Linksys WRV54G and Windows 2000 Server 4

Status
Not open for further replies.

AndyJG

IS-IT--Management
Mar 10, 2004
CA
Hi, I'm trying to establish a VPN connection using PPTP through a Linksys WRV54G router. I have enabled PPTP pass-through and port forwarded TCP 1723 to the server. When I try to connect it waits at 'Verifying username and password'. If I DMZ the router to the server then everything works, however it is not very secure.
Any ideas would be appreciated.
Andy
 
Same here - tried to telnet to many different ports and had no luck. Also upgraded to latest firmware and tried it with the VPN firewall wide open and it made no difference.

Must be some way to get this puppy connected!

Thanks for the help!
 
Gentlemen,

You could try this. Head to this website:

Download the portscanner and run it against the WAN and LAN ports of your router. If something's running on a port, that package will find it.

Good luck.
 
Hi there, I should get your name so I don't have to say Hi there. Anyway, I did as you suggested and lo and behold port 2555 comes up interesting. When I telnet to that port it connects, blank screen and when I hit enter I get the following:

HTTP/1.1 500 Internal server error
DATE: Fri, 19 Mar 2004 21:20:15 GMT
SERVER: OpenRG/3.2.20 UPnP/1.0 OpenRG/3.2.20
CONNECTION: close


Connection to the host lost.

Any ideas now?

Thanks so much for all your help. I'm sure we can get this going.

Andy
 
BTW, The port scanner says this port is "Compaq WPC" if that helps.

Andy
 
Andy,

First off the name is Greg.

Follow this link for more info on the WRV54G:

It looks as if TCP port 2555 is the UPnP HTTP server.

With the RV082 (my unit) I can telnet to port 8023 to make command line changes. It would appear the telnet is turned off by default on your unit. We can likely turn it back on as it's inherent to OpenRG. Let me ask this, when you export your configuration for the unit, is the file it creates readable? You should have something like this:

(rg_conf
(system
(serialno(DEZ003######))
(version(10007))
(release(Dec 2 2003))
(mac_cur(36:b8:##:##:##:##))
(distribution(DIST=IXDP425_NETKLASS))
(log
(login_success(1))
(login_fail(1))
(conf_change(1))
(system_errors(1))
)
(contact())
(location())
(name(RV082_00:0c:41:91:0f:b4))
(boot
(failure_boots(0))
)....

If it is we may be able to open telnet by modifying this file then importing it back into the router. If we can do this, you'll want to backup the original config in case we screw something up given that we're on uncharted ground here.
 
Hi Greg, yep already been to that site.
The configuration file does look like what you show. Also, I see the telnet ports 23,8023 and 992 in the configuration. Will I be able to change the configuration from remote as I am not at the site?
Thanks,
Andy
 
Andy,

Actually, we can probably make the changes right to the config file without using telnet.

Do you have the remote configuration rule open for the router? (i.e. you can get to the web interface from the WAN side) If yes, then you can do it remote, if no then you'll have to either open it or go in from the LAN side.

If you can get to the config file and modify it do this...

From the web interface, create a forwarding rule called GRE for all ports using the TCP protocol. (Don't worry, we'll be changing this once inside the router)

In the config file look for this:

(-############
(name(GRE))
(description(GRE))
(trigger
(0
(protocol(17))
(src...

(-########## will be a service number) Replace (17) or (6) with (47).

Import the new config. Cross your fingers. Try the VPN.
 
Hi Greg,
The last time I forwarded all ports (0-65535) both tcp/udp, I lost remote control. Not sure I should forward all ports.
What do you think?
 
Also, will this affect the forwarding of normal tcp ports required for http,ftp....
 
One more thing, is this not the same as DMZ to the server?

Andy
 
Andy,

Good point. Definitely don't forward all the ports. Given that GRE is portless, (I think this is what may hose the whole deal), it shouldn't matter. When you create the forward service just use port 47 and we'll see what happens.

Well hopefully if this works your router will only be forwarding IP packets identified as protocol 47 regardless of port, meaning only those packets will forward through. Quite a bit more secure than opening the whole system to the Internet.

I know this is late in the game for this suggestion, but you know you could accomplish the same thing by putting the PPTP server on the DMZ and enable "PPTP Filter" on the DMZ'ed adapter. Only PPTP/GRE ports would be open on the server.

Greg
 
Hi Greg, Just to let you know I haven't had a chance to try this yet. Probably won't until Wednesday now. Have you had any luck with setting up a VPN tunnel on this router?
Thanks,
Andy
 
Hi Greg!!

I was able to try this out and guess what.... IT WORKED!!!!

You are the BEST!!!

Thanks so much, would still like to establish a tunnel next if possible.

Andy
 
Hey Andy, can you give me the details of which solution worked, and what steps you followed? Was it the forwarding of GRE, or did you use the secondary IP in the DMZ.

Thanks (both) for all the efforts to get this working! I can't wait to get out to our office and try this out!

Cheers -

Dave!
 
Hi Dave,

Create a forwarding rule using either TCP/UDP or both. Name the rule GRE. Use port 47.

Go into Config management on the WRV54G and download the current config. Make a backup just in case something goes wrong. Edit this file and look for "GRE". Replace the protocol numbers (6) or (17) with 47. Save this file and Upload it back to the router. Now it should work. BTW, every time you change any of the port forwarding options, you will have to re-do this fix as the protocol numbers default back to 6 or 17.

Let me know how you made out.
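
The config edit described in this thread, scripted as an added example that is not part of any poster's message: it changes protocol 6/17 to 47 only inside the rule named GRE, so other forwarding rules keep their TCP/UDP settings, and it can re-check an export after the router resets the value. The sample export is constructed; the `(rule` wrapper, the service numbers and the closing layout are assumptions, since the thread quotes only the start of the entry.

```python
import re

GRE_PROTO = "47"  # IP protocol number of GRE, the PPTP data channel
# Constructed export fragment. The GRE entry follows the lines quoted in the
# thread down to (protocol(17)); wrapper, ids and closing layout are assumed.
SAMPLE = """(rule
(-1000000001
(name(HTTP))
(trigger
(0
(protocol(6))
)))
(-1000000002
(name(GRE))
(description(GRE))
(trigger
(0
(protocol(17))
)))
)
"""

def entry_span(conf, name):
    """Return (start, end) of the parenthesised entry holding (name(<name>))."""
    pos = conf.find("(name(%s))" % name)
    if pos < 0:
        raise ValueError("no rule named %r in config" % name)
    depth, start = 0, pos - 1
    while start >= 0 and not (conf[start] == "(" and depth == 0):
        depth += {")": 1, "(": -1}.get(conf[start], 0)  # skip closed siblings
        start -= 1
    if start < 0:
        raise ValueError("rule %r has no enclosing entry" % name)
    for end in range(start, len(conf)):  # depth is 0 here; find matching close
        depth += {"(": 1, ")": -1}.get(conf[end], 0)
        if depth == 0:
            return start, end + 1
    raise ValueError("unbalanced parentheses in config")

def patch_gre(conf, name="GRE"):
    """Set protocol 6/17 to 47 inside the named rule only; return (conf, count)."""
    start, end = entry_span(conf, name)
    entry, n = re.subn(r"\(protocol\((?:6|17)\)\)", "(protocol(%s))" % GRE_PROTO, conf[start:end])
    return conf[:start] + entry + conf[end:], n

def gre_rule_ok(conf, name="GRE"):
    """True if every protocol field in the named rule is 47 (re-run after forwarding changes)."""
    protos = re.findall(r"\(protocol\((\d+)\)\)", conf[slice(*entry_span(conf, name))])
    return bool(protos) and all(p == GRE_PROTO for p in protos)
```

Run `gre_rule_ok` on a fresh export after any port-forwarding change, since the thread reports the protocol number reverting to 6 or 17.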


 
Please ignore the last post - I tried out the instructions and I am IN!!!!

Thanks again!
 
Andy/Woody...

I would have bet good money that that deal wouldn't have worked... HA! Very nice. Now call Linksys and let those clowns know as well!

Catch you guys later.
 
Hi Greg,

Have you had any luck with the VPN tunnel on this router?

I've configured it according to Linksys instructions, and only get as far as "Negotiating IP Security" when pinging the router's LAN IP.

Any thoughts on this one?

Thanks,

Andy
 
Andy,

Sorry, I must not have read the last few lines of your second to last post.

Yes, I currently have my router (RV082, but similar to yours) set up with IKE/IPsec tunnels to 4 sites. What type of tunnel are you trying to establish? (LAN to LAN or Client to LAN)
 
Hi Greg,

I'll settle for Client to LAN right now. It's the same system as before.. Windows 2000 Server behind WRV54G and I would like to connect from home using XP or 2000 Pro. I've configured a security policy from XP with the one suggested by Linksys. When I ping the LAN Network address I get "Negotiating IP Security" 4 times with no response. Do I have to use a special client software package?

Andy
 