Quickvpn & Greenbow VPN Using Dual Router Configuration

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by DocLarge, Oct 1, 2005.

  1. DocLarge

    DocLarge Super Moderator Staff Member Member

    I picked this information out of one of my previous posts because I realized if I was looking to run two routers at home to get around the NAT-T problem the WRV54G can't negotiate, I'm sure somebody else was trying to also. It's kinda long, but if you want to have the option to use quickvpn and greenbow, to possibly include SSH Sentinel, check it out.... Yes, you can now use a third-party vpn client "without" having to connect the computer/laptop directly to a modem to access the internet.

    Oh, it's not required the second router be a BEFVP41; my second router with the direct internet connection is an SMCBR18VPN eight port firewall router that doesn't have the NAT-T issue. Whatever second router you use, make sure it can do NAT-T.

    For a few of you newbies just joining the forum, if you're trying to use greenbow while the wrv54g is directly connected to the internet (via your cable/xdsl modem), it's not going to work because the wrv does not support NAT-T. This was most likely done by Linksys in order to promote the quickvpn client, which "does work" once you figure out the proper configuration for the client machine it will be loaded on (I use quickvpn daily).

    Before doing any of the below steps make sure you connect straight thru cat5 from a LAN port on the wrv and run to your computer; log in with factory settings and make sure it's set for DHCP and set your LAN ip range (for example

    On the BEFVP41:

    1) connect the befvp41 to your cable/xdsl modem
    2) configure it to give out one ip address
    3) run "straight thru" cat5 from one of its LAN ports to the WAN port of the wrv54g

    On the WRV54G:

    1) make sure cat5 from one of the befvp41's LAN ports is connected to the WAN port of the wrv
    2) log into the wrv via direct connection or wireless
    3) you should see that the wrv's WAN ip will be whatever address it has pulled from the befvp41; the wrv will automatically register this path in its routing table (wrv does automatic discovery)
    4) set your wireless security (no SSID broadcast, static ip's if there aren't that many systems on wireless, WPA...)

    Alright, you now have two subnets. Let's say the befvp41 LAN scheme is and the wrv LAN scheme (as previously stated) is However, because it is pulling an ip address from the befvp41, the wrv's "WAN" ip address is "This" connection is what will allow the wrv to send/receive information via the befvp41 to the internet and receive information from the internet. Keep in mind they are still on different subnets so you may or may not be able to have both subnets communicate with each other.

    I've seen some posts where people with firewall routers were able to make entries that allowed one subnet to talk to the other in this type of setup. Right now, the wrv subnet (if I remember correctly) will be able to talk to the befvp41 subnet, but the befvp41 subnet can't talk to the wrv subnet.

    Last but not least, go back to your befvp41 router and forward ports 443 and 500 to the ip address that is registered on the wrv's WAN port (the ip address it pulled from the befvp41). This will allow you to use quickvpn. Hey, I work it like this every day of the week for my quickvpn users.

    As for greenbow, you can run it on "either subnet" now because the befvp41 router handles the NAT-T issue. One thing I will mention is that when you get to phase II and you need to put in an address of the client computer that's using greenbow, you will now be able to specify either the private ip of the computer, or the WAN ip given to you by your isp (this depends on whether or not your modem is capable of "Live IP" courtesy of an x-modem ce by adslnation.com). Keep this in mind also: when you setup greenbow in this config (or any other for that matter) start out with the following settings:

    local secure group: Use "subnet" (your local router's ip scheme)

    remote secure group: Use "any" ("Hail Mary" option)

    remote secure gateway: Use "any" ("Hail Mary" option again)

    Once you've got your "technique" in running this configuration, you can start substituting your remote group/gateway choices.

    I never use greenbow to connect in to my network (although I can with this config) because I either use quickvpn or the 2000 vpn server I've configured for remote vpn access also.

    My wrv actually performs better in this config (DHCP refresh time problem is gone!!) and I can run for weeks on end unless I have to make a setting change.
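
The layout in the post above can be sanity-checked before touching either router. This is an added example, not part of the original post: the function name, the sample addresses and the protocol pairing (443/tcp, 500/udp) are assumptions, since the post's own addresses are elided.

```python
import ipaddress

# Ports the post forwards on the upstream router for QuickVPN. The protocols
# are this example's assumption: HTTPS on 443/tcp and IKE on 500/udp.
REQUIRED_FORWARDS = {(443, "tcp"), (500, "udp")}


def check_dual_router(upstream_lan, downstream_wan_ip, downstream_lan, forwards):
    """Return a list of problems in a two-router (double NAT) layout.

    forwards: (port, proto, target_ip) rules configured on the upstream router.
    """
    up = ipaddress.ip_network(upstream_lan)
    down = ipaddress.ip_network(downstream_lan)
    wan = ipaddress.ip_address(downstream_wan_ip)
    problems = []

    # The downstream WAN port must hold a host address from the upstream LAN.
    if wan not in up or wan in (up.network_address, up.broadcast_address):
        problems.append(f"downstream WAN {wan} is not a host address in {up}")
    # Overlapping ranges make the downstream router's WAN and LAN sides ambiguous.
    if up.overlaps(down):
        problems.append(f"LAN ranges overlap: {up} and {down}")

    seen = set()
    for port, proto, target in forwards:
        key = (port, proto.lower())
        if key not in REQUIRED_FORWARDS:
            problems.append(f"forward {port}/{proto} is not needed for this setup")
        elif ipaddress.ip_address(target) != wan:
            problems.append(f"{port}/{proto} forwards to {target}, not {wan}")
        else:
            seen.add(key)
    for port, proto in sorted(REQUIRED_FORWARDS - seen):
        problems.append(f"missing forward {port}/{proto} -> {wan}")
    return problems


if __name__ == "__main__":
    # Constructed sample values; the addresses in the original post are elided.
    rules = [(443, "tcp", "192.168.1.100"), (500, "udp", "192.168.1.50")]
    for p in check_dual_router("192.168.1.0/24", "192.168.1.100",
                               "192.168.2.0/24", rules):
        print("PROBLEM:", p)
```
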

  2. pointmark2

    pointmark2 Network Guru Member

    Similar WRV54G VPN Problem

    Hi Doc

    I am new to this forum, but have read most of your previous posts regarding the WRV54G.
    I have followed all your suggested settings (Instruction you & Dave Warner created)
    I still have a few unanswered questions.
    I can get quick VPN to verify, but not connect, (FireWalls disabled,
    Ipsec started, no other VPN client etc)
    I think I am very close. ( using Firmware 2.38)
    Have sold three others to customers and can not get to work (what a time waster)
    You guys have obviously spent heaps of time getting it to work correctly and all this info is greatly appreciated.

    Do I need a Static IP with my ADSL broadband account? (costs $180.00 extra in Australia)
    I have changed all my Network ranges from 192.168.1.X to 10.170.X.X otherwise WRV54G does it for me when I add someone to the VPN Client List Table
    What ip range should I use for the computers on my network
    My PC is, subnet
    friends pc, subnet
    My WRV54g Gateway IP
    Friends WRV54g Gateway IP
    My Netcomm ADSL Modem DHCP disabled
    Friends Netcomm ADSL Modem

    I can not get my ADSL work on any computer on my network when Netcomm NB4 ADSL Router plugged into the WAN port of the WRV54G (No green light, only orange) (did get it work with green Internet Light early on, so wonder if it is a setting or firmware revision), but it works fine when I use one of the WRV54G Lan Ports, but then when I do a reverse DNS lookup at http//remote.12dt.com/rns/ it comes up with a different IP each time I log on and Quick VPN will not even try to connect when I put in that IP in the Server Address field (standard 4 possible errors), but if I put in my WRV54G Gateway IP into Quick VPN ( it will Activate policy, verify network, then fail to negotiate.

    Have disabled firewall at my mates place and created a user on his PC with same details as quick VPN login details.

    Have put in a host name and domain name as other users have suggested.

    Have VPN username & password greater than 7 characters.

    I must be close, but not sure what else to do.

    I am almost ready to give up after and try WRV54G to WRV54G Endpoint without using Quick VPN because my customer has two at different locations that he wants to connect to each other and I want to connect to my friend's WRV54G.
    Is there a set of instructions for this that works.

    We did want to Use Quick VPN to connect to one of them using dial up (slower than ISDN), but from what I have read no one has been able to do that with Quick VPN, especially if VPN Tunnel & Gateway Enabled ( But may be able to use some suggestions in this Post)
    So we will settle from doing it from Office to Office with Two WRV54G's

    I hope someone can answer these questions. I will post the same questions in a new post as well.

    Many Thanks
    Pointmark Computers
  3. DocLarge

    DocLarge Super Moderator Staff Member Member


    in my example above, both routers are strictly "ethernet" routers and "not" router/modem gateway combinations, such as the WAG54G, WAG354G, and your Netcomm router.

    Configuration with a pure ethernet router is much easier because you do not have to deal with PPPoA, which is what ADSL runs over. This is why you can't get the configuration to work. In order for you to do this, you would need to put your Netcomm router/modem in "bridge" mode. This will cause it to function just as a modem only. This means that the device behind it (your WRV54G) needs to be able to translate PPPoA.

    Here's where your problem comes in. The WRV54G is "not" designed to function with ADSL directly because it is an ethernet router, but here's an off the wall configuration some people have had success with.

    The Work Around

    After you set your Netcomm to bridge mode, you may need to run crossover cable between one of the Netcomm's LAN ports to the WAN port of the WRV54G. Next, log into the WRV54G and change its setting to PPPoE. Now, put the credentials you normally use to connect with your Netcomm router into the WRV54G. There is no guarantee this will work, but there have been a few people who've been able to do this over here and the configuration has worked.

    Should this not work for you, then you'll need to get an adsl "ethernet" modem. This type of device is strictly a modem and will convert the PPPoA signal that comes in through the RJ-11 port to ethernet as it leaves the RJ-45 ethernet port (both ports are located on the back of the modem).

    Here's something also for future considerations:


  4. pointmark2

    pointmark2 Network Guru Member

    Hi Doc

    Thanks for the info.
    I will give it a try over the next couple of days and let you know how it goes.

    Cheers Mark
  5. dazzasimmo

    dazzasimmo LI Guru Member

    wow, just put in my own topic but this topic seems close to the problem I'm having... was the problem ever solved? maybe the crossover cable is the answer to MY problems as well? Pointmark2, did it work?!

  6. DocLarge

    DocLarge Super Moderator Staff Member Member

    The only way I personally have seen to get around this is to get an adsl ethernet modem. Buying another adsl router/modem won't do the trick because if the phoneline isn't connected to the back of the unit, it's nothing more than a switch. Then, the other solution would be to get a PPPoE connection, but now I'm talking crazy :)

    It's cheaper to buy the adsl ethernet modem:


    Personally, a separation of router and modem is always the way to go to avoid the problem you're running into...
