
WRV-toWRV Tunnel for dummies?

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by Frosty99, Jan 17, 2006.

  1. Frosty99

    Frosty99 Network Guru Member

    Does anyone have a guide or some kind of step by step explanation of how to create a tunnel between 2 WRV's?

    It's just me and a friend trying to link up.

    PC--->WRV--->DSL===INTERNET===DSL<---WRV---PC
    Pretty basic.


    We both have dyndns names registered. Is that useful?

    Do we turn on both the tunnel and the gateway?

    Also do we both need to create a tunnel to each other?

    If anyone can break this process down for me, I'd really appreciate it?

    THANK YOU!!

    -Jimi
     
  2. DocLarge

    DocLarge Super Moderator Staff Member Member

    WRV54G-to-WRV54G VPN Tunnel Configuration (Doc's Way)

    Let it now be broken down and forever more be "BROKE!!!"

    Here's the scenario (pay attention) :) . I used the standard Linksys private range to simplify things. If you look at the settings below, it's "exactly" the format as the WRV54G VPN page so it should be easy to follow.

    The post is a little long, but I wanted to lay everything out "end to end."

    LAN #1

    IPSEC: enabled
    PPTP: enabled
    L2TP: disabled

    Tunnel: enabled
    Gateway: disabled
    Tunnel Name: (Must Match LAN 2)

    Local Secure Group: Subnet
    192.168.1.0
    255.255.255.0

    Remote Secure Group: Subnet
    192.168.2.0
    255.255.255.0

    Remote Secure Gateway: IP Address
    (Use "WAN" IP of router on remote side)


    Encryption: 3DES
    Authentication: SHA1

    Key Exchange Method: Auto (IKE)
    PreShared Key: (Your Choice; must match LAN 2 Key)
    RSA Signature: (Ignore this....)
    Key Lifetime: 3600

    LAN #1 Advanced Settings

    Tunnel 1

    <u>PHASE 1:</u>

    Operation Mode: Main

    Encryption: 3DES
    Authentications: SHA1
    Group: 1024-bit
    Key Life Time: 3600

    <u>PHASE 2:</u>

    Encryption: 3DES
    Authentications: SHA1
    Group: 1024-bit
    Key Life Time: 3600

    <u>Other Options:</u>

    Netbios: enable

    Leave the remaining options blank.

    LAN #2

    IPSEC: enabled
    PPTP: enabled
    L2TP: disabled

    Tunnel: enabled
    Gateway: disabled
    Tunnel Name: (Must Match LAN 1)

    Local Secure Group: Subnet
    192.168.2.0
    255.255.255.0

    Remote Secure Group: Subnet
    192.168.1.0
    255.255.255.0

    Remote Secure Gateway: IP Address
    (Use "WAN" IP of router on remote side)


    Encryption: 3DES
    Authentication: SHA1

    Key Exchange Method: Auto (IKE)
    PreShared Key: (Your Choice; must match LAN 1 Key)
    RSA Signature: (Ignore this....)
    Key Lifetime: 3600

    LAN #2 Advanced Settings

    Tunnel 1

    <u>PHASE 1:</u>

    Operation Mode: Main

    Encryption: 3DES
    Authentications: SHA1
    Group: 1024-bit
    Key Life Time: 3600

    <u>PHASE 2:</u>

    Encryption: 3DES
    Authentications: SHA1
    Group: 1024-bit
    Key Life Time: 3600

    <u>Other Options:</u>

    Netbios: enable

    Leave the remaining options blank.

    The preshared key is a determining factor with "some" of the linksys routers, so, I like to add an "x" in the middle of everything (i.e. linksysvpnx1234 or homelinkx1234). I know for a fact the WAG54G is funny as Hell (at least in my experience configuring it for vpn gateway traffic) about this.

    This should work for you... :rockon:

    Doc
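The two configurations above have to mirror each other exactly (tunnel name, key, proposals, and the local/remote subnets swapped), and the usual failure is a typo on one side. The following Python checker is an added example, not part of this post or of the Linksys firmware: it models each router's tunnel page as a small record and reports every mismatch between the two sides. The `TunnelSide` class, the `check_pair` function, the gateway placeholders and the preshared-key length threshold are all assumptions of this example.

```python
"""Mirror-consistency check for a pair of site-to-site IPsec tunnel settings.

Added example (not from the forum post or the router): models the WRV54G VPN
page as a record per side and reports mismatches that would stop IKE from
agreeing on a tunnel.
"""
from dataclasses import dataclass
import ipaddress

# Assumption of this example: warn on short keys. Not a WRV54G rule.
MIN_PSK_LEN = 16


@dataclass
class TunnelSide:
    label: str            # "LAN #1" / "LAN #2" as in the post
    tunnel_name: str
    local_subnet: str     # Local Secure Group, CIDR form
    remote_subnet: str    # Remote Secure Group, CIDR form
    remote_gateway: str   # WAN IP or FQDN of the peer (placeholder below)
    preshared_key: str
    phase1: dict          # Advanced settings, Phase 1 proposal
    phase2: dict          # Advanced settings, Phase 2 proposal


def check_pair(a: TunnelSide, b: TunnelSide) -> list:
    """Return a list of human-readable problems; empty means the sides mirror."""
    problems = []
    if a.tunnel_name != b.tunnel_name:
        problems.append(f"Tunnel Name differs: {a.tunnel_name!r} vs {b.tunnel_name!r}")
    if a.preshared_key != b.preshared_key:
        problems.append("PreShared Key differs between the two sides")
    elif len(a.preshared_key) < MIN_PSK_LEN:
        problems.append(f"PreShared Key shorter than {MIN_PSK_LEN} characters (weak)")

    a_local = ipaddress.ip_network(a.local_subnet)
    a_remote = ipaddress.ip_network(a.remote_subnet)
    b_local = ipaddress.ip_network(b.local_subnet)
    b_remote = ipaddress.ip_network(b.remote_subnet)
    # Each side's Remote Secure Group must be the other side's Local Secure Group.
    if a_local != b_remote:
        problems.append(f"{b.label} Remote Secure Group {b_remote} != {a.label} Local {a_local}")
    if a_remote != b_local:
        problems.append(f"{a.label} Remote Secure Group {a_remote} != {b.label} Local {b_local}")
    # Overlapping local and remote ranges cannot be routed through the tunnel.
    if a_local.overlaps(a_remote):
        problems.append(f"{a.label}: local {a_local} overlaps remote {a_remote}")

    # Phase 1 and Phase 2 proposals must match attribute for attribute.
    for phase in ("phase1", "phase2"):
        pa, pb = getattr(a, phase), getattr(b, phase)
        for key in sorted(set(pa) | set(pb)):
            if pa.get(key) != pb.get(key):
                problems.append(f"{phase} {key}: {pa.get(key)!r} vs {pb.get(key)!r}")
    return problems


# Constructed sample matching Doc's layout; gateways are placeholders, not real hosts.
PROPOSAL = {"mode": "Main", "encryption": "3DES", "auth": "SHA1",
            "group": "1024-bit", "lifetime": 3600}
LAN1 = TunnelSide("LAN #1", "home-tunnel", "192.168.1.0/24", "192.168.2.0/24",
                  "PEER2-WAN-IP-PLACEHOLDER", "homelinkx1234secret",
                  dict(PROPOSAL), dict(PROPOSAL))
LAN2 = TunnelSide("LAN #2", "home-tunnel", "192.168.2.0/24", "192.168.1.0/24",
                  "PEER1-WAN-IP-PLACEHOLDER", "homelinkx1234secret",
                  dict(PROPOSAL), dict(PROPOSAL))
# A deliberately broken copy of LAN #2: wrong remote subnet and a different Phase 2 hash.
LAN2_BROKEN = TunnelSide("LAN #2", "home-tunnel", "192.168.2.0/24", "192.168.3.0/24",
                         "PEER1-WAN-IP-PLACEHOLDER", "homelinkx1234secret",
                         dict(PROPOSAL), {**PROPOSAL, "auth": "MD5"})

if __name__ == "__main__":
    print("good pair:", check_pair(LAN1, LAN2) or "no problems")
    for p in check_pair(LAN1, LAN2_BROKEN):
        print("broken pair:", p)
```

Run it as a script to see the good pair pass and the broken pair report the mismatched Remote Secure Group and the Phase 2 authentication difference; the same checks apply when the peer is given as an FQDN instead of an IP, since the gateway field is only carried along, not compared.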
     
  3. Frosty99

    Frosty99 Network Guru Member

    Indeed it's broke!

    Doc, thanks for schooling yet another newbie.

    I do have a couple questions.

    I see you say to turn on NetBIOS broadcast. Will that allow the "other guy" to map devices using the name as opposed to the IP address?

    Also are the endpoint to endpoint connections intended to be permanent? As in not "on demand"? it seems like both administrators need to try to connect. If the device is waiting for connection, it seems like it goes into timeout and the tunnel is disabled. How can I set it so that if one guy wants to turn the tunnel on, both ends fire up?

    -Jimi
     
  4. ZuoNET

    ZuoNET Network Guru Member

    hi!

    maybe one thing that might be important: are you both connecting to the Internet via the same provider? i for myself have already run into some problems when trying to connect from within another provider to my home WRV router. reason of the problem is that my provider is blocking inbound VPN towards the residential dynamic ip addresses...

    if you are not facing an issue with the above then putting both WRV vpn tunnels in enable mode, will eventually lead to the automatic creation of the VPN tunnel. this might initially take some time, just give it "some time" :) if one user decides that he wants to terminate the vpn, he just has to set the tunnel into disabled mode.

    also keep in mind that your dynamic ip address which you receive might and will change sometimes, this leading to an interruption of the tunnel, however after "some time" it will build up again automatically.

    and to finish this post: one small remark regarding doc's explanation --> you mentioned you are using dyndns accounts, so you should select "fqdn" instead of "ip address" for the definition of the other side peer, and then fill in the dyndns url that you have enabled.

    good luck!
    Dimitri
     
  5. DocLarge

    DocLarge Super Moderator Staff Member Member

    Sorry for the late response...

    As Dimitri pointed out, if you have a dynamic dns account, then you "should" primarily use that. I have a static ip and sometimes automatically assume everyone else has this :) . If not, using a dynamic dns provider will help greatly.

    Once two tunnels with similar settings and the same shared key find each other during the "broadcast" phase of tunnel initiation, the tunnels automatically "come up" (provided all settings match on both sides).

    Just vary the baseline I've outlined and you should be able to connect...

    Doc
     
  6. Frosty99

    Frosty99 Network Guru Member

    Done!

    My tunnel connects just fine. But due to work schedules and my friend's network woes, we haven't really had a good opportunity to test it much yet.

    I am active duty military, and sadly the movers come on Tuesday to pack up the bulk of my things for my return to the US. I'll be keeping the WRV up until next month so hopefully I'll be able to test it during my last month here.

    -Jimi
     
  7. DocLarge

    DocLarge Super Moderator Staff Member Member

    What a coincidence, I'm active duty also (Air Force), and I'm in London. I came over here from Davis-Monthan last year (I'm in the communications career field).

    I bought my WRV54G in Sep '04, and I think it's an awesome little device "barring" missing NAT-T functionality, the absent AES encryption that's advertised on the box, and its inability to pass GRE traffic through (which I believe can be altered in the downloadable config backup file under the administration tab...).

    I've been able to connect with quickvpn and make tunnel-to-tunnel connections between different SOHO endpoint routers consistently. I don't mind the haters, they generally don't have a solid grasp of VPN or are "short cutting" because they're able to set vpn up in other applications/hardware...

    Doc
     
  8. Frosty99

    Frosty99 Network Guru Member

    London? Are you on a special-duty? I didn't know the AF had slots there. I know about Lakenheath and Moldy-Hole. I am in Izmir, Turkey now on my way back to Travis and I am also in communications. I am a 2E2 (originally a 306/2E3) working as NCOIC in our NCC, so I've had an interesting time learning enterprise-level server goodies.

    I started on VPN using SveaSoft firmware on my WRT, but PPTP seemed slow and not very reliable. I've been watching the development of the WRV for a long time and finally took the plunge. The power button on mine does absolutely nothing, and a friend of mine just got his... dead straight from the box.

    Here's a question... is TCP 443 and UDP 500 generally passed through garden variety home networking routers? I am wondering if I take my laptop to my bro's house, will I have to set VPN passthrough on his router just to get QuickVPN to work? What about coffeehouse hotspots?

    I've got a tunnel up to my friend and I can get QVPN to connect up as well. But dangit he's not home and all his PCs are running software firewalls so I can't ping anything. Oddly I can't ping his router either. Is that an MTU issue?

    -Jimi
     
  9. DocLarge

    DocLarge Super Moderator Staff Member Member

    TCP 443 is normally "not" required for your "garden variety" routers to work "unless" there's an application running that requires SSL (secure OWA access). The WRV has port 443 wide open because quickvpn uses it to establish the session, followed by 500 for IPSEC; these two ports are opened permanently by default on the WRV. Additionally, if you ever needed to connect from behind "any" router with quickvpn, IPSEC passthru needs to be enabled because quickvpn uses IPSEC...

    Most hotspots have IPSEC passthru enabled by default because they never know what applications their customers will be using.

    Like I mentioned before, minus a few limitations, that WRV is a solid router that has "untapped" potential only because Linksys is concentrating more on the "RV0XX" series routers...

    Doc

    P.S.,

    yep, I'm in a special duty assignment for another two years. I may go to Lakenheath next...
     
  10. HercNav

    HercNav LI Guru Member

    What do the following do, and what is gained by disabling them?

    Anti-replay

    Keep Alive

    If IKE failed more than X times, block this unauthorized IP for XX seconds
     
  11. DocLarge

    DocLarge Super Moderator Staff Member Member

    Anti-replay (if based on Security+ documentation) "should" prevent sessions from being captured and "re-broadcasted" thus allowing someone to trap information going through the tunnel (provided they can get through the IPSEC) then using it to "spoof" earlier session information and "hack" into your network. Again, that's how I understand it from a Security+ standpoint, but you might want to google this and see how it pertains to vpn and the wrv54g

    Keep alive means that the session will remain up and running whether it's a persistent "point to point" connection or an info packet that's released every 5-30 seconds just to keep the tunnel connection open.

    IKE authentication works in a similar fashion as logging onto a windows domain; if you blow your logon (based on the settings) 3 times, then you're locked out until unlocked, or for whatever amount of minutes (usually 30) based on policy. Therefore, if there's a problem with authentication, you can block the ip for a determined amount of seconds.

    Doc
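To make the two options that protect the tunnel concrete, here is an added Python example that is not part of this post or of the WRV54G firmware. It implements the receiver-side anti-replay sliding window that IPsec ESP uses (a highest-sequence-number counter plus a bitmap of recently seen packets, as specified in RFC 4303), and a simple "block the IP after X failed IKE attempts for XX seconds" counter in the spirit of the third option. The class names, the window size of 8 used in the demo, the failure threshold and the sample peer address are assumptions of the example; the sequence of packets fed in is constructed.

```python
"""Anti-replay window and IKE failure lockout, as an added illustration.

Not from the forum post or the router. The window logic follows the ESP
sliding-window scheme described in RFC 4303 Appendix A; the lockout is a
generic counter, not the WRV54G's implementation.
"""


class ReplayWindow:
    """Receiver-side anti-replay check for ESP sequence numbers."""

    def __init__(self, size: int = 64):
        self.size = size
        self.last = 0     # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (last - i) was seen

    def accept(self, seq: int) -> bool:
        """Return True if seq is fresh (and record it), False if replayed or too old."""
        if seq <= 0:          # ESP sequence numbers start at 1
            return False
        if seq > self.last:   # right of the window: slide it forward
            shift = seq - self.last
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1   # jumped past the whole window
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= self.size:     # left of the window: too old to judge, drop
            return False
        if self.bitmap & (1 << diff):
            return False          # already seen: this is a replay
        self.bitmap |= (1 << diff)  # late but new: accept and mark
        return True


class IkeFailureBlocker:
    """Block a peer address after too many failed IKE authentications."""

    def __init__(self, max_failures: int = 3, block_seconds: int = 60):
        self.max_failures = max_failures
        self.block_seconds = block_seconds
        self.failures = {}       # ip -> consecutive failure count
        self.blocked_until = {}  # ip -> time at which the block expires

    def is_blocked(self, ip: str, now: float) -> bool:
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:         # block expired: forget the history
            del self.blocked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip: str, now: float) -> bool:
        """Count a failed attempt; return True if the peer is now blocked."""
        if self.is_blocked(ip, now):
            return True
        count = self.failures.get(ip, 0) + 1
        self.failures[ip] = count
        if count >= self.max_failures:
            self.blocked_until[ip] = now + self.block_seconds
            return True
        return False

    def record_success(self, ip: str) -> None:
        self.failures.pop(ip, None)


def simulate_window(seqs, size=8):
    """Feed a constructed sequence of ESP sequence numbers through one window."""
    win = ReplayWindow(size)
    return [win.accept(s) for s in seqs]


if __name__ == "__main__":
    # Constructed sample: 2 arrives twice (replay), 1 arrives after the window moved on.
    print(simulate_window([1, 2, 3, 2, 10, 9, 1, 11]))
    blocker = IkeFailureBlocker(max_failures=3, block_seconds=60)
    peer = "203.0.113.5"   # documentation address, constructed for the example
    for t in (0, 1, 2):
        print("t=%d blocked=%s" % (t, blocker.record_failure(peer, t)))
    print("t=30 blocked=%s, t=62 blocked=%s" % (blocker.is_blocked(peer, 30), blocker.is_blocked(peer, 62)))
```

Disabling anti-replay means every one of those `False` decisions for a repeated sequence number becomes an accept, so the window is worth keeping on; the lockout counter shows why the "block this IP" option is a rate limiter for authentication failures rather than a security feature you would gain anything by turning off.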
     
  12. HercNav

    HercNav LI Guru Member

    Above, there is a reference to disabling each of those three. It sounds like I want AT LEAST NetBios, Anti-Replay, and Keep Alive.... right?
     
  13. TazUk

    TazUk Network Guru Member
