WRV200 VPN Setup Please Help

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by fgcity, May 13, 2008.

  1. fgcity

    fgcity Addicted to LI Member

    Hi . I have a Static IP on My DSL line.

    We recently made a deal with a GSM provider for SMS forwarding through SMPP.

    But first we must setup the VPN network with their system.

    They gave us 2 IP's

    firewall/endpoint IP(IP sec tunnel endpoint)

    Application IP (SMSGw-EMG):

    Application IP (this is our ADSL Static IP)

    Now how do i set this up on WRV200 to connect to this network ?

    the other settings of the provider are:

    IKE Mode Main
    Message Encryption Algorithm: 3des-cbc
    Message Integrity (Hash) Algorith: ah-sha-hmac
    Peer authentigateon method: pre-shared
    Key exchange DH group identifier: 2 (1024 bits)
    ISAKMP policy Lifetime (sec): 86400 (1 day)

    IPSec Mode: Tunnel

    IPSec SA Lifetime (sec): 3600 (1 hour)
    Perfect Forward Secrecy (PFS) No
    IKE Mode quick
    Mechanism for Payload Authentication(ESP): esp-sha-hmac
    Mechanism for Payload Encryption (ESP): esp-3des-cbc
    Encryption none
    IPSEC Packet Fragmentation Pre-Fragmentation

    So how do i set this up ?

    Please help out here.

    PS: My local network starts from (which is the Router)
  2. cactusfazer

    cactusfazer Network Guru Member

    The version of your firmware on the WRV200 ?
    Configuration is in VPN/Ipsec VPN.
    Seem to be ok with the WRV200: have SHA and 3DES algo.
  3. fgcity

    fgcity Addicted to LI Member

    the firmware is:

    i've managed to make the IPSec tunnel but i have another question.

    i have a 8ip DSL

    so my IP1 is the router

    the IP2 is the endpoint for the IPSEC

    if i declare the IP2 in the IPSec settings of the router then it loggs on OK.

    But i have a Server on my local network that i have to assign that IP. (public)

    how do i do that ?
  4. Sfor

    Sfor Network Guru Member

    The simplest solution is to set the WRV200 as the gateway router with public IP assigned, and to set the server as DMZ LAN IP.
  5. fgcity

    fgcity Addicted to LI Member

    Could you explain that please?

    My provider gave me 2 things to fill.

    1 . Firewall IP (for example -> My router)
    2. End point Application IP. (for example -> My second public IP)(They both have to be Public)

    So we have 4 Public IP's.

    (for example)

    For example i have my Router set up for (example)

    and for the secure local group on the VPN/IPSec of the Router i set the IP

    the router connects fine to the provider.

    But what after that?

    My server is on a local network of the router. with an IP 192.168.1.whatever

    so how do i direct that IPSec tunnel of the router's connection to my server's IP ?
  6. Toxic

    Toxic Administrator Staff Member

  7. fgcity

    fgcity Addicted to LI Member

    this didn't help. I'm Trying to connect to a GSM provider's IPSec. Not to another router somwhere at home. Please read the previous posts.

    My router Connects fine to the remote provider.

    But how do i route that traffic from the router to a local ip ?

    Here is my routing table:

    Destination LAN IP Subnet Mask Gateway Interface
    My NetIP 255.255.255.xxx WAN LAN&Wireless
    Default Route (*) My internet Gateway WAN LOOPBACK
  8. cactusfazer

    cactusfazer Network Guru Member

    I don't understand what it doesn't work !
    In my case, when 2 routers are linked with VPN, i can ping all machine in LAN from the other LAN without adding a route. The route is automaticly adding by the router.
    If your LAN is 192.168.1.x, what is the LAN of your SMS provider?
  9. fgcity

    fgcity Addicted to LI Member

    THAT is the point.

    My lan Can't be 192.168.1.x

    They only accept Public IP's

    So when i enter in the : Local Secure Group the Second public IP (since my router is set up for the then the IPSEC connects on the router

    But in my local network i have 192.168.1.x So that IPSec is terminated on the router.

    So i can't connect from the local netowrk to the Tunnel it self.
  10. fgcity

    fgcity Addicted to LI Member

    Could i try the following:

    Connect the Router to the IPSec tunnel.

    and then with a VPN Client software from LinkSys to connect to the router from my second public IP. Then the router would see my second public IP and could send the IPSec to it,

    Could that work ?
  11. Sfor

    Sfor Network Guru Member

    To make a working VPN IPSec tunnel you need to provide your WAN public IP of the router and a LAN adress range. (The standard for the WRV200 is So, the GSM provider will be able to make a tunnel with you.

    For the whole idea to work you have to have a LAN with the address pool different than the WAN adress pool. The tunnel setting of your end has to be done according to your LAN IP range.

    Since you have an 8 IP DSL line. It is possible you do not have a LAN at all. You are working on the provider address range, probably.

