
My VPN Hates me :(

Cogman

Lifer
I'm trying to set up a VPN for my employer and I'm stumped. I don't know what I'm doing wrong, but apparently it is terrible.

On the local network, the VPN works just fine (but that kind of defeats the purpose). However, whenever I leave the network I am unable to connect to the VPN. The network consists of a QWEST M-1000 and a Linksys WRTG2 (or something along those lines, definitely in the WRT family). I've tried demilitarizing the server, setting up port forwarding (for ports 1700 -> 1800), etc. No dice.

I'm not a networking guru, so is there something I'm missing? (I will be back at work tomorrow, so I don't have access to the routers where I am now.)

My feeling is that the QWEST 1000 is giving me the biggest problems.
 
What's most likely is you have some kind of NAT going on. NAT and VPNs don't play nice together, and there's more to it than forwarding ports. You need to forward IP PROTOCOL 50 (GRE) to the VPN endpoint.

This is not a TCP/UDP port number; it is an IP protocol number. The symptoms of GRE getting lost or being NATed are that phase 2 completes but no tunnel or ESP traffic is moved.
 
Originally posted by: spidey07
What's most likely is you have some kind of NAT going on. NAT and VPNs don't play nice together, and there's more to it than forwarding ports. You need to forward IP PROTOCOL 50 (GRE) to the VPN endpoint.

This is not a TCP/UDP port number; it is an IP protocol number. The symptoms of GRE getting lost or being NATed are that phase 2 completes but no tunnel or ESP traffic is moved.

Looks like I need to read up on GRE then. I know I saw the option to forward GRE in the Linksys router, so that is most likely where I'm going wrong. Thanks for the help (you can bet I'll be back if that doesn't work 🙂). Dang it, programmers aren't supposed to do network administration. Guess that's what you get for working in a small company.
 
LOL! We keep any application people as far away from networking as possible. Their brains don't work in the flawless logic and conceptual thinking that networking requires.

😀
 
Originally posted by: spidey07
LOL! We keep any application people as far away from networking as possible. Their brains don't work in the flawless logic and conceptual thinking that networking requires.

😀

😛 Flawless? More like "poorly designed." What person in their right mind expects people to know protocol numbers in order to get something working 🙂. Enable protocol 7 to allow NAT to forward the GRE to the UDP. Dang you, acronyms and nondescriptive numbers! 😀
 
Generic Routing Encapsulation and User Datagram Protocol are extremely descriptive.

I didn't google, hope I got those right.
 
Originally posted by: spidey07
Generic Routing Encapsulation and User Datagram Protocol are extremely descriptive.

I didn't google, hope I got those right.

You were off by 3. GRE is protocol 47, not 50 🙂 But you got GRE and UDP right.
 
What kind of VPN are you trying to set up?
PPTP, L2TP, or IPSEC?
If it's PPTP, then it's Protocol 47 (GRE) that needs to be passed through. In SOHO routers, this is typically called "VPN Passthrough", although that can also refer to OUTGOING VPN connections. Some SOHO routers can handle inbound VPN connections (VPN server) and some can't. Often it's a crapshoot whether a particular firmware version of a particular SOHO router will work with a VPN server.

I've always had good luck with the low-end Netgear VPN routers, either as a site VPN or in passthrough mode:
Netgear FVS318

What's the VPN server? Are you using the Windows VPN server, or something else?

You mentioned two routers (?). What's the second router doing?
 
Originally posted by: RebateMonger
What kind of VPN are you trying to set up?
PPTP, L2TP, or IPSEC?
If it's PPTP, then it's Protocol 47 (GRE) that needs to be passed through. In SOHO routers, this is typically called "VPN Passthrough", although that can also refer to OUTGOING VPN connections. Some SOHO routers can handle inbound VPN connections (VPN server) and some can't. Often it's a crapshoot whether a particular firmware version of a particular SOHO router will work with a VPN server.

I've always had good luck with the low-end Netgear VPN routers, either as a site VPN or in passthrough mode:
Netgear FVS318

What's the VPN server? Are you using the Windows VPN server, or something else?

You mentioned two routers (?). What's the second router doing?

Second router is a DSL modem/router combo. Reading up on the internet, it has a transparency mode that I believe I want to enable (it currently isn't running in transparency mode).

VPN server is the one by Windows Server 2003. I believe I am using PPTP. Would a different firmware like Tomato be able to support inbound VPN forwarding? (If I can't get the Cisco one working.)
 
Originally posted by: Cogman
Second router is a DSL modem/router combo. Reading up on the internet, it has a transparency mode that I believe I want to enable (it currently isn't running in transparency mode).

VPN server is the one by Windows Server 2003. I believe I am using PPTP. Would a different firmware like Tomato be able to support inbound VPN forwarding? (If I can't get the Cisco one working.)

If your router is compatible with Tomato, it should. Tomato (using a modified version) has a built-in VPN, but I'm not sure if that would help you or not (see the Tomato forum at www.linksysinfo.org for information on mods).

 
Originally posted by: Cogman
Second router is a DSL modem/router combo. Reading up on the internet, it has a transparency mode that I believe I want to enable (it currently isn't running in transparency mode).

If you are going through a double NAT, then you are definitely going to have problems with your VPN. What are the WAN and LAN subnets of each router?
 
Originally posted by: drebo
If you are going through a double NAT, then you are definitely going to have problems with your VPN. What are the WAN and LAN subnets of each router?
Yeah, I doubt that the VPN packets are going to get through a double-NAT successfully.

If I'm reading your setup right, you'd want:

Telco
!
DSL Modem/Router (in Transparent Bridging mode, so the router is disabled. Also be sure any firewall on the DSL Modem is disabled. The last Qwest DSL modem I dealt with had a firewall enabled even in Transparent Bridging mode.)
!
Linksys Router (TCP Port 1723 forwarded to VPN Server and VPN passthrough enabled)
!
VPN Server
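The point spidey07 and RebateMonger make above, that GRE is an IP protocol number rather than a port and so a port-forward range never touches it, as an added example that is not code from anyone in this thread: a small Python model of the two packet types a PPTP client sends and of a consumer router's inbound NAT. The addresses, Call ID, packet bytes and the toy `SohoRouter` class are all constructed here, and nothing is sent on a real network. It pushes the same traffic through Cogman's first configuration (TCP ports 1700-1800 forwarded, nothing else) and through the "TCP 1723 forwarded plus VPN passthrough" setup in the diagram above.

```python
"""Why a port-forward range cannot carry PPTP's GRE tunnel through a NAT router.
Added example for this thread, not code posted by anyone in it.  Packets,
addresses, the Call ID and the toy router model are constructed here."""
import struct
from ipaddress import IPv4Address

IPPROTO_TCP, IPPROTO_GRE, IPPROTO_ESP = 6, 47, 50
PPTP_CONTROL_PORT = 1723      # TCP: the PPTP control connection
GRE_PPP = 0x880B              # protocol type of PPP inside enhanced GRE (RFC 2637)


def ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum left zero) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                      0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def tcp_syn(sport, dport):
    """TCP header carrying only SYN: enough for a NAT to pick a forwarding rule."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)

def pptp_gre(call_id, seq, ppp):
    """Enhanced GRE header (RFC 2637 s.4): K=1, S=1, version 1, then payload
    length, the PPTP Call ID and a sequence number, followed by the PPP frame."""
    flags = (1 << 13) | (1 << 12) | 1
    return struct.pack("!HHHHI", flags, GRE_PPP, len(ppp), call_id, seq) + ppp

def esp(spi, seq, body):
    """IPsec ESP header (RFC 4303): SPI and sequence number, then the payload."""
    return struct.pack("!II", spi, seq) + body

def classify(pkt):
    """Say what the packet is and which fields a NAT would need to map it."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src, dst = str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))
    body = pkt[ihl:]
    if proto == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", body[:4])
        kind = "pptp-control" if PPTP_CONTROL_PORT in (sport, dport) else "tcp"
        return {"kind": kind, "proto": proto, "dport": dport,
                "nat_key": (src, sport, dst, dport)}
    if proto == IPPROTO_GRE:
        flags, ptype, _plen, call_id = struct.unpack("!HHHH", body[:8])
        kind = "pptp-data" if (flags & 7) == 1 and ptype == GRE_PPP else "gre"
        return {"kind": kind, "proto": proto, "dport": None,
                "nat_key": (src, dst, call_id)}           # no ports exist here
    if proto == IPPROTO_ESP:
        spi = struct.unpack("!I", body[:4])[0]
        return {"kind": "ipsec-esp", "proto": proto, "dport": None,
                "nat_key": (src, dst, spi)}
    return {"kind": "other", "proto": proto, "dport": None, "nat_key": None}


class SohoRouter:
    """Toy model of a consumer router's inbound NAT (constructed for this example):
    port-forward rules keyed on (L4 protocol, port range, target) plus an optional
    'VPN passthrough' table that forwards a whole IP protocol to one LAN host."""

    def __init__(self, port_forwards, passthrough=None):
        self.port_forwards = port_forwards            # [(ip_proto, lo, hi, target)]
        self.passthrough = passthrough or {}          # {ip_proto: target}

    def inbound(self, pkt):
        """Return the LAN host the packet is delivered to, or None if it is dropped."""
        info = classify(pkt)
        if info["dport"] is not None:                 # TCP/UDP: a port range can match
            for proto, lo, hi, target in self.port_forwards:
                if proto == info["proto"] and lo <= info["dport"] <= hi:
                    return target
        return self.passthrough.get(info["proto"])    # GRE/ESP: protocol number only


# Constructed sample traffic: a road warrior at 203.0.113.7 dialling the office
# WAN address 198.51.100.2, where the PPTP server sits on the LAN at 192.168.1.10.
CLIENT, WAN, SERVER = "203.0.113.7", "198.51.100.2", "192.168.1.10"
CONTROL = ipv4(IPPROTO_TCP, CLIENT, WAN, tcp_syn(51000, PPTP_CONTROL_PORT))
TUNNEL = ipv4(IPPROTO_GRE, CLIENT, WAN, pptp_gre(0x2A01, 1, b"\xff\x03\xc0\x21"))  # PPP LCP
ESP_PKT = ipv4(IPPROTO_ESP, CLIENT, WAN, esp(0xDEADBEEF, 1, b"\x00" * 16))


def compare_configs():
    """Push the same two PPTP packets through the thread's two router setups."""
    ports_only = SohoRouter([(IPPROTO_TCP, 1700, 1800, SERVER)])        # the OP's first try
    with_passthrough = SohoRouter([(IPPROTO_TCP, 1723, 1723, SERVER)],  # the diagram above
                                  passthrough={IPPROTO_GRE: SERVER})
    samples = [("control", CONTROL), ("tunnel", TUNNEL)]
    return {"ports_only": {n: ports_only.inbound(p) for n, p in samples},
            "with_passthrough": {n: with_passthrough.inbound(p) for n, p in samples}}


if __name__ == "__main__":
    for name, pkt in [("control", CONTROL), ("tunnel", TUNNEL), ("esp", ESP_PKT)]:
        print(f"{name:8s} {classify(pkt)}")
    print(compare_configs())
```

Running it, `compare_configs()` delivers the TCP 1723 control connection to the server under both configurations, but the GRE tunnel packet only when protocol 47 is passed through; the port-range rule never even gets a chance to match it, which is exactly the "phase completes but no tunnel traffic moves" symptom described earlier. `classify()` shows why: the only handles a NAT has on a GRE packet are the address pair and the PPTP Call ID, and on ESP (protocol 50, the number spidey07 first cited) the SPI. On Linux-based firmware such as Tomato the real equivalent is the netfilter PPTP connection-tracking helper, which keys GRE on the Call ID in the same way rather than on a port table.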
 
Originally posted by: Cogman
255.255.255.0 for both. (I believe; I can't verify, as the office is a bit too far away.)

By subnet, I meant the subnet, not the subnet mask... although if the mask is 255.255.255.0 on both, I'd wager that you have RFC 1918 addresses on both sides of your router, which means that you are NATing twice.
 
OK, so here is what I've done thus far. I've disabled the Linksys router as a DHCP server in hopes of bypassing the NAT. Now the QWEST router is doing all the serving for me.

However, I still can't access the dang VPN. Even when I plug the server directly into the router/modem it won't allow me to log into the VPN.

I've enabled all VPN forwarding protocols and ports, placed the computer into a DMZ, and still no dice. Any other hints?

(I should also note that I brought in another hub to see if it was connecting correctly. I went from laptop -> second hub -> Linksys router -> VPN server with absolutely no problem. I'm starting to believe the problem has to reside somehow with the Qwest router.)

One other issue: Qwest's router connects through PPPoA (not PPPoE), which means that in its default setup the Linksys router is unable to connect to the internet (if I put the QWEST M1000 into bridge mode). Hence the odd setup.
 
Cogman, you may be able to perform the PPPoA on the Qwest router while still providing a public IP to your own router. I know that there are a number of Westell and Motorola modems that function that way. This would cause the Qwest router to not be performing NAT at all, which would take it entirely out of the loop as far as VPN passthrough goes.
 
Originally posted by: drebo
Cogman, you may be able to perform the PPPoA on the Qwest router while still providing a public IP to your own router. I know that there are a number of Westell and Motorola modems that function that way. This would cause the Qwest router to not be performing NAT at all, which would take it entirely out of the loop as far as VPN passthrough goes.

I've been looking for an option to do just that, but I can't seem to find anything. It allows me to disable the NAT, but that just results in the internet being unavailable.
 
When you put a DSL modem into Transparent Bridging mode, you usually put a second router behind it and set up the second router to supply the login credentials to the DSL provider. You can also use a desktop PC to do this, but that means that PC has to stay on to keep the connection up for any other PCs on the network.
 
Originally posted by: RebateMonger
When you put a DSL modem into Transparent Bridging mode, you usually put a second router behind it and set up the second router to supply the login credentials to the DSL provider. You can also use a desktop PC to do this, but that means that PC has to stay on to keep the connection up for any other PCs on the network.

OK, so I've got the bridge into transparent mode. The Linksys router has the static IP now; I had confirmed earlier that it was working correctly. So now all that leaves is that Verizon's wireless 3G networking stuff is not working at all. Would that be correct?
 
I got it! Whoot! This thing was way too miserable to get going, but now it is. The final step, which I forgot to do, was to enable port forwarding. Once that was in place it was smooth sailing. Thanks all for the help!
 