
vpn linksys router


spivy66 (MIS)
Nov 8, 2002
Has anyone set up a Linksys VPN router to Windows 2000? This is driving me nuts; I have tried everything. I opened ports 1723, 47, 50, 500, I created a policy through secpol.msc, and when I try to ping I get "Negotiating IP Security". I have IPsec enabled. OK, here is my setup:
LAN 1: a Linksys router (standard, not VPN). My internal gateway is xxx.168.1.1; DHCP is off, so my first machine behind the firewall is xxx.168.1.2 and so on.
LAN 2: a Linksys VPN router. My internal gateway is xxx.168.100.1; same thing, DHCP is turned off, and the first PC starts with xxx.168.100.2. With all this said, on both sides I have port forwarding or port triggering on 1723, 47, 50, 500 (I heard these ports had to be open). On my standard Linksys router side I created shared keys according to the Linksys website (secpol.msc), and when I activate it I get "Negotiating IP Security". Please, someone help me; it's greatly appreciated. DAN
 
No, I'm not giving up. Eventually I will have to get others in my company up and running on our VPN, and I would much rather have my learning curve be with another technically competent user like yourself than with some of our less technical users; also, this way I'm not under the gun time-wise (sorry if you are).
With respect to your Dynamic filter that uses Kerberos, I have one in my policy as well that I cannot delete, but it is also NOT active (Checked).

Looking at your NetDiag output, I see the following differences between your IPSec filters and mine:
1. (This may be important) Your Offer #0 and #2 have been changed to include the tag "With PFS" so they match mine; but your Offer #1 and #3, which used to match mine, now start with AH (Authentication Header) instead of ESP, which they previously did and mine do.
2. (Probably not important) For each of my Offers, the ReKey is 900 Sec, where yours are 3600.

I don't know how to change the above, I may poke around a little bit and see if I can figure it out; alternatively, I am (for our internal use) looking for a method to send an IPSec policy to another user, if I figure that out first, I'll adjust my policy to match your setting and send it to you to try out.

Finally, you indicated that the logs look OK. I am attaching a segment of the log from our VPN router (IP addresses and domains changed to protect the innocent) so you can compare its output to yours.

VPN Log
System Up Time: 7 days 00:17:33
.com 80
2002-11-21 16:04:10 @out 192.168.1.110 4171 mail.mailserve.net 110
2002-11-21 16:04:48 @out 192.168.1.125 3613 80
2002-11-21 16:10:17 @in 99.99.99.99 500 123.45.678.90 500
2002-11-21 16:10:17 IKE[1] Rx << Delete ISAKMP_SA : cookie ca9f950c cc70c928 | 672bdc96 c8fcd25d
2002-11-21 16:10:17 IKE[1] Tx >> Delete ISAKMP_SA : cookie ca9f950c cc70c928 | 672bdc96 c8fcd25d
2002-11-21 16:10:18 IKE[1] is requested by 192.168.1.2
2002-11-21 16:10:18
2002-11-21 16:10:18 IKE[1] Tx >> MM_I1 : 99.99.99.99 SA
2002-11-21 16:10:18 IKE[1] Rx << MM_R1 : 99.99.99.99 SA, VID
2002-11-21 16:10:18 IKE[1] ISAKMP SA CKI=[8be597b4 64503845] CKR=[8ddd9625 f79c11ae]
2002-11-21 16:10:18 IKE[1] ISAKMP SA DES / SHA / PreShared / MODP_768 / 3600 sec (*3600 sec)
2002-11-21 16:10:18 IKE[1] Tx >> MM_I2 : 99.99.99.99 KE, NONCE
2002-11-21 16:10:19 IKE[1] Rx << MM_R2 : 99.99.99.99 KE, NONCE
2002-11-21 16:10:19 IKE[1] Tx >> MM_I3 : 99.99.99.99 ID, HASH
2002-11-21 16:10:19 IKE[1] Rx << MM_R3 : 99.99.99.99 ID, HASH
2002-11-21 16:10:19 IKE[1] Tx >> QM_I1 : 99.99.99.99 HASH, SA, NONCE, KE, ID, ID
2002-11-21 16:10:19 IKE[1] Rx << QM_R1 : 99.99.99.99 HASH, SA, KE, NONCE, ID, ID, NOTIFY
2002-11-21 16:10:19 IKE[1] Tx >> QM_I2 : 99.99.99.99 HASH
2002-11-21 16:10:19 IKE[1] ESP_SA 3DES / SHA / 3600 sec (*3600 sec) / SPI=[d3e8906a:7fed37ce]
2002-11-21 16:10:19 IKE[1] Set up ESP tunnel with 99.99.99.99 Success !
2002-11-21 16:10:19
2002-11-21 16:11:18 @out 192.168.1.118 2402 264.142.88.43 80
2002-11-21 16:13:09 IKE[73] QM : IPsec SA time out
2002-11-21 16:13:09 IKE[73] Tx >> Delete ESP_SA : spi = a1ae2309
2002-11-21 16:13:24 @out 192.168.1.116 2206 mail.mailserve.net 110
2002-11-21 16:24:40 @in 99.99.99.99 500 123.45.678.90 500
2002-11-21 16:24:40 IKE[1] Rx << QM_I1 : 99.99.99.99 HASH, SA, KE, NONCE, ID, ID
2002-11-21 16:24:40 IKE[1] Tx >> QM_R1 : 99.99.99.99 HASH, SA, NONCE, KE, ID, ID
2002-11-21 16:24:40 IKE[1] Rx << QM_I2 : 99.99.99.99 HASH
2002-11-21 16:24:40 IKE[1] ESP_SA 3DES / SHA / 900 sec (*900 sec) / SPI=[a06b7c18:db7427e5]
2002-11-21 16:24:40 IKE[1] Set up ESP tunnel with 99.99.99.99 Success !
2002-11-21 16:24:40


Hope you can make some sense of this and it is helpful!

John
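As an added example (not code from the thread or from Linksys), a small parser for the router log format shown above: it maps the MM_ and QM_ messages to IKE phase 1 and phase 2, pulls out the negotiated SA parameters, and flags the differing ESP SA lifetimes (3600 s, then 900 s) visible in the log. The sample lines are constructed from the log above, with the same placeholder addresses.

```python
import re

# Constructed sample in the format of the Linksys router log quoted above
# (addresses are the placeholders the poster used).
SAMPLE_LOG = """\
2002-11-21 16:10:18 IKE[1] Tx >> MM_I1 : 99.99.99.99 SA
2002-11-21 16:10:18 IKE[1] ISAKMP SA DES / SHA / PreShared / MODP_768 / 3600 sec (*3600 sec)
2002-11-21 16:10:19 IKE[1] Tx >> QM_I1 : 99.99.99.99 HASH, SA, NONCE, KE, ID, ID
2002-11-21 16:10:19 IKE[1] ESP_SA 3DES / SHA / 3600 sec (*3600 sec) / SPI=[d3e8906a:7fed37ce]
2002-11-21 16:10:19 IKE[1] Set up ESP tunnel with 99.99.99.99 Success !
2002-11-21 16:13:09 IKE[73] QM : IPsec SA time out
2002-11-21 16:24:40 IKE[1] ESP_SA 3DES / SHA / 900 sec (*900 sec) / SPI=[a06b7c18:db7427e5]
2002-11-21 16:24:40 IKE[1] Set up ESP tunnel with 99.99.99.99 Success !
"""

LINE = re.compile(r"^(\S+ \S+) IKE\[(\d+)\] (.*)$")
SA = re.compile(r"^(ISAKMP SA|ESP_SA) (.+?) / (\d+) sec")

def parse_ike_log(text):
    """Summarise main-mode, quick-mode and SA events from router IKE log lines."""
    s = {"main_mode": [], "quick_mode": [], "isakmp_sa": None,
         "esp_sas": [], "tunnels_up": 0, "timeouts": 0}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # @in/@out traffic lines and blank lines are not IKE events
        ts, _session, event = m.groups()
        sa = SA.match(event)
        if event.startswith(("Tx >> MM_", "Rx << MM_")):
            s["main_mode"].append(event.split()[2])   # phase 1 message, e.g. MM_I1
        elif event.startswith(("Tx >> QM_", "Rx << QM_")):
            s["quick_mode"].append(event.split()[2])  # phase 2 message, e.g. QM_I1
        elif sa:
            kind, algs, life = sa.groups()
            entry = {"time": ts, "algs": algs, "lifetime": int(life)}
            if kind == "ISAKMP SA":
                s["isakmp_sa"] = entry                # phase 1 SA agreed
            else:
                s["esp_sas"].append(entry)            # phase 2 (ESP) SA established
        elif "Success" in event:
            s["tunnels_up"] += 1
        elif "time out" in event:
            s["timeouts"] += 1
    return s

def esp_lifetimes_consistent(summary):
    """False when successive ESP SAs carried different lifetimes, as in the log
    above (3600 s then 900 s), which points at a rekey-setting mismatch."""
    return len({sa["lifetime"] for sa in summary["esp_sas"]}) <= 1
```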
 
Dan,
Did some further poking around on my IPSec setup and discovered where my 900 sec rekey vs. your 3600 rekey value is set.

The more interesting issue is that the other values in the same setting DO NOT include an Authentication Header integrity check. This may be how I am able to negotiate a key exchange from behind a NAT router, where the IP header of the packet containing the authentication is not what the Win2K client 'thinks' it is (99.99.99.99 vs. 192.168.0.2), and could explain why you can't get by ISAKMP Phase I negotiation and get Authentication errors when working from home.


To get to the settings,
1. Edit your IPSec Policy
2. Select either of your 2 active rules (Outgoing or Incoming); these should be set to 'Require Security'.
3. Edit the rule; you are now in a dialog box titled 'Edit Rule Properties' with five tabs.
4. Select the 'Filter Action' tab; the radio button selected should be for 'Require Security'.
5. Highlight the selection 'Require Security' and select the Edit button.
6. You are now in a dialog box titled 'Require Security Properties' with two tabs: 'General' and 'Security Methods'
7. Select the 'Security Methods' Tab; Negotiate Security radio button should be selected and only the 'Session key Perfect Forward Secrecy' checkbox should be checked.
8. The settings window titled 'Security Method preference order:' in the middle of the dialog should read:
Type AH Integrity ESP Confidential ESP Integrity
Custom <None> 3DES SHA1
Custom <None> 3DES MD5
Custom <None> DES SHA1
Custom <None> DES SHA1
(I have omitted the Key Lifetime column)

If not, you can select each individual line entry and push the 'Edit' button to bring up a dialog box titled 'Modify Security Method'; from there select the radio button 'Custom (for expert users)' and push the Settings button under that entry to bring up a dialog box titled 'Custom Security Method Settings'.

From the Custom Security Method Settings dialog box, ensure the checkbox for 'Data and Address integrity without encryption (AH)' is NOT checked; check (if necessary) the 'Data integrity and encryption (ESP)' checkbox and select the appropriate integrity algorithm and encryption algorithm in the drop-down boxes. For session key settings, check Generate a new key every: [100000] Kbytes and check Generate a new key every [3600] seconds (or other settings as you desire).

*** Notice and Disclaimer *** (Sorry Guys)
The above process describes how my IPSec 'Require Security' Filter Action settings are now, and to my knowledge how they were configured 'out of the box' on my Win2K Pro OS as installed by Gateway. Everything, including (and especially) the "Custom (for expert users)" settings, was not changed by me or, to my knowledge, anyone else. The laptop was delivered directly to me from Gateway and was not put through any company setup or configuration process.

Please also note that the above settings appear to disable checking of the Authentication Header integrity. I have speculated that this is necessary for operability behind a NAT router, but do not know this for sure. The impact this has on the overall security of the system, if any, I do not have the knowledge or training to estimate. USE THESE SETTINGS AT YOUR OWN RISK

That being said, Good Luck!

John
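The AH-versus-ESP point raised above, as an added example that is not code from the thread: AH's integrity check value covers the outer IP header, including the source address that a NAT router rewrites, whereas ESP's covers only the encapsulated data. The key, payload and public address below are constructed stand-ins, and the header is a reduced model of the IPv4 fields AH treats as immutable.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demonstration, not code from the thread: why an AH integrity check
# fails when a NAT router rewrites the source address, while ESP's does not.
# The key stands in for the integrity key the two peers would negotiate.
DEMO_KEY = b"constructed-demo-key"

def ip_header(src, dst):
    # Stand-in for the IPv4 header fields AH treats as immutable and covers with
    # its ICV: version/IHL, protocol (51 = AH) and both addresses.
    return (struct.pack("!BB", 0x45, 51)
            + ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed)

def ah_icv(src, dst, payload):
    # AH: the ICV is computed over the outer IP header plus the payload.
    return hmac.new(DEMO_KEY, ip_header(src, dst) + payload, hashlib.sha1).digest()

def esp_icv(payload):
    # ESP: the ICV covers only the ESP header/payload, never the outer IP header.
    return hmac.new(DEMO_KEY, payload, hashlib.sha1).digest()

def delivered_after_nat(src, dst, public_ip):
    # Source NAT as the non-VPN Linksys does it: the private source becomes public.
    return (public_ip, dst)

def survives_nat(mode, private_src, dst, public_ip, payload):
    """Sender builds the ICV on its private address; the receiver recomputes it
    on the header NAT actually delivered. True if the ICV still verifies."""
    nat_src, nat_dst = delivered_after_nat(private_src, dst, public_ip)
    if mode == "AH":
        sent = ah_icv(private_src, dst, payload)
        return hmac.compare_digest(sent, ah_icv(nat_src, nat_dst, payload))
    if mode == "ESP":
        return hmac.compare_digest(esp_icv(payload), esp_icv(payload))
    raise ValueError(mode)

if __name__ == "__main__":
    # Addresses from the thread: Win2K client 192.168.0.2 is seen as 99.99.99.99;
    # the remote gateway address is a placeholder (the post's value was masked).
    for mode in ("AH", "ESP"):
        ok = survives_nat(mode, "192.168.0.2", "203.0.113.10", "99.99.99.99", b"ISAKMP")
        print(f"{mode}: integrity check {'passes' if ok else 'FAILS'} behind NAT")
```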
 
These are my newest settings. My failure count is going up in the ipsecmon command. From the failures and the log on the firewall, do you think that both ends are trying to handshake? Maybe that error is throwing us both off, and it could be something else (local). Well, I am still banging on this thing; talk to you soon.

IP Security test . . . . . . . . . : Passed
Local IPSec Policy Active: 'Vpn'
IP Security Policy Path: SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{6A8EAB58-23FA-497D-9898-70082C70DEAA}

There are 2 filters
No Name
Filter Id: {EC52B094-1927-4EB8-9876-B81491ED4537}
Policy Id: {883AA067-3032-4172-9A92-FE24CFD17B9F}
IPSEC_POLICY PolicyId = {883AA067-3032-4172-9A92-FE24CFD17B9F}
Flags: 0x0
Tunnel Addr: 0.0.0.0
PHASE 2 OFFERS Count = 4
Offer #0:
ESP[ 3DES SHA1 HMAC]
Rekey: 3600 seconds / 100000 bytes. With PFS.
Offer #1:
ESP[ 3DES MD5 HMAC]
Rekey: 900 seconds / 100000 bytes. With PFS.
Offer #2:
ESP[ DES SHA1 HMAC]
Rekey: 900 seconds / 100000 bytes. With PFS.
Offer #3:
ESP[ DES MD5 HMAC]
Rekey: 900 seconds / 100000 bytes. With PFS.
AUTHENTICATION INFO Count = 1
Method = Preshared key: mykey
Src Addr : 192.168.1.2 Src Mask : 255.255.255.255
Dest Addr : 192.168.100.0 Dest Mask : 255.255.255.0
Tunnel Addr : 24.186.245.180 Src Port : 0 Dest Port : 0
Protocol : 0 TunnelFilter: Yes
Flags : Outbound
No Name
Filter Id: {9C226A92-5B60-4090-B543-6AC31390EE9D}
Policy Id: {0D64E83E-BC27-47D4-A0C1-C0756BE00643}
IPSEC_POLICY PolicyId = {0D64E83E-BC27-47D4-A0C1-C0756BE00643}
Flags: 0x0
Tunnel Addr: 0.0.0.0
PHASE 2 OFFERS Count = 4
Offer #0:
ESP[ 3DES SHA1 HMAC]
Rekey: 3600 seconds / 100000 bytes. With PFS.
Offer #1:
ESP[ 3DES MD5 HMAC]
Rekey: 900 seconds / 100000 bytes. With PFS.
Offer #2:
ESP[ DES SHA1 HMAC]
Rekey: 900 seconds / 100000 bytes. With PFS.
Offer #3:
ESP[ DES MD5 HMAC]
Rekey: 900 seconds / 100000 bytes. With PFS.
AUTHENTICATION INFO Count = 1
Method = Preshared key: mykey
Src Addr : 192.168.100.0 Src Mask : 255.255.255.0
Dest Addr : 0.0.0.0 Dest Mask : 0.0.0.0
Tunnel Addr : 192.168.1.2 Src Port : 0 Dest Port : 0
Protocol : 0 TunnelFilter: Yes
Flags : Inbound


The command completed successfully
 
John, you're not going to believe it, but yes, we sort of got it to work, hehe. OK, here's the thing: on my VPN router side (BEFVP41) it shows status "Connect", but I can't ping from there to here using 192.168.1.2, and the other way around, when I try to ping on the non-VPN router side, I still get "Negotiating Security". But I do see on the ipsecmon tool:
Oakley main modes 33 (and counting)
Oakley quick main modes 33 (counting)
Bad SPI packets sent 4 (has not gone up)

With knowing this, SPI is disabled on both sides of the router, so I guess we got a little further here. I also enabled NetBIOS on the VPN router side. What I really want to do here is have access to print and share files through the VPN (obviously), but also sign on to my domain as well, and I think all that will come together once I can ping the endpoint. OK, well, thanks again, and we're almost there. Dan
 
Dan,
Looking at your NetDiag output, your "inbound" (second) tunnel does not appear to be properly configured to reflect your Win2K address.

YOURS
-----------
Src Addr : 192.168.100.0 Src Mask : 255.255.255.0
Dest Addr : 0.0.0.0 Dest Mask : 0.0.0.0
Tunnel Addr : 192.168.1.2 Src Port : 0 Dest Port : 0
Protocol : 0 TunnelFilter: Yes
Flags : Inbound
MINE
----------
Src Addr : 192.168.1.0 Src Mask : 255.255.255.0
Dest Addr : 192.168.0.2 Dest Mask : 255.255.255.255
Tunnel Addr : 192.168.0.2 Src Port : 0 Dest Port : 0
Protocol : 0 TunnelFilter: Yes
Flags : Inbound

Note the difference in the Destination Address and Destination Mask

Your "outbound" tunnel appears OK tho'.

John
 
John, I got it to work 100%, but for some reason with different settings from yours. OK, here goes. When I told you that I had:

winxp--befvp41

source address "MY IP ADDRESS"
destination is set to subnet and it's xxx.168.100.0

befvp41--winxp

source address is set up to subnet and it's xxx.168.100.0
destination "MY IP ADDRESS"

Well, that didn't work, so what I found out with some messing around is that the source address, which I had set to "MY IP ADDRESS" ... wrong ... it had to be set as "ANY IP ADDRESS". This goes for both filters. Now I am not sure if this is risky or not because of the "any IP", but I can (from the non-VPN router side) ping and see all network drives, printers, etc. on the VPN router side. BUT I cannot get into the VPN setup 192.168.100.1 (not sure why). I also wanted to add: the VPN router side can only ping my machine (the non-VPN router side, where I set up the policy). Is this normal? They (VPN router side) cannot ping any other machine but this one?
 
Dan,
Not sure what effect it would have on the security of the system to set up the filters as you indicated. Obviously, someone would still have to know your pre-shared key to hack into your system. Still, using "any IP address" rubs me the wrong way...
As far as accessing the router setup via the tunnel, try I know that I access it from the LAN side without the ":8080", but I just tried it via the VPN tunnel and could only get in with port 8080 specified (without the tunnel established you would use the external IP address xx.186.245.180:8080, of course).

As far as pinging other machines on the non-router side, I believe they can't do it normally. It may be possible to set up your Win2K machine for internet connection sharing and try to turn it into a router, but probably much easier and more reliable to just install a second linksys router on your end.

This would be especially true if you have your VPN router tunnel configured as I do (above), where the remote secure group is a particular IP address 192.168.1.2 (not a subnet) and the remote secure gateway is the IP address assigned to your (non-vpn) router that connects to your cable modem.

Some additional thoughts on your need to use "Any IP Address" on your IPSec filters as opposed to my configuration (and as illustrated in the Linksys appendix for doing this):

1. Are your subnet masks set up the same on the router and in your IPSec filter?

2. I had some confusion during the setup of my filters in keeping the right rules selected for the right filters. It is entirely possible to have the same filter rule applied to both the incoming and outgoing filter, and one of your filter rules not used at all.
From the "VPN Properties" dialog box there is a sub-window titled IP Security rules which contains headings of 'IP Filter List'; 'Filter Action'; 'Authentication Methods'; 'Tunnel Setting'; 'Connection Type' with entries of "Winxp->befvp41" (checked), "befvp41->winxp" (checked) and "<Dynamic>" (un-checked).
Selecting either of the two checked filter lists and the Edit button brings up a dialog box titled "Edit Rule Properties" with 5 tabs, including IP Filter List, which has a sub-window titled 'IP Filter Lists:' and contains all the filters on the machine, with radio buttons beside each one. It is entirely possible to attach the befvp41->winxp filter list to the rule winxp->befvp41 and vice versa, or both to the same rule.

Glad to hear you are operational though!

John
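The mirror check applied to the NetDiag filters earlier in the thread, and the unease about "Any IP Address" filters, as an added example that is not code from the thread or from Microsoft: it parses filter blocks in the NetDiag layout quoted above (Dan's two filters, embedded as a constructed sample) and reports where the inbound filter fails to mirror the outbound one and where a filter matches every address.

```python
import ipaddress
import re

# Constructed sample in the layout of the NetDiag output quoted in the thread:
# the two tunnel filters as posted, one outbound and one inbound.
SAMPLE_NETDIAG = """\
Src Addr : 192.168.1.2 Src Mask : 255.255.255.255
Dest Addr : 192.168.100.0 Dest Mask : 255.255.255.0
Tunnel Addr : 24.186.245.180 Src Port : 0 Dest Port : 0
Protocol : 0 TunnelFilter: Yes
Flags : Outbound
Src Addr : 192.168.100.0 Src Mask : 255.255.255.0
Dest Addr : 0.0.0.0 Dest Mask : 0.0.0.0
Tunnel Addr : 192.168.1.2 Src Port : 0 Dest Port : 0
Protocol : 0 TunnelFilter: Yes
Flags : Inbound
"""

FIELD = re.compile(r"(Src Addr|Src Mask|Dest Addr|Dest Mask|Tunnel Addr|Flags) : (\S+)")

def parse_filters(text):
    """Group the flat NetDiag lines into one dict per filter ('Flags :' ends a filter)."""
    filters, current = [], {}
    for line in text.splitlines():
        for key, value in FIELD.findall(line):
            current[key] = value
        if line.startswith("Flags :"):
            filters.append(current)
            current = {}
    return filters

def network(addr, mask):
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def check_tunnel_pair(filters):
    """Return the problems a reviewer would raise about an outbound/inbound filter pair."""
    out = next(f for f in filters if f["Flags"] == "Outbound")
    inb = next(f for f in filters if f["Flags"] == "Inbound")
    problems = []
    # The inbound filter should be the mirror image of the outbound one.
    if network(inb["Src Addr"], inb["Src Mask"]) != network(out["Dest Addr"], out["Dest Mask"]):
        problems.append("inbound source is not the outbound destination")
    if network(inb["Dest Addr"], inb["Dest Mask"]) != network(out["Src Addr"], out["Src Mask"]):
        problems.append("inbound destination is not the outbound source")
    # A 0.0.0.0 mask is 'Any IP Address': the filter matches every host, so flag it.
    for f in (out, inb):
        for side in ("Src", "Dest"):
            if f[f"{side} Mask"] == "0.0.0.0":
                problems.append(f"{f['Flags']} {side} is 'Any IP Address'")
    return problems
```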
 