Routing between SMCBR18VPN and WRV54G

Discussion in 'Networking Issues' started by DocLarge, Aug 18, 2005.

  1. DocLarge

    DocLarge Super Moderator Staff Member Member

    I realize I may receive some scathing comments for stepping outside of the beloved covenant of "Linksys" but my curiosity about the SMCBR18VPN router got the best of me.

    The WRV54G (after working the bugs out) is "now" every bit the router I wanted when I bought it about a year ago. The setup guide a friend and I collaborated on is getting a lot of folks connected with quickvpn (finally). What I'm currently trying to do is test the WRV54G's capability to still route vpn connections from behind another SOHO router and as of right now, I've run into a small roadblock.

    At this time, dynamic routing took over and both routers established routes between themselves. I can surf both nets (my wife is on 172.16.x.x while I'm on the other) and even connect to my ftp server on my 192.168.x.x segment. The problem is that I can't get quickvpn to connect in this configuration. I can't, for the life of me, figure out why the quickvpn can't see the WRV. When the wrv54g is connected directly to the adsl modem, vpn runs fine. Yet, when I put the smc router in front and run CAT5 from one of the smc's eight ports to the WAN port of the WRV, it routes traffic perfectly, but "won't" talk to the quickvpn client, which initially led me to believe NAT or Firewall settings on the smc must be the cause.

    I've enabled/disabled NAT (on the smc), ensured all routes are open and not blocked, and even tried using the "virtual computer" and "virtual applications" and still no response. My only guess at this point is there's something going on with the firewall but I can't seem to pinpoint where (the basic firewall is running and the logs aren't really showing anything).

    I honestly have to say, this smc router is a good complement to the wrv because it (smcbr18vpn) has one com port to allow for a failsafe dialup or ISDN connection if broadband fails. One thing this router has in common with Linksys is shitty tech support. I talked to an SMC tech and the guy told me SMC does not support any of their routers if you connect another router (SMC or otherwise) to the original SMC product.

    Of course, being the "sumbitch" that I am I asked him "Is it because the router can't handle the additional traffic or is it because the current level of tech support isn't trained to troubleshoot such a configuration?" After a few minutes of going in circles (he told me I wasn't connecting the router properly and that's why I couldn't connect to the internet although I'd gotten the tech support number from their website) he admitted he didn't know how to troubleshoot such a configuration and SMC doesn't support their products when it gets that intricate.

    So, it's down to the Linksys family. Any ideas?

  2. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    Obvious (?) question... did you turn on VPN passthrough on the SMC? I believe that VPN passthrough will take precedence over any port forwarding (or virtual DMZ or whatever) rules you may have on the SMC and this will be a problem. Even if you forward all the traffic from the Internet to your WRV54G, the IPSec Application Layer Gateway (ALG) functionality of your SMC will take over and try to passthrough the IPSec traffic to the correct host. (This is not because I have any special knowledge of how SMC routers work but because I've played with similar scenarios to this before, with the exceptions/assumptions that I am making noted below:)

    I'm reading from your explanation that you are trying to VPN to the WRV54G from an Internet client using QuickVPN while your WRV54G is behind the SMC. Since you're on an ADSL connection then you are likely Port Address Translating to a single IP address on your SMC for outbound connections to the Internet. Similarly, inbound connections to your WRV54G will need to be forwarded from the SMC as they arrive on the SMC's WAN interface. Since QuickVPN uses TCP Port 443 to exchange credentials during IKE Phase I (vs. the usual ISAKMP on UDP Port 500), the most obvious solution is to forward TCP port 443 to the WRV54G. Even if you do that though, since TCP port 443 is used by S/HTTP and not normally used for an IPSec VPN, your SMC has no way of "knowing" that the WRV54G is an IPSec server and the ALG will not properly work. Thus, after successful completion of IKE Phase I, when the Internet VPN client starts lobbing IPSec packets ( TCP or UDP ports to forward) at your SMC in order to complete IKE Phase II, your SMC does not "know" where to forward the IPSec traffic to because it is unaware that there is an IPSec server sitting behind it and won't make a translation to the WRV54G.

    If the WRV54G was a traditional IPSec server this wouldn't be a problem. I am currently running a similar setup on my home network but I am using my Cisco PIX 501 on an ADSL connection as the IPSec VPN server (so no pass through problems) and passing through all PPTP VPN requests to an internal WRT54GS running Sveasoft's "Talisman" firmware. When the PIX sees the responses to the TCP Port 1723 traffic (PPTP's "Phase I") from the WRT54GS, it caches its IP address and then knows to direct the subsequent GRE (General Routing Encapsulation) packets used by PPTP's "Phase II" to the WRT54GS when they arrive on the WAN interface of the PIX. [sidebar: The PIX 501's ALG for PPTP VPN traffic pass through is through the "fixup protocol pptp" command.]

    Anyway, this all remains guess work on my part but I'm (guessing) that it's pretty close to the right answer.
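    A toy model of the forwarding logic described in the post above (added here as an illustration, not code from the thread or from either vendor's firmware): a NAT router with static port forwards plus an ALG that only learns the inner VPN server when it recognises the control channel. The LAN address for the WRV54G is constructed, and the ALG rule table is an assumption that mirrors the PIX's PPTP behaviour, not the SMC's real implementation.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    proto: str            # "tcp", "udp", "gre" or "esp"
    port: Optional[int]   # dst port for inbound packets, src port for outbound replies
    direction: str        # "in" = arrives on the WAN side, "out" = sent by an inner LAN host
    src_host: str = ""    # inner host that sent an outbound packet

class SohoNat:
    """Toy NAT router: static port forwards plus an ALG that caches the inner
    VPN server only when it sees a reply on a control port it understands
    (as the PIX does for PPTP's TCP 1723 before the GRE packets arrive)."""
    def __init__(self, forwards, alg_rules):
        self.forwards = dict(forwards)    # (proto, dst port) -> inner host
        self.alg_rules = dict(alg_rules)  # (proto, control port) -> data protocol
        self.learned = {}                 # data protocol -> inner host learned by the ALG

    def handle(self, pkt):
        if pkt.direction == "out":
            data_proto = self.alg_rules.get((pkt.proto, pkt.port))
            if data_proto:                # reply on a known control port: remember the host
                self.learned[data_proto] = pkt.src_host
            return "wan"
        key = (pkt.proto, pkt.port)
        if key in self.forwards:          # an explicit port forward matches
            return self.forwards[key]
        if pkt.proto in self.learned:     # data channel of a server the ALG learned
            return self.learned[pkt.proto]
        return None                       # nothing matches: the router drops the packet

WRV = "192.168.1.2"  # constructed LAN address for the WRV54G sitting behind the SMC

def quickvpn_scenario():
    # TCP 443 is forwarded, but 443 is not a control port the ALG recognises,
    # so the ISAKMP and ESP traffic that follows has nowhere to go
    nat = SohoNat({("tcp", 443): WRV}, {("tcp", 1723): "gre"})
    flow = [Packet("tcp", 443, "in"), Packet("tcp", 443, "out", WRV),
            Packet("udp", 500, "in"), Packet("esp", None, "in")]
    return [nat.handle(p) for p in flow]   # [WRV, "wan", None, None]

def pptp_scenario():
    # TCP 1723 is forwarded and recognised by the ALG, so GRE follows it inside
    nat = SohoNat({("tcp", 1723): WRV}, {("tcp", 1723): "gre"})
    flow = [Packet("tcp", 1723, "in"), Packet("tcp", 1723, "out", WRV),
            Packet("gre", None, "in")]
    return [nat.handle(p) for p in flow]   # [WRV, "wan", WRV]
```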

  3. DocLarge

    DocLarge Super Moderator Staff Member Member

    thanks for the response. I forwarded port 443 initially when I started working on this a few days ago. VPN pass thru was the first thing I enabled figuring it was "common sense." However, after the first hour when the most "logical" settings didn't work, it left me in a "hit and miss" mode for a few days (ultimately causing me to post last night).

    After having gone through enough scenarios with this, my current hypothesis is either the SMC is blocking packets or the wrv can't interpret packet requests due to NAT between itself and the SMC (I even set the wrv to router mode to see what effect that would have).

    I'd originally gone with the same setup "but" with the WRV54G in front. The problem with this is the wrv's WAN ip kept expiring every 3 minutes. When it doesn't have any other routers connected to it, the WAN would normally expire every 3 days (I had to release/renew every so often to keep the connection up.) I believe this has something to do with my having a statically assigned ip address from my isp. My guess is if I have it changed back to dhcp I may be able to switch the routers around.

    I'll let you know...
