wrg54g 2.37.13/2.38 and NAT-T

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by ipcdmatt, Apr 20, 2005.

  1. ipcdmatt

    ipcdmatt Network Guru Member

    Okay Gurus, I have a multi-part question, hope someone can help.

    To begin, branch to branch (back to back WRV54G, already purchased unfortunately)

    Site B must access server app on site A, .. both sites NATTED.

    Can someone categorically tell me whether NAT-T is resolved on Firmware releases 2.37.13 or 2.38 ... reading posts gives fuzzy picture as to this answer although I am leaning to the "NO it does not as of yet"

    Secondly, ... , while Site "B" user runs server app from Site "A" , it needs to make an additional tunnel to "SITE C" as part of the APPS functionality.

    Note: The client for this is integrated into the APP itself and uses PPTP.

    There have been references to disabling PPTP passthrough and VPN portforwarding, ... in order to make the Initial tunnel work.

    I have a sinking feeling that even if I am successful in creating an IPSEC tunnel between "A" and "B", the whole thing breaks when the 2nd tunnel attempts to kick in (A very necessary activity) or no paycheck.

    In the absence of an acceptable solution, does anyone know where I can get an extremely long cable :)
  2. DocLarge

    DocLarge Super Moderator Staff Member Member

    Unfortunately, the NAT issue is still unresolved in "any" current firmware version for the wrv54g router. At this time, it's been made public that the two patches that would allow the wrv54g to handle NAT'd activity was intentionally left out by Linksys in order to market the quickvpn utility (this is my personal opinion and I'm sticking to it :) ).

    Are you looking for some sort of diagram to illustrate tunnel to tunnel configuration?
  3. ipcdmatt

    ipcdmatt Network Guru Member

    wrv54G ... NAT-T or lack thereof

    Okay, well that's what I thought.
    As far as your offer for tunnel to tunnel diagram that would be great, if you could also please advise on the other issue I had mentioned with respect to the PPTP session sourcing from behind the WRV54G going to Site C.

    As of now the following is true for me:

    1) 2.37.13 firmware in use.
    2) Can get QuickVPN to now work from a natted network twds WRV54G, ..but not always
    3) Can get Greenbow to work from Un-Natted to WRV54G
    4) Can't get Greenbow to work from Natted to WRV54G
    5) Can't get Back to Back WRV54G to establish tunnel, end-end.
    6) Can't find the nerve to throw the routers through FutureShops windows.

    Any additional help will be greatly appreciated.

    Thanks !!
  4. DocLarge

    DocLarge Super Moderator Staff Member Member

    Numbers 4 and 5 I should be able to help you with (4 is courtesy of a workaround found by Chris547).

    Gimme a little bit and I'll PM you with what I have...
  5. DocLarge

    DocLarge Super Moderator Staff Member Member

  6. ipcdmatt

    ipcdmatt Network Guru Member

    Thanks, I'll be looking forward to your replies.

    PS: with respect to 2, I have been playing with MTU to no avail and am now checking out a packet analyzer to get the beef.

    For 2, .. my "not always" means a PC on a given pipe that always connects and two others on different pipes that don't, one natted, one not.

    The one that does is also natted.
  7. DocLarge

    DocLarge Super Moderator Staff Member Member

    Alright, here goes...

    4) One of the guys in the WRV54G Yahoo Groups studied the file structure in quickvpn and found a way for you to connect from behind another router to a wrv54g. I've used it over and over and it works. Bear with me now because I'm going to do this the "LONG" way to ensure everyone understands exactly what I'm describing.

    Make sure you have quickvpn "and" greenbow loaded on the client computer. As an opening example, take a look at the following syntax entries:

    c:\>cd program files
    c:\>cd linksys
    c:\>cd linksys vpn client
    c:\>wget https://username:password@a.a.a.a/StartConnection.htm?version=1?IP=b.b.b.b?USER=username

    Let's say you have a vpn client on the wrv54g named Mark and his password is test, and the WAN IP of the wrv is Your remote user's computer (Mark) has an internal LAN IP address behind "his" WRT54G router of In the example above, where you see a.a.a.a is the WAN IP of the WRV you are connecting to and b.b.b.b is the local LAN IP address of the remote user’s computer, in this case, Mark.

    Mark would next open a command prompt and follow the DOS command steps above until he is inside of the "linksys vpn client" directory on "his" computer. Once there, he enters his user information at the command prompt:

    c:\>wget https://mark:test@

    Make sure there are no spaces between this line of syntax. The only space in this entire line is between the “wget” command and https://. To verify string syntax, look at the “wget_error.txt” file located in the same directory.

    When you hit enter, you'll notice the quickvpn parameters connect directly to port 443 on the wrv54g. Again, this is because linksys designed quickvpn to work "exclusively" with the wrv54g and no other vpn client "if" you are behind another NAT-T router. When you see it say "ok," you know you've established the IPSEC tunnel.

    Open up windows explorer and go to the c:\>program files\linksys\linksys vpn client\ directory and look for a file that starts out with "StartConnection@version." Open this file and look for “pre shared key;” copy everything between the = sign and the tab (displayed as small square in this file).


    (Phase I) Alright, Mark now opens greenbow vpn version 2_50_013 and types in his username (mark) for the tunnel, puts the asterisk (*) in the interface field, and uses for Remote Gateway. Paste the pre shared key from the linksys directory into the greenbow pre shared key fields. 3DES/MD5/DH1024 should be the settings in Phase I/II. Save and apply.

    (Phase II) Mark is the tunnel name again, client IP is; address type is “subnet;” choose for LAN and for subnet.

    Again, 3DES/MD5/DH1024 are standard; make sure mode is "tunnel." “PFS” should be checked. Save and apply.

    Open the greenbow vpn console so you can check the session. Click "open tunnel" and you should see greenbow connect (the green tunnel light on the far right will turn to red if you're connected). If for any reason it doesn't connect the first time, don't sweat it. Just go back to the dos command, hit the up key and modify the last line by changing "StartConnection" to "Stop Connection." When you do this, you'll see another file appear in the linksys vpn directory called "StopConnection.htm." So as not to confuse yourself, delete the StartConnection/StopConnection files as you go.

    Go back to your command line and tap the up arrow key until you have your start connection string again and hit enter. Again, you'll see the quickvpn parameters connect to the remote WRV54G; the "StartConnection.htm" file appears in the directory again. Copy the preshared key portion the same as before, paste it into greenbow; hit save and apply.

    Try opening tunnel; if it didn't work the first time, it should this time.

    That's the trick...

    5) You can go to Linksys support and use the knowledge base for tunnel to tunnel configuration. When you get there enter 1705 in the search field and it will bring up a description on how to configure it this way. Even though the description is for the RV082 router, it still pertains to the WRV54G through comparison.

    Try those fixes...
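
Added example (not part of DocLarge's post and not Linksys or Greenbow code): a Python check for the two manual steps in the workaround above that are easiest to get wrong, the single-space wget line and the key copied "between the = sign and the tab". The IP addresses and the saved-file bytes are constructed samples; the thread does not show the real file layout, so only the "=" and tab delimiters are taken from the post.

```python
import ipaddress
import re

# URL shape from the post: a.a.a.a is the WRV54G WAN IP, b.b.b.b the client's LAN IP.
URL_RE = re.compile(
    r"^https://(?P<user>[^:@/\s]+):(?P<password>[^@/\s]+)@(?P<wan_ip>[\d.]+)"
    r"/StartConnection\.htm\?version=1\?IP=(?P<lan_ip>[\d.]+)\?USER=(?P<vpn_user>\S+)$"
)

def check_command(line):
    """Validate the wget line; return its fields with the password masked."""
    parts = line.strip().split(" ")
    if len(parts) != 2 or parts[0] != "wget":
        raise ValueError("only one space is allowed, between wget and https://")
    match = URL_RE.match(parts[1])
    if match is None:
        raise ValueError("URL does not follow the StartConnection.htm pattern")
    fields = match.groupdict()
    for key in ("wan_ip", "lan_ip"):
        ipaddress.IPv4Address(fields[key])  # raises ValueError on a bad address
    fields["password"] = "***"  # masked so the result can be pasted into a post
    return fields

def extract_psk(raw):
    """Return the text between '=' and the next tab after the key label."""
    text = raw.decode("latin-1")
    label = re.search(r"pre[ _-]?shared[ _-]?key", text, re.IGNORECASE)
    if label is None:
        raise ValueError("no pre shared key label found")
    start = text.find("=", label.end())
    end = text.find("\t", start + 1)
    if start == -1 or end == -1:
        raise ValueError("missing '=' or tab delimiter; file may be incomplete")
    psk = text[start + 1:end]
    if not psk or psk != psk.strip() or "\n" in psk:
        raise ValueError("key is empty or contains stray whitespace")
    return psk

# Constructed samples: documentation-range IPs and an assumed file layout.
SAMPLE_CMD = ("wget https://mark:test@203.0.113.10/StartConnection.htm"
              "?version=1?IP=192.168.1.100?USER=mark")
SAMPLE_FILE = b"status=OK\r\npre shared key=CONSTRUCTED-KEY-0123\tdone\r\n"

if __name__ == "__main__":
    print(check_command(SAMPLE_CMD))
    print(extract_psk(SAMPLE_FILE))
```
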
  8. ipcdmatt

    ipcdmatt Network Guru Member

    Thanks DOC, ... will try these out and let you know.