RV042/WRV54G/WRV54G vpn tunnels/QuickVPN

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by drwphx, Jan 26, 2007.

  1. drwphx

    drwphx LI Guru Member

    Hi all -

    I have asked this question to Linksys Tech Support through their email system. I am not very optimistic that they will be able to provide a good answer to my situation which is spelled out below.

    My situation is spelled out below:

    Office: WRV54G with Static IP Address using DSL.

    Home 1: RV042 with Dynamic IP Address provided through Cable Modem. I also have a WRT54G that I wish to remove router/DHCP functionality from and only leave the WAP and switch active. DHCP, if needed, will now be handled by the RV042. Most of the devices on this network have static private IP addresses.

    Home 2: WRV54G with Dynamic IP Address also provided through Cable Modem.

    I already have registered with dyndns.org to handle the dynamic IP issue.

    What I need is to have VPN Tunnels from Home 1 to Office and Home 1 to Home 2 with occasional need for a tunnel from Home 2 to Office. I will also need access to any of the networks from any other internet connection using QuickVPN Client. If it is too much of a problem to only occasionally set up a tunnel from Home 2 to the office, I can and will use a VPN Client on my notebook.

    I currently use QuickVPN to access the Office WRV54G and it works rock solid from everywhere I have ever tried it.


    I don't know if it is possible, but I also use a different client to access our Cisco Pix 515 VPN to get on a separate network for our company. This connection is a T1 from ISP. Is it possible to use this same client to attach to the Linksys VPN routers?

    I did notice that when I installed the WRV54G in the office, that I needed to change from Class C private IP addressing to Class A private IP addressing. Is this also the case with the RV042?

    Does all of this sound possible with the hardware that I have?

    Thank you all for any assistance you may be able to provide.

    Dan Walker
  2. DocLarge

    DocLarge Super Moderator Staff Member Member

    Here's a tutorial on vpn tunnel setup:


    As long as you use "quickvpn only" on a LAN that is using a WRV54G, incoming connections will be fine. The problem comes if you try to use a third party vpn client from "behind" a WRV54G; it won't work because the WRV54G is not NAT-T/GRE compliant by design; Linksys was pushing quickvpn and designed the router to be "married" to quickvpn.

    You can connect "in" with a third party client from behind a "NAT-T/GRE compliant router" such as all of the RV0XXX routers or the WRV200/WRVS4400N/RVS4000 routers to a WRV54G; just remember "not" to be behind a WRV54G when initiating the connection. The only way to connect out with a third party client is to take the WRV54G offline and connect that computer directly to your modem :(

    A "definite" solution I have tested with continual success is to put a "NAT-T/GRE enabled router" "in front" of the WRV54G and your problems are solved!! It doesn't have to be anything expensive; besides this format "is more secure" anyway because you now have distinctive separation between your "edge router" and your "internal lan" thus limiting direct exposure to the internet. I was using a Netgear DG834G (splendid performance) but have switched back to my PIX 501 for better firewalling. Any nat-t/gre enabled router will do. Have a look at this link because I compiled a link of routers that meet this requirement:


    Regarding your last question with your WRV54G, if you had to change your ip address from a class c to a class a, this means that you tried to set up quickvpn clients with "default" settings. As soon as I pull a WRV54G out of the box, the first thing I do is change the internal lan ip to something else, save, and "then" add my quickvpn clients. The WRV54G firmware is designed to force you to change your ip address because a lot of people leave the default lan settings ( when they install the router; so, if you and I both bought a WRV54G, and this feature wasn't enabled, and we tried to set a tunnel up between the two of us, the tunnel would fail because it would see our connection attempts as being "two computers on the same lan" and drop the connection request.

    So, in short, change the LAN ip address of your WRV54G's "before" you try to assign quickvpn accounts (trust me on this) :)

    Oh, here's a "BIG" gotcha; on the WRV54G you "can not" allow connections from vpn tunnels and quickvpn client access at the same time; it has to be "one or the other, not both!" This problem "does not" exist with the WRV200/WRVS4400N/RV0XX series router (possibly because of them being NAT-t/GRE compliant). Yep, that part truly sucks azz, and there doesn't appear to be any future proposed development work on the WRV54G.

    On the bright side, if you want to see how much of a workhorse the WRV54G is, take a look at an old Tolly Group report (this will make you feel better):


    By the way, if anyone is wondering how I manage to type all of this "gobbeldy-gook" it's because I've been typing for about 16 years and can get my thoughts out pretty quick :)

  3. drwphx

    drwphx LI Guru Member

    Hi Jay -

    Thank you for your reply. I also tend to get long winded when asking and replying to questions on forums.

    Please forgive my lack of knowledge on some of these issues, since I am fairly new to IP networking. I have been an IT Manager for the last 29 years, however, that has been in an I-Series/AS400/System3X environment. So I am still in a learning mode on some of this stuff.

    I guess I really don't have a problem with using QuickVPN as my client for the situation that I described in my original post. It really has worked very well from anyplace that I have needed to use it. I just thought that maybe the client that I use for the PIX firewall would also work with the Linksys products. This would just be one less client that I would have to keep on my desktop. I also use some other VPN clients to access other networks for some of our business partners. I just need to make sure to only open one of them at a time.

    As far as having to change to a Class A IP address scheme, I just remember that when I enabled VPN, prior to setting up any QuickVPN users, it forced me into the 10.x.x.x addressing, rather than the 192.168.x.x that I was already using on the network. Since I was using DHCP for all of my users at that time, it really wasn't that big a deal. The only static IP addresses that I had were some printers using JetDirect interfaces. Since the RV042 that I will install in one of my home networks is going to be in the 192.168.x.x range and it looks like the WRV54G may need to be in the 10.x.x.x range, I hope they can still be connected using a VPN Tunnel. I will just make sure that the Class A that I have at our other house uses a different subnet than the one at my office.

    None of these three routers will be behind any other router. I do have the WRT54G that I will be using only as a WAP and switch. This will be connected behind the RV042.

    I am now hoping that what you said towards the end of your reply doesn't mean what I think it means.

    You said that I can't have a VPN Tunnel active between the 2 routers, RV042 and WRV54G, and also connect to the WRV54G from, say, a hotel, using QuickVPN. Is this what you are saying? If so, could I connect to the RV042 and, since it is connected to the WRV54G's, then access the networks at those 2 locations?

    Like I said before, please forgive my ignorance. I am only now in the middle of taking some courses in Cisco Networking.

    One last issue that I didn't bring up before. We do have a Cisco 515 Pix that we use as a VPN access point for the management network into 3 of our networks. Do you know if it is possible to have a tunnel between the RV042 and the PIX?

    Thank you again for all of your help.

  4. DocLarge

    DocLarge Super Moderator Staff Member Member

    I'll have to check and see if it's possible to do this with these two routers, because I've never tried this with either of them. Some SOHO routers are capable of this, but not all are.

    Stay tuned...

  5. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    Hey Dan. I replied to a PM that DocLarge (Jay) sent me about QuickVPN functionality. The short story is that if you use QuickVPN to access the WRV54G or RV042, themselves connected to one another with a site-to-site VPN, you will only be able to access the network behind the QuickVPN gateway. You will NOT be able to access the partner gateway's internal networks across the site-to-site VPN. Jay is absolutely correct.

    The logic is thus:
    The MS PPTP Client *CAN* access the far side of the site-to-site VPN between my RV042 and a customer's PIX, but the QuickVPN client can't. Not a problem, per se, except one of design. Since the QuickVPN client connection is designed just to tunnel to the gateway's internal network, the IPSec policies that it creates on its Windows host reflect this fact. Also, since it does not obtain an IP address from the RV042 host, there's no way to manually change the Windows client's routing table (ie: route add...) to make the RV042 the default gateway.

    The MS PPTP client on the other hand obtains an IP address from the VPN gateway. I set up the Windows PPTP client with the default settings. If you go into the TCP/IP Settings of the PPTP client connection you see (Properties/Networking/TCP-IP/Advanced) that the "use default gateway on remote network" is checked. Thus, by default, the MS PPTP client will tunnel *all* of its IP traffic through the VPN since the RV042 is its default gateway. This means that when the packets arrive at the RV042, the RV042 will consult its routing table, and since its routing table will include the remote gateway's internal network, it will route the packets through the site-to-site VPN.

    I checked my logic out by conducting a simple test.
    - I disconnected my computer from my home LAN;
    - made a dialup connection to the Internet;
    - Connected to my RV042 via PPTP -- could ping both remote g/ws' internal Nets;
    - disconnected PPTP VPN;
    - Connected to my RV042 via QuickVPN -- could NOT ping either remote g/ws' internal nets.

    ...so there you go.

    On your other questions:
    - The Linksys boxes do not support the Cisco IPSec VPN Client
    - The Linksys boxes will connect quite happily to a Cisco PIX 515
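
An added example, not part of any post in this thread: a simplified Python model of the two behaviours discussed above, the tunnel failure when two sites share the same LAN range and the difference between a QuickVPN client and a PPTP client with "use default gateway on remote network" checked. The site names and subnets are constructed assumptions, and the model only captures "what the client sends into the tunnel" and "what the gateway can route".

```python
import ipaddress
from itertools import combinations

# Constructed addressing plan (assumed values, not taken from the thread).
SITES = {
    "office_wrv54g": "10.10.1.0/24",
    "home1_rv042": "192.168.50.0/24",
    "home2_wrv54g": "10.20.1.0/24",
}

def overlapping_sites(sites):
    """Return site pairs whose LAN ranges overlap; a tunnel between such
    sites fails because each side treats the peer as its own LAN."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]

def tunnel_selectors(client, gateway, sites):
    """Destination prefixes the remote client sends into its tunnel."""
    if client == "quickvpn":
        # The IPsec policy on the Windows host covers only the gateway's LAN.
        return [ipaddress.ip_network(sites[gateway])]
    if client == "pptp_default_gw":
        # Default gateway on the remote network: all IP traffic is tunnelled.
        return [ipaddress.ip_network("0.0.0.0/0")]
    raise ValueError(f"unknown client type: {client}")

def reachable(client, gateway, peers, sites):
    """Sites a remote client reaches: the destination must be selected by
    the client AND routable by the gateway (its LAN or a site-to-site peer)."""
    selectors = tunnel_selectors(client, gateway, sites)
    routed = [gateway] + list(peers)
    result = []
    for name in routed:
        net = ipaddress.ip_network(sites[name])
        if any(net.subnet_of(sel) for sel in selectors):
            result.append(name)
    return sorted(result)

if __name__ == "__main__":
    peers = ["office_wrv54g", "home2_wrv54g"]
    print("overlaps:", overlapping_sites(SITES))
    for client in ("quickvpn", "pptp_default_gw"):
        print(client, "->", reachable(client, "home1_rv042", peers, SITES))
```
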

  6. drwphx

    drwphx LI Guru Member

    RV042/WRV54G VPN Tunnel/QuickVPN

    Jay & Eric -

    Thank you for all your help.

    I don't think this will be that much of a limitation.

    It just seems to mean that I will have to decide which of the 3 networks that I need to work on and make a QuickVPN connection to that network.

  7. DocLarge

    DocLarge Super Moderator Staff Member Member


    Eric has got 15+ years of real world experience designing networks and fixing these types of problems. Him being a legitimate CISCO man doesn't hurt, either... :) :)

    Us "young 'uns" (Toxic, Kspare and myself) have got some time behind us too, but it's good to bounce things off Eric at times...
