Problems using VPN over 2 WRV200 behind NAT

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by ila1000, May 29, 2007.

  1. ila1000

    ila1000 LI Guru Member

    I have been trying to set up a VPN connection between two networks using 2 WRV200 routers. Both routers are behind an ADSL modem using NAT. I was hoping to get this working by using port forwarding of UDP ports 500 and 4500 from the ADSL modem to the WRV200, but it fails.
    During tunnel setup, the initial IKE messages are exchanged correctly, but the next messages fail, because the initiating router expects that the responder identifies itself with its WAN address. However, the responder identifies itself with its local LAN address.
    Does anybody know how this can be solved?
    Another worry is whether the routers will use NAT-T traversal. If I switch it on explicitly in the interface, I can no longer use an explicit WAN address for the other end of the tunnel, so the router can no longer initiate the VPN.
  2. Toxic

    Toxic Administrator Staff Member

    can you set the ADSL modem in Bridged mode?
  3. ila1000

    ila1000 LI Guru Member

    I tried to disable NAT in several ways.
    I cannot set the modem in bridged mode (ISP uses PPPoA).
    DHCP spoofing did not seem to work for unknown reasons (kept getting a local address).
    I tried to connect via PPTP from the WRV200 to the ADSL modem (Speedtouch Home; contains a PPTP server with bridge to the WAN). In this case the WRV200 gets the WAN address, WAN gateway and DNS servers as expected. I could ping to an IP address, but not to a FQDN name. Capturing with Wireshark on the WAN side of the WRV200 revealed that the DNS queries are not sent via the PPTP tunnel, but directly on the LAN!!
  4. datdamnmachine

    datdamnmachine LI Guru Member

    I had an issue like this, however, we were using Sonicwall firewalls and not Linksys but the solution should be the same. Basically, the DSL modem will need to be set up to forward all ports to a DMZ in which your Linksys is the only device on there. You may want to statically assign the ip address as well. Make sure you disable any firewalls, and filtering from the DSL modem. If I remember correctly, NAT will still need to be turned on. Although double-NAT is not recommended, if it's your only option, it is. A bit of warning though, this solution was set up at 1 remote location and the main location has a static public but it should still work.

    Another option (depending on your ISP) would be to get a /30 subnet and configure ip unnumbered (depending on your equipment, I've had to set this up for customers using Qwest DSL w/PPPoA authentication and Actiontec DSL modems/gateways). This will allow the modem to do the PPPoA authentication and you will configure a public ip on the ethernet side of the modem and that will become the default gateway of your Linksys router (you will configure the remaining available ip address on the Linksys WAN interface).

    Another option (this strictly depends on the ISP and depending on upgrades to their system; if it works, it may stop working all of a sudden) is to use PPPoE authentication to do the PPPoA authentication. I've known of instances when this worked because of how the ISP network was set up (Qwest) but they've been upgrading things so that only PPPoA authentication will work.

    I wonder when the router manufacturers will add PPPoA authentication to their routers?
  5. ila1000

    ila1000 LI Guru Member

    DMZ will not work, since the VPN router will identify itself with its local address to the remote VPN router. Set up will fail then (see my first post).
    I am afraid that one of the few options left is downloading the firmware and modifying it...:mad:
    Anybody with tips? It would be very handy to have an ssh server also.
  6. datdamnmachine

    datdamnmachine LI Guru Member

    That should not be the case. The endpoints should only see the public ip addresses of the other end and believe it is communicating with that end as long as you are forwarding all ports to the individual devices that are hosting the VPN endpoints. I would highly suggest trying it out first before you throw the idea away. I've not only seen this way work, but have had to set this up in production environments.

    I've had plenty of customers who could not obtain static ip addresses for their remote locations use VPN not only behind a continuously changing public ip address but also behind a modem doing NAT. Instead of just configuring DMZ, you may just need to forward all ports to the VPN boxes. You may have to try it a few ways with the DSL modem as all brands do things a little differently. The only other thing you may need to do is setup NAT-T in case, because of NAT, the packets get encapsulated to use port 4500 instead of port 500 for isakmp traffic. That, in and of itself, would then depend on your configuring it on your VPN endpoint boxes instead of this being something that would need to be configured on your modem. Also, remember to disable any firewalls and/or access restrictions and such.

    I would also suggest checking out for your brand of modem as they may already have an article about how to do what's being suggested.
  7. ila1000

    ila1000 LI Guru Member

    I have tried earlier what you suggest. I have a static WAN IP on both locations. The WRV200 routers are both behind ADSL modems using NAT. In my first attempt I configured the ADSL modems to use the WRV200 as the DMZ. Later, I removed the DMZ and just forwarded UDP ports 500 and 4500 to the WRV200s. I used Wireshark to capture the packets between the ADSL modem and the WRV200 on one site. I saw that a few ISAKMP messages were exchanged. However, the initiating site indicated an error to the responder. When I looked in the VPN log of the initiator, I saw an entry that said something like "expected IP address <WAN address>, but responder has IP address <LAN address>". Indeed, the <LAN address> logged at the remote side was the local LAN address of the WRV200 router at the local site.
    This problem also sounds logical, since the WRV200 on the local site does not know the local WAN address because of NAT. The local router is given a local LAN address on its WAN port by the DHCP server in the ADSL modem. It will use this local LAN address as identification during IKE and I do not know how to change that.
    Problem is that I cannot set all necessary parameters for IKE, since the HTTP interface of the router only allows me to set a subset of these parameters.
    I am confused how this could work at other sites as you mention.
  8. datdamnmachine

    datdamnmachine LI Guru Member

    Interesting. Without seeing the log entries on both routers regarding the IKE negotiation, I wouldn't know for sure. The best thing to do is post the error you are getting, as well as the private ip being assigned to the WAN interfaces of the VPN gateways as well as the LAN ip scheme on the LAN interfaces of the VPN gateway. It could be as simple as a configuration issue that's gone unnoticed. Like I said, I've seen production sites where this has worked. Also, did you configure NAT-T (NAT Traversal)?
  9. thelinksysuser

    thelinksysuser LI Guru Member

    I've posted a thread about the same situation around 7 April 2007

    See link:

    I have not found a fix for it yet. What can be done about the message that the WRV200's are generating (initiating router expects that the responder identifies itself with its WAN address)?
  10. ila1000

    ila1000 LI Guru Member

    This is indeed exactly the same problem as I have. My log file is similar to the log file in the link above.
    One of the replies in above link suggests using DMZ, but I expect that it will fail for the same reasons (router will use local LAN address as identification).

    The same problem was most probably the underlying cause in When "Secure Gateway Address" contained the WAN address, the tunnel would not get set up. The fix was entering (meaning "anyone"). I expect that entering the local LAN address of the remote party would have worked also.
    In the present case however both routers are behind NAT and at least one should have the WAN address or otherwise neither router is able to initiate the tunnel.
  11. datdamnmachine

    datdamnmachine LI Guru Member

    I was going to suggest the same thing. Also, when they mean enter they mean enter that as the source ip address on both ends. The destination ip address should still be the WAN ip address of the routers. This way, the routers will allow crypto to be initialized from any party attempting to connect. Is this way less secure? Yup, but as long as your pre-share key is a thing of beauty then you don't have anything to worry about. Also, you can always configure your routers access-rules to allow crypto only from the other device which would counter the issue of allow connections from (any).

    Again, I think it may have more to do with your DSL modem than anything. Mind you, I've never encountered NAT being used on both ends but I've seen it being used on each end individually. Being that it's on both ends, may be the problem as well. Did you, by any chance, set up NAT Traversal on both ends? Also, you still should be able to get a static ip address even with PPPoA. You will need to talk with your provider about it for sure. Some providers have options, others don't.
  12. thelinksysuser

    thelinksysuser LI Guru Member

    Did someone already find a fix for this? Neither DMZ nor NAT traversal on both ends seems to work.

    With the DMZ configured the WRV200 is still telling that it has another address configured. (initiating router expects that the responder identifies itself with its WAN address)
    With the double NAT-traversal none of the VPN-routers can initiate a tunnel.

    Please can someone tell me if I am doing something wrong with the configuration, but as I can see the WRV200 is acting like it is designed. Maybe if the above 2 points are true, a firmware change or something could be done to solve such a situation. Now I've two WRV200's which only do some internet routing :(
  13. DocLarge

    DocLarge Super Moderator Staff Member Member

    Whoa (lotta reading).

    If I'm understanding this, if you disconnected your wrv200 from your adsl modem, you could hook a computer directly to your modem and connect to the internet right? I've been sitting here for almost 20 mins going over this also...

    What is the ip address the "WAN" Port of your WRV200 gets from the adsl modem?
  14. thelinksysuser

    thelinksysuser LI Guru Member

    This is the situation.

    The wrv200 gets the following address: (side1)

    Public IP Adslmodem/router (x.x.x.x)
    Private IP Adslmodem/router (
    Public IP WRV200 (
    Private IP WRV200 (
    The wrv200 gets the following address: (side2)

    Public IP Adslmodem/router (x.x.x.x)
    Private IP Adslmodem/router (
    Public IP WRV200 (
    Private IP WRV200 (
  15. thelinksysuser

    thelinksysuser LI Guru Member

    And indeed when placing a computer directly behind the ADSL modem/router, it can connect directly to the internet. The public IP addresses are also both static addresses.

    The log that the WRV200's give is as follows. I marked the most important line.

    020 [Fri 12:24:42] "TunnelA" #1: [WRV200 Response:] ISAKMP SA (Main Mode) Initiation
    021 [Fri 12:24:42] "TunnelA" #1: received Vendor ID payload [Openswan (this version) 2.4.5dr3 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
    022 [Fri 12:24:42] "TunnelA" #1: received Vendor ID payload [Dead Peer Detection]
    023 [Fri 12:24:42] "TunnelA" #1: received Vendor ID payload [RFC 3947] method set to=109
    024 [Fri 12:24:42] "TunnelA" #1: enabling possible NAT-traversal with method 3
    025 [Fri 12:24:42] "TunnelA" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
    026 [Fri 12:24:43] "TunnelA" #1: STATE_MAIN_I2: sent MI2, expecting MR2
    027 [Fri 12:24:43] "TunnelA" #1: I did not send a certificate because I do not have one.
    028 [Fri 12:24:43] "TunnelA" #1: NAT-Traversal: Result using 3: both are NATed
    029 [Fri 12:24:43] "TunnelA" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
    030 [Fri 12:24:43] "TunnelA" #1: STATE_MAIN_I3: sent MI3, expecting MR3
    031 [Fri 12:24:43] "TunnelA" #1: Main mode peer ID is ID_IPV4_ADDR: ''
    032 [Fri 12:24:43] "TunnelA" #1: we require peer to have ID 'X.X.X.X', but peer declares ''
    033 [Fri 12:24:43] "TunnelA" #1: sending encrypted notification INVALID_ID_INFORMATION to X.X.X.X:4500
    034 [Fri 12:24:43] "TunnelA" #1: received 1 malformed payload notifies
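    The log above shows the failure pattern discussed throughout this thread: NAT-T detects that both ends are NATed, the peer then declares a private LAN address as its ID_IPV4_ADDR, and the initiator rejects it with INVALID_ID_INFORMATION. The following script is an added example (not from the thread or from Linksys) that parses pluto-style log lines and classifies this failure; the sample log and both addresses in it are constructed placeholders, not the poster's addresses.

```python
import ipaddress
import re

# Constructed sample of a WRV200 (Openswan pluto) IKE log, modelled on the
# lines quoted in the thread. The addresses are placeholders, not real peers.
SAMPLE_LOG = """\
028 [Fri 12:24:43] "TunnelA" #1: NAT-Traversal: Result using 3: both are NATed
031 [Fri 12:24:43] "TunnelA" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'
032 [Fri 12:24:43] "TunnelA" #1: we require peer to have ID '203.0.113.10', but peer declares '192.168.1.2'
033 [Fri 12:24:43] "TunnelA" #1: sending encrypted notification INVALID_ID_INFORMATION to 203.0.113.10:4500
"""

NAT_RE = re.compile(r"NAT-Traversal: Result using \d+: (?P<result>.+)$")
ID_RE = re.compile(r"we require peer to have ID '(?P<want>[^']*)', but peer declares '(?P<got>[^']*)'")
NOTIFY_RE = re.compile(r"sending encrypted notification (?P<notify>[A-Z_]+) to (?P<dst>\S+)")

# RFC 1918 ranges; the thread mentions 192.168.x.x and 10.0.0.x on the WAN port.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr is a valid IPv4 address inside an RFC 1918 private range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def diagnose(log_text):
    """Extract the NAT-T result, required/declared peer IDs and the notify
    from a pluto log, and return a dict with a verdict string."""
    info = {"nat": None, "want": None, "got": None, "notify": None}
    for line in log_text.splitlines():
        if (m := NAT_RE.search(line)):
            info["nat"] = m.group("result")
        if (m := ID_RE.search(line)):
            info["want"], info["got"] = m.group("want"), m.group("got")
        if (m := NOTIFY_RE.search(line)):
            info["notify"] = m.group("notify")
    if info["notify"] == "INVALID_ID_INFORMATION" and info["want"] != info["got"]:
        if is_rfc1918(info["got"]) and not is_rfc1918(info["want"]):
            info["verdict"] = "peer identifies with its private (NATed) WAN-port address"
        else:
            info["verdict"] = "peer ID mismatch"
    else:
        info["verdict"] = "no identity failure found"
    return info


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

The verdict line distinguishes the double-NAT identity problem from a plain misconfigured peer ID, which is the first thing to check before changing the addressing between modem and router.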
  16. datdamnmachine

    datdamnmachine LI Guru Member

    Have you changed the peers on both ends to and tried it then?
  17. cactusfazer

    cactusfazer Network Guru Member

    try to change your private lan between adslmodem and WRV200. Address 192.168.x.x is not routing well on this product. I was having problems with an SIP and the linksys assistance told me that there is some bug when the router is using lan 192.9.x.x because for it, it's an internet address. It's possible that the 192.168.2.x and 192.168.1.x bug the WRV.
  18. thelinksysuser

    thelinksysuser LI Guru Member

    Ok, I shall test another range.

    The trick did not fix the issue.
  19. DocLarge

    DocLarge Super Moderator Staff Member Member

    Here's something you might check; go to "Shields Up" and see if the firewall on your ADSL modem/router's with the public ip's are still running (technically, it shouldn't because it's in bridge mode, or supposed to be); this will "faq up" a quickvpn connection real good!!

    The linksys adsl2mue's firewall is still active even if you set it to "bridge" mode. It took me forever to figure this out and explained why quickvpn wasn't connecting (I had my WRV54G behind the adsl2mue)...

  20. thelinksysuser

    thelinksysuser LI Guru Member

    I've tested using another range 10.0.0.x/8 between the ADSL modem and the WRV200 and it does not work. Still the same messages.

    "we require peer to have ID 'X.X.X.X', but peer declares ''"
  21. lespaa

    lespaa Network Guru Member

    Sorry Dude. If both ends have double NAT and WRV200s you're out of luck. The WRV200 can only respond to a tunnel initiation that originated from behind NAT with its NAT-T implementation. It can't send a tunnel initiation from behind NAT with NAT-T enabled.