
RV082 VPN problems

Status
Not open for further replies.

gentlemanRT

IS-IT--Management
Mar 22, 2004
15
DE
Hello guys,
I have set up an RV082 using firmware 1.0.12. I have successfully configured the GroupVPN. I can establish the VPN tunnel from a dial-in connection to the RV082 when I create a dummy tunnel with the IP of the dial-in connection.
Or without the dummy tunnel when I turn off the firewall.
When I do not use these workarounds, the packet on port 500 to establish the connection is refused by the firewall (seen in the log file). Does anyone have the same problem? Has anyone fixed it? I tried to add the port in the Firewall Access Rules, but I cannot add ports 500 and 1701 there because they are not in the drop-down and I cannot add them.
I hope to solve this problem soon thanks to you all!
 
RT,

You'll have to use the "New Service" button to add the ports. Then they'll show up in the drop down list.
 
Good idea. But IPSec (UDP 500) and L2TP (UDP 1701) are already defined in the Service Management! So I cannot add them a second time. They are not visible in the drop-down menu of the Access Rule Setup.
 
RT,

Just so I'm clear on this, you're saying that you're able to define the rule using the "Service Management" button, then press "Save Setting" then "Exit", but the new service isn't in the drop-down list. Are you able to add any new rules through Service Management (regardless of port number), or is there a rule in place currently that you've defined in the past? If there is, we can telnet into the router and change the config via OpenRG commands. Let me know.
 
IPSec (UDP 500) and L2TP (UDP 1701) are defined by factory default (in the Service Management), but they don't appear in the drop-down. I also couldn't add them a second time; it says that they are already defined.

I already tried to log in using telnet on port 8023, but I don't know how to change the OpenRG config there. It would be nice if you could help me with checking that out.
Thanks
Alex
 
alexander: When I use Group VPN and then try to log in from a dial-in internet connection with a dynamic IP, the connection to port 500 is refused
Cristina Borca: Thank you for contacting Linksys chat support.
Cristina Borca: Do you mean that you have configured the VPN settings on the router?
Cristina Borca: What VPN application on the other side of the network is being used?
alexander: That's correct, I have configured VPN. On the other side I have SSH Sentinel
alexander: When I configure a tunnel and set the Remote Gateway IP it works fine
alexander: I have added a dummy tunnel where I specified the remote gateway IP of the dial-in system; then I can connect to the Group VPN tunnel
Cristina Borca: So, the VPN connection is not working fine only when you use Group VPN on it?
Cristina Borca: Are you setting a domain for Remote Client Setup when you are using it?
alexander: I have used the email address for authentication... when I add the dummy tunnel with the IP of the other side, the Group VPN works fine
alexander: The problem is that VPN packets do not pass the firewall when there is no static IP specified in the VPN setup
Cristina Borca: Try forwarding port 500 on your router instead since the connection does not pass through properly.
alexander: But I can only forward port 500 to the internal LAN. But the VPN connection is only accepted on the external interface WAN1
alexander: I have already checked that...
alexander: I tried to change the access rules in the firewall setup but I cannot choose port 500 for IPSec in the drop-down menu
alexander: And if I try to add the port using the Service Management, it sees that the two ports are already there
alexander: button ;-)
Cristina Borca: Have you tried triggering port 500?
Cristina Borca: Trigger the port 500 instead under the Forwarding page, which you may find under the Setup tab.
alexander: Just a second, I'll try it
alexander: Still getting Connection Refused - Policy violation UDP 195.226.103.131:500->80.136.248.188:500 on ppp0
Cristina Borca: Try disabling the firewall of your router instead.
alexander: Firewall disabled -> VPN connection established successfully
alexander: says my SSH Sentinel
Cristina Borca: So, is it connecting already?
alexander: Alright, when the firewall is disabled the VPN connection works fine and I can access my internal network from the VPN client PC
Cristina Borca: That's good. Apparently, when the firewall is enabled, since there's no specific IP specified, it's having a hard time letting the connection pass through.
Cristina Borca: Is there anything else I can help you with?
alexander: But that's a big security hole ;-) The firewall should be enabled and only the ports for VPN should be open when a VPN is defined...
alexander: I think it's a bug in the firmware of the router
Cristina Borca: You are correct. Well, perhaps you may try re-enabling it but disable SPI as well as Block WAN Request.
Cristina Borca: You may also try updating the firmware of that router.
alexander: But with the dummy tunnel, which I only used to specify the IP of the remote host, it works fine.... I'm using the newest 1.0.12, also tried 1.0.11
alexander: And I cannot select the ports 500 and 1701 in the access rules setup, that's the next problem
Cristina Borca: At the moment, I am not aware of any problems with the firmware of the router. However, I believe that Linksys keeps on updating it to fix any problem encountered.
Cristina Borca: Since you have the latest firmware already, I believe that's the best one to use for your router. I suggest that you just visit our website from time to time for any updates.
alexander: Can you please give my problem to a firmware specialist to check it
alexander: I have already sent many emails to the German support but got no response
Cristina Borca: Yes, I'll try to forward your concern to higher management. But if I may suggest, you may want to email that concern to us also at support@linksys.com so that it will be forwarded to the right department for further checking.
alexander: OK, please do so. I will also send an email too so we get this fixed! Thank you very much!
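The router log line alexander pasted above ("Connection Refused - Policy violation UDP ...:500->...:500 on ppp0") is the one piece of evidence in the whole thread that separates "the tunnel is misconfigured" from "the firewall is dropping IKE". The following is an added example, not code from the thread or from Linksys: a small Python parser for that log format that pulls out protocol, addresses, ports and interface, and then flags only the refusals that hit the VPN service ports named in this thread (UDP 500 for IPSec/IKE, UDP 1701 for L2TP, TCP 1723 for PPTP). The first sample line is the one quoted in the chat; the remaining lines and the service-name table are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Services the thread is concerned with, keyed by (protocol, destination port).
# Assumption: these are the three pre-defined services the RV082 firmware lists.
VPN_SERVICES = {
    ("UDP", 500): "IPSec (IKE)",
    ("UDP", 1701): "L2TP",
    ("TCP", 1723): "PPTP",
}

# Matches the "Connection Refused - Policy violation" line format quoted in the chat.
REFUSAL_RE = re.compile(
    r"Connection Refused - Policy violation "
    r"(?P<proto>[A-Z]+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)->"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"on (?P<iface>\S+)"
)


@dataclass(frozen=True)
class Refusal:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    iface: str

    @property
    def vpn_service(self) -> Optional[str]:
        """Name of the VPN service this refusal blocked, or None if unrelated."""
        return VPN_SERVICES.get((self.proto, self.dport))


def parse_refusal(line: str) -> Optional[Refusal]:
    """Parse one router log line; returns None for lines that are not policy refusals."""
    m = REFUSAL_RE.search(line)
    if m is None:
        return None
    return Refusal(
        proto=m["proto"], src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]), iface=m["iface"],
    )


def blocked_vpn_attempts(log_text: str) -> dict:
    """Group refusals by VPN service so a blocked tunnel setup stands out.

    Returns {service_name: [(src, iface), ...]}. Refusals on non-VPN ports are
    skipped: those are the firewall doing its job, not the symptom being chased.
    """
    hits: dict = {}
    for line in log_text.splitlines():
        r = parse_refusal(line)
        if r is None or r.vpn_service is None:
            continue
        hits.setdefault(r.vpn_service, []).append((r.src, r.iface))
    return hits


# Constructed sample log. The first line is the one quoted in the thread; the
# others are made up here and use documentation address ranges.
SAMPLE_LOG = """\
Connection Refused - Policy violation UDP 195.226.103.131:500->80.136.248.188:500 on ppp0
Connection Refused - Policy violation UDP 203.0.113.7:1701->80.136.248.188:1701 on ppp0
Connection Refused - Policy violation TCP 198.51.100.9:40122->80.136.248.188:23 on ppp0
Some unrelated router message
"""

if __name__ == "__main__":
    for service, attempts in blocked_vpn_attempts(SAMPLE_LOG).items():
        sources = sorted({src for src, _ in attempts})
        print(f"{service}: {len(attempts)} refused attempt(s) from {sources}")
```

Run against the real router log, this separates the two failure modes cleanly: refusals on UDP 500 mean the access rules are blocking IKE before the VPN engine ever sees it (the workaround of disabling the whole firewall is therefore far wider than needed), while the absence of such lines points back at the tunnel configuration itself.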
 
RT,

Typical conversation with Linksys. First off, I have 4 RV082's and none of them have an IPSec port or L2TP configured standard. Have you tried creating a rule that opens UDP port range 501 - 502 and UDP 1700 - 1702? You can also try creating a new rule for an unused UDP port, call it "IPSec2" for grins. Now, telnet to the router using port 8023. Once in the router do this:

Type: rg_conf_print /service
Record the service id number

Next type: rg_conf_print /service/-##########/trigger/0/dst/start

(######### is the service ID number)

You should get (start (###)) where ### is the port number you specified earlier.

If that happens, next type:

rg_conf_set /service/-#########/trigger/0/dst/start/ 500

Do the same thing for the /end

Now head back to your web interface and see if you can select "IPSec2" and if it is port 500.
 
I had 1.0.11 and 1.0.12 installed and in both firmware revisions I had it by default. It also gave me an error message when I used a port range 499-503; I already tried that. Another name didn't work either. That was the first workaround I tried ;-)

I will try the OpenRG hacking this evening because work is waiting already ;-)
 
Type: rg_conf_print /service
Record the service id number

I tried it and got:
(service)
returned 0
 
RT,

The reason you received "(service) returned 0" is because you don't have "extra" (non-default) services added to the router under Service Management. Let me ask this again: can you add any new services under "Service Management" regardless of protocol or port (i.e. TCP port 100 to 100)?
 
I will reset the router completely to factory default. At the moment I cannot add any custom port to the "Service Management". I can add and save, but if I exit and come back to Service Management it's gone!
 
Yeah, it definitely sounds like the router is screwed up.

Good luck.
 
Factory defaults loaded ;-) Now I can add ports, but only ports that aren't defined by factory default.

So can you please provide me a step-by-step on how to change it using OpenRG?

Thanks
Alex
 
All,
I don't know if this is the correct forum for my issue, but here it goes.

Issue: installing a Linksys RV082 with minimal LAN reconfiguration.

Company "A" has a T1 plugged into a WatchGuard Firebox that has been configured to the hilt with static routes, forwarding, etc. Also 1 DSL line that has been unused for
1 year. I have 5 public static addresses for each line.

So I have my A records and MX records pointed at the .197 address, which is configured on the Firebox WAN side; then the Firebox NATs the addresses to 192.168.1.x and forwards the SMTP, Citrix, web and HTTP ports to the correct servers.

I have been asked to install this RV082 unit behind the Firebox, and also plug the DSL into the WAN2 port for failover. If there is anybody out there that I can roll a few questions at, it would be greatly appreciated.

-Toby Hynes
 
v1.0.11 2004/01/15
1. Support "NAT Loopback" functionality.
Purpose: It allows LAN-side users to access a LAN-side server by typing the WAN IP address.
2. Support IPSec interoperability with SSH Sentinel VPN Client in both Main and Aggressive modes. Purpose: It allows users using SSH client to connect to RV082 through Group VPN tunnel(Aggressive mode).
Note: Older firmware worked with SSH only in Main mode.
3. Web-UI modification:
Added 3 pre-defined service ports, PPTP(1723), IPSec(500) and
L2TP(1701), in Service list on the "Setup -> Forwarding" screen.
Purpose: It allows user to host PPTP server at LAN network by configuring this Forwarding page.


This is the changelog for 1.0.11. I think you did not have the problem of adding the ports in the Service Management before this firmware release.
 
RT,

Do this...

From the web interface, create a forwarding rule called GRE for port 47 using the TCP protocol. (Don't worry, we'll be changing this once inside the router)

Once at the command prompt in the router via telnet you should have a prompt like this:

SME100>

Now type/enter:

rg_conf_print /service

You should see your GRE service. Next type/enter:

rg_conf_print /service/-########/trigger/0/protocol

(where -######## is the service number for your GRE rule)
You should get "(protocol (6))" returned.

If you do, next type/enter:

rg_conf_set /service/-#######/trigger/0/protocol/47

Now, if you exit the telnet session and open the web interface and go to Forwarding and view the forwarding table, you should see "GRE" or "GRP" where "TCP" used to be. Now try to VPN through the router and let me know what happens.

 
I have flashed the new 1.1.1 firmware into my RV082. I can now add the L2TP and IPSec ports to the access rules of the firewall, but it did not change anything. I still get
"connection refused - Policy violation" in the router log.
Any ideas?!
Thanks
Alex
 
Hooray!

I've been trying to get a post 1.1.1 firmware out of Linksys for weeks! They've consistently insisted no such firmware existed.

I'll be very happy indeed to see an update that addresses this VPN problem.
 