WRV200 VPN Problems

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by DerToob, Dec 13, 2006.

  1. DerToob

    DerToob LI Guru Member

    I have two WRV200 Routers running...

    Connected on both sides with PPPoE and dynamic IPs using the DynDNS feature.

    When the Tunnel is being started, the Tunnel Status on the VPN Summary page remains on "T" on both sides, even if the tunnel is being established (I can ping the router with its subnet IP and I can access my PC at home/office with VNC).

    But the connection is not stable.. the Tunnel hangs from time to time and can't connect to the other side. I have to restart the Tunnel on both sides.

    I guess it's a problem with dynamic IP?? The Router at my office restarted the VPN at 6AM today and the connection was broken...

    See attached files....


  2. HughR

    HughR LI Guru Member

    I suspect that that is the problem. I think that the key message in the log is on the home side:

    049 [Wed 06:02:10] packet from initial Main Mode message received on but no connection has been authorized

    I don't know how the GUI works but I know that, in the underlying code, policy is expressed in IP numbers. So I don't think that this node would pick up on the fact that the domain name of the other node is now bound to a different IP address. (Linksys or Openswan could have changed this aspect since I wrote the code but I doubt it.)

    It is possible to express policy (perhaps not in the GUI -- I haven't looked) without specifying the peer's IP address. This doesn't mix well with PreShared Key authentication, the only kind that the GUI supports. If your PSK is not specific to an IP address, it must be the only PSK (i.e. all your peers with unspecified IP addresses must use the same PSK to talk with you). This comes from a limitation of the IKE protocol.

    The underlying code supports RSA Signature Authentication. This has a bunch of nice properties, including a solution to the one-PSK-for-all problem. Unfortunately, even though the WRV200 manual mentions RSA Signature Authentication (obscurely), Linksys' GUI does not support it. In fact, when I asked about this, they said they had no intention of supporting it, so the manual was wrong.

    I am annoyed: I bought the router because the manual said that it supported this feature. I'll have to use a different router plus OpenWRT to get RSA Sig Authentication. I sure wish there was a project for 3rd party open firmware for this router (like OpenWRT). I'd be willing to help, but I'm not going to do the grunt work.

    If we could get around the GUI to get at a shell, we could use RSA Signature Authentication. Anybody got to the shell?

    Anyway, your immediate solution is either to leave the peer's IP address unspecified (in which case your node cannot initiate and all peers with unspecified IP addresses must use the same PSK) or to reload the policy (possibly by rebooting) whenever the peer gets renumbered.
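    As an added illustration of the point above (example code, not from the thread, the WRV200 firmware or Openswan): a small model of an IKEv1 Main Mode responder choosing a pre-shared key by the packet's source address, a policy that freezes a DynDNS name's IP at load time, and a check that reports which peers have since been renumbered and need a policy reload. The host name and addresses are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Conn:
    name: str
    peer_ip: Optional[str]  # None = peer address unspecified ("any")
    psk: str

def load_policy(conns: list[tuple[str, Optional[str], str]],
                resolve: Callable[[str], Optional[str]]) -> list[Conn]:
    """Resolve each peer's DynDNS name once at load time and freeze the IP,
    mirroring a policy that is expressed in IP numbers rather than names."""
    return [Conn(n, resolve(host) if host else None, psk) for n, host, psk in conns]

def select_psk(policy: list[Conn], src_ip: str) -> Optional[Conn]:
    """Main Mode responder: when the PSK must be chosen, only the packet's
    source IP is known (the peer's ID arrives later, encrypted). Prefer an
    exact-IP match, else the wildcard entry, whose PSK must be unambiguous."""
    for c in policy:
        if c.peer_ip == src_ip:
            return c
    wild = [c for c in policy if c.peer_ip is None]
    if not wild:
        return None  # responder logs: "no connection has been authorized"
    if len({c.psk for c in wild}) > 1:
        raise ValueError("unspecified-peer connections must share one PSK")
    return wild[0]

def renumbered(policy: list[Conn], hosts: dict[str, str],
               resolve: Callable[[str], Optional[str]]) -> list[str]:
    """Defender check: connections whose DynDNS name no longer resolves to
    the IP frozen in the policy; those need a policy reload."""
    return [c.name for c in policy
            if c.name in hosts and resolve(hosts[c.name]) != c.peer_ip]

# Constructed sample: one peer, renumbered after the policy was loaded
HOSTS = {"office": "office.example.dyndns.org"}
DNS_AT_LOAD = {"office.example.dyndns.org": "203.0.113.10"}
DNS_LATER = {"office.example.dyndns.org": "203.0.113.77"}

def demo():
    policy = load_policy([("office", HOSTS["office"], "psk-office")], DNS_AT_LOAD.get)
    before = select_psk(policy, "203.0.113.10")
    after = select_psk(policy, "203.0.113.77")  # peer got a new PPPoE address
    stale = renumbered(policy, HOSTS, DNS_LATER.get)
    return (before.name if before else None, after, stale)
```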
  3. DerToob

    DerToob LI Guru Member

    Thanks for your explanation..

    I hope Linksys will solve the problem soon... :cool:

    .... I'm still wondering why the Tunnel Status does not change to "connected"....
  4. ifican

    ifican Network Guru Member

    Couple things for me, I would shut off DPD as it seems to cause more issues than it's worth. I know DynDNS is a nice feature but I don't know anyone that has gotten it to work the way it's supposed to. I too have dynamic IPs at home and relatives. But realistically those IPs never change as long as the router stays connected and keeps renewing. So to test whether it's DynDNS or not, reconfigure the tunnel without DPD and use the IP address to check stability. If all else fails you can always go back to what it is now, which will leave you no worse off than you are now.

    I suppose I should also say I have a WRV200 with the latest code connected to 2 IPsec tunnels continuously (as stated above) and occasionally pop in QuickVPN tunnels with no issues. Will occasionally hang (not let me into the GUI, once every 6-8 weeks) but network throughput never suffers and the tunnels stay up through it all.