centralcity
asked on
Need help establishing VPN Tunnel with Linksys, can't ping nor see remote computers
I'm trying to establish a VPN tunnel with 2 Linksys VPN DSL routers to connect two workgroups. I followed Linksys' directions, setting up each workgroup with a different IP setup, one at 192.168.1.0 and the other at 192.168.2.0. Once I make the settings in the Linksys control panels, and click the "connect" button, I get a connection. But then I cannot see the computers on the other end of the connection and I cannot successfully ping either the other computers or the other router. I've disabled the firewall in Linksys and have no software firewalls on any of the computers. Both workgroups are named "workgroup", all computers are running Windows XP Pro and have all the latest updates. Both groups are connected to the internet with DSL.
ASKER
I set up a two way tunnel just as described in the following Linksys KB article:
http://www.linksys.com/support/top10faqs/BEFSX41/Setting%20up%20a%20VPN%20tunnel%20between%20two%20BEFSX41%20routers.asp
Once I did that, I clicked on the connect button and got indication that both were connected.
As I understand it, that's all I should have to do. At that point, I should be able to see the computers on the remote network, but I can't. And I can't ping the opposite router or computers connected to it.
As an aside, I'm remotely controlling one of the remote computers with pcanywhere so I can view and control both networks from one location, so I know I'm getting thru the internet on the pcanywhere.
Don't understand the question about the virtual ip address.
So connected appears on both routers? Can you do an ipconfig from the computer and post the results here?
ASKER
Here are the results of my ipconfig:
C:\>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : dsl-verizon.net
IP Address. . . . . . . . . . . . : 192.168.2.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
C:\>
Can you still get to the internet? I.E. ping www.cisco.com ? If you followed the directions on the link to the letter then only 192.168.2.7 will be able to use the tunnel. I do not know if you changed it to the whole subnet or just followed the directions. You might want to check that or post the config from router2
ASKER
I'm on the internet without problem. I've tried configuring the routers in both configurations: (1) set 192.168.x.0 so all computers on the workgroup should be able to use the tunnel and (2) 192.168.x.xx, where xx is a specific computer, so that only one computer on each end could access the tunnel. Cannot connect in either configuration.
Am I correct in my assumption that I should not have to configure anything on the individual computers?
BTW, Linksys has given me no help on this one, even though I've talked to four different techs.
Not surprising with them. No, this should be a simple router to router tunnel. The routers will handle all the authentication, routing, etc. It should be set 192.168.2.x so that all the subnet can enter, not 192.168.x.0. Was this a typo?
ASKER
Here's what I was trying to say:
Local group: Linksys IP 192.168.2.1
VPN Settings: Local Secure Group: 192.168.2.0
Remote Secure Group: 192.168.1.0
Remote group: Linksys IP: 192.168.1.1
VPN Settings: Local Secure Group: 192.168.1.0
Remote secure group: 192.168.2.0
I show connected on the Linksys VPN page.
Do me a favor and do a router print from the workstation and post the results.
ASKER
Trying to figure out how to do that. If I do an Alt-PrintScrn, I can't paste the result here. If I highlight and paste, it does not paste the data contained within the boxes. I have jpgs of both router pages, but don't know how to get them to you.
Thanks for bearing with me.
No problem, for the route print you can route print >file.txt. This will pipe it to the text file; from there you can use Notepad to copy and paste.
ASKER
Hopes this is ok, didn't set it up too nice, though. It doesn't show status of radio buttons, but they're all Enabled.
Firmware Versi
Broadband Firewall Router
Security Restrict Applications Setup Security Administration Access & Gaming
Firewall VPN
VPN Passthrough
IPSec Pass-Through: Enabled Disabled (Enabled)
PPPoE Pass-Through: Enabled Disabled (Enabled)
PPTP Pass-Through: Enabled Disabled (Enabled)
VPN Tunnel
Select Tunnel Entry: Tunnel 1 (Ruffoni)
Delete Summary
VPN Tunnel: Enabled Disabled (Enabled)
Tunnel Name: Ruffoni
Local Secure Group: Subnet
IP: 192.168.2.0
Mask: 255.255.255.0
Remote Secure Group: Subnet
IP: 192.168.1.0
Mask: 255.255.255.0
Remote Security Gateway: FQDN
Fully-Qualified Domain: ruffmaytag.dyndns.or
Encryption: Disable
Authentication: Disable
Key Management: Auto. (IKE)
PFS: Enabled Disabled (Enabled)
Pre-shared Key: 1235
Key Lifetime: 3600 Sec.
Status: Connected
Disconnect View Log Advanced Setting
Save Cancel Settings Changes
Firmware needs to be 1.45.3 or later; I could not make out which version you are running. This setup all looks good.
What is the actual error message on the ping? Does it just time out or do you get an error message?
ASKER
The BEFSX41 (here) has firmware 1.50.9
The BEFVP41 V2 (remote) has firmware 1.00.12
According to Linksys support site, both are the latest.
When I try a ping, either through Linksys Diagnostic screen or from my computer in a command window, I just get time out.
Tried pinging both the remote router and the computers on the other end.
Don't remember if I mentioned it or not, but I can set up both routers to pass through, then set up a VPN server on a computer on the other end and a client on this end and get through ok. But I need the routers for multiples, as well as for security. (I'm also accessing the remote computer with pcanywhere, so I know it's possible to communicate, just can't do it through the Linksys tunnel.)
Well after eliminating all the obvious let's look at some of the more obscure things. Did you manage to get a route print? Though if the router is not able to ping then I do not think it is with the individual workstations. Any manual routes added to the router? What kind of dsl modems are you using?
If you do a tracrt to 192.168.2.1 where does it hang?
ASKER
Didn't understand your route print before. Here are the results of it:
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 07 e9 64 e9 a2 ...... Intel(R) PRO/1000 CT Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway        Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1    192.168.2.100      20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
      192.168.2.0    255.255.255.0    192.168.2.100    192.168.2.100      20
    192.168.2.100  255.255.255.255        127.0.0.1        127.0.0.1      20
    192.168.2.255  255.255.255.255    192.168.2.100    192.168.2.100      20
        224.0.0.0        240.0.0.0    192.168.2.100    192.168.2.100      20
  255.255.255.255  255.255.255.255    192.168.2.100    192.168.2.100       1
Default Gateway:       192.168.2.1
===========================================================================
Persistent Routes:
  None
If I do a tracrt I get "tracrt is not recognized as internal or external command".
Locally I have a Fujitsu modem with 768/128 service thru Verizon
The remote has a Westel modem with 384/384 service thru verizon.
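An added example (not part of the thread) that applies longest-prefix route selection to the route print table posted above, to show which next hop the workstation uses for the remote subnet 192.168.1.0/24. The function names, the sample host 192.168.1.100 and the extra `STATIC` entry (a static route for the remote subnet via the local router) are assumptions made for illustration.

```python
import ipaddress

# Active routes from the workstation's route print output above:
# (destination, netmask, gateway, interface, metric)
ROUTES = [
    ("0.0.0.0", "0.0.0.0", "192.168.2.1", "192.168.2.100", 20),
    ("127.0.0.0", "255.0.0.0", "127.0.0.1", "127.0.0.1", 1),
    ("192.168.2.0", "255.255.255.0", "192.168.2.100", "192.168.2.100", 20),
    ("192.168.2.100", "255.255.255.255", "127.0.0.1", "127.0.0.1", 20),
    ("192.168.2.255", "255.255.255.255", "192.168.2.100", "192.168.2.100", 20),
    ("224.0.0.0", "240.0.0.0", "192.168.2.100", "192.168.2.100", 20),
    ("255.255.255.255", "255.255.255.255", "192.168.2.100", "192.168.2.100", 1),
]

# Hypothetical extra entry: static route for the remote subnet via the local router.
STATIC = ("192.168.1.0", "255.255.255.0", "192.168.2.1", "192.168.2.100", 1)


def select_route(dest, routes=ROUTES):
    """Pick the route for dest: longest matching prefix, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    best_key, best = None, None
    for net, mask, gateway, iface, metric in routes:
        network = ipaddress.ip_network(f"{net}/{mask}")
        if addr not in network:
            continue
        key = (network.prefixlen, -metric)
        if best_key is None or key > best_key:
            best_key = key
            best = {"network": str(network), "gateway": gateway, "interface": iface}
    return best


def next_hop(dest, routes=ROUTES):
    """Return the address the packet is handed to on the LAN."""
    route = select_route(dest, routes)
    if route is None:
        return None
    # A gateway equal to the interface address means the destination is on-link.
    return dest if route["gateway"] == route["interface"] else route["gateway"]


if __name__ == "__main__":
    # 192.168.1.100 is a constructed address for a host on the remote subnet.
    for target in ("192.168.2.1", "192.168.1.1", "192.168.1.100"):
        print(target, "->", select_route(target)["network"], "via", next_hop(target))
    print("with static route:", next_hop("192.168.1.1", ROUTES + [STATIC]))
```

With or without the static entry, traffic for 192.168.1.0/24 is handed to 192.168.2.1, so whether it enters the tunnel is decided on the router rather than by the workstation's routing table.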
try tracert instead of "tracrt" :-)
ASKER
Here's the results of the tracert. 192.168.2.1 is my local router, 192.168.1.1 is the remote router
C:\DOCUME~1\EDJONE~1>tracert 192.168.2.1
Tracing route to 192.168.2.1 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.2.1
Trace complete.
C:\>tracert 192.168.1.1
Tracing route to 192.168.1.1 over a maximum of 30 hops
1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * ^C
C:\>
I think you need to get rid of the befvp41 router and replace it with another befsx41 router
http://kb.linksys.com/cgi-bin/om_isapi.dll?clientID=652305&QuestionText=how%20to%20setup%20a%20router%20to%20router%20vpn%20tunnel&SelectName1=&advquery=%5bs%5d%5bRank%2c%2050%3a%5bSum%3a%20how%20to%20setup%20a%20router%20to%20router%20vpn%20tunnel%5d%5bMerge%3a%20%5bThesaurus%3a%20how%20to%20setup%20a%20router%20to%20router%20vpn%20tunnel%5d%5d%5d&infobase=linksysrev.nfo&record={3F2}&softpage=IKW_ENU_JDocView
ASKER
And several emails, telephone calls and online conversations with numerous Linksys support personnel did not get me there!
I'll get to the remote location, change the BEFVP41 and let you know the results.
Thanks, it seems the Linksys support has gone downhill.
ASKER
I replaced the BEFVP41 with another BEFSX41. Same result. Called Linksys tech support. Said that that document was out of date and the BEFVP41 does work ok. Didn't have an answer for not being able to ping other than "it may be taking too much time to get all the way through". Said that since I was connected, "Linksys is providing the tunnel and that's all I can do". He recommended disabling the firewall on the routers (already done), allowing anon. internet requests (already done), and setting mtu to 1403. I did that and it did not help.
He did say unofficially that I needed both to have "NetBIOS over TCP/IP" enabled, which I had already done, and that I should install UPNP through Control Panel, Add remove programs, windows setup, networking services. I did that but it didn't help.
Right now, I'm at my wits end!!!!
Ok, you have encryption disabled on the routers? No vpn client software on the computers and no personal firewalls on the computers? How familiar are you with perfmon? There is an icmp monitoring counter you can add and watch to see if it sends receives ping replies.
ASKER
I have encryption and authentication disabled. Using a preshared key with PFS enabled under "Key management". No vpn client software on any computer, no personal firewalls.
I'm not familiar with perfmon and don't have an icmp monitoring counter that I know of.
(It seemed to need the PFS enabled in order to connect. I disabled it and couldn't connect, when I reenabled it it connected immediately)
Try adding this with a
route -p 192.168.1.0 255.255.255.0 192.168.2.191 192.168.2.100
let me know if this works
ASKER
When I did it, it just returned the instructions for route. Should it be "route add -p ..........."? What's the purpose of the 192.168.2.191?
Yes, route add -p. It is giving it a route to the other network.
ASKER
I get a "bad argument 192.168.2.191"
Sorry one more time it should read
route -p add 192.168.1.0 255.255.255.0 192.168.2.1 192.168.2.100
have not had my morning coffee yet :(
ASKER
C:\DOCUME~1\EDJONE~1>route add 192.168.1.0 255.255.255.0 192.168.2.1 192.168.2.100
ROUTE: bad argument 192.168.2.1
You still with me?
ASKER
been really busy with some other stuff. will get back to you soon. Thanks for bearing with me
ASKER
EW, could you contact me directly at central.city-at-gte.net? I'd appreciate it. Thanks
If you click on my name it gives you my email address in my profile.
I am thinking that perhaps your request did go through, but it cannot find the proper route to come back to you. If you cannot create a two-way VPN tunnel, perhaps you should try to find out what virtual IP address RouterB is assigning to RouterA, and add a static route to route all traffic going to the 192.168.1.0 subnet to the virtual IP address of RouterA.