does it not like NAPT?

    Why does this happen - Dial up modem to an ISP is fine and 3G is not?

    I have heard all sorts of things about NAT-T and data encapsulation etc but I have no idea what they are and does the RV042 support them? if not how do I get 3G connected laptops to VPN into the RV042 via a Greenbow VPN Client?

    According to Greenbow their version 3 client supports all those things - does the RV042?

    BTW - if I do drop the firewall setting of not to respond to WAN requests I do actually get the following in the VPN log

    Start---
    [Tunnel Negotiation Info] >>> Initiator Send Aggressive Mode 1st packet
    initiating Aggressive Mode #303 to replace #302, connection "ips3"
    STATE_AGGR_I1: initiate
    Ignoring Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-00]
    Ignoring Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-02_n]
    Ignoring Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-03]
    Received Vendor ID payload Type = [Dead Peer Detection]
    ---End

    I am guessing that the RV042 does not like NAT-T IKE? correct?

    (the VPN Client is the latest Greenbow v3 client)

    Please help!

    M
    :cry:
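
The two log excerpts in the post above can be triaged mechanically. This is an added example, not part of the original post: it applies a heuristic (an IKE packet arriving at UDP 500 from a source port other than 500 suggests port translation on the path) and checks whether the logging device ignored every NAT-T vendor ID it was offered. The sample lines are constructed from the excerpts above, and the function names are hypothetical.

```python
import re

# Constructed samples, modelled on the firewall and VPN log excerpts in the post.
FIREWALL_LOG = """Connection Refused - Policy violation
UDP 212.183.131.xxx:40799->82.69.41.xxx:500 on ixp2"""
VPN_LOG = """STATE_AGGR_I1: initiate
Ignoring Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-00]
Ignoring Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-02_n]
Ignoring Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-03]
Received Vendor ID payload Type = [Dead Peer Detection]"""

IKE_PORT = 500  # ISAKMP/IKE; NAT-T (RFC 3947) floats to UDP 4500 once negotiated
FLOW = re.compile(r"UDP\s+([^\s:]+):(\d+)->([^\s:]+):(\d+)")
VID = re.compile(r"(Ignoring|Received) Vendor ID payload Type = \[([^\]]+)\]")


def translated_ike_flows(firewall_log):
    """Heuristic: IKE flows to port 500 whose source port is not 500 (NAPT hint)."""
    flows = []
    for src, sport, dst, dport in FLOW.findall(firewall_log):
        if int(dport) == IKE_PORT and int(sport) != IKE_PORT:
            flows.append((src, int(sport), dst))
    return flows


def nat_t_vendor_ids(vpn_log):
    """Split the NAT-T vendor IDs seen in the log into ignored and accepted."""
    seen = {"Ignoring": [], "Received": []}
    for action, name in VID.findall(vpn_log):
        if "nat-t" in name.lower():
            seen[action].append(name)
    return seen["Ignoring"], seen["Received"]


def diagnose(firewall_log, vpn_log):
    """Combine both checks into one finding for the support ticket."""
    flows = translated_ike_flows(firewall_log)
    ignored, accepted = nat_t_vendor_ids(vpn_log)
    if flows and ignored and not accepted:
        verdict = "client is behind NAPT and the gateway ignores every NAT-T offer"
    elif flows:
        verdict = "client is behind NAPT; check that NAT-T is negotiated"
    else:
        verdict = "no port translation seen on the IKE flow"
    return {"napt_flows": flows, "nat_t_ignored": ignored,
            "nat_t_accepted": accepted, "verdict": verdict}


if __name__ == "__main__":
    print(diagnose(FIREWALL_LOG, VPN_LOG))
```

Without NAT-T the tunnel falls back to plain ESP (IP protocol 50), which carries no port numbers for a port-translating NAT to rewrite, so a result with translated flows and no accepted NAT-T vendor ID matches the symptom described in the post.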
     
  2. TazUk

    TazUk Network Guru Member

    I have the same problem with my Vodafone GPRS card :( I did speak to Vodafone about it and they said they would change the APN I connect to, either they didn't do this or it doesn't work as I still can't connect. Haven't had time to chase them up over this :unsure:
     
  3. mmcalis1

    mmcalis1 Network Guru Member

    I have now been on to Vodafone, Greenbow, Linksys and the guys who sold me the 3G card and none of them have been any help - does anyone know why VPN will NOT work via GPRS and 3G but the same VPN will work via normal dial up networking?

    I am stumped and now have 3 x 3G cards that have been useless since the day I got them!

    Can anyone shed any light on this?

    M
     
  4. mmcalis1

    mmcalis1 Network Guru Member

    I have been in touch with Vodafone - they inform me it is them who are the problem - it seems the way they handle NAT-T on 3G will not work with some VPN boxes!!!

    We are exploring this issue with Vodafone but I am but a minnow in the vast ocean that is Vodafone and so I don't hold out much hope.

    I did find out though that Orange 3G give two different APN's - one called 'internet' and the other called 'internetvpn' - the latter gives you a public IP and so all is well with your VPN box.

    The other big problem is that the RV042 does not seem to support IPSEC over NAT Traversal. It seems another VPN box - Zyxel Zywall 35 does however but it is almost 4 times the price of the RV042!!!

    Hindsight is such a wonderful thing!!!!

    Let me know if anyone can get any answer from Linksys about the IPSEC over NAT-T - I give up with them!!!!

    M
     
  5. DocLarge

    DocLarge Super Moderator Staff Member Member

    The easy and cheap way I got around that problem was simply by installing another router as my "primary" router for my network and the problem went away. For $78 from newegg.com, the SMCBR18VPN Firewall router is fully capable of passing NAT-T and GRE, which it seems the RV0xx/WRV54G series are not (intentional, I might add). Think about it; if these routers supported all the other protocols as previous linksys routers, Linksys would not have been able to market "quickvpn" as a solution for those users who are "thick in the head" :)

    So, get yourself a router capable of passing NAT-T/GRE, install it as your primary (making the RV0xx your secondary router) and all problems should be resolved:

    http://www.smc.com/files/AP/DS_BR18VPN_EN.pdf

    Doc
     
  6. mmcalis1

    mmcalis1 Network Guru Member

    Thanks Doc - but this router does not seem to be available in the UK!

    Any other manufacturers/ routers? is there a list?

    So....

    Do I connect my ADSL modem to the NAT-T/GRE Router (SMC as above) then connect that to one of the ports on the RV042 - then would I port forward all ports on the NAT-T/GRE box to the RV042 as the DMZ? or would I let the NAT-T/GRE box handle the VPN's for me?

    Confused :unsure:

    All your help is very much appreciated.

    M
     
  7. mmcalis1

    mmcalis1 Network Guru Member

    A supplier has found a SMCBR14VPN - same as the 18 but with just 4 ports for £50! hurray!

    Doc - Could you tell me if I then just setup the DMZ on the SMC router as the RV042 - or do I use the VPN capabilities of the SMC box?

    A very simple network setup would help me loads!!!!

    Thanks,

    M
     
  8. TazUk

    TazUk Network Guru Member

    You would use the VPN capabilities of the SMC router ;)
     
  9. mmcalis1

    mmcalis1 Network Guru Member

    Thanks TazUK!

    So the VPN tunnel will reside between the SMC box and the Greenbow 3G client.

    How do I setup the comms between the SMC machine and, say, the WAN2 port on the RV042? Do I drop the firewall on the RV042 for all traffic from the SMC box? where do I do port forwarding?

    My office network is a 172.16.0.0 network with a netmask of 255.255.255.0.

    The network between the RV042 and the SMC would be what type of network? 192.168.4.0 (255.255.255.0)?????

    I have never set this sort of thing up before as I generally only use one Router for an ADSL connection which then takes over the WAN IP of the ADSL modem - simple! I understand this but when another router is put in place how does the bit in the middle work and get set up? forwarding ports? firewalls? ip addresses?

    Any help of this would be much appreciated - sorry for being such a daft newbie! :D

    M
     
  10. DocLarge

    DocLarge Super Moderator Staff Member Member

    Here's an older post of mine:

    http://www.linksysinfo.org/modules.php?name=Forums&file=viewtopic&t=11877

    I'm running this configuration right now, and I can vpn either into my SMC, connect to a 2000 vpn server box "through" my SMC by opening up port 1723 (SMC can pass GRE with no problems), or just forward ports 443 and 500 on SMC to my WRV54G and use quickvpn. Ultimately, I have more than one vpn option which is advantageous when one of them is playing up...

    Doc
     
  11. mmcalis1

    mmcalis1 Network Guru Member

    Doc,

    Thanks for the info

    Can you have a look at http://www.msoft.co.uk/vpn.pdf

    It is a potential layout for comment - could you have a look and comment?

    I am mainly interested in the blue vpn route (I have included a red vpn route for comment)

    My only confusion is the port forwarding/ single NAT'ing between the SMC and RV042.

    Option 1 - forwarding
    Option 2 - Single NAT - ie. like a DMZ - I am using linksys terminology

    Option 1 I guess solves the NAT-T issue but would option 2 negate the use of the SMC box!!!?!

    If I used the SMC box for VPN'ing would the red route be used or am I being a silly newbie?

    Someone mentioned I would use the SMC for VPN and not the RV042 - could I use both? if so what route would the SMC VPN take?

    I thank you again for all your help both past and in advance :thumbup:

    M
     
  12. DocLarge

    DocLarge Super Moderator Staff Member Member

    Sorry for taking so long to get back.

    I'd try Option 1 first. I forgot for a moment that the RV042 has two WAN ports (heh).

    Ideally, by just putting the RV042 "behind" the smc router, all of the NAT-T/GRE problems will disappear!!!! The only thing then becomes a case of what to do with the spare static ip... :)

    Doc
     
  13. mmcalis1

    mmcalis1 Network Guru Member

    Thanks Doc.

    But I have a wee problem - my supplier now informs me that the SMC BR14VPN and the SMC BR18VPN are no longer available.

    Do you know of any other VPN capable routers that support NAT-T and GRE?

    I have looked at the usual suspects and they don't say anything about it! Netgear, SMC, Zyxel.....

    Is ESP the same as NAT-T?

    Why on earth are all the major manufacturers dropping their vpn routers? something I should know about?
     
  14. mmcalis1

    mmcalis1 Network Guru Member

  15. TazUk

    TazUk Network Guru Member

    Yes and Yes :)
     
  16. DocLarge

    DocLarge Super Moderator Staff Member Member

    Like Taz said, this is what you're looking for. As a confession (linksys community, please forgive me) I went out and bought a DG834G ADSL VPN router from Netgear. As expected, it runs like shit (drops tunnel, becomes unresponsive...) but I needed something on the other side for testing purposes. As of the last couple of days, it's been behaving, so I'll give it another chance.

    Granted, for a home router with vpn capability, it's not that bad. If you can't find anything else, just stop in a local "Dixons" if you're living in the UK and pick one up. It'll work...

    Doc
     
  17. mmcalis1

    mmcalis1 Network Guru Member

    Taz and Doc,

    A big big thanks to you guys! :rockon:

    I may rethink the DG834 after your experience - I am sure there are others out there.

    I will get all the bits together and see what happens - I will post my results in the forum - I hope this helps anyone who has difficulty with VPN's coming from 3G or GPRS cards.

    I wish Linksys would just do a NAT-T aware vpn box! life would be so simple!

    I do wonder why all the competition seem to be dropping their VPN parts to their routers - linksys included! - then afterwards they don't do a vpn only box! most odd! or maybe I am blind.

    I will post soon.

    M
     
  18. mmcm888

    mmcm888 Guest

    An Alternative - It works with 3G/GPRS cards NAT etc

    Have a look at www.accessmylan.com - This is a hosted VPN with no need for appliances on the server network. Works with 3G/GPRS data cards using the Vodafone Internet APN. There is a free trial available.
     
  19. DocLarge

    DocLarge Super Moderator Staff Member Member

  20. mmcalis1

    mmcalis1 Network Guru Member

    OK - after lots of pratting about with my Linksys RV042, trying to get hold of an SMC vpn router and then buying a Netgear Dual WAN box (terrible, do NOT buy one!) I have given up and bought a Zyxel Zywall 35.

    It is great and is very reliable - can't seem to use the DLink 300T modems but just bought new Zyxel ones - so I am the proud owner of 2 Zyxel Modems and a Zywall 35 and it all supports 3G and GPRS VPN clients.

    It cost me a bit £220+vat and the two modems came to ~£60+vat but it was all worth it after I had spent months on this trying to do the job in a round about way.

    Thanks for all your help on this Doc and Taz and sorry for bugging out in the end but I needed a solution fast as my road warriors were giving me a serious headache!

    M
     
  21. mmcalis1

    mmcalis1 Network Guru Member

    Anyone want to buy an RV042?

    :grin:
     
  22. papabong

    papabong Guest

    Hi, I have exactly the same problem. Anyone managed to get the Vodafone 3G card working with the Linksys WRV54 Router?

    I can connect via quickvpn (at least my router says it is connected) - but it hangs at "verifying network" and I can't connect to my private network (and I don't get an IP address from this network).

    If I try to connect from a regular internet connection it works fine.

    Hopefully this issue is solved soon.
     
