Solved

Windows 2003 L2TP/IPSec behind Linksys WRV54G router

Posted on 2003-12-09
38
6,218 Views
Last Modified: 2010-05-18
I have a Windows 2003 server set to accept incoming VPN connections. The server is behind a brand new Linksys Wireless-G VPN Broadband router. I am trying to connect remote users to the VPN server using L2TP/IPSec connection with encryption and Certificate authentication.

I have created the Self-Signed certificate in the server.
Ports 4500, 1723, 47-50, 500 & 1701 TCP/UDP are forwarded to the local server IP
Set the server to accept Incoming Connections & set up the allowed users.
Set up Server Local Security Policy->IP Security Policies. Here I created a new policy named L2TP that is Assigned. It has a dynamic filter list, Filter Action is set to Default Response, the authentication method is my certificate with a preshared key as second option, no tunnel endpoint, all connection types.

On the client side I have the default XP VPN connection service.
I have Custom setting enabled in Security Tab
I am using optional encryption
EAP protocol:
          Use a certificate in this computer
          Use simple cert. selection
          Validate server cert.
          Trusted RCA is my Certificate Authority (The Win2003 server) Certificate
In Networking I have L2TP/IPSec VPN

When I try to connect from another PC inside the LAN I get this warning:
A certificate can not be found to be used with EAP.

I have tried using the Pre-Shared key instead of the certificate from the LAN PC, and the connection does not go through. It times out. The Event Viewer->Security log shows a successful login.

As you can see I am failing to connect from the inside, have not tried it from the outside.

The router has VPN tunneling, but the documentation is non-existent and the Linksys site KB is even more confusing. I read the articles about Configuring IPsec Between a Microsoft Windows 2000 or XP and the BEFVP41, and Setting up a VPN tunnel between two BEFSX41 routers, but did not get any insight.

Obviously the router is capable of VPN connections. How do I use the tunnels to connect to the server?

What are my choices? Can I use PPTP instead of L2TP? Can I use the router as the IPSec endpoint instead of the VPN server?


Your suggestions are welcome!

Question by:Brainstormer
38 Comments
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 9911250
I think you can do any of them (PPTP or L2TP); just configure the Linksys to do it. For IPsec, Linksys has a dedicated option for it; for L2TP, you may use port forwarding and even port triggering. Make your choice, then let's go on with the topic.

As for the official documentation of your router, you can download it at ftp://ftp.linksys.com/pdf/wrv54g_ug.pdf. Moreover, you may find a lot of Linksys-related technical posts at http://www.broadbandreports.com/sitesearch; the keyword is certainly "linksys".

hope it helps,
bbao
0
 
LVL 6

Author Comment

by:Brainstormer
ID: 9912287
How can I configure the Linksys WRV54G router to accept incoming VPN connections from a roaming laptop?

I managed to use PPTP VPN using the Windows 2003 server in the DMZ, but the firewall got flooded with security warnings. I got 30 messages just overnight. I cannot allow that!

Can I make the router as VPN endpoint using the tunneling? How to configure:

Local Secure Group
Remote Secure Group
Remote Secure Gateway
Key Management

to accept incoming VPN connections from dynamic IPs?
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 9912324
Just make sure of this first: are you sure your roaming laptop can connect to the VPN server well with a direct Ethernet connection? Then we go on to use the Linksys to isolate them into different kinds of worlds.
0
 
LVL 6

Author Comment

by:Brainstormer
ID: 9914760
yes, the laptops connect to the vpn server using PPTP when inside the LAN.
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 9918376
Your Linksys WRV54G router supports PPTP PassThrough, so just enable it in the VPN screen of the admin console.

Download the user manual at ftp://ftp.linksys.com/pdf/wrv54g_ug.pdf.
Go to page 31; it gives detailed instructions.
BTW, be sure to enable the firewall first. See page 30.

hope it helps,
bbao
0
 
LVL 6

Author Comment

by:Brainstormer
ID: 9920492
The manual says:

Remote Security Gateway. The Remote Security Gateway is the VPN device, such as a second VPN Router, on the remote end of the VPN tunnel. Enter the IP Address of the VPN device at the other end of the tunnel. The remote VPN device can be another VPN Router, a VPN Server, or a computer with VPN client software that supports IPSec. The IP Address may either be static (permanent) or dynamic (changing), depending on the settings of the remote VPN device. Make sure that you have entered the IP Address correctly, or the connection cannot be made. Remember, this is NOT the IP Address of the local VPN Router, but the IP
Address of the remote VPN Router or device with which you wish to communicate.

I want to enable L2TP VPN so that the laptop  can connect to the router and create a secure VPN connection with the router as end-point. The laptop has a dynamic IP. How do I enter that in the Remote Security Gateway if it changes constantly? The manual is not clear. I want the tunnel to accept connections from any external IP.

I have left it at 0.0.0.0 with 0.0.0.0 subnet. Unfortunately I can not test it as I am inside the LAN.
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 9920729
I don't think your laptop is a Remote Security Gateway; it is a VPN client. Hmm, I think what you should refer to is "VPN PassThrough/L2TP PassThrough" at page 31, not Remote Security Gateway.
0
 
LVL 6

Author Comment

by:Brainstormer
ID: 9920896
Quote:

*****
The remote VPN device can be another VPN Router, a VPN Server, or a computer with VPN client software that supports IPSec
*****

That laptop has Windows XP VPN client software. It supports PPTP, L2TP/IPSec.

0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 9921113
Oh! I think we got on an incorrect approach. Let me explain it. Your VPN server is behind the Linksys; your VPN channel should be connected between your remote laptop and the internal VPN W2K server, not the Linksys, right? So I think you should forget the VPN section of the Linksys; what we should do on the Linksys is allow it to forward incoming VPN traffic to your internal server. This should be done in the Port Forwarding section, at page 37. Go ahead.

hope it helps,
bbao
0
 
LVL 6

Author Comment

by:Brainstormer
ID: 9921470
I have scrapped the idea of the Windows 2003 VPN server. I tried to open the ports and allow PPTP, L2TP, IPSec via the router, and it did not work. It only worked if the Win 2003 server is exposed in the DMZ. When exposed in the DMZ, the firewall got flooded with attacks. We have other things on that server, like http/mail server software and other sensitive data, and I do not feel comfortable having the server exposed even with the firewall/antivirus running. The Apache and mail server software function through the router port forwarding, which provides a layer of protection against attacks.

I am trying to implement the VPN tunneling options of the router, so we forget the Windows 2003 VPN server. I posted a comment about this before, maybe I was not very clear about it.

The router implements L2TP/IPSec with pre-shared key VPN. The router documentation is not very clear about how to do this with an external dynamic IP address.

I apologize for the confusion.
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 9921716
Oh, sorry, I forgot what was in your first post, heeh, EE always leads me to read your last post. ;-)

OK, it is really strange why the Linksys does not work on port forwarding but the DMZ host function works. I use a Linksys too; it works fine, I can do anything I want at home.

So I would assume that you have some wrong parameters in other sections that may affect port forwarding... hmm, your router supports Remote Router Access; if you don't mind, I can try remote access to your router to diagnose it?
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 9922144
Do you know NetMeeting? Every Windows box has it. With it, we can see each other's screen as well as talk/chat with each other, so I can help you directly to set up your router. You know, it takes so much time to type on the keyboard for a quite simple act of checking. Of course, it is safe since you can control and see everything. :-)
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 9926377
Hi Brainstormer, I believe the following two KB articles would be helpful to your situation. BTW, don't forget they are official answers, hehe ;-))

http://kb.linksys.com/cgi-bin/om_isapi.dll?&infobase=linksysrev.nfo&record={434}&softpage=IKW_ENU_JDocView
http://kb.linksys.com/cgi-bin/om_isapi.dll?&infobase=linksysrev.nfo&record={4C9}&softpage=IKW_ENU_JDocView
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 9926403
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 9926420
Sorry, I just noticed EE cannot generate the right links for my URLs above; you should copy and paste each line into the address bar.
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 9926516
I know you have tried some ports mentioned in the above links, such as 47, 50, 500, 1723 and 1701, but I am not sure if your settings match each other and are compatible with your router, so I still suggest you read them anyway.
0
 
LVL 6

Author Comment

by:Brainstormer
ID: 9928054
I was able to get an Indian guy from Linksys support that spoke decent English and was able to answer most of my questions.

My router currently does not allow incoming VPN connections to its tunnels unless it's a static IP address, as of firmware 2.03. However, he said the option will be implemented in the next firmware release.

Until that comes out, I have to implement VPN through the router. He recommended opening the ports I already have opened. Guess I will be playing with VPN connections from home this weekend.


Thanks for your help,
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 9928090
Got an idea: you can use port triggering to get around it... if you want to have a try, I may help you do it.
0
 
LVL 6

Author Comment

by:Brainstormer
ID: 9929416
I am not sure if Port Triggering is the correct way to go. I have Port Range Forwarding enabled to forward connections to the internal IP of VPN server.

My knowledge about Port Triggering is that it would just open the router ports if a request comes, but it needs to be triggered from an inside application, such as File Transfer in MSN Messenger.

If a request comes from outside for a VPN connection, how would the router know where to send the data packets? There are 5 PCs in the LAN.

Linksys tech said I can use either Port Range or Port Triggering, but not both. The VPN connection times out at authentication. Since the connection fails from outside but works from inside, I think either the encryption or authentication is failing to forward correctly at router level. This may be a firmware problem.

I have remote access to the Windows 2003 server, so I will test the VPN from home this weekend.
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 9929528
"If you are using PPTP for inbound VPN through the linksys, you need to have IP Protocol 47 forwarded through the router to the endpoint also. I am certain that particular router is incapable of forwarding protocols inbound other than TCP (6), UDP (17), or ICMP (1); as such, you will NOT be able to forward to your VPN endpoint inside the LAN. The only way to make PPTP inbound work involves making the linksys (or another machine on the public internet) the VPN endpoint, if that is a possibility. Please note that the PPTP passthrough option on most consumer-level routers is for OUTBOUND passthrough, not INBOUND (they're entirely different) - most people assume this works both ways, and it clearly does not

Another (better but more involved) option, if you need to have a VPN server, is to use L2TP/IPsec instead - open UDP ports 500, 1701, and 4500 in and out to your VPN server (or put it in a DMZ). The only new "requirement" is that your VPN server support NAT-T L2TP/IPsec. Windows Server 2003 supports this, as does any *nix OS that can run Super Free/SWAN. You will not be able to use a Windows XP, Windows NT, or 2000 box (server or client) as the endpoint. The Microsoft NAT-T patch for these operating systems is client-only. Another note on Windows and VPN - only Windows Server 2003 supports IPSec tunnels; Windows 2000 and Windows NT Server RRAS support L2TP/IPSec only."

quoted from http://www.extremetech.com/article2/0,3973,1341810,00.asp

so i think the following should work:

http://kb.linksys.com/cgi-bin/om_isapi.dll?&infobase=linksysrev.nfo&record={3F0}&softpage=IKW_ENU_JDocView

hope it helps,
bbao
0
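The quoted explanation above, like the port list in the original question ("47-50 TCP/UDP"), turns on the difference between a TCP/UDP port and an IP protocol number. The following Python script is an added example, not code from this thread, from Linksys, or from the quoted ExtremeTech article: it models a port-based forwarder that can only match TCP, UDP and ICMP, feeds it constructed IPv4 packets for each flow an inbound VPN client sends, and reports which flows reach the LAN host. The rule set mirrors the question's port list; the LAN target 192.168.1.10, the public addresses and the packet contents are constructed placeholders.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional

# IANA IP protocol numbers. 47 (GRE) and 50 (ESP) are protocol numbers, not ports:
# a packet carrying them has no TCP/UDP header and therefore no port field to match on.
PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP = 1, 6, 17, 47, 50
PORT_BASED_PROTOCOLS = {PROTO_ICMP, PROTO_TCP, PROTO_UDP}  # what the quoted router can match


@dataclass(frozen=True)
class ForwardRule:
    """One 'Port Range Forwarding' entry: transport protocol, port range, LAN target."""
    proto: int
    port_lo: int
    port_hi: int
    target: str


def ipv4_packet(proto: int, payload: bytes, src="203.0.113.10", dst="198.51.100.1") -> bytes:
    """Build a minimal IPv4 header (no options, checksum left zero) in front of payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                         64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def transport_header(sport: int, dport: int) -> bytes:
    """First bytes of a TCP or UDP header: source port, destination port, then padding."""
    return struct.pack("!HH", sport, dport) + bytes(16)


def classify(pkt: bytes):
    """Return (ip_protocol, destination_port_or_None) for a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    payload = pkt[ihl:]
    if proto in (PROTO_TCP, PROTO_UDP) and len(payload) >= 4:
        return proto, struct.unpack("!H", payload[2:4])[0]
    return proto, None


def forward(pkt: bytes, rules) -> Optional[str]:
    """Simulate a port-based NAT forwarder: return the LAN target, or None if dropped."""
    proto, dport = classify(pkt)
    if proto not in PORT_BASED_PROTOCOLS:
        return None  # GRE, ESP, ...: there is no port to match a rule against
    for rule in rules:
        if rule.proto == proto and dport is not None and rule.port_lo <= dport <= rule.port_hi:
            return rule.target
    return None


# Constructed sample traffic: one packet per flow an inbound VPN client would send.
SAMPLE_FLOWS = {
    "pptp_control_tcp_1723": ipv4_packet(PROTO_TCP, transport_header(40001, 1723)),
    "pptp_data_gre": ipv4_packet(PROTO_GRE, bytes(8)),
    "ike_udp_500": ipv4_packet(PROTO_UDP, transport_header(500, 500)),
    "ike_natt_udp_4500": ipv4_packet(PROTO_UDP, transport_header(4500, 4500)),
    "ipsec_esp": ipv4_packet(PROTO_ESP, bytes(8)),
    "tcp_dport_47": ipv4_packet(PROTO_TCP, transport_header(40002, 47)),
}


def poster_rules(target="192.168.1.10"):
    """The port list from the question ('4500, 1723, 47-50, 500 & 1701 TCP/UDP');
    the LAN target address is a constructed placeholder."""
    ranges = [(4500, 4500), (1723, 1723), (47, 50), (500, 500), (1701, 1701)]
    return [ForwardRule(p, lo, hi, target) for lo, hi in ranges for p in (PROTO_TCP, PROTO_UDP)]


def evaluate(rules):
    """Map each sample flow to the target it reaches, or None if the forwarder drops it."""
    return {name: forward(pkt, rules) for name, pkt in SAMPLE_FLOWS.items()}


def assess(rules):
    """Which VPN types can complete through this forwarder?
    PPTP needs TCP 1723 plus GRE; L2TP/IPsec with NAT-T needs UDP 500 and UDP 4500
    (ESP, and the L2TP UDP 1701 traffic inside it, travel in the UDP 4500 encapsulation)."""
    r = evaluate(rules)
    return {
        "pptp_inbound_works": r["pptp_control_tcp_1723"] is not None and r["pptp_data_gre"] is not None,
        "l2tp_ipsec_natt_works": r["ike_udp_500"] is not None and r["ike_natt_udp_4500"] is not None,
    }


if __name__ == "__main__":
    rules = poster_rules()
    for name, target in evaluate(rules).items():
        print(f"{name:24s} -> {target or 'DROPPED (no port to match)'}")
    print(assess(rules))
```

Running it shows that the question's rules forward a TCP packet whose destination port is 47 (which no PPTP client ever sends) while dropping the GRE data channel, so PPTP cannot complete; the same rules do forward UDP 500 and UDP 4500, which is why the quote recommends L2TP/IPsec with NAT-T against a server that supports it.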
 
LVL 6

Author Comment

by:Brainstormer
ID: 9941810
I will consider this question closed as I have not found a solution to this router VPN unless in DMZ. I will have to solve my problem using Terminal Services.

The tech support suggested that I wait until the new firmware comes out. That will allow access from any IP, not just static.

Thanks for your help.
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 9942698
Have you tried the method (port triggering) in my last post? I think it should work.
0
 
LVL 6

Author Comment

by:Brainstormer
ID: 9943980
I tried it, did not work. :-(
I will use Terminal Services for now.
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 9943999
:(
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 9944063
It is really strange why yours won't work at all. My Linksys works perfectly, including port forwarding, port triggering, UPnP, filters and DMZ. :)
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 10055523
Brainstormer, how are things? You know, the question is still open... :)
0
 
LVL 6

Author Comment

by:Brainstormer
ID: 10055894
I had great expectations for Firmware 2.10 for the Linksys WRV54G. Unfortunately the upgrade had everything but the updated feature for the VPN connection. I spoke to a Linksys customer service representative, who AGAIN promised that the next firmware will have the "Accept from Any IP" feature in it. Until then I will keep this thread open for other possible solutions.
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 10056191
OK, I will keep your thread too. I still think we can solve it by port forwarding and triggering. The key issue is around Protocol 47. When I get a new idea, I will tell you ASAP and hope you may work with me, OK?

talk to you later,
bbao
0
 
LVL 2

Expert Comment

by:SoundDoc
ID: 10068530
Just ran across this while trying to solve the same problem.
I've tried a few Linksyses and have run into the same thing.
I've tried 5 BEFSR41s; everything worked fine until a firmware upgrade a month ago, and now any that have been upgraded no longer work. 2 BEFW11S4s worked fine; after the firmware update, they stopped working.
And the kicker was the 2 BEFSV41 VPN Routers that stopped working as soon as the firmware was upgraded. (That will teach me to send a junior tech to upgrade firmware without testing 1 unit first.)
After the first W11S4 failed, I bought a WRT54G, and out of the box it doesn't work.

It looks like they broke it in firmware and have yet to fix it. Luckily I have the ability to downgrade the firmware on all the hardware (except for the new wireless router), and I'm waiting like the rest for the fix.

SD
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 10069280
SoundDoc, thanks for your comment. You have so many Linksys boxes available for testing, hehe. :)

>> I've tried 5 befsr41's, everything worked fine until firmware upgrade a month ago,

Even with enabling VPN pass-through and port forwarding? You mean the remote computer could access the internal VPN server(s) very well BEFORE the firmware was upgraded?

>> now any that have been upgraded no longer work.
>> 2 befw11s4's worked fine, after firmware update, stopped working.

What are your problematic firmware versions of the BEFW11S4 and WRT54G?

regards,
bbao
0
 
LVL 2

Expert Comment

by:SoundDoc
ID: 10076042
Yes, even with enabling VPN passthrough they are no longer working. I've tried DMZ'ing the server, opening every port to the server, no luck at all. From looking at the server logs, the connections are being made, and authentication begins properly, but the router drops the Windows authentication username and password from the data before it gets to the server, and it just hangs until timeout waiting for authentication. From what I've been able to gather, Linksys says they made a change to the VPN in the newer firmware that only allows connections from static IPs (according to them). They are apparently aware of the issue and working to add the ability to turn this new "feature" off, since apparently they didn't think that anyone would ever use a router on a dynamic IP.... (Sarcasm of course, and I still wonder how much of that is true; how would they tell?) As for the hardware that now no longer works, I haven't found a version of the WRT54G BIOS that does work; I believe the problem has existed since day 1 with these routers. But as for the BEFSR41s, the BEFSX41s, and the BEFSV41s (I think I got all the numbers right), I found a site: http://www.drabo-com.de/page13919.htm by googling befvp41 firmware 1.40.4 (just in case the link doesn't work) and was able to download the working versions for the following routers:

befvp41 fw 1.40.4 : http://www.drabo-com.de/befvp41_1404.zip
befsx41 fw 1.43.3 : http://www.drabo-com.de/befsx41_1453_fw.zip
befsr41 fw 1.44.2 : http://www.drabo-com.de/befsr-fw-1442.zip

I didn't upgrade the BEFW11S4s as they don't need PPTP access, but there are older BIOS versions available at that site for them as well. Don't be worried about the language the site's in; they are the English BIOS files.

I hope this gets a few more routers working again and solves a few people's questions. Let's hope their next firmware version corrects a few bugs and doesn't introduce any more.

SD

(Just read over a couple messages before posting....... Guess this is where I heard about the static IP thing..... Thanx Brainstormer, read through these last night, memory's not that sharp.)
0
 
LVL 2

Accepted Solution

by:
SoundDoc earned 200 total points
ID: 10076158
Going back to your very initial question, Brainstorm: if the router was working properly and the tunnels passed information properly, all you would need to do to get PPTP VPN connections going is to enable WAN requests, allow PPTP and passthrough, and forward port 1723 to your server with Routing and Remote Access configured. I haven't actually set up the IPsec passthrough yet, but it should be the same: IPsec passthrough enabled, cert server set up, and port 1721 (500 as well?) I believe.

It sounds as if your initial configuration is fine, but the router is the source of all your problems, as running in the DMZ makes it work properly. (Haven't tried running a server in the DMZ of that router; the other ones didn't work in the DMZ though.)

And to BBAO: as yet, all these routers worked fine with PPTP VPN connections BEFORE the BIOS upgrade, configured just as Brainstormer had them.

I guess the only real answer Brainstorm is to wait, or get a different router that does work for the time being.

SD
0
 

Expert Comment

by:chinnygtp
ID: 11826381
Anyone able to succeed with this yet? I've got firmware ver 2.02.xx and it's still not letting my PPTP connection through to a 2000 Server....
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 11826503
chinnygtp, what does your PPTP connection refer to? Incoming traffic or outgoing traffic?

SoundDoc, I am going to get a WRT54G for my office; what is the latest firmware version of it? Thanks.
0
 
LVL 2

Expert Comment

by:SoundDoc
ID: 11830253
This question was closed, but I'll answer what I can here.
The WRT54G with the newest firmware 2.04.4 still DOES NOT work for incoming PPTP or L2TP connections.
I tossed the idea of getting it going, and I'm using 2 of them now just as wireless access points (cheaper than a standalone WAP).

As for a router, I have gone with a WatchGuard Firebox X router. Much more powerful and configurable; night and day between the products. No problems whatsoever.

As for price, it's a bit more, but a WatchGuard SOHO router is more in the price range of a WRT54G and would work as well.

In between the WRT54G and getting the Firebox, I used an old P75 I had kicking around, threw 2 NICs in it and ran ClarkConnect Home on it. Worked fine, and it is quite good for an office-type setup.

Hope this helps.

sd
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 12522883
SoundDoc, thanks for your comment, although my reply is late, hehe. ;))

I just upgraded my WRT54G with the latest firmware, Version v3.01.3, but it seems it still does NOT properly forward L2TP requests (port 1701) to the internal L2TP server behind the WRT54G...
0