Solved

Need help establishing VPN Tunnel with Linksys, can't ping nor see remote computers

Posted on 2004-03-26
Last Modified: 2010-04-12
I'm trying to establish a VPN tunnel with 2 Linksys VPN DSL routers to connect two workgroups. I followed Linksys' directions, setting up each workgroup with a different IP setup, one at 192.168.1.0 and the other at 192.168.2.0. Once I make the settings in the Linksys control panels and click the "connect" button, I get a connection. But then I cannot see the computers on the other end of the connection, and I cannot successfully ping either the other computers or the other router. I've disabled the firewall in Linksys and have no software firewalls on any of the computers. Both workgroups are named "workgroup", all computers are running Windows XP Pro and have all the latest updates. Both groups are connected to the internet with DSL.
Question by:centralcity
38 Comments
 
LVL 11

Expert Comment

by:infotrader
ID: 10693830
Have you tried establishing a two-way VPN tunnel?  Basically establish a VPN tunnel from RouterA to RouterB, and another one from RouterB to RouterA?

I am thinking that perhaps your request did go through, but it cannot find the proper route to come back to you.  If you cannot create a two-way VPN tunnel, perhaps you should try to find out what virtual IP address RouterB is assigning to RouterA, and add a static route to route all traffic going to the 192.168.1.0 subnet to the virtual IP address of RouterA.

- Info
0
 

Author Comment

by:centralcity
ID: 10694752
I set up a two way tunnel just as described in the following Linksys KB article:

http://www.linksys.com/support/top10faqs/BEFSX41/Setting%20up%20a%20VPN%20tunnel%20between%20two%20BEFSX41%20routers.asp

Once I did that, I clicked on the connect button and got indication that both were connected.
As I understand it, that's all I should have to do. At that point, I should be able to see the computers on the remote network, but I can't. And I can't ping the opposite router or computers connected to it.

As an aside, I'm remotely controlling one of the remote computers with pcanywhere so I can view and control both networks from one location, so I know I'm getting thru the internet on the pcanywhere.

Don't understand the question about the virtual ip address.
0
 
LVL 11

Expert Comment

by:ewtaylor
ID: 10736067
So connected appears on both routers? Can you do an ipconfig from the computer and post the results here?
0
 

Author Comment

by:centralcity
ID: 10736652
Here are the results of my ipconfig:

C:\>ipconfig

Windows IP Configuration
Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : dsl-verizon.net
        IP Address. . . . . . . . . . . . : 192.168.2.100
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.2.1

C:\>

0
 
LVL 11

Expert Comment

by:ewtaylor
ID: 10740783
Can you still get to the internet? I.e. ping www.cisco.com? If you followed the directions on the link to the letter then only 192.168.2.7 will be able to use the tunnel. I do not know if you changed it to the whole subnet or just followed the directions. You might want to check that or post the config from router2.
0
 

Author Comment

by:centralcity
ID: 10740831
I'm on the internet without problem. I've tried configuring the routers in both configurations: (1) set 192.168.x.0 so all computers on the workgroup should be able to use the tunnel and (2) 192.168.x.xx, where xx is a specific computer, so that only one computer on each end could access the tunnel. Cannot connect in either configuration.

Am I correct in my assumption that I should not have to configure anything on the individual computers?

BTW, Linksys has given me no help on this one, even though I've talked to four different techs.
0
 
LVL 11

Expert Comment

by:ewtaylor
ID: 10740866
Not surprising with them. No, this should be a simple router-to-router tunnel. The routers will handle all the authentication, routing, etc. It should be set to 192.168.2.x so that all the subnet can enter, not 192.168.x.0; was this a typo?
0
 

Author Comment

by:centralcity
ID: 10740937
Here's what I was trying to say:

Local group:  Linksys IP 192.168.2.1

VPN Settings:  Local Secure Group:  192.168.2.0
Remote Secure Group:   192.168.1.0


Remote group:  Linksys IP:  192.168.1.1

VPN Settings:  Local Secure Group: 192.168.1.0
Remote secure group: 192.168.2.0

I show connected on the Linksys VPN page.
0
 
LVL 11

Expert Comment

by:ewtaylor
ID: 10741281
Do me a favor and do a router print from the workstation and post the results.
0
 

Author Comment

by:centralcity
ID: 10741781
Trying to figure out how to do that. If I do an Alt-PrintScrn, I can't paste the result here. If I highlight and paste, it does not paste the data contained within the boxes. I have jpgs of both router pages, but don't know how to get them to you.

