WRV200 and setting VPN from LAN to WAN

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by mbury, Jul 20, 2007.

  1. mbury

    mbury LI Guru Member

    Hello all
    First sorry if this subject was mentioned before...

    I have following scenario

    I have a WRV200 set up in some LAN to get a separate subnetwork.
    It has a WAN IP address from the main network (192.168.51.254) - this router is also visible from the internet - it has its own public IP (89.x.x.x)

    On the other end I have RV042 connected directly to internet with public IP 62.x.x.x

    What I want to get is to setup VPN tunnel between these two routers.
    The problem is that the RV042 shows in its VPN logs that there is incoming:

    Jul 20 20:52:28 2007 VPN Log Aggressive mode peer ID is ID_IPV4_ADDR: '192.168.51.254'
    Jul 20 20:52:28 2007 VPN Log No suitable connection for peer '192.168.51.254', Please check Phase 1 ID value
    Jul 20 20:52:28 2007 VPN Log initial Aggressive Mode packet claiming to be from 89.x.x.x on 89.x.x.x but no connection has been authorized,please check peer ID

    Does anybody know how to set up the VPN tunnel on the RV042 side to get it running?
    If I should show the current settings on both sides - please let me know.


    TIA
    Marcin
     
  2. ifican

    ifican Network Guru Member

    Yes, please do post the settings. However, you will set up the tunnel with the public WAN IP on both sides and make sure you have NAT-T enabled. The remote side will be the RV LAN and the WRV LAN.
     
  3. mbury

    mbury LI Guru Member

    Basic setup WRV200

    Internet Connection Type: Static IP
    IP Address: 192.168.51.254
    Subnet Mask: 255.255.255.192
    Default Gateway: 192.168.51.193

    VPN Tunnel settings - WRV200

    Tunnel Entry: TunnelA
    VPN Tunnel: Enabled
    Tunnel name: MB_IM
    NAT-Traversal: Disabled

    Local Secure Group
    Type: SubNet, IP Address 192.168.25.0, Mask 255.255.255.0

    Remote Secure Group
    Type Subnet, IP Address 192.168.5.0, Mask 255.255.255.0

    Remote Secure Gateway
    Type IP Addr, IP 62.x.x.x

    Key Management
    Method : Auto(IKE) , Mode (Aggressive)
    Encryption 3DES, Authentication SHA1, DH Group: Group2
    (same settings for Phase1 and Phase2)
    Preshared key: xxx
    PFS: Enabled, ISAKMP key lifetime 28800, IPSec key life time: 28800

    Basic setup RV042
    WAN1 IP : 62.x.x.x
    WAN2 IP : 0.0.0.0
    Mode : Gateway
    VPN Tunnel settings - RV042
    Local Group Setup
    Local Security Gateway Type: IP Only
    IP Address 62.x.x.x
    Local Security Group Type : Subnet (192.168.5.0/255.255.255.0)

    Remote Group Setup
    Remote Security Gateway Type: IP Only
    IP Address 89.x.x.x (public IP address of WRV200)
    Remote Security Group Type : Subnet (192.168.25.0/255.255.255.0)

    IPSec Setup
    Keying Mode: IKE with preshared key
    Phase1 DH Group: Group2
    Phase1 Encryption: 3DES
    Phase1 Authentication: SHA1
    Phase1 SA Life Time: 28800 seconds
    Perfect Forward Secrecy: Enabled
    Phase2 DH Group: Group2
    Phase2 Encryption: 3DES
    Phase2 Authentication: SHA1
    Phase2 SA Life Time: 28800 seconds
    Preshared Key: xxx (same as WRV200)

    Uff, lots of writing :)

    Regarding NAT-Traversal
    When I set it to enabled and try to save the settings I get a message saying:
    "The Remote Secure Gateway must be "Any"... "


    Is it ok?

    Marcin
     
  4. ifican

    ifican Network Guru Member

    On the surface everything looks good except for NAT-T. If your WAN interface is sitting behind a NAT router, you have to have NAT-T enabled to make it work. I won't go into why; just know it assists in making the border (NAT) router forward the traffic properly. If you need to set one or both ends to "any", that's no big deal, as unless someone has your IP and key and IKE settings exactly they will not connect. You can also look at your router logs to determine if someone is trying.
     
  5. ila1000

    ila1000 LI Guru Member

    I have tried a similar setup as mbury describes, but with 2 WRV200's. I believe that the WRV200 does not support initiating a VPN tunnel if it is behind a NAT router, like in mbury's case. The reason is that the WRV200 will identify itself to the remote VPN router with its NATted local address. Because of this, the remote router will reject the tunnel.
    In your setup with an RV042 directly connected to a WAN address you might be able to get it working by setting the remote secure gateway to "all" in the WRV200. In that case, the WRV200 can obviously no longer initiate a VPN tunnel itself, but it will respond to VPN tunnel setup from a remote VPN gateway, in your case the RV042.
    You will find some more information about NAT problems with the WRV200 in the following thread: Problems using VPN over 2 WRV200 behind NAT
     
  6. mbury

    mbury LI Guru Member

    How can I set up the RV042 to accept initiation of a VPN tunnel from any address?
    It has only following options for Remote Secure Gateway:
    1. IP Only
    2. IP + Domain
    3. IP + Email
    4. Dynamic IP + Domain
    5. Dynamic IP + Email

    and it doesn't allow me to put 0.0.0.0 in the IP address.

