
vpn linksys router

spivy66 (MIS)
Nov 8, 2002
Has anyone set up a Linksys VPN router to Windows 2000? This is driving me nuts; I have tried everything. I opened ports 1723, 47, 50, 500, I created a policy through secpol.msc, and when I try to ping I get "Negotiating IP Security". I have IPsec enabled. OK, here's my setup:
LAN 1: a Linksys router (standard, not VPN). My internal gateway is xxx.168.1.1; DHCP is off, so my first machine behind the firewall is xxx.168.1.2 and so on.
LAN 2: a Linksys VPN router. My internal gateway is xxx.168.100.1; same thing, DHCP is turned off, and the first PC starts with xxx.168.100.2. With all this said, on both sides I have port forwarding or port triggering on 1723, 47, 50, 500 (I heard these ports had to be open). On my standard Linksys router side I created shared keys according to the Linksys website (secpol.msc), and when I activate it I get "Negotiating IP Security". Please, someone help me; it's greatly appreciated. DAN
 
I'm guessing the Win2K server is behind router 1.

Router 2 should not need any tweaking... it's initiating everything anyway (I assume).

Router 1 needs to allow ports 1723, 47 and 500 and PROTOCOL 50.

That being said, I would get a second VPN linksys router instead.
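The replies above mix "ports" and "protocols" when listing what the non-VPN router has to pass. The distinction matters on a NAT router: IKE is UDP port 500 and the PPTP control channel is TCP port 1723, but ESP (50), AH (51) and GRE (47) are IP protocol numbers that carry no TCP/UDP port at all, so a port-forwarding entry never matches them and only a "passthrough" feature does. The following Python is an added example (not code from the thread or from Linksys) that classifies constructed IPv4 packets by parsing their real headers; the protocol and port constants are the standard IANA assignments, the addresses are stand-ins.

```python
import struct

# IANA protocol numbers and ports that VPN "passthrough" rules deal with.
# None of these values come from the thread; they are the standard assignments.
IP_PROTO_TCP, IP_PROTO_UDP = 6, 17
IP_PROTO_GRE = 47   # PPTP data channel: an IP protocol number, not a TCP/UDP port
IP_PROTO_ESP = 50   # IPsec ESP: an IP protocol number, not a port
IP_PROTO_AH = 51    # IPsec AH
PORT_IKE = 500      # ISAKMP/IKE, carried over UDP
PORT_PPTP = 1723    # PPTP control channel, carried over TCP


def classify_packet(pkt: bytes) -> str:
    """Say which kind of router rule an IPv4 packet needs, from its real headers."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    payload = pkt[ihl:]
    if proto == IP_PROTO_ESP:
        return "IP protocol 50 (ESP): needs IPsec passthrough, a port forward will not match it"
    if proto == IP_PROTO_AH:
        return "IP protocol 51 (AH): needs IPsec passthrough, a port forward will not match it"
    if proto == IP_PROTO_GRE:
        return "IP protocol 47 (GRE): needs PPTP passthrough, a port forward will not match it"
    if proto in (IP_PROTO_TCP, IP_PROTO_UDP):
        if len(payload) < 4:
            raise ValueError("truncated transport header")
        sport, dport = struct.unpack("!HH", payload[:4])
        if proto == IP_PROTO_UDP and PORT_IKE in (sport, dport):
            return "UDP port 500 (IKE): a port rule applies"
        if proto == IP_PROTO_TCP and PORT_PPTP in (sport, dport):
            return "TCP port 1723 (PPTP control): a port rule applies"
        return f"{'TCP' if proto == IP_PROTO_TCP else 'UDP'} {sport}->{dport}: not VPN traffic"
    return f"IP protocol {proto}: not VPN traffic"


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) for constructed test packets."""
    ip = lambda a: bytes(int(o) for o in a.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ip(src), ip(dst))
    return header + payload


def udp_header(sport: int, dport: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def tcp_syn(sport: int, dport: int) -> bytes:
    # ports, seq, ack, data offset 5 words, SYN flag, window, checksum, urgent pointer
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


# Constructed packets from the Win2K host (192.168.1.2 in the thread) towards a
# stand-in public address for the BEFVP41 (203.0.113.10, a documentation address).
CLIENT, VPN_ROUTER = "192.168.1.2", "203.0.113.10"
SAMPLES = {
    "ike":  build_ipv4(IP_PROTO_UDP, CLIENT, VPN_ROUTER, udp_header(500, 500, b"\x00" * 28)),
    "esp":  build_ipv4(IP_PROTO_ESP, CLIENT, VPN_ROUTER, b"\x00\x00\x00\x01" + b"\x00" * 36),
    "gre":  build_ipv4(IP_PROTO_GRE, CLIENT, VPN_ROUTER, b"\x30\x01\x88\x0b"),
    "pptp": build_ipv4(IP_PROTO_TCP, CLIENT, VPN_ROUTER, tcp_syn(40000, 1723)),
    "web":  build_ipv4(IP_PROTO_TCP, CLIENT, VPN_ROUTER, tcp_syn(40001, 80)),
}


def classify_samples() -> dict:
    return {name: classify_packet(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:5s} {verdict}")
```

The practical consequence for the setup in this thread: forwarding "port 50" or "port 47" on the standard Linksys does nothing for ESP or GRE, and the ESP packets either pass because the router implements IPsec passthrough for one inside host or they are dropped regardless of any port entries.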

 
Just make sure that you are not forwarding those ports on the VPN router, just on the standard one. Then all you should have to do is match *exactly* what is said from the VPN router setup to the Win2K setup, i.e. 1 host is not the same as a subnet with only 1 host in it. Despite the fact that logically it sounds the same, the configs have to match: as in 1 secure subnet on LAN A, 1 secure subnet on LAN B, etc.
 
My first tip is to run 'ipsecmon' on the win2K machine. This will tell you if you get a tunnel established. Just because you are unable to browse the network doesn't mean your problem is with the VPN.

Also, I don't think you need to open any ports on your VPN router since you want the _router_ to handle the secure packets, not pass them on. On the client (Win2K) side, I am also not sure that you need to 'open' those ports. On my Netgear router I don't need to do anything special; it just passes the packets through without sending them to a particular machine on its subnet. In the case of my (Netgear) router, to 'open' a particular port on the router is to set up a static route to a particular machine on the subnet so that a machine on the far side of the router can initiate a conversation with that machine just by calling in on that particular port. Not sure if the Linksys (non-VPN) router differentiates this way and will block certain ports from all traffic or open it to pass through with NAT translation without static routing, but if it is a static route and it is routing to the wrong machine, then it will screw up your tunnel.

As far as pinging a machine on the LAN side of the VPN router, it typically takes me more than 4 pings. Either issue the ping command several times, or set your count higher (ping -n 12)

If you can, you may also want to eliminate the router on your end temporarily and see if it helps. In my case, I use the router on my end so the rest of the PCs on my home network can access the internet, but I can hook up directly to my cable modem for a few hours before the riot starts -- unless a bid is close to ending on E-Bay :)


My setup is as follows, perhaps this will help:

I have a linksys BEFVP41 on server / LAN side, and a Netgear RP114 NAT router / cable modem on the win2K client side. I did not have to open or static route any ports on either side. The VPN router has a static IP and my cable modem is dynamically assigned but changes very rarely. Because the IP address on my end changes so rarely I treat it as if it's fixed in the VPN setup and code it in. (E.G. the VPN router is configured to have a remote secure group of 192.168.0.2 because that is my only Win2K client that needs to connect back to the office; and has a remote gateway IP address that matches that assigned by my cable ISP.) My IPSEC outgoing filter tunnel is named Win2K->BEFVP41 and the tunnel filter IP address is that of the VPN router; my incoming IPSEC tunnel is named BEFVP41->Win2K and the tunnel filter address is 192.168.0.2.
Note also that in setting up the filters, the 'default' authentication method of Kerberos in both filters had to be removed so that only the 'preshared key' method existed. (Perhaps it just has to be first, so it is preferred, but I removed it.)

Hope this helps. Please let me know how this works. Also, once you do get this running, please use IPSecMon to keep an eye on the amount of traffic you have when you're connected but 'idle'. I posted a little earlier about what seems like unusually high traffic back and forth when I'm not transferring any files, etc., in the range of 5+ MB/hour.

John Webb
 
OK, I understand what you said. Tonight I am going to play around with IPsec again, but if you get a chance and have some time, can you look at this URL ( ) and tell me if this is right? Because I have created the IPsec tunnel about 6 times on my Win2K box and I got the info from there, and if that is right then I don't know. lol. OK, let's just say that my internal IP address for my Win2K box (the VPN router side) is xxx.168.100.2 and its gateway is xxx.168.100.1. When I set up the IPsec filtering, when I create the win2k-->befvp41 filter, I know the source address is "My IP Address"; the destination IP is what now? Because I had it set up as IP xxx.168.100.0, subnet mask 255.255.255.0, because I have 2 machines on the VPN router side. Is this making sense? lol
Sorry for all the typing, but here's my setup in FILTER PROPERTIES.

winxp--befvp41

source address: "My IP Address"
destination: set to subnet, and it's xxx.168.100.0

befvp41--winxp

source address: set to subnet, and it's xxx.168.100.0
destination: "My IP Address"


Thanks again. I will try this out and let you know how it goes, and as always, thank you for your help.
 
What you have described looks like it should work as far as the IP Filter Settings. Note however, one level "up" from the dialog box on which you configure the "My IP Address", on the dialog box titled 'Edit Rule Properties', is a tab labeled 'Tunnel Setting' (on Step 7 of setting up Tunnel 1 and Step 6 of setting up Tunnel 2 per the Linksys instructions you referenced); it is here that you set the actual IP addresses of the VPN and your Win2K client. Note that you would enter xxx.168.1.2 for your BEFVP41->WinXP tunnel, not the public address assigned to your (non-VPN) router. For the other tunnel (WinXP->BEFVP41) you would have the actual public IP address listed (e.g. xx.58.76.223) because the VPN router is decrypting the packets going that way. If you decide to bypass your non-VPN router and connect your WinXP machine directly to your cable/DSL modem for troubleshooting, then the public IP for your machine would replace the private one above. I apologize if I'm being redundant or stating what is obvious, but I'd rather over-communicate than leave you stuck.

Good Luck!

John
 
One more thing...
The Linksys tutorial shows the "Mirrored" option checked for the filter setup. (Same step in which you set "My IP Address") This may also be the default. During some stage of my stumbling around to get my setup working, I cleared this option so that the Mirror Setting = No; not sure why, perhaps some advice combing through newsgroups...
While typing my previous response I went back and turned the "Mirrored" to Yes; this did not disconnect my tunnel, so I did not mention that difference in my response.
HOWEVER, after finishing lunch, I find my tunnel disconnected, perhaps unable to negotiate the next key exchange. I reset my Mirror on both filters to No and my tunnel re-established itself. Don't know enough about VPNs and what the mirror setting does to definitively state it was the actual value of the Mirror setting, or merely that in changing my IPSec setting I caused the tunnel to bootstrap itself. In any case, I am running happily without the Mirror settings enabled, so you may want to try that as well.

John
 
Hey, I tried it. I did everything you said, even the Mirrored. Once I try to ping using "ping xxx.168.100.1 -t", I get, down the page fast (not even slow), "Negotiating IP Security", so I don't know what I am doing wrong here. I even ran IPSecMon and it's blank, but on the bottom right it says Oakley Main Modes 9 and down the list it says Authentication Failures. Also want to add: in the IP Security rules, when I disable (uncheck the box) win2k-->befvp41, my "Negotiating IP Security" turns to "Request timed out", but not when I disable befvp41-->win2k. I don't know if that might help you, but it also seems like it's not even getting there, and the same thing with my non-VPN router disconnected. Very weird.
 
I also ran this for you; maybe this might help. I used an exe called netdiag, and this is what I came up with. It says basically everything looks OK. Like I said in my last post, when I ping the IP address xxx.168.100.1 it comes back with "Negotiating IP Security"... instantly, I mean instantly. But here it is. Thanks.

IP Security test . . . . . . . . . : Passed
Local IPSec Policy Active: 'vpn'
IP Security Policy Path: SOFTWARE\Policies\Microsoft\Windows\IPSec\Po
cal\ipsecPolicy{7A69C9A1-ADE9-4AA7-9BCC-A6E3695C8644}

There are 2 filters
No Name
Filter Id: {4B109FFB-BE2A-4FD3-A1D5-9C8323362257}
Policy Id: {FEA4B865-5117-48CC-8EDB-B6AD9D97F13B}
IPSEC_POLICY PolicyId = {FEA4B865-5117-48CC-8EDB-B6AD9D97F13B}
Flags: 0x0
Tunnel Addr: 0.0.0.0
PHASE 2 OFFERS Count = 4
Offer #0:
ESP[ 3DES SHA1 HMAC]
Rekey: 3600 seconds / 100000 bytes.
Offer #1:
ESP[ 3DES MD5 HMAC]
Rekey: 3600 seconds / 100000 bytes. With PFS.
Offer #2:
ESP[ DES MD5 HMAC]
Rekey: 0 seconds / 0 bytes.
Offer #3:
ESP[ DES SHA1 HMAC]
Rekey: 3600 seconds / 100000 bytes. With PFS.
AUTHENTICATION INFO Count = 1
Method = Preshared key: g7zfp5w
Src Addr : xxx.168.1.2 Src Mask : 255.255.255.255
Dest Addr : xxx.168.100.0 Dest Mask : 255.255.255.0
Tunnel Addr : xx.186.245.180 Src Port : 0 Dest Port : 0
Protocol : 0 TunnelFilter: Yes
Flags : Outbound
No Name
Filter Id: {555E7021-702A-43D8-84BD-6F3E193AFF36}
Policy Id: {B8F2A667-5946-4B31-847B-A25924DCF063}
IPSEC_POLICY PolicyId = {B8F2A667-5946-4B31-847B-A25924DCF063}
Flags: 0x0
Tunnel Addr: 0.0.0.0
PHASE 2 OFFERS Count = 4
Offer #0:
ESP[ 3DES SHA1 HMAC]
Rekey: 3600 seconds / 100000 bytes.
Offer #1:
ESP[ 3DES MD5 HMAC]
Rekey: 3600 seconds / 100000 bytes. With PFS.
Offer #2:
ESP[ DES MD5 HMAC]
Rekey: 0 seconds / 0 bytes.
Offer #3:
ESP[ DES SHA1 HMAC]
Rekey: 3600 seconds / 100000 bytes. With PFS.
AUTHENTICATION INFO Count = 1
Method = Preshared key: g7zfp5w
Src Addr : xxx.168.100.0 Src Mask : 255.255.255.0
Dest Addr : xxx.168.1.2 Dest Mask : 255.255.255.255
Tunnel Addr : xxx.168.1.2 Src Port : 0 Dest Port : 0
Protocol : 0 TunnelFilter: Yes
Flags : Inbound


The command completed successfully
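The netdiag dump above contains everything the replies in this thread end up checking by eye: whether the two tunnel filters mirror each other, whether the tunnel endpoints are the VPN router's public address (outbound) and the local host (inbound), whether pre-shared key is the only authentication method, and whether every phase 2 offer carries PFS. The following Python is an added example (not from the thread, Microsoft or Linksys) that parses a netdiag-style IPsec dump and runs those checks. The embedded sample is the first dump from this thread trimmed to the lines the parser reads, with the public address replaced by the documentation address 203.0.113.10 and the key value replaced by "mykey"; the expected endpoint and transform values are passed in by the caller.

```python
import re
from dataclasses import dataclass
# Constructed sample: the thread's first netdiag IPsec dump, trimmed to the lines the
# parser reads, with the public address and the pre-shared key replaced.
NETDIAG_SAMPLE = """\
There are 2 filters
No Name
Offer #0:
ESP[ 3DES SHA1 HMAC]
Rekey: 3600 seconds / 100000 bytes.
Offer #1:
ESP[ 3DES MD5 HMAC]
Rekey: 3600 seconds / 100000 bytes. With PFS.
Offer #2:
ESP[ DES MD5 HMAC]
Rekey: 0 seconds / 0 bytes.
Offer #3:
ESP[ DES SHA1 HMAC]
Rekey: 3600 seconds / 100000 bytes. With PFS.
Method = Preshared key: mykey
Src Addr : 192.168.1.2 Src Mask : 255.255.255.255
Dest Addr : 192.168.100.0 Dest Mask : 255.255.255.0
Tunnel Addr : 203.0.113.10 Src Port : 0 Dest Port : 0
Flags : Outbound
No Name
Offer #0:
ESP[ 3DES SHA1 HMAC]
Rekey: 3600 seconds / 100000 bytes.
Offer #1:
ESP[ 3DES MD5 HMAC]
Rekey: 3600 seconds / 100000 bytes. With PFS.
Offer #2:
ESP[ DES MD5 HMAC]
Rekey: 0 seconds / 0 bytes.
Offer #3:
ESP[ DES SHA1 HMAC]
Rekey: 3600 seconds / 100000 bytes. With PFS.
Method = Preshared key: mykey
Src Addr : 192.168.100.0 Src Mask : 255.255.255.0
Dest Addr : 192.168.1.2 Dest Mask : 255.255.255.255
Tunnel Addr : 192.168.1.2 Src Port : 0 Dest Port : 0
Flags : Inbound
"""


@dataclass
class IpsecFilter:
    direction: str
    src: tuple     # (address, mask)
    dst: tuple
    tunnel: str    # tunnel endpoint the Win2K filter points at
    auth: list     # authentication method names, key material stripped
    offers: list   # (transform, has_pfs) per phase 2 offer


def parse_netdiag(text: str) -> list:
    """One IpsecFilter per 'No Name' block of a netdiag IPsec dump."""
    filters = []
    for block in re.split(r"^No Name[ \t]*$", text, flags=re.M)[1:]:
        grab = lambda pat: re.search(pat, block, re.M)
        offers = [(t, r.endswith("With PFS.")) for t, r in
                  re.findall(r"^Offer #\d+:\n(.+)\n(Rekey:.+)$", block, re.M)]
        filters.append(IpsecFilter(
            direction=grab(r"^Flags : (Outbound|Inbound)").group(1),
            src=grab(r"^Src Addr : (\S+) Src Mask : (\S+)").groups(),
            dst=grab(r"^Dest Addr : (\S+) Dest Mask : (\S+)").groups(),
            tunnel=grab(r"^Tunnel Addr : (\S+) Src Port").group(1),
            auth=[m.split(":")[0] for m in re.findall(r"^Method = (.+)$", block, re.M)],
            offers=offers))
    return filters


def check_policy(filters, local_ip, remote_gateway, router_transform):
    """Compare the Win2K policy with what the thread says the BEFVP41 side expects."""
    out = next((f for f in filters if f.direction == "Outbound"), None)
    inb = next((f for f in filters if f.direction == "Inbound"), None)
    if out is None or inb is None:
        return ["need one Outbound and one Inbound tunnel filter"]
    findings = []
    # The two filters must be exact mirrors: source and destination swapped.
    if (out.src, out.dst) != (inb.dst, inb.src):
        findings.append("Inbound filter is not the mirror of the Outbound filter")
    # Outbound tunnels to the VPN router's public address; Inbound terminates on this host.
    if out.tunnel != remote_gateway:
        findings.append(f"Outbound: tunnel endpoint {out.tunnel}, expected {remote_gateway}")
    if inb.tunnel != local_ip:
        findings.append(f"Inbound: tunnel endpoint {inb.tunnel}, expected {local_ip}")
    for f in (out, inb):
        # Pre-shared key must be the only method; a leftover Kerberos entry is a mismatch.
        if f.auth != ["Preshared key"]:
            findings.append(f"{f.direction}: auth methods {f.auth}, expected ['Preshared key']")
        # Router transform must be offered; with PFS ticked on the router, every offer needs PFS.
        if router_transform not in [t for t, _ in f.offers]:
            findings.append(f"{f.direction}: router transform {router_transform!r} not offered")
        no_pfs = [i for i, (_, pfs) in enumerate(f.offers) if not pfs]
        if no_pfs:
            findings.append(f"{f.direction}: offers {no_pfs} lack PFS")
    return findings
```

Run against the sample with local_ip="192.168.1.2", remote_gateway="203.0.113.10" and router_transform="ESP[ 3DES SHA1 HMAC]" (the 3DES/SHA selection shown later in the thread for the BEFVP41), the only findings are that offers 0 and 2 of each filter lack PFS, which is the same discrepancy John spots by hand further down. Note that the original output also prints the pre-shared key in clear; dumps like this should have that line redacted before being posted anywhere.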
 
IF you are using a Nortel client, here is what will work for you:
With Nortel's latest client, users started dropping like every 5 minutes that were using certain routers (which were a lot that are out there), so Nortel is suggesting to the companies to turn on NAT for users that are behind a router. Every router out there handles IPSec passthrough differently. Yes, in the old days that is all you would be using is IPSec, but with Nortel 4.x it is able to use NAT. If you want to fix your problem quickly without having to do a lot, then go into your router's settings and disable IPSec Passthrough. Now this is only for the conditions above, but I support over 1500 users with VPN, and using the Nortel Client this will work.

A lot of folks out there are stating that the OS is messing you up and not the router. This may be true with PPTP (not sure, we don't use it; not secure enough), but I can tell you first hand with IPSec and Nortel, it is all in the router. Check every router's home page out, then check out the latest BIOS updates; they are all adding more support for VPN one way or another.
 
I use a Linksys router, I don't use Nortel. If you would like to find out what my problem is you can read the above posts. Thanks for your help... Dan
 
jcwebb, if you get this, I have some updated info which is making no sense to me, but...
After being on the phone with Linksys for an hour, they told me that the setup I have will not work. He told me that the only way it will work is if I disconnect the standard router from my Win2K box, because in the IPsec tunneling config I cannot use, for the BEFVP41->WinXP setting, the IP xxx.168.1.2 (local machine), because the VPN endpoint cannot see that IP address. They said I would have to use my ISP-assigned address and hook my cable modem right into my Win2K box, then on my VPN router side I would have to configure the remote IP address to my ISP-assigned IP address and also change the subnet mask to what my ISP gave me as well (that's ridiculous, so that means I have no protection). Does this make any sense to you?
 
Sorry for the delay in posting..., busy weekend and I was at a customer's site all day.

You are correct, the Linksys tech you got gave you bad advice. More precisely, what they told you will work, but you can do it with a non-VPN router on one end. I am doing it that way. During my start-up period with the router I called Linksys twice; the first time I got a very helpful tech who was very willing to help, but not if I was trying to do my initial configuration via a dial-up connection. I was told they don't support dial-up connections. When I got back to my hotel where I had high speed internet access, I couldn't get back to that tech. The one I ended up with told me they only support (Linksys) VPN router to (Linksys) VPN router and they provide no support for a software IPSec endpoint. You apparently ended up somewhere between the two.

As far as running it as they suggested, direct to the cable router, it can be done that way with any number of software firewalls for protection against hackers, but should not be necessary.

My VPN configuration screen looks like:

Tunnel 1 (John)
This Tunnel: (*) Enable ( ) Disable
Tunnel Name: John
Local Secure Group: Subnet IP: xxx.168.1.0
Mask: 255.255.255.0
Remote Secure Group: IP Addr: xxx.168.0.2
Remote Security Gateway: IP Addr: 123.456.789.123 (As assigned by my ISP to my Netgear RP114 NAT Router)

Encryption: ()DES (*)3DES ()Disable
Authentication: ()MD5 (*)SHA ()Disable

Key Management: Auto (IKE)
[X] PFS (Perfect Forward Security)
Pre-Shared Key: [mysecretkey]
Key Lifetime: [3600]

A couple of additional suggestions / questions:
1. Who is your cable ISP? Some ISP's block IPSec packets to 'residential' service customers and require them to upgrade to 'business' service.
2. Set up your router for remote access (be sure to change the password from 'admin') and log onto your router remotely. What do the logs on the router indicate about attempted connections? Try to initiate the connection from the router back to your Win2K client. If that fails, what does the router log indicate?
3. Since you are getting authentication errors, per IPSecMon you may want to temporarily remove all authentication and encryption from the tunnel (remember to disable encryption and authentication on both the router and the IPSec client).

I haven't used NetDiag previously, so I am not familiar with what the output you posted means, but I will download the utility and give it a shot.

Don't give up the ship!

John
 
You know, I did think about that at one time, that my ISP might be blocking IPsec (Cablevision), but I haven't really thought into it that much. About the logs, I did check them before, which I should have told you. My VPN router is looking to come into my standard router on port 500, and same with my outgoing port. But last night (I didn't write down the error message) it said something about the IKE. I also want to add, as a test, I made my machine the DMZ host plus I opened ports 0-25000 (5 min for testing), but I'll get the error for you. Once again, your help is greatly appreciated.
DAN
 
Latest: I don't think this matters, though, but my ISP (Cablevision) blocked ports 80, 8080 (web); that's why I can't use my router remotely. But I have a coworker on the other side to read me the log file, and like I said in my above post it's looking to get through port 500 but I guess never gets through, or whatever else reason it's not working.
 
On the IP Security Monitor I have 65 Oakley Main Modes and that's it, so I am lost here, and the logs say that it's looking at port 500 on both sides.
 
I had a chance to review your NetDiag output (above) and compare it to mine. Very cool utility! Thanks for pointing it out to me. (For everyone else it is a download from Microsoft as a 'Resource Kit')

Anyway, looking at the output it appears to me that you may have left the 'default' authentication method of "Kerberos" in your filters. Note that for both tunnels, there is a group of lines:
PHASE 2 OFFERS Count = 4
Offer #0:
ESP[ 3DES SHA1 HMAC]
Rekey: 3600 seconds / 100000 bytes.
Offer #1:
ESP[ 3DES MD5 HMAC]
Rekey: 3600 seconds / 100000 bytes. With PFS.
Offer #2:
ESP[ DES MD5 HMAC]
Rekey: 0 seconds / 0 bytes.
Offer #3:
ESP[ DES SHA1 HMAC]
Rekey: 3600 seconds / 100000 bytes. With PFS.
AUTHENTICATION INFO Count = 1

Offer #0 and Offer #2 do not include the additional tag of "With PFS". All of my lines include this tag. Try re-checking the authentication method of both filters. It appears that you only have the 2 filters enabled, but if you don't find any other authentication methods in the two filters that are part of your assigned policy, check for other active policies or other filters that may be part of the 'vpn' policy.
 
Hey John, if you're talking about the filters in the "IP Security", it won't let me remove the Dynamic default response, which has the Kerberos; the Remove button is not in black where I can remove it, it's shaded out. But I will check at home why I only have two methods active in authentication. Thanks, and I will get this thing working if it's the last thing I do :)
 
Hey John, I can't believe you haven't given up on me, because I am about to give up on myself =). OK, the reason why I was not getting the PFS on all 4 offers is because I had to choose (for some reason, and I don't know why) under the filter action "Request Security (Optional)", not the standard Request Security. So now my output looks like this:
Local IPSec Policy Active: 'vpn'
IP Security Policy Path: SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{B9E2EF08-5DFA-447B-B955-243D77016E90}

There are 2 filters
No Name
Filter Id: {4B109FFB-BE2A-4FD3-A1D5-9C8323362257}
Policy Id: {CDF2066C-E8CE-4697-9FAA-E0652B51E65D}
IPSEC_POLICY PolicyId = {CDF2066C-E8CE-4697-9FAA-E0652B51E65D}
Flags: 0x0
Tunnel Addr: 0.0.0.0
PHASE 2 OFFERS Count = 4
Offer #0:
ESP[ 3DES SHA1 HMAC]
Rekey: 3600 seconds / 100000 bytes. With PFS.
Offer #1:
AH[ SHA1 HMAC]
Rekey: 3600 seconds / 100000 bytes. With PFS.
Offer #2:
ESP[ DES SHA1 HMAC]
Rekey: 3600 seconds / 100000 bytes. With PFS.
Offer #3:
AH[ MD5 HMAC]
Rekey: 3600 seconds / 100000 bytes. With PFS.
AUTHENTICATION INFO Count = 1
Method = Preshared key: mykey
Src Addr : 192.168.1.2 Src Mask : 255.255.255.255
Dest Addr : 192.168.100.0 Dest Mask : 255.255.255.0
Tunnel Addr : 24.186.245.180 Src Port : 0 Dest Port : 0
Protocol : 0 TunnelFilter: Yes
Flags : Outbound
No Name
Filter Id: {555E7021-702A-43D8-84BD-6F3E193AFF36}
Policy Id: {A737FAF1-87CC-4C42-85A4-C05FD8E30FAB}
IPSEC_POLICY PolicyId = {A737FAF1-87CC-4C42-85A4-C05FD8E30FAB}
Flags: 0x0
Tunnel Addr: 0.0.0.0
PHASE 2 OFFERS Count = 4
Offer #0:
ESP[ 3DES SHA1 HMAC]
Rekey: 3600 seconds / 100000 bytes. With PFS.
Offer #1:
AH[ SHA1 HMAC]
Rekey: 3600 seconds / 100000 bytes. With PFS.
Offer #2:
ESP[ DES SHA1 HMAC]
Rekey: 3600 seconds / 100000 bytes. With PFS.
Offer #3:
AH[ MD5 HMAC]
Rekey: 3600 seconds / 100000 bytes. With PFS.
AUTHENTICATION INFO Count = 1
Method = Preshared key: mykey
Src Addr : 192.168.100.0 Src Mask : 255.255.255.0
Dest Addr : 192.168.1.2 Dest Mask : 255.255.255.255
Tunnel Addr : 192.168.1.2 Src Port : 0 Dest Port : 0
Protocol : 0 TunnelFilter: Yes
Flags : Inbound


The command completed successfully


And... my logs look good, though, and they look like they're both trying to get in on port 500, so I opened the port on the standard router side. Help me, lol, still not working. And on the IPSecMon, Oakley Main Modes is at like 500 and counting (I left it on for a few hours) and that's it, everything else is all zeros. So if you're not sick of me already =)... any more ideas?
 
I got home from work; now it says Oakley Main Modes 0 and Authentication Failures 1,990 and counting... I am just giving you as much info as I have. Sorry to be a pain =)
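An IPSecMon counter of Oakley Main Modes climbing while Authentication Failures piles up is consistent with main mode getting as far as the authentication step and failing there. With pre-shared key authentication in IKEv1 main mode (RFC 2409, section 5.4) the key itself never crosses the wire: each side derives SKEYID = prf(PSK, Ni_b | Nr_b) from its own copy of the key and then proves possession through HASH_I and HASH_R, so a mismatch in the key (a trailing space, different case, a key typed into the wrong tunnel) only ever surfaces as a hash that fails to verify. The same RFC notes that with main mode the responder can only select the pre-shared key by the peer's IP address, which is why the address the VPN router sees (the non-VPN router's public address, after NAT) has to be the one its tunnel is configured for. The following Python is an added example, not code from the thread or from any of the products named in it; the nonces, cookies and Diffie-Hellman public values are random stand-ins, and the SA body and identity payloads are constructed placeholders.

```python
import hmac
import os


def prf(key: bytes, data: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 2409 prf: HMAC keyed with `key`, using the negotiated hash (SHA1 or MD5)."""
    return hmac.new(key, data, hash_name).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 2409 5.4, pre-shared key authentication: SKEYID = prf(PSK, Ni_b | Nr_b)."""
    return prf(psk, ni + nr, hash_name)


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b, hash_name="sha1") -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b, hash_name)


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b, hash_name="sha1") -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b, hash_name)


def main_mode_psk(initiator_psk: bytes, responder_psk: bytes,
                  hash_name: str = "sha1", rng=os.urandom) -> tuple:
    """Model the authentication step (messages 5 and 6) of one IKEv1 main mode exchange.

    Nonces, cookies and DH public values are stand-ins drawn from `rng`; in a real
    exchange they come from the first four main mode messages. Returns
    (initiator_authenticated_by_responder, responder_authenticated_by_initiator).
    """
    ni, nr = rng(16), rng(16)                 # Ni_b, Nr_b
    cky_i, cky_r = rng(8), rng(8)             # ISAKMP cookies
    gxi, gxr = rng(128), rng(128)             # placeholders for 1024-bit DH public values
    # Constructed SA payload body and ID payloads (ID_IPV4_ADDR of each endpoint).
    sai_b = b"\x00\x00\x00\x01" + b"3DES-CBC/SHA1/PSK/group2/3600s"
    idii_b = b"\x01\x00\x00\x00" + bytes([192, 168, 1, 2])     # the Win2K client
    idir_b = b"\x01\x00\x00\x00" + bytes([203, 0, 113, 10])    # stand-in VPN router address

    # Each side derives SKEYID from *its own* copy of the key. Only nonces, DH values and
    # hashes travel on the wire, so a mismatched key is invisible until HASH_I is checked.
    sk_init = skeyid_psk(initiator_psk, ni, nr, hash_name)
    sk_resp = skeyid_psk(responder_psk, ni, nr, hash_name)

    sent_hash_i = hash_i(sk_init, gxi, gxr, cky_i, cky_r, sai_b, idii_b, hash_name)
    initiator_ok = hmac.compare_digest(
        sent_hash_i, hash_i(sk_resp, gxi, gxr, cky_i, cky_r, sai_b, idii_b, hash_name))
    if not initiator_ok:
        # Responder discards message 5 as an authentication failure and sends nothing
        # usable back; the initiator retransmits and its main mode attempts pile up.
        return False, False

    sent_hash_r = hash_r(sk_resp, gxi, gxr, cky_i, cky_r, sai_b, idir_b, hash_name)
    responder_ok = hmac.compare_digest(
        sent_hash_r, hash_r(sk_init, gxi, gxr, cky_i, cky_r, sai_b, idir_b, hash_name))
    return initiator_ok, responder_ok


if __name__ == "__main__":
    print("matching keys      :", main_mode_psk(b"mysecretkey", b"mysecretkey"))
    print("trailing space     :", main_mode_psk(b"mysecretkey", b"mysecretkey "))
    print("different case     :", main_mode_psk(b"mysecretkey", b"MySecretKey"))
```

The model deliberately shows nothing about *why* the hash differs: that is exactly the situation in the thread, where the only symptom on the client is "Negotiating IP Security" and a failure counter. When that counter climbs, the first thing to compare is the pre-shared key byte for byte on both ends (including whitespace and case), then the peer address the router uses to look that key up.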
 