VPN through router failure - config. question

VPN through router failure - config. question

Hi,

I've just had ADSL activated and everything's working fine except for the (rather important) ability to establish a VPN tunnel to my company's network.

I'm using a Line One wireless router with just one laptop 'attached' to it. When I try to use my VPN client (AT&T net client V. 5.09.2) to tunnel through I get a loop from 'talking to VPN server' - 'negotiating encryption keys' - 'authenticating with the VPN server' and then back round the same loop ad infinitum.

The router has VPN capability but I think, from reading various things, that this is related to me creating a VPN at 'this end' so I've left the VPN option off currently as I don't think it's relevant to what I'm trying to achieve? (I've tried with it on and spent hours changing settings in the router but wasn't getting anywhere).

I phoned F9 support who suggested asking the question here but also talked about assigning one of my four IP addresses (the third in the range) to the VPN client and doing nothing to the router. I've tried to do that but am not at all sure how to or what I'm doing really!

Any pointers / advice on how to resolve this would be very much appreciated!

Thanks

Mike
50 REPLIES
VPN Problems

Hello Good morning,

OK, Yes! this is a complex situation and a difficult one to troubleshoot (diagnose) properly but here are a couple of things I suggest you need to check.
1) Ask your company or systems administrator what special requirements they have for inbound VPN connections? Even make a check list of them and go home and check them off if it will help!
2) Check you have enabled VPN pass through on your ADSL router, i.e. ensure the correct ports allow VPN through or, to put it another way, that your router isn't blocking you from establishing a VPN connection.
3) Ensure you are using a single IP address which is visible, as the VPN server will require this in order to form the connection (routers usually have two IP addresses, one on the internal side of your network and one external public-facing IP).

**The problem here sounds less to do with the actual VPN and tunnelling or the router but far more to do with an issue of AUTHENTICATION, i.e. your connection is NOT being validated due to a problem with the encrypted keys or session keys. The connection will not be completed until the encryption is completed correctly. To put it into a more simple example, it's just like your username & password are invalid or not recognised, as the encryption is failing here by the sound of it. All else may well be OK but for the encryption issue. You would be advised to try and find out what method or means of encryption IS being used here to validate you as a user or your VPN connection. I cannot really think of anything more that might help.

Best Regards
Cool Ivan
VPN through router failure - config. question

Hi,

Thanks for your reply.

I have a lot of information on what the VPN from the company side is expecting now but I'm not remotely familiar with 'this stuff' so I'm not sure what I'm doing when it comes to opening ports on the router unfortunately.

There's a table in the router setup called 'Virtual server' into which I've been putting all the port numbers which might be relevant against the IP address of the PC (I tried the IP address of the router but then the connection didn't work so guessed that this was not the thing to do!).

I've made the LAN IP Address field in the router setup the same as the 'router address' that F9 tells me (of the 4 addresses they've told me about). This connects fine and the PC is then allocated the next IP since I've put the DHCP range on the router down to just that IP address - this latter is the one F9 told me to use as it is 'spare'. Is this right?

Thanks
VPN through router failure - config. question

I think, if you've got a block of 4 IP addresses assigned to you, then the "Virtual Server" stuff in the router is of no consequence.

Of the 4 addresses, only the middle two may be assigned to devices; of these the first address is assigned to both the WAN and the LAN interfaces of the router (which is what you seem to have done) and the other usable address is used by your PC.

With this configuration, if you can see an option on the router for "NAT" it should be switched off. You're using a No-NAT configuration.

With this set-up, the router should be pretty much transparent; the only thing to consider is whether the router has any firewall options which may be preventing data reaching your PC. And, of course, any firewall software on the PC itself.
More

Hello again,

Yep! I agree with all that Task has outlined above as regards the IP addresses and your settings for DHCP & No-NAT but I reiterate what I said before: I think the problem is one of authentication. However, being a wireless ADSL router you should also check your settings for WEP (that's Wireless Equivalent Privacy); these settings are for security (WEP is a security protocol). When you install a wireless device such as a wireless router the W.E.P settings are set up as just plain default settings (very basic settings so you can use the device).

But the problem, which is well known and well recognised, is that the basic or default WEP settings are wide open and extremely insecure. In other words you must change the basic WEP settings to ensure your LAN (network) is NOT visible or hackable from other people. (In other words check to see if your device does indeed use WEP and if it does then you may well need to make some changes to ensure your systems remain secure.) WEP is different from a firewall (it's a separate subject / technology) or software firewalls such as ZoneAlarm for example.

**It sounds like you're doing really well to try and sort out this problem but also sometimes it's kinder to yourself to admit that you're out of your own depth on this possibly? and that perhaps it might be better to get some assistance from someone who is more experienced in configuring routers and wireless devices. No! disrespect intended, I just know how it feels to struggle along with something without getting it working as you want it to be. I wonder if someone in your company's IT team might come out to help you with the last bits??

**The problem here is that if you don't have the in-depth technical understanding of the technologies being used it's very hard to get things working or make a solid diagnosis of the real problems, as you just won't appreciate the issues involved. Again NO! disrespect intended. It's just we all have limits to our own knowledge and it's sometimes valuable to recognise when one has come up against such limits.

Ivan

VPN through router failure - config. question

Thanks to both of you for taking the time to provide this helpful input :-)

No offence taken whatsoever regarding this being a teeny bit tricky and requiring knowledge! I tried getting tech support from my company to assist but their basic (and final!) premise is that they don't support VPN through routers. Now I'm pretty much 100% certain that this can be made to work so I'm persevering (and also trying to get the router supplier to assist). I entirely agree that doing it myself is not the best option though!

Having said that, I'm using WPA-PSK to secure the wireless n/w itself and also have assigned MAC address control restricted to just the one PC and that's all working fine (presumably that would have nothing to do with the VPN failing to work?). The local n/w and access out via F9 is all fine and consistently works properly.

I also have ZoneAlarm running but have tried dropping it temporarily each time I change something (ie. OFF completely) AND putting this PC in the DMZ zone of the router, again temporarily.

The IP address on the router is consistently the one I was told by F9, as is its LAN IP, so that seems fine. Same applies to the laptop IP, which is now consistently set at the 'spare' one F9 told me - so again, the IP setup looks correct from what you're both saying.

One thing I haven't tried - since I can't find an option anywhere (!) is specifically telling the router that it's NO NAT. The connection protocol is PPPoA and I'm assuming that I can't change that - but the only place I can see 'NO NAT' is under alternate protocols like 'Ethernet over ATM' where there are options for dynamic and static IP as well as for NAT and NO NAT.

The last thing which is not apparent to me is where the firewall settings in the router are. Though I'd have thought that if I've put the laptop in the DMZ these should have no bearing anyway.

So as Cyteck says it definitely seems to come down to authentication, or the failure thereof. Can either of you tell me whether I SHOULD have to fiddle with the VPN settings in the router? I've tried this (but of course!) but it seems to me that they're for when the router is acting as the server end of a VPN, not the client. However, if I look at my vpn client logs for a successful dial connection I can see all the encryption protocols etc. so I've set all the vpn stuff in the router to match that. The one thing I can't set, since I don't know it, is the preshare key for IKE - but then the VPN client doesn't normally seem to send or need that so this points me back to my 'all this vpn stuff in the router is irrelevant' conclusion!

Ho hum - steep learning curve - and if I could beam a networking guru down here to fix it and cease learning I'd be entirely happy about that!!! :-)

I have a fallback position of buying an ADSL modem and using that for access to my company network (naiive assumption that this will just work out of the box acknowledged!) - I just really don't want to as it would be annoying to have to plug things in when I have a perfectly functional wireless n/w throughout the house now!

Mike
VPN through router failure - config. question

I agree with you about the wireless settings: if you're able to access the Internet when you're not trying to do the VPN thing, then the wireless settings are all OK.

I reckon if your router is set up with No-NAT, then the DMZ setting is irrelevant, and all the VPN settings should be switched off -- you want the router to simply relay packets, not to manipulate them at all (which is what it has to do if NAT is involved). For you, the router is neither a client nor a server. You want it to be a piece of clear glass, absolutely transparent.

I suppose you could try something like Shields UP! with its scanning of the particular ports which have been mentioned to you for your VPN connection, to see if the router is allowing those straight through to your PC. In your case, unlike the normal use of Shields UP!, you want the ports to be open...

For what it's worth (and it's not much) I tried pinging your router's IP address (the one which ends in 129) and I received responses. When I moved on to the PC's address (ending 130) I received no responses at all. So either the router isn't passing the ICMP messages, or the PC's configured to drop them.
Yet more on VPN

Hi Mike,

I think it's a very strange and pretty unhelpful company that asks you to attempt to gain access to their network (I'm assuming you're trying to work out of the office, such as at home, etc.), demands a VPN connection, then leaves you high and dry without offering any support just because the connection happens to travel through a router. Sorry! but what kind of P*** poor excuse is that?? What an abysmal load of tosh!!!!! Honestly, the lazy so and so's. Very poor show if you ask me, they just don't want to get off their big fat *rses and do something useful.

**If I can dig it out of the back of my brain, as far as I recall VPNs use something called L2TP (that's Layer Two Tunnelling Protocol). L2TP uses a different form of technology from most ordinary point to point (P2P) internet connections. L2TP forms a secure encrypted tunnel across the public internet and so ensures a much higher level of security through which any data you send or receive travels. I have a feeling that the encryption required to form (create) the tunnelling to the VPN server uses a session key or key for the connection itself and it's at this point where the authentication falls down. So your problem, as far as I can tell from the information you've given so far, is NOT to do with the router itself (it might be either a setting in the VPN client software, i.e. the AT&T software, or possibly a VPN setting in the wireless router), but the router itself sounds like it's functioning OK. It definitely sounds more & more like a settings issue (something needs the correct settings or settings changing).

**No! DON'T buy a new ADSL modem, I doubt that will solve the problem that you've got and anyway sometimes throwing money at the problem is NOT the answer; the answer, no matter how painful, is to resolve the problem you're faced with now, that way you learn from the experience and solve the problem for good.

**Where are you based? If you're NOT far away I might be willing to come and try to help you out if I can. I live in Leeds, West Yorkshire but am mobile. Let me know.

Best Regards Ivan Cool
VPN through router failure - config. question

Hello again,

I'm going to try 'Shields Up' later and see if I glean anything from that. I spotted that I couldn't ping my PC from 'outside' - don't understand that one as that's definitely its address and I'd dropped all the firewalls I could find at the time I tried it! The VPN client does have a two way dialogue with the VPN server so it can clearly 'see' the laptop - though I realise that the lack of ability to ping it externally might well be an issue in some way.

It seems the 'VPN enable' checkbox in the router is relevant since with it off I receive an error that "......you may be behind a firewall" after a very long time (from the VPN client) whereas with it checked (and no vpn settings other than that in the router) I receive a different message " Error 118! No response from IPSEC terminator during authentication". Some progress :-)

In defence of the company - it's me who chooses to live in the middle of nowhere miles from an office and they would, I'm sure, be more supportive if I hadn't chosen to over-complicate things by having a router and sticking with F9 rather than just taking a modem and a BT install. I sort of guessed that might be the response when I called the helpdesk but I was hoping to get a 'helpful' helpdesk person rather than the one I got who reeled off the official 'rules' - may try again tomorrow :-)

What you're saying about L2TP sounds about right - I've been reading about it and trying to do things in the router related to it (without success - obviously!). I've played with a few settings in the VPN client but it's all a bit time-consuming as the permutations are rather extensive between 'change x in the client' / 'change y in the router' / do this all again with x changed again, etc.

I agree about not getting a modem - it's a last resort. (I was trying to explain the concept of 'getting it right' to my girlfriend in justification of spending about 24 REAL hours so far on this!) Also, the router and BT point are in the attic - would make the modem a little tricky to use :-)

Would you seriously consider having a look at it? I'm in Low Bentham, North Yorkshire, just South of Ingleton off the A65 - about 45 miles from Leeds. I'd also be more than happy to bring the kit over 'there' if that would be sufficiently similar conditions in terms of what it would be plugged into.

Off to have a go with 'Shields Up' now.

Thanks again to both for all your assistance!

Mike
VPN through router failure - config. question

Hi,

Right - I've played with Shields Up! a bit and seem to be a bit on the overly secure side.

For a start the only IP address I can probe is the router's and then all ports are stealthed apart from 113, which is merely closed.

I then tried dropping Zonelabs firewall entirely and probing Port 500 and it STILL appeared closed. (To reiterate, Shields Up! is probing the router address).

Hmm....so how do I open port 500, the IPSEC one. I've tried various things to do with virtual servers in the router with no difference.

Mike
IPSEC

Hello Again Mike,

After all you've said so far I still personally think the problem is related to authentication and now specifically to do with IPSEC. IPSEC is being used as an alternative method of authentication over the connection (that is, instead of W.E.P). IPSEC is probably considered more secure but unfortunately, although I have studied IPSEC, it's not been in great depth and it was some time ago. It's yet another MS related technology introduced with Windows 2000 some years ago and unless you deal with networking on a regular basis it's probably quite obscure to most ordinary users.

IPSEC is used to provide authentication & secure communications; I strongly suspect that it is in fact a problem with IPSEC where it's all falling down. As Task said earlier in this thread your router needs to be like a clear pane of glass letting light through in both directions, hence the NO-NAT option. If you have fixed IPs and you can ping the router you're NOT far off I'd say. As for port 500, have you checked this is specifically for IPSEC (which it might be of course)? As I don't know your router in detail I couldn't comment on how you open port 500 if closed (but my guess is that there will be a setting somewhere that enables this port & IPSEC pass through).

**Yes! I'd be prepared to do you a visit, that's not a problem; the problem might be finding the time though.

Ivan Cool

VPN through router failure - config. question

Yes, very strange that the address being seen by "Shields Up!" is the router's address and not your PC's. Any website which shows the IP address you're using should be reporting the PC's address; the router should be "invisible".

This, to me, suggests the router's still using NAT under the covers, and this is not what you want for your particular configuration.

Can you point us to any online documentation for this router which we might take a look at? What's its make and model number?
VPN through router failure - config. question

For what it's worth, I did an nmap scan on that port 500:
    [root@mickey task]# nmap -sX -P0 -p 500 <PC's address>

    Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
    Interesting ports on <vapours PC> (<PC's address>):
    Port State Service
    500/tcp open isakmp

    Nmap run completed -- 1 IP address (1 host up) scanned in 12 seconds
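The three checks Task describes in this thread (split the 4-address block so the router takes the first usable address and the PC the second; treat any external site reporting the router's address rather than the PC's as a sign NAT is still on; read a port report like the nmap output above to see whether the VPN ports get through) can be scripted. The following is an added example written for this page; it is not code from the forum, from F9/Plusnet or from any router or VPN vendor. All addresses are constructed placeholders from the RFC 5737 documentation range, chosen so the router ends in .129 and the PC in .130 as in the thread, and the nmap report is a constructed sample in the layout of the one quoted above.

```python
"""Checks for the no-NAT four-address set-up discussed in the thread, plus a
reader for nmap's classic text port report.

Added example for this page, not code from the forum or from F9/Plusnet.
All addresses are constructed placeholders (RFC 5737 documentation range).
"""
import ipaddress

# Constructed sample in the layout of the nmap 3.x report quoted in the thread.
SAMPLE_NMAP_OUTPUT = """\
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on laptop.example (192.0.2.130):
Port       State       Service
500/tcp    open        isakmp
500/udp    open        isakmp
4500/udp   filtered    nat-t-ike

Nmap run completed -- 1 IP address (1 host up) scanned in 12 seconds
"""

# What a router must pass straight through for an IPsec client: IKE on UDP/500
# and IKE NAT traversal on UDP/4500. ESP (IP protocol 50) is not a port and
# never shows up in a port scan, so it cannot be checked this way.
IKE_PORTS = {(500, "udp"), (4500, "udp")}


def usable_addresses(block: str) -> tuple[str, str]:
    """Split a /30 block the way Task describes: network and broadcast are
    unusable; the first host goes on the router (both WAN and LAN side) and
    the second host is the PC."""
    net = ipaddress.ip_network(block, strict=True)
    hosts = list(net.hosts())
    if len(hosts) != 2:
        raise ValueError(f"{block} is not a /30 block with two usable addresses")
    router_ip, pc_ip = hosts
    return str(router_ip), str(pc_ip)


def nat_in_use(pc_ip: str, address_seen_from_outside: str) -> bool:
    """Task's 'clear glass' test: a site such as Shields UP! should report the
    PC's own address. If it reports any other address (typically the router's
    WAN address), the router is still translating."""
    return ipaddress.ip_address(pc_ip) != ipaddress.ip_address(address_seen_from_outside)


def parse_nmap_port_states(output: str) -> dict[tuple[int, str], str]:
    """Read 'PORT/PROTO STATE SERVICE' lines from nmap's classic text report
    into {(port, proto): state}; header and summary lines are skipped."""
    states = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 2 or "/" not in parts[0]:
            continue
        port, proto = parts[0].split("/", 1)
        if port.isdigit():
            states[(int(port), proto)] = parts[1]
    return states


def ike_ports_not_reachable(states: dict[tuple[int, str], str]) -> list[tuple[int, str]]:
    """List the IKE ports the scan did not see as open. A TCP/500 result, like
    the one in the thread, says nothing about UDP/500, which is what IKE
    actually uses, so only the UDP entries are consulted."""
    return sorted(p for p in IKE_PORTS if states.get(p) != "open")


if __name__ == "__main__":
    router, pc = usable_addresses("192.0.2.128/30")
    print(f"router (WAN and LAN): {router}, PC: {pc}")
    print("NAT still on?", nat_in_use(pc, "192.0.2.129"))
    states = parse_nmap_port_states(SAMPLE_NMAP_OUTPUT)
    print("IKE ports not seen open:", ike_ports_not_reachable(states))
```

Note that IKE runs over UDP/500 (and UDP/4500 when NAT traversal is involved), so the TCP/500 result in the post above does not show that the key exchange is getting through; that is why the check only looks at the UDP entries, and why the sample report carries both.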