Windows 2003 L2TP/IPSec behind Linksys WRV54G router

I have a Windows 2003 server set to accept incoming VPN connections. The server is behind a brand new Linksys Wireless-G VPN Broadband router. I am trying to connect remote users to the VPN server using L2TP/IPSec connection with encryption and Certificate authentication.

I have created the Self-Signed certificate in the server.
Ports 4500, 1723, 47-50, 500 & 1701 TCP/UDP are forwarded to the local server IP
Set the server to accept Incoming Connections & set up the allowed users.
Set up Server Local Security Policy->IP Security Policies. Here I created a new policy named L2TP that is Assigned. It has a dynamic filter list, Filter Action is set to Default Response, Authentication method is my certificate with a preshared key as second option, no tunnel endpoint, All connection types.

On the client side I have the default XP VPN connection service.
I have Custom setting enabled in Security Tab
I am using optional encryption
EAP protocol:
          Use a certificate in this computer
          Use simple cert. selection
          Validate server cert.
          Trusted RCA is my Certificate Authority (The Win2003 server) Certificate
In Networking I have L2TP/IPSec VPN

When I try to connect from another PC inside the LAN I get this warning:
A certificate cannot be found to be used with EAP.

I have tried using the Pre-Shared key instead of the certificate from the LAN PC, and the connection does not go through. It times out. The Event Viewer->Security log shows a successful login.

As you can see I am failing to connect from the inside, have not tried it from the outside.

The router has VPN tunneling, but the documentation is non-existent and the Linksys site KB is even more confusing. I read the articles about Configuring IPsec Between a Microsoft Windows 2000 or XP and the BEFVP41, and Setting up a VPN tunnel between two BEFSX41 routers, but did not get any insight.

Obviously the router is capable of VPN connections. How do I use the tunnels to connect to the server?

What are my choices? Can I use PPTP instead of L2TP? Can I use the router as the IPSec endpoint instead of the VPN server?


Your suggestions are welcome!

BrainstormerAsked:

bbaoIT ConsultantCommented:
i think you can do any of them (pptp or l2tp), just configure the linksys to do it. for ipsec, linksys has a dedicated option for it; for l2tp, you may use port forwarding and even port triggering. make your choice, then let's go on with the topic.

as for the official documentation of your router, you can download it at ftp://ftp.linksys.com/pdf/wrv54g_ug.pdf. moreover, you may get a lot of linksys-relevant technical posts at http://www.broadbandreports.com/sitesearch, keyword is certainly "linksys"

hope it helps,
bbao
0
BrainstormerAuthor Commented:
How can I configure the Linksys WRV54G router to accept incoming VPN connections from a roaming laptop?

I managed to use PPTP VPN with the Windows 2003 server in the DMZ, but the firewall got flooded with security warnings. I got 30 messages just overnight. I cannot allow that!

Can I make the router as VPN endpoint using the tunneling? How to configure:

Local Secure Group
Remote Secure Group
Remote Secure Gateway
Key Management

to accept incoming VPN connections from dynamic IPs?
0
bbaoIT ConsultantCommented:
just make sure of this first: are you sure your roaming laptop can connect to the vpn server well with a direct ethernet connection? then we go on to use the linksys to isolate them into different kinds of world.
0

BrainstormerAuthor Commented:
yes, the laptops connect to the vpn server using PPTP when inside the LAN.
0
bbaoIT ConsultantCommented:
your Linksys WRV54G router supports PPTP PassThrough, so just enable it at VPN screen of admin console.

download the user manual at ftp://ftp.linksys.com/pdf/wrv54g_ug.pdf.
go to page 31, it gives detailed instructions.
btw, be sure to enable the firewall first. see page 30.

hope it helps,
bbao
0
BrainstormerAuthor Commented:
The manual says:

Remote Security Gateway. The Remote Security Gateway is the VPN device, such as a second VPN Router, on the remote end of the VPN tunnel. Enter the IP Address of the VPN device at the other end of the tunnel. The remote VPN device can be another VPN Router, a VPN Server, or a computer with VPN client software that supports IPSec. The IP Address may either be static (permanent) or dynamic (changing), depending on the settings of the remote VPN device. Make sure that you have entered the IP Address correctly, or the connection cannot be made. Remember, this is NOT the IP Address of the local VPN Router, but the IP Address of the remote VPN Router or device with which you wish to communicate.

I want to enable L2TP VPN so that the laptop can connect to the router and create a secure VPN connection with the router as the end-point. The laptop has a dynamic IP. How do I enter that in the Remote Security Gateway if it changes constantly? The manual is not clear. I want the tunnel to accept connections from any external IP.

I have left it at 0.0.0.0 with 0.0.0.0 subnet. Unfortunately I cannot test it as I am inside the LAN.
0
bbaoIT ConsultantCommented:
i don't think your laptop is a Remote Security Gateway, it is a VPN client. hmm, i think what you should refer to is "VPN PassThrough/L2TP PassThrough" at page 31, not Remote Security Gateway.
0
BrainstormerAuthor Commented:
Quote:

*****
The remote VPN device can be another VPN Router, a VPN Server, or a computer with VPN client software that supports IPSec
*****

That laptop has Windows XP VPN client software. It supports PPTP, L2TP/IPSec.

0
bbaoIT ConsultantCommented:
oh! i think we took an incorrect approach. let me explain it. your VPN server is behind the linksys, so your VPN channel should be connected between your remote laptop and the internal VPN W2K server, not the linksys. right? so i think you should forget the VPN section of the linksys; what we should do on the linksys is allow it to forward incoming VPN traffic to your internal server. this should be done at the Port Forwarding section, at page 37. go ahead.

hope it helps,
bbao
0
BrainstormerAuthor Commented:
I have scrapped the idea of the Windows 2003 VPN server. I tried to open the ports and allow PPTP, L2TP, IPSec via the router, and it did not work. It only worked if the Win 2003 server is exposed in the DMZ. When exposed in the DMZ, the firewall got flooded with attacks. We have other things on that server, like http/mail server software and other sensitive data, and I do not feel comfortable having the server exposed even with the firewall/antivirus running. The Apache and mail server software function through the router port forwarding, which provides a layer of protection against attacks.

I am trying to implement the VPN tunneling options of the router, so we forget the Windows 2003 VPN server. I posted a comment about this before, maybe I was not very clear about it.

The router implements L2TP/IPSec with pre-shared key VPN. The router documentation is not very clear about how to do this with an external dynamic IP address.

I apologize for the confusion.
0
bbaoIT ConsultantCommented:
oh, sorry, i forgot what was in your first post, hehe, EE always leads me to read your last post. ;-)

ok, it is really strange why the linksys does not work with port forwarding but the DMZ host function works. i use linksys too, it works fine, can do anything i want at home.

so i would assume that you have some wrong parameters in other sections that may affect port forwarding... hmm, your router supports Remote Router Access; if you don't mind, i can try remotely accessing your router to diagnose it?
0
bbaoIT ConsultantCommented:
do you know netmeeting? every windows box has it. with it, we can see each other's screen as well as talk/chat with each other, so i can help you directly to set up your router. you know, it takes so much time to type on the keyboard for a quite simple checking action. of course, it is safe since you can control and see all, :-)
0
bbaoIT ConsultantCommented:
hi Brainstormer, i believe the following two KB articles would be helpful to your situation. btw, don't forget they are official answers, hehe ;-))

http://kb.linksys.com/cgi-bin/om_isapi.dll?&infobase=linksysrev.nfo&record={434}&softpage=IKW_ENU_JDocView
http://kb.linksys.com/cgi-bin/om_isapi.dll?&infobase=linksysrev.nfo&record={4C9}&softpage=IKW_ENU_JDocView
0
bbaoIT ConsultantCommented:
sorry, just noticed EE cannot generate the right links for my URLs above; you should copy and paste each line into the address bar.
0
bbaoIT ConsultantCommented:
i know you have tried some ports mentioned in the above links, such as 47, 50, 500, 1723 and 1701, but i am not sure if your settings match each other and are compatible with your router. so i still suggest you read them anyway.
0
BrainstormerAuthor Commented:
I was able to get an Indian guy from Linksys support who spoke decent English and was able to answer most of my questions.

My router currently does not allow incoming VPN connections to its tunnels unless it's from a static IP address, as of firmware 2.03. However, he said the option will be implemented in the next firmware release.

Until that comes out, I have to implement VPN through the router. He recommended opening the ports I already have opened. Guess I will be playing with VPN connections from home this weekend.


Thanks for your help,
0
bbaoIT ConsultantCommented:
got an idea, you can use port triggering to get around it... if you want to have a try, i may help you do it.
0
BrainstormerAuthor Commented:
I am not sure if Port Triggering is the correct way to go. I have Port Range Forwarding enabled to forward connections to the internal IP of VPN server.

My understanding of Port Triggering is that it would just open the router ports if a request comes, but it needs to be triggered from an inside application, such as File Transfer in MSN Messenger.

If a request comes from outside for a VPN connection, how would the router know where to send the data packets? There are 5 PCs in the LAN.

Linksys tech said I can use either Port Range or Port Triggering, but not both. The VPN connection times out at authentication. Since the connection fails from outside but works from inside, I think either the encryption or authentication is failing to forward correctly at the router level. This may be a firmware problem.

I have remote access to the Windows 2003 server, so I will test the VPN from home this weekend.
0
bbaoIT ConsultantCommented:
"If you are using PPTP for inbound VPN through the linksys, you need to have IP Protocol 47 forwarded through the router to the endpoint also. I am certain that particular router is incapable of forwarding protocols inbound other than TCP (6), UDP (17), or ICMP (1); as such, you will NOT be able to forward to your VPN endpoint inside the LAN. The only way to make PPTP inbound work involves making the linksys (or another machine on the public internet) the VPN endpoint, if that is a possibility. Please note that the PPTP passthrough option on most consumer-level routers is for OUTBOUND passthrough, not INBOUND (they're entirely different) - most people assume this works both ways, and it clearly does not

Another (better but more involved) option, if you need to have a VPN server, is to use L2TP/IPsec instead - open UDP ports 500, 1701, and 4500 in and out to your VPN server (or put it in a DMZ). The only new "requirement" is that your VPN server support NAT-T L2TP/IPsec. Windows Server 2003 supports this, as does any *nix OS that can run Super Free/SWAN. You will not be able to use a Windows XP, Windows NT, or 2000 box (server or client) as the endpoint. The Microsoft NAT-T patch for these operating systems is client-only. Another note on Windows and VPN - only Windows Server 2003 supports IPSec tunnels; Windows 2000 and Windows NT Server RRAS support L2TP/IPSec only."

quoted from http://www.extremetech.com/article2/0,3973,1341810,00.asp

so i think the following should work:

http://kb.linksys.com/cgi-bin/om_isapi.dll?&infobase=linksysrev.nfo&record={3F0}&softpage=IKW_ENU_JDocView

hope it helps,
bbao
0
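A check of the thread's forwarding list against what each VPN flavour actually needs to reach a server behind NAT, as an added example (not from the thread, from Linksys or from the quoted article). It models the quoted point that a consumer router forwards only TCP (6), UDP (17) and ICMP (1) inbound, so GRE (IP protocol 47) and ESP (IP protocol 50) can never be satisfied by a "port 47" or "port 50" TCP/UDP rule; the spec string and the set of forwardable protocols are constructed assumptions.

```python
import re
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Rule = Tuple[int, Optional[int]]  # (IP protocol number, port; None = no port)

TCP, UDP, GRE, ESP = 6, 17, 47, 50

# What each VPN flavour needs forwarded to a server behind NAT. GRE and ESP
# are IP protocols that carry no port, so no TCP/UDP port rule covers them.
VPN_REQUIREMENTS: Dict[str, List[Rule]] = {
    "PPTP": [(TCP, 1723), (GRE, None)],
    "L2TP/IPsec NAT-T": [(UDP, 500), (UDP, 4500), (UDP, 1701)],
    "L2TP/IPsec no NAT-T": [(UDP, 500), (ESP, None), (UDP, 1701)],
}

# Constructed to mirror the router entry described at the top of the thread.
THREAD_SPEC = "4500, 1723, 47-50, 500 & 1701 TCP/UDP"


def parse_forwarding_spec(spec: str) -> Set[Rule]:
    """Expand a router-style entry ('4500, 1723, 47-50, 500 & 1701 TCP/UDP')
    into concrete (protocol, port) rules; ranges expand, TCP/UDP means both."""
    body, proto_names = spec.rsplit(" ", 1)
    proto_nums = {"TCP": TCP, "UDP": UDP}
    selected = [proto_nums[p] for p in proto_names.upper().split("/")]
    rules: Set[Rule] = set()
    for token in re.split(r"[,&]\s*", body):
        token = token.strip()
        if not token:
            continue
        lo, _, hi = token.partition("-")
        for port in range(int(lo), int(hi or lo) + 1):
            for proto in selected:
                rules.add((proto, port))
    return rules


def check_vpn_reachability(
    rules: Set[Rule],
    forwardable_protocols: FrozenSet[int] = frozenset({TCP, UDP, 1}),
) -> Dict[str, List[str]]:
    """Return the problems per VPN flavour (empty list = reachable).
    forwardable_protocols models which IP protocols the router can forward
    inbound; the default is the TCP/UDP/ICMP-only case from the quote."""
    report: Dict[str, List[str]] = {}
    for name, needs in VPN_REQUIREMENTS.items():
        problems: List[str] = []
        for proto, port in needs:
            if port is None:  # a raw IP protocol such as GRE or ESP
                if proto not in forwardable_protocols:
                    msg = f"router cannot forward IP protocol {proto}"
                    # The classic mistake: a TCP/UDP rule for *port* 47 or 50
                    # looks like it covers GRE/ESP but does nothing for them.
                    if any(p == proto for _, p in rules):
                        msg += f" (a TCP/UDP port {proto} rule is not protocol {proto})"
                    problems.append(msg)
                elif (proto, None) not in rules:
                    problems.append(f"no forward rule for IP protocol {proto}")
            elif (proto, port) not in rules:
                problems.append(f"no forward rule for protocol {proto} port {port}")
        report[name] = problems
    return report
```

With the thread's list, the NAT-T L2TP/IPsec set is fully covered while PPTP and non-NAT-T IPsec each report the unforwardable protocol, which matches the outcome the thread describes.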
BrainstormerAuthor Commented:
I will consider this question closed as I have not found a solution to this router VPN unless in the DMZ. I will have to solve my problem using Terminal Services.

The tech support suggested that I wait until the new firmware comes out. That will allow access from any IP, not just from a static one.

Thanks for your help.
0
bbaoIT ConsultantCommented:
have you tried the method (port triggering) in my last post? i think it should work.
0
BrainstormerAuthor Commented:
I tried it, did not work. :-(
I will use Terminal Services for now.
0
bbaoIT ConsultantCommented:
:(
0
bbaoIT ConsultantCommented:
it is really strange why yours won't work at all. my linksys works perfectly, including port forwarding, port triggering, upnp, filters and dmz. :)
0
bbaoIT ConsultantCommented:
Brainstormer, how are things? you know, the question is still open... :)
0
BrainstormerAuthor Commented:
I had great expectations for Firmware 2.10 for the Linksys WRV54G. Unfortunately the upgrade had everything but the updated feature for the VPN connection. I spoke to a Linksys customer service representative, who AGAIN promised that the next firmware will have the "Accept from Any IP" feature in it. Until then I will keep this thread open for other possible solutions.
0
bbaoIT ConsultantCommented:
ok, i will keep your thread too. i still think we can solve it by port forwarding and triggering. the key issue is around Protocol 47. when i get a new idea, i will tell you asap and hope you may work with me, ok?

talk to you later,
bbao
0
SoundDocCommented:
Just ran across this while trying to solve the same problem.
I've tried a few Linksyses and have run into the same thing.
I've tried 5 befsr41's; everything worked fine until a firmware upgrade a month ago, now any that have been upgraded no longer work. 2 befw11s4's worked fine; after the firmware update, they stopped working.
And the kicker was the 2 befsv41 VPN Routers that stopped working as soon as the firmware was upgraded. (That will teach me to send a junior tech to upgrade firmware without testing 1 unit first).
After the first w11s4 failed, I bought a wrt54g, and out of the box it doesn't work.

It looks like they broke it in firmware, and have yet to fix it. Luckily I have the ability to downgrade the firmware on all the hardware (except for the new wireless router) and I'm waiting like the rest for the fix.

SD
0
bbaoIT ConsultantCommented:
SoundDoc, thanks for your comment. you have so many linksys boxes available for testing, hehe. :)

>> I've tried 5 befsr41's, everything worked fine until firmware upgrade a month ago,

even with VPN pass-through and port forwarding enabled? you mean the remote computer could access the internal VPN server(s) very well BEFORE the firmware was upgraded?

>> now any that have been upgraded no longer work.
>> 2 befw11s4's worked fine, after firmware update, stopped working.

what are your problematic firmware versions of the befw11s4 and wrt54g?

regards,
bbao
0
SoundDocCommented:
Yes, even with VPN passthrough enabled they are no longer working. I've tried DMZ'ing the server, opening every port to the server, no luck at all. From looking at the server logs, the connections are being made, and authentication begins properly, but the router drops the Windows authentication username and password from the data before it gets to the server and it just hangs until timeout waiting for authentication.

From what I've been able to gather, Linksys says they made a change to the VPN in the newer firmware that only allows connections from static IPs (according to them). They are apparently aware of the issue and working to add the ability to turn this new "feature" off, since apparently they didn't think that anyone would ever use a router on a dynamic IP.... (Sarcasm of course, and I still wonder how much of that is true; how would they tell?)

As for the hardware that now no longer works, I haven't found a version of the wrt54g bios that does work; I believe the problem has existed since day 1 with these routers. But as for the befsr41's, the befsx41's, and the befsv41's (I think I got all the numbers right), I found a site: http://www.drabo-com.de/page13919.htm by googling befvp41 firmware 1.40.4 (just in case the link doesn't work) and was able to download the working versions for the following routers:

befvp41 fw 1.40.4 : http://www.drabo-com.de/befvp41_1404.zip
befsx41 fw 1.43.3 : http://www.drabo-com.de/befsx41_1453_fw.zip
befsr41 fw 1.44.2 : http://www.drabo-com.de/befsr-fw-1442.zip

I didn't upgrade the befw11s4's as they don't need pptp access, but there are older bios versions available at that site for them as well. Don't be worried about the language the site's in; they are the English bios files.

I hope this gets a few more routers working again, and solves a few people's questions. Let's hope their next firmware version corrects a few bugs, and doesn't introduce any more.

SD

(just read over a couple of messages before posting....... Guess this is where I heard about the static IP thing..... Thanks Brainstormer, read through these last night, memory's not that sharp)
0
SoundDocCommented:
Going back to your very initial question, Brainstorm: if the router was working properly and the tunnels passed information properly, all you would need to do to get pptp vpn connections going is to enable WAN requests, allow pptp and passthrough, and forward port 1723 to your server with Routing and Remote Access configured. I haven't actually set up the ipsec passthrough yet, but it should be the same: ipsec passthrough enabled, cert server set up, and port 1721 (500 as well?) I believe.

It sounds as if your initial configuration is fine, but the router is the source of all your problems, as running in the DMZ makes it work properly. (haven't tried running a server in the DMZ of that router; the other ones didn't work in the DMZ though).

And to BBAO, as yet, all these routers worked fine with pptp vpn connections BEFORE the bios upgrade, configured just as Brainstormer had them.

I guess the only real answer, Brainstorm, is to wait, or get a different router that does work for the time being.

SD
0
chinnygtpCommented:
Anyone able to succeed with this yet? I've got firmware ver 2.02.xx and it's still not letting my pptp connection through to a 2000 Server....
0
bbaoIT ConsultantCommented:
chinnygtp, what does your pptp connection refer to? incoming traffic or outgoing traffic?

SoundDoc, i am going to get a wrt54g for my office, what is the latest firmware version of it? thanks.
0
SoundDocCommented:
This question was closed, but I'll answer what I can here.
The WRT54G with the newest firmware 2.04.4 still DOES NOT work for incoming pptp or L2TP connections.
I tossed the idea of getting it going, and I'm using 2 of them now just as wireless access points. (cheaper than a standalone WAP).

As for a router, I have gone with a Watchguard Firebox X router. Much more powerful and configurable, night and day between the products. No problems whatsoever.

As for price, it's a bit more, but a Watchguard SOHO router is more in the price range of a wrt54g, and would work as well.

In between the WRT54G and getting the Firebox, I used an old P75 I had kicking around, threw 2 NICs in it and ran ClarkConnect Home on it. Worked fine, and is quite good for an office-type setup.

Hope this helps.

sd
0
bbaoIT ConsultantCommented:
SoundDoc, thanks for your comment, although my reply is late, hehe. ;))

i just upgraded my WRT54G with the latest firmware, Version: v3.01.3, but it seems it still does NOT properly forward L2TP requests (port 1701) to the internal L2TP server behind the WRT54G...
0