Greenbow VPN Setup Guide For WRV54G (Have a Look!!)

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by DocLarge, Jul 4, 2005.

  1. DocLarge

    DocLarge Super Moderator Staff Member Member

    I've just emailed a guide I've thrown together to show how to get greenbow vpn to connect to a wrv54g. With luck, Toxic will have it posted by the end of the day...


    EDIT: Ah Hell, here it is. Look for it in Sticky Format.

    Use version 2.50 of the greenbow client by the way. Also, third party vpn clients "will not" connect to a WRV54G if you are connecting from behind another WRV54G; you will have to make a "direct connection" (computer to modem) to connect. Linksys devices that do not have this NAT-T problem when "hosting" VPN tunnels are the WAG54G ADSL Gateway (sold over here in England and Europe) which supports 5 IPSEC tunnels, the BEFVP41, which supports 50 IPSEC tunnels, and the BEFSX41, which supports 2 IPSEC tunnels. If you want to make a secure vpn connection from one WRV54G, you'll need to use the Linksys Quickvpn client.


    If you make another router the direct connection to the internet that is NAT-T capable and connect the WRV54G behind it, you can then use 3rd party vpn clients "and" quickvpn (you have to forward 443 and 500 on the first router) at the same time "without" having to connect your computer directly to a modem.

    Below is a baseline example to get started.

    Phase I (Greenbow VPN Client):
    1) Tunnel: The name you use should be the same on the router you're connecting to
    2) Interface: leave it as an asterisk.
    3) Remote gateway: The WAN address (ISP provided ip address) of the router you're trying to connect to obviously.
    4) Pre-shared key: Use a hexadecimal string beginning with 0x (i.e. 0x123456789 with most other routers); if you are connecting to a WRV54G, upper or lowercase words seem to work better (meagainstwhomever).
    5) Certificate: N/A
    6) Encryption: Use 3DES
    7) Authentication: SHA (the equivalent on the WRV54G is SHA1)
    8) Key Group: Set this to DH1024
    9) Save and apply settings.

    Phase II (Greenbow VPN Client):
    1) Tunnel Name: Same as Phase I
    2) Vpn client address:"Your" WAN ip address (provided to you by your ISP) if you are connecting directly to a modem; use the local LAN IP if you are behind a router that supports NAT-T (again, the WRV54G, right now, does not support this feature; use quickvpn instead).
    3) Address Type: Use Subnet address. Input the Remote LAN's local IP settings
    (i.e.) Local IP:
    4) Encryption: 3DES
    5) Authentication: SHA
    6) Mode: Tunnel
    7) PFS: Ensure this box is checked
    8) Group: The group should be dh1024
    9) Save and apply settings

    Additionally, make sure you set the "maximal lifetime settings" for encryption and authentication to "3600." You can do this by clicking on the "parameters" link.


    IPSEC: Enabled
    PPTP: Enabled
    L2TP: Disabled

    Tunnel Name: Same as Greenbow
    VPN Tunnel: Enabled
    VPN Gateway: Disabled

    Local Secure Group: Your local router settings. Either host or subnet work (I prefer subnet)

    Remote Secure Group: The router/client at the distant end. Either input the local LAN settings of the “remote” router/client by choosing the “Subnet” option or use “Any” to make your initial connection; I’d recommend using “Any” first (handles all incoming connections). Try using “Subnet” to specify connections (Local LAN IP and Subnet) after you get the hang of it. “Any” isn’t too secure but allows you to see the connection for the first time without breaking a sweat. Once you understand the configuration better, vary your configuration.

    Remote Secure Gateway: This is the WAN IP “or” the FQDN of the router/client that is going to be connecting to your WRV54G. My personal success comes from using “Any” and “FQDN.” Use FQDN if you have registered a dynamic dns name (you can do this at

    Encryption and Authentication is 3DES and SHA1.

    Key Management: Auto(IKE) [Enabled]
    PFS: Enabled
    Pre Shared Key: Same as Greenbow
    Key Lifetime: Same as Greenbow

    Click “Advanced VPN Tunnel Setup”:

    Phase I:

    Mode: Main
    Encryption: 3DES
    Authentication: SHA1
    Group: Same as Greenbow
    Key Lifetime: Same as Greenbow

    Phase II:

    Encryption: 3DES
    Authentication: SHA1
    PFS: Enabled
    Group: Same as Greenbow
    Key Lifetime: Same as Greenbow

    Under “Other Options,” check the “Netbios” option and leave all others blank, unless required.

    VERY IMPORTANT: Make sure all of your greenbow settings match your router settings and that the remote ip settings are different from your own!

    Just in case anyone new to this forum doesn't understand the difference between PPTP server settings and Linksys Quickvpn, the settings listed above for greenbow connectivity are "specifically" intended for use with the built-in pptp server that comes with the WRV54G (50 available tunnels). The Quickvpn client sets all of this up when it loads on the client computer. The only difference is quickvpn uses MD5 for authentication.

    Here are some brief examples to connect greenbow to the wrv54g:

    Config #1

    Local Secure Group: Subnet
    Remote Secure Group: Any
    Remote Secure Gateway: Any

    Config #2

    Local Secure Gateway: Host
    Remote Secure Group: Host
    Remote Secure Gateway: FQDN

    These greenbow settings work with the RV0XX series routers also, although some settings may vary on the client side.

  2. 512Cypher

    512Cypher Network Guru Member

    local secure group????

    for local secure group do i enter my router ip address or the
    range of ip address on my network?
  3. DocLarge

    DocLarge Super Moderator Staff Member Member

    You'll enter the ip range of your local subnet/range:


    Local Secure Group:

  4. zillah

    zillah Network Guru Member

    Thanks for this explanation.
    This is exactly my case, my laptop is connected to a dialup modem... in this case I have to use the public ip address which has been provided by the ISP.

    Kindly comment on this: if you look at the diagram in the WRV54G pdf file, you can tell that the remote laptop (not the local one) does not have an ADSL router (i.e. it does have a public ip address, not a private one), then why has he assigned a private ip address to that remote laptop?


    My understanding is that you prefer to use a subnetwork address instead of an ip address (host address).

    Is it mandatory that "Local Secure Group" on the Linksys router should be the same as "Remote LAN address" on the phase 2 VPN client?
  5. DocLarge

    DocLarge Super Moderator Staff Member Member

    He probably assigned that ip because he was connecting from behind a router that was running NAT. In your case, I'm guessing you are connecting "directly" to a modem, which means your computer receives the public ip address directly...

    As far as your second question goes, yes.

    If you have the following:


    local group:

    remote group: laptop public ip
    subnet mask

    remote gateway: wan ip from laptop's isp

    then your dialup client should be


    local group: laptop public ip
    subnet mask

    remote group:

    remote gateway: wan ip from router's isp

    Does this help?
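
The matching rules from the setup guide in the first post and the mirrored local/remote groups in the reply above can be checked mechanically before a connection attempt. This is an added example, not part of the thread or of any Linksys or Greenbow tooling; the dictionary field names and the sample addresses and key are assumptions made up for illustration.

```python
import ipaddress

# Hypothetical field names for settings the guide says must match on both sides.
SHARED = ("tunnel", "psk", "p1_enc", "p1_auth", "p1_group",
          "p2_enc", "p2_auth", "p2_group", "pfs", "lifetime")
CASE_SENSITIVE = {"tunnel", "psk"}

def norm(key, value):
    """Normalise a setting; the client's SHA is the router's SHA1 (per the guide)."""
    text = str(value).strip()
    if key in CASE_SENSITIVE:
        return text
    text = text.upper()
    return "SHA1" if text == "SHA" else text

def check_tunnel(client, router):
    """Return findings as strings; no ERROR entries means the two sides line up."""
    out = []
    for key in SHARED:
        if norm(key, client[key]) != norm(key, router[key]):
            # Never echo the pre-shared key into output or logs.
            detail = "" if key == "psk" else f" ({client[key]!r} vs {router[key]!r})"
            out.append(f"ERROR {key} differs{detail}")
    router_lan = ipaddress.ip_network(router["local_group"])
    # Client's Phase II remote LAN must mirror the router's Local Secure Group.
    if ipaddress.ip_network(client["remote_lan"]) != router_lan:
        out.append("ERROR client remote_lan is not the router local_group")
    # "Remote ip settings are different from your own": no overlap allowed.
    client_net = ipaddress.ip_network(client["local_addr"])
    if client_net.overlaps(router_lan):
        out.append("ERROR client address overlaps the router LAN")
    if router["remote_group"].lower() == "any":
        out.append("WARN remote_group is Any; narrow it once the tunnel works")
    elif not client_net.subnet_of(ipaddress.ip_network(router["remote_group"])):
        out.append("ERROR router remote_group does not cover the client")
    return out

# Constructed sample settings (documentation address ranges, made-up key).
BASE = dict(tunnel="office", psk="example-key", p1_enc="3DES", p1_group="DH1024",
            p2_enc="3DES", p2_group="DH1024", pfs=True, lifetime=3600)
CLIENT = dict(BASE, p1_auth="SHA", p2_auth="SHA",
              local_addr="203.0.113.10/32", remote_lan="192.168.1.0/24")
ROUTER = dict(BASE, p1_auth="SHA1", p2_auth="SHA1",
              local_group="192.168.1.0/24", remote_group="Any")

if __name__ == "__main__":
    for line in check_tunnel(CLIENT, ROUTER):
        print(line)
```
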

  6. zillah

    zillah Network Guru Member

    I have got this terminology:

    Local Secure Group----which you mentioned as local group without the word "Secure".

    Local Security Gateway-----You have not mentioned this... in my configuration I left it as default.

    Remote Secure Group----which you mentioned as the remote group without the word "Secure"... in my configuration it is "any"

    Remote Security Gateway---which you mentioned as the remote gateway without the word "Security"... in my configuration it is the word "any"

    I have got:

    1- Remote Gateway----- phase1

    2- Remote LAN address------ phase2... which I think you mentioned as the remote group:

    I have not got this "local group: laptop public ip subnet mask "
  7. Tek12

    Tek12 Guest

    Works great thank you!
  8. Youson

    Youson LI Guru Member

    Help needed: Need to use VPN client from corpnet

    I need to be able to use a VPN client from my office network. So the IP address that I have on my desktop is not exposed to the internet. Everything goes through a proxy server, for both HTTP and SOCKS.

    Is it possible to setup Greenbow for this type of config? I can use the Windows VPN client fine, but I have to setup a VPN Server to get this working, which is what I am trying to avoid.

  9. TazUk

    TazUk Network Guru Member

    To what router?