    Someone in the previously mentioned thread suggested modifying the firmware to identify itself with the public IP address instead of the 'local' WAN address (because this is the main reason). Any progress here?
     
  7. ila1000

    ila1000 LI Guru Member

    If the RV042 doesn't support 'any', then there seems to be no solution, at least I don't know one. It is quite stupid that those routers don't let you enter the WAN address for VPN identification.
    I have the same problem with 2 WRV200's both placed behind a NAT router/DSL modem. After I understood the root cause of the problem, I tried to solve it in a different way by using half-bridge mode in the DSL modem, so that the WRV200 will get the WAN address. In that setup however a new problem emerged: my ISP gives me an IP address and a gateway address that are not in the same network. The WRV200 cannot cope with this! I found some other threads here showing that this is a common problem with other routers also.
    The WRV200 firmware is just a web interface on top of some standard 3rd party embedded Linux system. Most probably, the underlying Linux system will support all this, but the web interface just won't let you enter the required parameters or modify the configuration files! I have downloaded all sources from the Linksys website and was able to compile the firmware image without problems, but so far I have not tried to upgrade the WRV200 with this image. The web interface is the only interface to upgrade the firmware, so the risk that the WRV200 becomes bricked after introducing some bug is substantial. I was still hoping that Linksys or someone else came up with a solution for this. I would imagine that this is a common problem in the field!
     
  8. Sfor

    Sfor Network Guru Member

    Indeed. No bad firmware upload recovery routine makes the WRV200 a bad choice for GPL code development.
     
  9. ila1000

    ila1000 LI Guru Member

    In contrast to what I said earlier in this thread it is possible to use half-bridge mode in the DSL modem if the provider assigns you an IP address and a gateway address that are not in the same subnet.
    The trick is that the router does not need to know the real gateway address at all; it just needs to forward all packets with a destination outside the local network to the DSL modem. You can just assign an arbitrary IP address in the same subnet as your IP address to the DSL modem and use this address as the gateway address. For instance, if your IP provider assigns you IP address 1.2.3.4/24 you could assign address 1.2.3.5/24 to the DSL modem and use this address as the gateway address in the router.
    Moreover, I found later that the Speedtouch 546 ADSL modem can even do this same trick automatically by specifying the keyword "localgw=enable" in the half-bridge pool:

    [dhcs.ini]
    ...
    pool config name=spoofpool intf=LocalNetwork leasetime=30 unnumbered=enabled localgw=enabled
    ...


    The simplest solution would of course be to specify a static ARP entry in the router with the gateway address resolved to the DSL modem's ethernet address (this is how Windows XP does it), but with the WRV200 this is not possible since it unfortunately has no telnet server.

    If both VPN routers are behind a DSL modem in half bridge mode, it will be possible to have a VPN tunnel after all!
     
  10. DocLarge

    DocLarge Super Moderator Staff Member Member

    Speaking from experience, the WRV200 can and does initiate VPN tunnels from behind NAT-enabled devices; I've been able to create VPN tunnels behind a Cisco PIX 501 and an SMCBR18VPN Barricade Router. The device on the opposite side was also a PIX 501 (the tester on the other side of the tunnel was Eric.Stewart). Oddly enough, in order for the tunnel to actually come up, I had to set the WRV200 to "static IP." At the time, I was using it on an ADSL connection on its default of "obtain IP automatically"; once I configured it for "static IP" my tunnel(s) started working.

    To make matters stranger, if you put a WRV200 on a cable modem connection set at its default "obtain IP automatically," VPN tunnels run fine. Hmmmm *scratch* *scratch*

    On another note: I've just discovered an anomaly I've reported to the developers. The issue is when you're running VPN tunnels between a WRVS4400N and another VPN router, the tunnels connect. "BUT," as soon as you connect a tunnel between the WRV200 and the WRVS4400N, the tunnel drops between the WRVS4400N "and" any other VPN device; the tunnel between the WRVS4400N and the WRV200 remains intact (the developers acknowledged this and are working on a fix).

    So, if anyone has been having problems running multiple tunnels with various routers, consider this :)

    Jay
     
  11. HughR

    HughR LI Guru Member

    Wow. Is the firmware you built identical to the stock firmware? Were you able to include the non-GPL code (perhaps by cutting and pasting from a binary)?

    All that is needed to start making progress is access to a shell (ssh would be great). Just using a shell is unlikely to accidentally brick the box.
     
  12. ila1000

    ila1000 LI Guru Member

    I have obtained the GPL code from the Linksys site (see here). I could compile the code as is without problems on a Linux system. I obtained a FW image with about the same size as the original FW (a few hundred bytes difference). Because it was not exactly identical, I was afraid to flash it, since it might brick the box and there is no way to unbrick it again. That said, it should not be difficult to add the sshd and tftp daemons; this would be a real asset.
     
  13. lespaa

    lespaa Network Guru Member

    Other than the unknown issue of whether the GPL-compiled code will flash, would it ever be possible to add the WRT-like boot-up TFTP flash functionality into the GPL code? I.e., do the hardware interface and memory storage locations appear to be similar? Just an off-the-wall question.
     