
VPN Frustration with RV042 and WRV200

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by leed, May 9, 2008.

  1. leed

    leed LI Guru Member

    Finding no worries on the net and a lot of fancy pictures on Linksys boxes showing connected RV042 and WRV200 devices, I decided to purchase these products for a VPN solution.

    That was in January; it still doesn't work. I've searched the forums and only found threads addressing other problems with the devices. Hopefully someone can help me here, you guys sound as if you rebuild these things.

    My Plan
    What I'm trying to do is to set up two VPN tunnels from my home using a WRV200 to connect to my parents' WRV200 and my office's RV042. I often get asked for support and would prefer to do that from home. Also I want to enable my colleagues at work to connect to the office using QuickVPN.


    The Problems
    -QuickVPN only works sometimes over ADSL (rarely). No changes were made to the clients used. Tried to connect in all three places.
    -QuickVPN over dial-up always works, but is too slow to use.
    -QuickVPN over UMTS hasn't worked so far.
    -Connecting to the office with PPTP using a linux client worked for a short time, but now doesn't.
    -None of the Gateway to Gateway tunnels worked so far. Absolutely no success.

    QuickVPN Symptoms
    -In some cases QuickVPN hangs on "Verifying Network"
    -In most cases QuickVPN returns a message listing several possible problems (Password, ip, serveraddress, firewall ... none are the real reason)
    -In rare cases it works immediately

    Things I have tried/or not forgotten
    -Disabling firewalls and antivirus programs on clients
    -Certificates (*.pem) are added to the clients
    -All routers use DynDNS FQDN addresses, but I'm also trying with static IP (I have dynamic IPs that change periodically), so far absolutely no success.
    -All networks, including those between the Linksys routers and the ISP devices, have different network ranges (192.168.xx.0, 255.255.255.0)
    -Phase 1 & 2 DH groups as well as the encryption and authentication are set the same on all devices (Group 2, 3DES, MD5 blabla)
    -Preshared keys are set properly
    -Tried enabling/disabling NAT-T, didn't do much, it just disturbed my settings on the WRV200 (couldn't set up the remote group anymore).

    My Boss is pushing, I'd really be grateful if anyone could give me a tip on what I'm doing wrong here.
     
  2. Sfor

    Sfor Network Guru Member

    I do have a two WRV200 and one RV042 triangle-shaped gateway-to-gateway VPN network working correctly. The difference is, all devices have static IPs from the provider, and there is no NAT between them.

    WRV200 does seem to support NAT traversal by default. But there has to be an IPSec VPN passthrough capable router on the way. Ports 500 and 4500 have to be forwarded to the WRV200 as well.

    The NAT-traversal switch in the WRV200 does not seem to enable NAT traversal, it forces the device to accept connection from any client, instead.

    One of my WRV200s is not an internet gateway. I switched it to router mode and placed it behind another NAT router. The WRV200 serves just as an IPSec gateway that way. The NAT traversal option in the WRV200 is disabled. Still it makes IPSec connections with another WRV200 (NAT-T disabled as well) and the RV042 (NAT-T enabled).

    My RV042 is running 1.3.10 firmware, both WRV200 are running 1.0.37 firmware.
     
  3. leed

    leed LI Guru Member

    What I'm doing

    Could you give me a hint where you got those firmwares from? Are they official? I can't find them on the linksys site

    I'm using the following Versions

    RV042: 1.3.9
    WRV200: 1.0.32.2-ETSI

    VPN Clients (WinXP SP2): QuickVPN 1.2.6


    What I'm doing with the ISP routers is setting their NAT to forward everything to the Linksys routers behind them, so they shouldn't be a problem because that basically disables the second NAT.
     
  4. Sfor

    Sfor Network Guru Member

    The 1.3.10 firmware does have a NAT-T issue corrected. So, it would be good to use it in your RV042.
    The official 1.0.32.2 is a very old firmware with many issues. The newest available is 1.0.38.

    Both 1.0.38 and 1.3.10 are betas. You have to contact Linksys support to get them, as Linksys stopped providing betas on public servers, recently.

    Well, putting the WRV200 in the DMZ should work, but for some reason I was unable to connect in such a case. I had to buy a new IPSec passthrough capable router and forward ports 500 and 4500 to make gateway-to-gateway IPSec VPN work behind a NAT. I was using SMC Barricade 7004BR and Digitus DN-11005 devices, but I was unable to get a connection working with any possible configuration. Everything went well with an OvisLink IP-1000R, on the other hand.
     
  5. Toxic

    Toxic Administrator Staff Member

    Some users have reported that QVPN works when setting static IP addresses on the client machines.
    For the office RV042 I would use the built-in PPTP as this works 100%.
     
  6. leed

    leed LI Guru Member

    Thanks for all replies, you've been a great help. I've got some minor successes, but all in all I'm not where I want to be yet.

    After upgrading the firmware on the RV042 I had the problem that the DynDNS function no longer noticed that the router (using NAT) is behind another NAT router, so it posted the internal IP on DynDNS instead of the WAN IP. I managed to solve this problem after finding out how to convert the ISP router in the office into a network bridge, eliminating the extra network between the LAN and WAN. I'll try to get this working on the other ISP routers, but I'm not sure if they are capable of doing this. They do however use the Linksys routers as default NAT client (forward all ports).

    After changing that router into a bridge, PPTP started working (didn't respond before). I could access shares, browse intranet and print over VPN, still experimenting with VNC. So I already have a possibility for Clients to connect from outside, although it's not really a safe solution and it's also limited to 5 Users.

    Also after upgrading the WRV200 at home, I can connect to it via QuickVPN (Firewall must be open), strange enough however this only works from the office to my home, not from my home to the office.

    The Gateway to Gateway connections still don't work.

    What I still want to achieve
    -VNC Connections over VPN
    -Constant Tunnels between the Gateways
    -quickVPN to replace the PPTP for the clients connecting to the office

    Problem Symptoms
    QuickVPN
    -Connecting to my parents from anywhere it hangs at Verifying Network... my dad sent me the certificate, but QuickVPN still says it can't find a certificate on my machine. Firmware on that one is still old and I guess the thing needs a new certificate.

    -Connecting to the office with quickVPN still only works over DialUp phoneline, with DSL it blocks with the "failed to establish a connection" window (list with 4 possible reasons, of which none is the case). But it does seem to recognize the server, if I remove the certificate from the client, QVPN says that it can't find the servers certificate before bringing the same error message.

    -The Gateways are still showing no sign of a tunnel, with or without static ip settings. Also tried with the ugly NAT-T setting leaving everything open in the WRV200

    RV042 log:
    STATE_AGGR_I1: initiate
    [Tunnel Negotiation Info] >>> Initiator Send Aggressive Mode 1st packet
    initiating Aggressive Mode #63 to replace #62, connection "ips0"
    STATE_AGGR_I1: initiate
    message ignored because it contains an payload type (ISAKMP_NEXT_HASH) unexpected in this message
    Phase 1 message is part of an unknown exchange
    message ignored because it contains an payload type (ISAKMP_NEXT_HASH) unexpected in this message


    All a bit cryptic to me, does anybody know what this could mean?
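    Those log lines are in the format of the pluto IKE daemon the RV0xx series uses. The following is an added example, not part of the thread or of Linksys firmware: a small triage script that reads a log fragment like the one above, records which phase-1 mode the local side initiated, how often it gave up on an SA and replaced it, and whether any reply was parsed as a valid exchange. The mapping from markers to a suspected cause (verdict strings and the comments next to them) is my own heuristic, taken from the advice given later in this thread, not something the router documents. Both log samples are constructed: the failing one copies the lines quoted above, the working one shows the state names pluto prints when a tunnel comes up.

```python
import re
from collections import Counter

# Constructed sample: the pluto-style lines quoted from the RV042 log above.
FAILING_LOG = """\
STATE_AGGR_I1: initiate
[Tunnel Negotiation Info] >>> Initiator Send Aggressive Mode 1st packet
initiating Aggressive Mode #63 to replace #62, connection "ips0"
STATE_AGGR_I1: initiate
message ignored because it contains an payload type (ISAKMP_NEXT_HASH) unexpected in this message
Phase 1 message is part of an unknown exchange
message ignored because it contains an payload type (ISAKMP_NEXT_HASH) unexpected in this message
"""

# Constructed sample of a negotiation that gets all the way up, in the same
# format (state names as pluto prints them), for contrast.
WORKING_LOG = """\
initiating Aggressive Mode #12, connection "ips0"
STATE_AGGR_I1: initiate
STATE_AGGR_I2: sent AI2, ISAKMP SA established
STATE_QUICK_I1: initiate
STATE_QUICK_I2: sent QI2, IPsec SA established
"""

INITIATE = re.compile(r'initiating (Aggressive|Main) Mode #(\d+)(?: to replace #(\d+))?')
MARKERS = {
    "unexpected_payload": "unexpected in this message",
    "unknown_exchange": "part of an unknown exchange",
    "isakmp_established": "ISAKMP SA established",
    "ipsec_established": "IPsec SA established",
}


def triage_phase1(log_text):
    """Classify a pluto-style IKE log fragment.

    Returns the phase-1 mode the local side initiated, how many SAs it
    replaced after giving up, per-marker counts, and a verdict string.
    The verdict-to-cause mapping is a heuristic (assumption), not router doc.
    """
    counts = Counter()
    mode = None
    replaced = 0
    for line in log_text.splitlines():
        m = INITIATE.search(line)
        if m:
            mode = m.group(1)
            counts["initiate"] += 1
            if m.group(3):
                replaced += 1
        for key, needle in MARKERS.items():
            if needle in line:
                counts[key] += 1

    if counts["ipsec_established"]:
        verdict = "tunnel_up"
    elif counts["isakmp_established"]:
        # phase 1 is fine: compare subnets, PFS and the ESP proposal instead
        verdict = "phase2_failing"
    elif counts["unknown_exchange"] or counts["unexpected_payload"]:
        # replies do arrive, but are not the exchange the initiator expects:
        # check Operation Mode (Main/Aggressive) and the phase-1 proposal on both ends
        verdict = "mode_mismatch_suspected"
    elif counts["initiate"]:
        # nothing came back at all: reachability, UDP 500/4500 forwarding, NAT-T
        verdict = "no_reply"
    else:
        verdict = "no_ike_activity"
    return {"mode": mode, "replaced_sas": replaced,
            "counts": dict(counts), "verdict": verdict}


if __name__ == "__main__":
    for name, log in (("failing", FAILING_LOG), ("working", WORKING_LOG)):
        print(name, triage_phase1(log))
```

    Run it on a saved copy of the router's log page; the point is to tell "no answer at all" (a forwarding or NAT-T problem) apart from "answers that the initiator cannot parse" (a negotiation-parameter problem), which need different fixes.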
     
  7. leed

    leed LI Guru Member

    Also noted a strange symptom after updating my parents network, just like on mine the quickVPN connection to the office (RV042) worked on the first attempt, after that I got the same symptoms as I have at home.
     
  8. netlinker

    netlinker LI Guru Member

    My link between an RV082 and a WRV200 has been up for months without a single interruption.

    The RV082 sits on a fixed IP address. But IP by DNS Resolved for the Local Group Setup should probably also work.

    Some hints:

    RV082
    Local Group Setup: IP Only

    Remote Group Setup: IP Only
    IP by DNS Resolved

    IPSec Setup
    IKE with Preshared Key
    Perfect Forward Security

    Advanced
    Aggressive Mode
    Keep Alive
    Dead Peer Detection


    WRV200
    NAT Traversal
    Disabled

    Remote Secure Gateway
    IP Addr.
    (this should probably be FQDN if the other end is also on dyndns)

    Key Exchange Method
    Auto

    Operation Mode
    Aggressive

    ISAKMP Encryption Method
    3DES

    ISAKMP Authentication Method
    MD5

    ISAKMP DH Group
    Group 2

    ISAKMP Lifetime
    28800

    PFS
    Enabled

    IPSec Encryption Method
    3DES

    IPSec Authentication Method
    MD5

    IPSec Key Lifetime
    3600

    Dead Peer Detection

    Detection Delay
    10

    Detection Timeout
    120

    DPD Action
    Suspend Connection

    Anti Replay



    Of course keys must match, and IP addresses (use zero at the end) and netmask must also match.
     
  9. netlinker

    netlinker LI Guru Member

    For remote access by roaming users you don't really want to mess around with configurations on client computers. SSL is the way to go.

    Have a look at the Linksys RVL200. This could sit behind the RV042 and give users clientless VPN access back to the office.
     
  10. cactusfazer

    cactusfazer Network Guru Member

    If you have configured (active or not) an IPSec tunnel in the RV042 for a WRV200 at home, you can't connect from the home network to the RV042 with QVPN.
    A lot of computers have 2 network cards: you must have only one IP for the computer and deactivate all other network cards.
    The WRV200 works with NAT-T with my version: 1.0.33
     
  11. leed

    leed LI Guru Member

    Tried the above settings from Netlinker, which got me a little further, also tried a few more changes myself (change of passcode, AES-128/SHA-1 instead of 3DES/MD5, NAT-T on WRV200 & "IP + FQDN" on RV042...).

    I managed to get around some problems, but not this one
    (RV042 log)

    -Phase 1 message is part of an unknown exchange
    -message ignored because it contains an payload type (ISAKMP_NEXT_HASH) unexpected in this message
     
  12. cactusfazer

    cactusfazer Network Guru Member

    You MUST put the same parameters for crypto! Don't try to change them.
    Try to play with "operation mode": main or aggressive.
    In aggressive mode, it doesn't check all exchanges in the negotiation.
    Try to verify that lifetimes are identical.
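    Netlinker's checklist (post 8) and the two points above (same crypto parameters, identical lifetimes, plus "use zero at the end" for the subnets) are exactly the things that get fat-fingered across two different web UIs. The script below is an added example, not code from the thread or from Linksys: it holds each gateway's settings in a plain dict with field names of my own choosing (an assumption; the UI labels differ between RV042 and WRV200), normalises label spellings such as "Group 2" vs "group2", and reports every field where the two ends disagree, every subnet entered with host bits set, overlapping local/remote ranges, and a local/remote pair that is not mirrored on the other end. The sample configs are constructed from the values in netlinker's post; the test key is the one he offered.

```python
import ipaddress

# Constructed sample configs modelled on the checklist in this thread.
# Field names are my own (assumption); the two Linksys UIs label them differently.
RV042 = {
    "mode": "Aggressive",
    "ike_enc": "3DES", "ike_auth": "MD5", "dh_group": "Group 2", "ike_lifetime": 28800,
    "pfs": True, "esp_enc": "3DES", "esp_auth": "MD5", "esp_lifetime": 3600,
    "psk": "jlog980345dsy86joy83icf08",
    "local_subnet": "192.168.1.1/24",   # deliberately entered with a host address
    "remote_subnet": "192.168.2.0/24",
}
WRV200 = {
    "mode": "aggressive",
    "ike_enc": "3des", "ike_auth": "md5", "dh_group": "group2", "ike_lifetime": 28800,
    "pfs": True, "esp_enc": "3DES", "esp_auth": "MD5", "esp_lifetime": 3600,
    "psk": "jlog980345dsy86joy83icf08",
    "local_subnet": "192.168.2.0/24",
    "remote_subnet": "192.168.1.0/24",
}

# Everything that must be byte-for-byte identical on both ends (after normalising labels).
CRYPTO_FIELDS = ("mode", "ike_enc", "ike_auth", "dh_group", "ike_lifetime",
                 "pfs", "esp_enc", "esp_auth", "esp_lifetime")


def _norm(value):
    """'Group 2' / 'group2' / 'GROUP_2' -> 'group2'; numbers and booleans unchanged."""
    if isinstance(value, str):
        return "".join(ch for ch in value.lower() if ch.isalnum())
    return value


def _net(spec):
    return ipaddress.ip_network(spec, strict=False)


def check_pair(a, b):
    """Compare two gateway configs. Returns {field: problem}; empty means consistent."""
    problems = {}
    for field in CRYPTO_FIELDS:
        if _norm(a[field]) != _norm(b[field]):
            problems[field] = f"{a[field]!r} vs {b[field]!r}"
    if a["psk"] != b["psk"]:
        problems["psk"] = "preshared keys differ"   # never print the key itself

    for name, cfg in (("a", a), ("b", b)):
        for side in ("local_subnet", "remote_subnet"):
            iface = ipaddress.ip_interface(cfg[side])
            if iface.ip != iface.network.network_address:
                problems[f"{name}.{side}"] = (
                    f"{cfg[side]} has host bits set; enter {iface.network}")
        if _net(cfg["local_subnet"]).overlaps(_net(cfg["remote_subnet"])):
            problems[f"{name}.subnets"] = "local and remote subnets overlap"

    # the local group on one end must be the remote group on the other, and vice versa
    if _net(a["local_subnet"]) != _net(b["remote_subnet"]):
        problems["a.local/b.remote"] = f"{_net(a['local_subnet'])} != {_net(b['remote_subnet'])}"
    if _net(a["remote_subnet"]) != _net(b["local_subnet"]):
        problems["a.remote/b.local"] = f"{_net(a['remote_subnet'])} != {_net(b['local_subnet'])}"
    return problems


if __name__ == "__main__":
    for field, problem in check_pair(RV042, WRV200).items():
        print(f"{field}: {problem}")
```

    With the sample data the only finding is the RV042 local subnet typed as 192.168.1.1/24 instead of 192.168.1.0/24; change the WRV200 side to Main mode or a different lifetime and those show up as well.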
     
  13. netlinker

    netlinker LI Guru Member

    And in addition you should also check that:

    - your dyndns settings are correctly set
    - you use the same preshared key; the following should work for test purposes jlog980345dsy86joy83icf08
     
  14. cactusfazer

    cactusfazer Network Guru Member

    Try to check your MTU setting: in my case, I have to put it at 1400.
    You can find a faq on linksys.com faq.
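    Why an MTU around 1400 helps: every packet that enters the tunnel grows by an outer IP header, the ESP header and IV, padding up to the cipher block size, the ESP trailer and the 96-bit ICV, plus a UDP header when NAT-T is in use. A 1500-byte inner packet therefore no longer fits in a 1500-byte (or, on ADSL with PPPoE, 1492-byte) link and gets fragmented or dropped. The function below is an added example, not part of the thread or of any Linksys FAQ; it computes the on-the-wire size of an ESP tunnel-mode packet for the cipher/hash combinations discussed in this thread (3DES-CBC and AES-CBC with HMAC-MD5-96 or HMAC-SHA1-96) and finds the largest inner packet that still fits a given outer MTU. Header sizes follow the ESP RFCs; the cipher and hash names are my own keys.

```python
# ESP tunnel-mode overhead calculator (added example, not vendor code).
# Sizes: outer IPv4 header 20, NAT-T UDP header 8, ESP SPI+sequence 8,
# CBC IV = cipher block size, trailer = padding + pad-length + next-header,
# ICV 12 bytes for the truncated HMAC-96 variants both routers offer.
CIPHERS = {"3des": 8, "aes": 16}          # CBC block size == IV length
HASHES = {"md5": 12, "sha1": 12}          # HMAC-MD5-96 / HMAC-SHA1-96 ICV


def esp_tunnel_packet_size(inner_len, cipher="3des", auth="md5", nat_t=False):
    """Bytes on the wire for an inner IP packet of inner_len bytes."""
    block = CIPHERS[cipher]
    icv = HASHES[auth]
    # payload plus the 2 trailer bytes is padded up to a whole number of blocks
    padded = -(-(inner_len + 2) // block) * block
    return 20 + (8 if nat_t else 0) + 8 + block + padded + icv


def max_inner_mtu(outer_mtu, **kw):
    """Largest inner packet that still fits outer_mtu after ESP encapsulation."""
    for n in range(outer_mtu, 0, -1):
        if esp_tunnel_packet_size(n, **kw) <= outer_mtu:
            return n
    return 0


def tcp_mss_for(outer_mtu, **kw):
    """Matching TCP MSS (inner MTU minus 20-byte IP and 20-byte TCP headers)."""
    return max_inner_mtu(outer_mtu, **kw) - 40


if __name__ == "__main__":
    for outer in (1500, 1492):
        for cipher, auth in (("3des", "md5"), ("aes", "sha1")):
            for nat_t in (False, True):
                print(f"outer={outer} {cipher}/{auth} nat_t={nat_t}: "
                      f"inner MTU {max_inner_mtu(outer, cipher=cipher, auth=auth, nat_t=nat_t)}, "
                      f"MSS {tcp_mss_for(outer, cipher=cipher, auth=auth, nat_t=nat_t)}")
```

    Across all four combinations the inner limit lands between about 1420 and 1450 bytes, so a 1400-byte MTU on the LAN side clears every case with a little margin, which is consistent with the value that worked above.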
     
  15. gdewey

    gdewey Addicted to LI Member

    RV042

    RV042 on 1.3.9-q50 firmware really has problems dealing with VPN NAT-T, and Linksys support, at least the Mexican / Argentina tech guys, haven't sent me the 1.3.10 to see if it solves the problem (if anyone has the files I would eternally appreciate it).
    I have realized that IPSec was my worst alternative for my actual network conditions. IPSec plus buggy firmware like the RV042's is making my head blow.
    While Linksys determines when is a good time for them to send the updated firmware, I started to play around with OpenVPN on a Windows VPN server I have in the office. In no time I was able to make problem-less tunnels from any network topology: inside firewalls, over 3 NATed clients, etc. I would say that IPSec is good for site-to-site places (the only advantage I see is its security, not that SSL VPN is bad) where you will have full control or want to change the network topology. And for road warriors, having OpenVPN is the best option. Started as a tryout, I will get rid of the idea of QuickVPN from Linksys and use OpenVPN with the GUI Windows client: so configurable, free and so stable over any network condition.
    Guillermo Dewey
     
