It's The Little Things (Router Connectivity)

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by DocLarge, Jan 20, 2007.

  1. DocLarge

    DocLarge Super Moderator Staff Member Member

    Toxic and I have been mulling this over for a while, and I now see it's time to just throw this little bit of "FYI" out...

    Some of the issues we all have with our routers have something to do with the mediums we use to connect to the internet (Cable, ADSL, ISDN, Dial-up), and I've continually experienced this having once been on a cable modem connection with a few of my routers and now having to use them on an ADSL (PPPoA) connection.

    For starters, I bought my WRV54G in the states and ran it on a cable modem connection and had "zero" problems with dhcp/ip release times with my provider (Cox Cable). When I got over here and connected it to my ADSL connection via an ADSL "ethernet" modem it started acting crazy by not refreshing its lease/ip after 48hrs. However, I bought an SMCBR18VPN firewall router from SMC and it had "no problems" with the ADSL connection. Now, if I set the WRV54G for static, it would then run fine. Here's an interesting fact; the WRV54G was not Nat-t/GRE compliant. You couldn't use a third party vpn client behind it to connect to another WRV54G. Instead, you had to take the router out of the picture and connect directly to the modem to use third party vpn clients (i.e., cisco, greenbow, ssh sentinel).

    Check this out: if you use a nat-t/gre compliant router as your "edge router" and put the WRV54G "behind" it on a different segment, you can now use third party vpn clients!! I stumbled across this one day and it put value back into my WRV54G. Some of us run "two" routers as a minimum to enhance security (eric_stewart, toxic, and myself just to name a few); double nat'ing doesn't normally present an issue if you handle your port forwarding/route mapping properly (not that I'll claim to be the best; ask eric :) ).

    Moving along, I bought the WRV200 and ran into the "ADSL" gremlin again. If my WRV200 was set for "obtain ip automatically" I couldn't run vpn tunnels. Toxic has a cable modem connection; he can leave his set to "obtain ip automatically" and run vpn tunnels with zero problems. Once I set my WRV200 to "static," then I'm able to run vpn tunnels (remember, I have an ADSL connection).

    Lastly, if I leave my WRVS4400n set to "obtain ip automatically," I can run vpn tunnels. But, if I set it to "static ip," it loses internet connectivity altogether and becomes a paperweight :( So, I tested the "edge router" theory again and guess what? I simply had the edge router (I'm using a netgear DG834G) pass an ip address to the WRVS4400n's Wan port, set the WRVS4400n for static, input the ip, subnet, dns, and local information, and it's now running great! Not only am I on the internet (right now), I can set up vpn tunnels from behind the edge router and connect to other vpn endpoint routers! But, there's a catch...

    For example, if you have a gre/nat-t router running as your edge router and you initiate a vpn tunnel from "behind" it to another vpn router at the opposite end "and that router does not connect," this indicates that router "is not" gre/nat-t compliant. So, when I configure a tunnel with my wrvs4400n from behind the netgear to a wrv54g, the tunnel does not connect, so we (already) know the wrv54g is not gre/nat-t compliant. However, if I make the same connection attempt to a WRV200, RV042, CISCO Pix 501 or any other nat-t/gre compliant router from behind the netgear, the tunnels come up, I can ping the distant end computers and open up shares!! :)

    The following is an inconclusive list of the routers that "I" know to support nat-t/GRE

    1) Linksys WRV200 (connects to/with IPSEC vpn tunnels and clients)
    2) Linksys RV0XX Series (connects to/with IPSEC vpn tunnels and clients; includes 5 PPTP vpn clients)
    3) Linksys WRVS4400N (connects to/with IPSEC vpn tunnels and clients)
    4) Linksys RVS4000 (connects to/with IPSEC vpn tunnels and clients)
    5) Linksys WAG54G (connects to/with IPSEC vpn tunnels and clients)
    6) SMC SMCBR14VPN (connects to/with IPSEC vpn tunnels and clients; includes 5 PPTP vpn clients) "Discontinued"
    7) SMC SMCBR14UP (connects to/with IPSEC vpn tunnels and clients; includes 5 PPTP vpn clients)
    8) SMC SMCBR18VPN (connects to/with IPSEC vpn tunnels and clients; includes 5 PPTP vpn clients) "Discontinued"
    9) Netgear DG834G (connects to/with IPSEC vpn tunnels and clients)
    10) Dlink DI-804HV/808HV (connects to/with IPSEC vpn tunnels and clients; includes 5 PPTP vpn clients)
    11) CISCO PIX 501/506E/515E (connects to/with IPSEC vpn tunnels and clients) <--- Firewall Devices

    If you are running a microsoft vpn server behind any of these routers and need more than the 5 standard pptp accounts on some of the above routers, you can port forward port 1723 from the router to the vpn server and have the server handle the vpn connections for a total of 128 PPTP/L2TP clients (I use a microsoft vpn server occasionally for a change).

  2. DocLarge

    DocLarge Super Moderator Staff Member Member

  3. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    Add the WRT54GS v2 to the list of devices that support GRE pass-through as well as supporting IPSec Client/Server with OpenVPN. This is when using the DD-WRT v23 SP2 firmware. It also supports PPTP Client/Server.

  4. DocLarge

    DocLarge Super Moderator Staff Member Member

    I'm bumping this because the problems people are having are beginning to point to how we all connect to the internet...

  5. yukons

    yukons LI Guru Member

    Help me understand how putting a nat-t router in front of a wrv54g router helps? I have a pc (a) --> wrv54g (b) --> cable modem --> internet --> cable modem --> wrv54g (c - destination vpn router)

    It seems from all the reading that the c router does not support nat-t which means my pc (a) can not be behind a nat router (b). If I was not behind a nat router it would be fine. So how does moving c down one help me?

  6. DocLarge

    DocLarge Super Moderator Staff Member Member

    A Nat-t enabled router is able to handle the encapsulated package. In the end, the issue comes down to translation of the packet being sent from the vpn client (i.e., "green bow") through the WRV54g, which is promptly blocked by the WRV54G because it's not able to do the translation. I'll see if I can find an old link that explains NAT and Ipsec because the answer is more detailed than I can give.

    "From my experience" and based on people who've also found this to be true, putting a NAT-T enabled router as your gateway router and putting the WRV54G behind it is an excellent workaround and solves the problem. It's not ideal, but it works:

    WAG54G---modem---internet---modem---nat-router---wrv54g---pc w/vpn client (greenbow)

    Using the above configuration, I've successfully connected to various routers to include a WRV54G that was on the opposite side. I'll have to break out my gear to test this again being it's been a while but this configuration does work...
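
For reference on the NAT-T, GRE and port 1723 points raised in this thread, an added example that is not part of any post: a Python classifier that labels a raw IPv4 packet as native ESP (IP protocol 50), GRE (protocol 47), PPTP control (TCP 1723), IKE (UDP 500) or NAT-T traffic on UDP 4500 as framed in RFC 3948, and reports whether it carries ports a port-translating NAT can rewrite. The function names, labels and sample packets are constructed for illustration and are not captures from any router named above.

```python
import struct

TCP, UDP, GRE, ESP = 6, 17, 47, 50  # IANA IP protocol numbers

def classify(packet: bytes):
    """Return (label, has_ports); has_ports = TCP/UDP ports exist for a NAT to rewrite."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ("not-ipv4", False)
    ihl = (packet[0] & 0x0F) * 4              # IPv4 header length in bytes
    proto, body = packet[9], packet[ihl:]
    if proto == ESP:                          # native IPsec ESP: no ports
        return ("esp-native", False)
    if proto == GRE:                          # PPTP data channel: no ports
        return ("gre", False)
    if proto not in (TCP, UDP) or len(body) < 4:
        return ("other", False)
    sport, dport = struct.unpack("!HH", body[:4])
    if proto == TCP:                          # PPTP control channel
        return ("pptp-control" if 1723 in (sport, dport) else "other", True)
    data = body[8:]                           # skip the 8-byte UDP header
    if 4500 in (sport, dport):                # NAT-T port (RFC 3948)
        if len(data) < 4:                     # keepalive is a single 0xFF byte
            return ("nat-t-keepalive" if data == b"\xff" else "other", True)
        if data[:4] == b"\x00" * 4:           # non-ESP marker: IKE follows
            return ("nat-t-ike", True)
        return ("nat-t-esp-in-udp", True)     # non-zero SPI: ESP inside UDP
    return ("ike" if 500 in (sport, dport) else "other", True)

def ipv4(proto, body):
    """Constructed minimal IPv4 packet (documentation addresses, zero checksum)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto,
                       0, bytes([192, 0, 2, 10]), bytes([203, 0, 113, 5])) + body

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

# Constructed sample packets, one per traffic type.
SAMPLES = {
    "esp": ipv4(ESP, struct.pack("!II", 0x1234ABCD, 1) + b"\x00" * 16),
    "natt_esp": ipv4(UDP, udp(4500, 4500, struct.pack("!II", 0x1234ABCD, 1))),
    "natt_ike": ipv4(UDP, udp(4500, 4500, b"\x00" * 4 + b"\x11" * 28)),
    "keepalive": ipv4(UDP, udp(4500, 4500, b"\xff")),
    "ike": ipv4(UDP, udp(500, 500, b"\x11" * 28)),
    "pptp_ctl": ipv4(TCP, struct.pack("!HH", 49152, 1723) + b"\x00" * 16),
    "gre": ipv4(GRE, b"\x30\x01\x88\x0b" + b"\x00" * 8),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:10} {classify(pkt)}")
```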
