sjeprises

RV042 and Quick VPN

I just got the Linksys RV042. Thought the QuickVPN would be simple to implement. Alas, it's not. I have upgraded the firmware and done everything Linksys says to do on their (limited) support page. I get the tunnel, but I always get the Network Gateway did not respond. Trying to connect remotely from an XP Pro box, if that matters. Anybody with experience with this box? Thanks.
sjeprises

ASKER

I have a cable modem hooked to the RV042. The RV is 192.168.3.x so as not to interfere. Linksys also has a laundry list of items to ensure connection, and I have done all of those. I still get a tunnel into the RV. It activates the policy and then verifies the network. It's then (after about 4-5 minutes) that I get the "The remote gateway is not responding. You will now be disconnected." I can remotely hook into the Linksys, so I know the address is OK. I am continuing to tinker.
When the QuickVPN connects, can you ping the LAN side of the RV042 and some remote device to verify you have connectivity, if only for a minute? If so it may be your MTU (Maximum Transmission Unit) packet size is too large. Have a look at the following links regarding MTU issues and how to tweak for optimum performance, basically reduce in steps to 1300 to see if there is any improvement. This should be done on the client machine and client router.
http://www.dslreports.com/faq/7752
http://www.chicagotech.net/vpnslow.htm

ps- There are no satellite connections involved here are there?
sjeprises, forgot to mention you should try disabling any software firewalls on the client and machine you are trying to connect to as well, just while testing. If they pose a problem you can configure for the appropriate services later.
Rob -

It never says I'm connected. I just get past policy verification when I get disconnected at network verification. All firewalls on both ends are disabled for testing. ARRRGH!
Can you verify the RV042 has a public IP and you are connecting to it? To do so, from the site where the RV042 is, go to http://www.whatismyip.com. Verify the return IP is the one you are trying to connect to with the QuickVPN and also it is the WAN port of the RV042 and not the modem.

Also for test purposes can you connect the remote/client computer directly to the Internet bypassing the router? Make sure you enable the Windows firewall, and disable file and print sharing for this, so you are less susceptible to attack.
I have a 24.15.152.xxx for my router address. I can access the router from the web, so I know that's right. When I change the address thru QuickVPN (as a test) I get an instant disconnect, so I'm doing something right (I think). Is there anything on the network side of the router that could need changing? I can use my Remote Desktop within the network, so that part is working. Maybe I should bypass QuickVPN and set up a tunnel? What do you think?
>>"Is there anything on the network side of the router that could need changing? "
No, at least not at this point. The Quick VPN should be able to make a connection to the RV042 without a network even being connected. Based on what you have described above, I would say the RV042 end is set up correctly.

The only other possible problem I can see is the IPSec packets being blocked at the remote site and not allowing the connection to complete. If you could test without a router at the client site that would eliminate most problems. It is possible, although very rare, that the ISP does not support IPSec.

As for "bypassing" the QuickVPN.....I haven't had much in the way of problems without in numerous locations but lots of folks have. You can connect directly using remote desktop by enabling port forwarding on port 3389. This is not as secure. The other option is to create a Windows VPN tunnel by creating a Windows VPN server at one end and using the Windows VPN client at the other. An excellent site with good detail for the different scenarios is:
http://www.onecomputerguy.com/networking.htm

Another secure option is a new VPN client/server called Hamachi. It doesn't require any port forwarding and is quite easy to set up:
http://www.hamachi.cc
I am using Comcast and haven't found anything about them blocking ipsec, but you never know. Please elaborate on testing with no router on client side. I'm confused. Are you saying to just connect to the modem and bypass the router on the client side altogether? Thanks for all the help, by the way!
>>"I am using Comcast and haven't found anything about them blocking ipsec, but you never know."
Unlikely they would block it.

>>"Are you saying to just connect to the modem and bypass the router on the client side altogether?"
Yes, just as a test. Make sure you enable the Windows firewall and best to turn off file and print sharing to protect yourself. When you start the QuickVPN client the firewall will likely ask you if you want the application to be allowed Internet access, choose yes.

>>"Thanks for all the help, by the way!"
You are very welcome. Curious as to the ultimate solution.


Just got off live chat with Linksys: Useless. Here is a snippet from the security log:
Connection Refused - Policy violation    UDP 69.156.123.24:6881->24.15.152.10:57524 on ixp1
Mar 14 09:45:15 2006    Connection Accepted    TCP 82.3.80.113:1610->24.15.152.10:57524 on ixp1
Mar 14 09:45:15 2006    Connection Refused - Policy violation    UDP 84.179.224.xx:56559->24.15.152.xx:57524 on ixp1
Mar 14 09:45:16 2006    Connection Refused - Policy violation    UDP 201.58.71.xx:6881->24.15.152.xx:57524 on ixp1
Mar 14 09:45:17 2006    Connection Refused - Policy violation    UDP 84.179.224.xx:56559->24.15.152.xx:57524 on ixp1
Mar 14 09:45:19 2006    Connection Refused - Policy violation    UDP 88.218.1.xx:6881->24.15.152.xx:57524 on ixp1

Also the Linksys site says:

"The remote gateway is not responding.  You will now be disconnected, please try again later:"

This prompt will appear when the IPSec tunnel can be established, but the remote router cannot be reached.  Check that you are not using the same subnet as the remote network (i.e., if your local network is on a 10.252.240.x subnet, the remote network cannot use the same 10.252.240.x subnet).  Then, restart the client computer and try establishing a connection again.

My router is now 10.0.01 and the remote is 192.168.1.0

Any more thoughts?

To me the following:
Mar 14 09:45:15 2006    Connection Accepted    TCP 82.3.80.113:1610->24.15.152.10:57524 on ixp1
Mar 14 09:45:15 2006    Connection Refused - Policy violation    UDP 84.179.224.xx:56559->24.15.152.xx:57524 on ixp1

indicates the basic connection is initiated but incomplete due to policy violation, which would probably be due to blocked IKE encryption. This could be due to the remote/client end problems such as the remote router. This is why I was suggesting trying a direct connection to the modem. Sounds like the RV042 end is OK as you have a public IP on the router (no modem interference), you have different subnets, and the client is finding the RV042 as indicated by the "connection accepted".

The policy violation could also be due to incorrect UserName and/or password.
I will try the client to modem next. But to you, the RV042 looks like it's doing its job? If the client modem is the problem, how would I go about connecting in Hotels and such, where I cannot control the firewall? Doesn't that defeat the purpose? I have reset the router to defaults and re-entered the user/password so that is an unlikely cause. Looks like the client router is next best bet.
Actually that is the problem, many networks will not support a VPN client of any sort. This can be due to many issues; older routers do not support VPN traffic, some newer routers have to have that feature enabled, some locations intentionally block all network traffic except port 80 and 443, and few larger public areas use proxy servers. For now I am just suggesting as a process of elimination to find where the problem lies.
I was at a hot spot and found the following:
When I logged onto my RV042 with QuickVPN I got the same messages, and was going to be disconnected. Instead of clicking OK, I pinged the RV042 and a few PC's on the LAN. The response was "Negotiating IP Security". As soon as I disconnected I, obviously, got a timeout error. I found that "odd".
I haven't seen it with the QuickVPN client, but I have seen where you have a TCP/IP connection but because the encryption protocol negotiations have not completed you cannot communicate. I wonder if this was the case in your situation.
Turned off DHCP last night on the RV042. Set a static address on the host computer and it went through like a champ. Turned DHCP back on and I get stuck at the networking screen. I guess it would have been nice to know. That being said, do I have to use another router after the RV042 to achieve DHCP? There are not too many computers, but static always sucks, to me. My exact configuration is a Cayman modem, RV042 and a switch and wireless router that feed off the RV042. Is it possible to have the RV042 lead directly to the wireless and have that do DHCP services? Any thoughts would be appreciated.
That is very bizarre. You turned off DHCP on the LAN connecting and it worked? Shouldn't have anything to do with it. I have set up more than a dozen RV042's and DHCP is enabled on every one of them.
Switching off DHCP should require a reboot of the router, could that have possibly been what repaired it? Have you tried re-enabling DHCP to see if it breaks again?

As for inserting the wireless between the router and the RV042, that can work, but you may have a hard time connecting to the host computer where both routers will be performing NAT (Network Address Translation). Actually you should be able to disable DHCP on the RV042, enable on the wireless, connect one of the LAN ports of the wireless to one of the LAN ports of the RV042, ignore the wireless WAN port and WAN configuration, set the LAN IP of the wireless to an address in the same subnet as the RV042's LAN IP. This makes the Wireless a simple access point. Then connect your switch or wired connections to the LAN ports of the RV042. The wireless users would connect through the wireless routers, and you may have a hard time connecting to them if you need to remotely. However the wired users should get a DHCP address from the wireless unit, where it is the only DHCP server, and still connect directly to the RV042.
ps- Thanks for the points sjeprises,
--Rob
I got the idea about DHCP from the linksysinfo.org forum http://www.linksysinfo.org/modules.php?name=Forums&file=viewtopic&t=11664 which states:

ON THE WRV54G/RV0XX ROUTERS:
1) Setup Page
Internet Connection Type: Automatic Configuration (DHCP)
MTU: Auto
DHCP Server: Disable


I'm up dreaming about this damn box at night. I have to get it working soon.

You deserve the points for hanging with me!
>>"DHCP Server: Disable "
I'd be curious if re-enabling breaks it.
FYI- I have turned off DHCP and was able to connect. The only other "not out of the box" setting I had was a static address to the PC I want to remote to. I removed that and will try again. Also, I copied a snippet of the log for the past 2 days. It shows connecting on a different port. Any thoughts?
Log:
Mar 14 10:26:14 2006    Connection Refused - Policy violation    TCP 71.57.61.18:1477->24.15.152.xx:443 on ixp1
Mar 14 10:27:14 2006    Connection Refused - Policy violation    TCP 71.57.61.18:1478->24.15.152.xx:443 on ixp1
Mar 15 04:27:32 2006    Connection Accepted    UDP 71.57.61.18:500->24.15.152.xx:500 on ixp1
Mar 15 04:30:41 2006    Connection Accepted    UDP 71.57.61.18:500->24.15.152.xx:500 on ixp1

All accepted connections have been on UDP:500.
The connecting client uses any randomly available outgoing port, to some degree. This is typical of most services, however it must connect to the appropriate incoming port at the host end, 80 for standard HTTP, etc. Quick VPN uses TCP 443 SSL (Secure Sockets Layer) protocol, to establish and authenticate the connection, and UDP port 500 to negotiate the IKE encryption protocol. If you have the latest version of the client it will resort to port 60443 if 443 is in use by another service.

Let me know if it still works if you re-enable DHCP.
Thanks,
--Rob
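Added example (not part of the thread and not Linksys tooling): a small parser for the RV042 security-log layout posted above. It groups entries by client and by the QuickVPN ports described in the preceding reply (TCP 443 or 60443 for SSL authentication, UDP 500 for IKE) and reports which stage never had an accepted connection. The stage names, function names and sample addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

# Ports named in the thread: TCP 443 (SSL authentication), TCP 60443
# (fallback used by newer clients), UDP 500 (IKE negotiation).
STAGES = {("TCP", 443): "ssl-auth", ("TCP", 60443): "ssl-auth", ("UDP", 500): "ike"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8} \d{4})\s+"
    r"Connection (?P<verdict>Accepted|Refused)(?: - (?P<reason>.+?))?\s+"
    r"(?P<proto>TCP|UDP) (?P<src>[\d.x]+):\d+->(?P<dst>[\d.x]+):(?P<dport>\d+) on \S+$"
)

def summarize(lines):
    """Return {client_ip: {stage: {"Accepted": n, "Refused": n}}} for QuickVPN ports."""
    out = defaultdict(lambda: defaultdict(lambda: {"Accepted": 0, "Refused": 0}))
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # truncated line or a different log layout
        stage = STAGES.get((m["proto"], int(m["dport"])))
        if stage:  # traffic to other ports is not part of the QuickVPN handshake
            out[m["src"]][stage][m["verdict"]] += 1
    return out

def stalled_stages(summary, client):
    """Stages with no accepted connection from this client (hypothetical helper)."""
    stages = summary.get(client, {})
    return sorted(s for s in ("ssl-auth", "ike")
                  if stages.get(s, {}).get("Accepted", 0) == 0)

# Constructed sample in the log layout shown in the thread (documentation IPs).
SAMPLE = """\
Mar 14 10:26:14 2006    Connection Refused - Policy violation    TCP 198.51.100.7:1477->203.0.113.10:443 on ixp1
Mar 14 10:27:14 2006    Connection Refused - Policy violation    TCP 198.51.100.7:1478->203.0.113.10:443 on ixp1
Mar 15 04:27:32 2006    Connection Accepted    UDP 198.51.100.7:500->203.0.113.10:500 on ixp1
Mar 15 04:30:41 2006    Connection Accepted    TCP 198.51.100.9:1610->203.0.113.10:57524 on ixp1
Mar 15 04:31:02 2006    Connection Refused - Policy violation    UDP 198.51.100.9:6881->203.0.113.10:57524 on ixp1
""".splitlines()

if __name__ == "__main__":
    s = summarize(SAMPLE)
    for client in s:
        print(client, dict(s[client]), "never accepted:", stalled_stages(s, client))
```

Run against an exported log, this separates the entries that belong to a QuickVPN attempt from unrelated inbound traffic before reading anything into a "Policy violation" line.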
Hey Rob,

Just an update. Installed the RV042 in its final location, without a hitch. Quick VPN did what it was advertised on the first try. Thanks for helping and listening to me whine. I'm sure I'll be bugging you again.

Scott
Glad to hear it is working properly. Thanks for the update,
--Rob