    So, the most important question at the moment is: Do you have a gateway router in your network? (I mean the one all the traffic is comming through)
  12. fgcity

    fgcity Addicted to LI Member

    the router i have now IS working as a Gateway. So you're saying i have to put a second router to act as a Router not as a Gateway? IF so then i have a second router to use (WRT54GS)
  13. Sfor

    Sfor Network Guru Member

    No. If the IPSec gateway is the gateway router in the same time, the traffic to the remote network on the other end of the tunnel will be router automaticaly. No additional routing rules are required.

    The concept is, if a particular frame destination adress falls within the VPN tunnel remote network range it will be routed through the tunnel. For the whole idea to work the remote nework adress range has to be different than the local LAN adress range.
  14. fgcity

    fgcity Addicted to LI Member

    Sorry. You lost me there.

    My provider gave me 2 IP's.

    IPSec Tunnel Endpoint :
    and Application IP:

    I have 4 Public IP's.

    So i set my router to Gateway as a Static ip :

    and gave the provider as My Tunnel Endpoint : and as my Application IP

    So if i enter in the IPsec Tunnel settings of the router the settings as follows:

    Local Secure Group: IP - >

    Remote Secure Group ->

    Remote Secure Gateway

    then the Router makes a Connection.

    But from my Routers's side where i have some PC's connected to it with Local IP's (192.168.1.x) i can't see the IP of the provider.

    So this is my setup. How can i make this work?

    They also told me that to test it i can do : telnet 9921

    So now whenever i do that i get nothing (on windows)
  15. Sfor

    Sfor Network Guru Member

    If you want a computer with an adress from 192.168.1.x range to use the tunnel, the local secure gropu has to be

    The local secure groups tells the router what computers are allowed to use the tunnel. The local secure group is the remote secure group on the other end of the tunnel. So, the answer will return to the computer sending queries, only if it is in the local secure group.

    In other words, the IP of the sender has to be in the local secure group. In other case the answer will not go back to the sender.
  16. fgcity

    fgcity Addicted to LI Member

    That much i understand. But when i change the Local secure group from my Public IP to the 192.168.1.x then the IPSec doesn't connect anymore Since the provider doesn't accept Private IP adresses. So i can't use 192.168.1.x in the local secure group cause the Provider doesn't accept Private IP's. Only Public. So i enter my Second Public IP in there (the one i have told the provider to add to his Firewall) and it works but that IP is actually not connected to anything eXcept from the Tunnel it self.

    So you can see my problem Here.

    I HAVE to use a Public IP in the Local secure group. Otherwise the Tunnel doesn't connect.
  17. Sfor

    Sfor Network Guru Member

    Indeed. It is necesary to change the local secure group settings on both ends of the tunnel.

    However, you can use a NAT router to translate the LAN 192.168.1.x address range to a single WAN IP in the remote secure group range. The WAN port should be connected to WRV200, and gateway IP to WRV200 lan IP. Still the WRV200 LAN address range should include the local secure group address from the tunnel.
  18. fgcity

    fgcity Addicted to LI Member

    What NAT router would you suggest ?

    How else could i do this ? Please explain a bit more. I'm new to IPSec in general and it would help allot.
  19. Sfor

    Sfor Network Guru Member

    I mean any router capable of doing the NAT (the same thing as a single IP internet connection splitting to many computers).

    You mentioned a WRT54GS router. It should be able to do it, I think.
  20. cactusfazer

    cactusfazer Network Guru Member

    When you use the VPN from Linksys, a VPN rules is created in the windows and when you want to go to the LAN of the router, traffic is redirected by the VPN rule to your router. If an IPSEC VPN is created on your router to another factory, the traffic is not redirected to your LAN because the PC with QuickVPN don't know this remote LAN.
    Note that the WRV200 bug when you use a lan that is not in 192.168.x.x or 10.10.x.x (private network): it's a linksys support who tel me this.
    If you have only one computer who have to communicate with the SMTP of your SMS service, it better to use a third utilitie for connect VPN or system VPN because if your SMS provider don't use the standart rules, it is too difficult to configure.

    Local secure group must be 192.168.x.x or 10.x.x.x and remote too. If it not respect this, it's hard to find material that can work with this !!
  21. fgcity

    fgcity Addicted to LI Member

    Could anyone tell me any Third Utility to use?

    You mentioned that i could use WRT54GS.

    So how would i do that ?

    Connect the router to mu WRV200 and set WRT54GS to use a static IP (the one I have submitted in the Secure Local Group of WRV200 ? e.g. ?

    Then from there to connect a local PC with an IP 192.168.1.x ?

    And set WRT54GS as a Router, not as a Gateway ? Is this what you are saying ?
  22. Sfor

    Sfor Network Guru Member

    Not exactly. The WRT54GS router has to be in gateway mode. As, the gateway mode means NAT.

    As for the WRV200. It should be possible to use it in both gateway or router mode. But, if Cactusfazer is right, and it is not possible to use other than 192.168.x.x and 10.x.x.x ranges in the WRV200, the whole idea will not work.
  23. fgcity

    fgcity Addicted to LI Member

    So what exactly should i do ? Could you guys please explain in Dummy Words how could i set this up ?
  24. walhan

    walhan Guest


    I am having the same problem, can anyone help me how to use public ip in my pc that is behind linksys wrv200 gateway having another public ip for it's gateway
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice