
VPN: All attempts have failed and overdue deadline.

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by productologist, Apr 3, 2005.

  1. productologist

    productologist Network Guru Member

    Hello people,

    I have been reading this web site hoping to find a solution to my problem and unfortunately have not found a working solution. Perhaps someone can hold my hand and show me the way because I've been trying for 2 weeks and today is deadline day.

    I am trying to use a WRV54G with revision 2.37 to accept VPN connections. The sole purpose of using VPN is for this reason:

    Our office has 5 static IP addresses which have all been granted access by another business network's firewall to access a particular private web site. We want to use VPN to tunnel into our office network from any location in the world and be able to use the router's static IP and use it as a 'middle man' to access this 3rd party website. That's all we care about, we don't need anything else but this.

    I thought I would be able to use the WRV54G, config it up with a static IP, turn on the VPN and that would be it. How wrong I was; I should have read up on this NAT-T issue with this router first.

    I am failing miserably. I have tried QuickVPN, IPsec, GreenBow VPN, all of which don't work for me. I have tried from a dialup and within the LAN.

    Someone please help me... I even ditched the whole router at this point altogether and am now trying to use a WXP server to accept VPN. I got it to connect, but once connected I can't browse any website whatsoever. As you can see, I'm desperate.

    Thanks for any help you can offer.
     
  2. H2O_Goalie

    H2O_Goalie Network Guru Member

    Well...one huge problem that you're going to run into is the NAT-T issue. Right there, that's probably a showstopper...unless you're willing to use GreenBow, QuickVPN, etc.

    The second issue that you're going to have a problem with is that the router is really designed only to accept incoming VPN traffic for the local network. There is a name for what you're trying to do (which I forget right now)...it's considered a major security faux pas. You could potentially try to get around it by aliasing/mapping IPs (though I don't think the WRV will do that) or getting tricky with some routing table entries.

    I suspect that the absolute easiest way to accomplish what you're after is to do these two things:
    1. Establish a VPN tunnel, by hook or by crook, with your laptops. Whether that's by GreenBow, QuickVPN, magic wand, whatever. My suggestion would be to dump the WRV and get BEFVP41s.
    2. Set up a PC on the local (office?) network running Remote Desktop. When the remote (laptop) guys need to use the "private website", have them raise a tunnel to the office, use Remote Desktop to control the local (office) PC and then jump from that PC into the "private website".

    The NAT-T issue is screwing you, that's for sure. But the additional functionality you're looking for is really a little bit beyond the scope/ability of a $150 router. Aliasing/mapping IPs is the kind of thing you do on a "real" router.
     
  3. TazUk

    TazUk Network Guru Member

    I'd suggest setting up a proxy server at the office and set the remote PCs to access the web through that.

    The problem at the moment is the remote PCs will be trying to access the website directly as they do not know to go via the VPN. The other issue is the WRV54G is acting as a gateway rather than a router, which limits static routing etc.
     
  4. H2O_Goalie

    H2O_Goalie Network Guru Member

    Proxy isn't a bad idea at all Taz...in fact it popped into my head about 2 minutes after my last post.
     
  5. TazUk

    TazUk Network Guru Member

    Thanks, I do have these brain waves once in a while :D
     
  6. productologist

    productologist Network Guru Member

    H2O_Goalie:

    I can't dump the WRV at the moment and get BEFVP41s because this country's computer supplies are limited and ordering that model would take a long time, I had a friend bring down the WRV54G from Canada. Maybe in the future I can get one though.

    Remote desktop was one option I thought of, but it is a bit insecure and sluggish at the same time; my co-worker also thinks it is a bit sketchy. I would hate to have to resort to this as a last resort.

    The NAT-T issues are heartbreaking... I know. I was thinking of trying to customize the routing tables and see if that resolves anything. I guess I'll brush up on that a bit today and learn more about it because I have never customized routing tables.

    TazUk:

    Proxy is something I initially thought to do but thought current implementations were insecure and I opted for VPN. At this point maybe it will be my savior combined with SSL. Don't know how secure a proxy is though. I will spend some time on that too today and see what I can learn on types of software or possibly 3rd party outsourcing. Any help again would be much appreciated.

    I have other routers in the office available, US Robotics USR8000, maybe I can get that to be the gateway and have WRV54G set in router operation mode or vice versa and fiddle with the routing tables. Sounds daunting.

    I also have a linux box somewhere in the office with RedHat 9 maybe I can figure something out with that.

    BTW, does anyone know of a good guide online to setting up IPsec Policy for VPN in gpedit.msc?

    Thanks guys for the help so far, I will see what I can do today and write back soon.
     
  7. H2O_Goalie

    H2O_Goalie Network Guru Member

    No offense man...but it's clear that you don't know what you're doing. I was referring to running Remote Desktop over a VPN tunnel (more than secure...hardly sluggish in my experience...I do it myself with various apps when I'm on the road). Likewise, Taz was referring to hitting the proxy server over the VPN tunnel (once again, more than secure).

    Customizing the routing tables is not going to help you overcome the NAT-T issue. End of story.

    If you can't switch up on hardware, then due to the NAT-T problem you'll have to make use of the QuickVPN client (or something similar, like Greenbow). Which will still leave you with this reality: a low-end router like the WRV simply isn't designed to do aliasing/mapping like you'd need to do. You will have to have a machine on your office network "relay" in one manner or another...either via Remote Desktop or a proxy.

    You shouldn't have waited until now to ask these questions.
     
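    The relay idea from TazUk's and H2O_Goalie's posts (a proxy on the office LAN that the laptops reach over the VPN tunnel, so the private site sees the office static IP) needs the remote PCs to know which traffic goes via the proxy. Below is an added example, not code from the thread, of a browser proxy auto-config (PAC) script that does exactly that; the site name `private.example.com` and the proxy address `192.168.1.10:3128` are placeholders I assumed, since the thread names neither.

```javascript
// Added example (not from the thread): proxy auto-config for the remote laptops.
// Only the "private website" is sent to the office proxy, which is reachable
// solely through the VPN tunnel; all other browsing stays direct.
var PRIVATE_SITE = "private.example.com";        // placeholder: the thread never names the site
var OFFICE_PROXY_IP = "192.168.1.10";            // assumed office-LAN address of the proxy
var OFFICE_PROXY = "PROXY " + OFFICE_PROXY_IP + ":3128";

// Same semantics as the PAC built-in dnsDomainIs(): exact host or a subdomain of it.
// Note "notprivate.example.com" must NOT match "private.example.com".
function dnsDomainIs(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Sanity check for the deployer: the relay should sit on an RFC 1918 address so it
// is only reachable through the tunnel, never from the open internet.
function isPrivateIPv4(ip) {
  var p = ip.split(".").map(Number);
  if (p.length !== 4 || p.some(function (n) { return isNaN(n) || n < 0 || n > 255; })) {
    return false;
  }
  return p[0] === 10 ||
         (p[0] === 172 && p[1] >= 16 && p[1] <= 31) ||
         (p[0] === 192 && p[1] === 168);
}

// Standard PAC entry point; the browser calls it for every request.
function FindProxyForURL(url, host) {
  if (dnsDomainIs(host, PRIVATE_SITE)) {
    return OFFICE_PROXY;   // goes out with the office static IP
  }
  return "DIRECT";         // everything else leaves the laptop normally
}
```

The proxy itself should accept connections only from the VPN client address range; the PAC file only steers the browser and enforces nothing.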
  8. DocLarge

    DocLarge Super Moderator Staff Member Member

    Productologist,

    I'm in agreeance with goalie as far as the "limitations" of the wrv54g (NAT-T), however his tonality and condescending nature I don't share (I'll keep my asshole in my pants as opposed to showing it to someone I don't know; "Netiquette" goes quite far in some instances) :) :) :) Not all of us are pseudo-professionals who are in a position to pass insult to those who are in need of help, man. We just try to help when we can...

    If you'd like, subscribe to the wrv54g@yahoogroups.com forum because one of our members has found a way to utilize QuickVPN parameters inside of GreenBow to connect from behind a NAT router to another NAT router (as a matter of fact, it was my router he did it with). Here's the post he put on another board in linksysinfo:

    http://www.linksysinfo.org/modules.php?name=Forums&file=viewtopic&t=3608

    In conjunction with this, I've got some developer friends I've introduced this problem to and one of them said if I can convince them there is a market, it would make it worth their time to "fix the problem," for a nominal fee of course (roughly $15 - $20 bucks for a patch).

    I've got a WAG54G ADSL Gateway I bought over here in England and I had someone connect from behind a WRT54G using GreenBow to my WAG54G (which "DOES" NAT-T and is about $60 to $100 cheaper than the WRV54G) and access the shared resources. Basically, the WAG has the two NAT-T patches the WRV doesn't (Chris, who came up with this workaround, compared the source codes). The WAG54G only supports 5 tunnels, but it does NAT-T. As I told my developer friend, a lot of us would rather pay a few bucks for a patch rather than going out to buy another device (or two). Not all of us have that "long green" to be putting on another router due to a "patch issue."

    The WRV54G isn't exactly a low end router; the limited view on how to approach a solution is the detractor...

    Let me know if this helps...

    Doc
     