Thanks for bearing with me.
0
 
LVL 11

Expert Comment

by:ewtaylor
ID: 10741836
No problem. For the route print you can route print >file.txt; this will pipe it to the text file, and from there you can use Notepad to copy and paste.
0
 

Author Comment

by:centralcity
ID: 10741943
Hope this is OK, didn't set it up too nice, though. It doesn't show the status of the radio buttons, but they're all Enabled.
Firmware Versi
Broadband Firewall Router
Security > VPN

VPN Passthrough
    IPSec Pass-Through:        Enabled
    PPPoE Pass-Through:        Enabled
    PPTP Pass-Through:         Enabled

VPN Tunnel
    Select Tunnel Entry:       Tunnel 1 (Ruffoni)
    VPN Tunnel:                Enabled
    Tunnel Name:               Ruffoni

Local Secure Group:            Subnet
    IP:                        192.168.2.0
    Mask:                      255.255.255.0

Remote Secure Group:           Subnet
    IP:                        192.168.1.0
    Mask:                      255.255.255.0

Remote Security Gateway:       FQDN
    Fully-Qualified Domain:    ruffmaytag.dyndns.or

Encryption:                    Disable
Authentication:                Disable

Key Management:                Auto. (IKE)
    PFS:                       Enabled
    Pre-shared Key:            1235
    Key Lifetime:              3600 Sec.

Status:                        Connected
0
 
LVL 11

Expert Comment

by:ewtaylor
ID: 10742415
Firmware needs to be 1.45.3 or later; I could not make out which version you are running. This setup all looks good.
0
 
LVL 11

Expert Comment

by:ewtaylor
ID: 10742425
What is the actual error message on the ping? Does it just time out or do you get an error message?
0
 

Author Comment

by:centralcity
ID: 10742896
The BEFSX41 (here) has firmware 1.50.9
The BEFVP41 V2 (remote) has firmware 1.00.12
According to Linksys support site, both are the latest.

When I try a ping, either through Linksys Diagnostic screen or from my computer in a command window, I just get time out.
Tried pinging both the remote router and the computers on the other end.

Don't remember if I mentioned it or not, but I can set up both routers to pass through, then set up a VPN server on a computer on the other end and a client on this end and get through ok. But I need the routers for multiples, as well as for security. (I'm also accessing the remote computer with pcanywhere, so I know it's possible to communicate, just can't do it through the Linksys tunnel.)
0
 
LVL 11

Expert Comment

by:ewtaylor
ID: 10743520
Well, after eliminating all the obvious, let's look at some of the more obscure things. Did you manage to get a route print? Though if the router is not able to ping then I do not think it is with the individual workstations. Any manual routes added to the router? What kind of DSL modems are you using?
0
 
LVL 11

Expert Comment

by:ewtaylor
ID: 10743524
If you do a tracrt to 192.168.2.1 where does it hang?
0
 

Author Comment

by:centralcity
ID: 10743844
Didn't understand your route print before. Here are the results of it:

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 07 e9 64 e9 a2 ...... Intel(R) PRO/1000 CT Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1   192.168.2.100        20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
      192.168.2.0    255.255.255.0    192.168.2.100   192.168.2.100        20
    192.168.2.100  255.255.255.255        127.0.0.1       127.0.0.1        20
    192.168.2.255  255.255.255.255    192.168.2.100   192.168.2.100        20
        224.0.0.0        240.0.0.0    192.168.2.100   192.168.2.100        20
  255.255.255.255  255.255.255.255    192.168.2.100   192.168.2.100        1
Default Gateway:       192.168.2.1
===========================================================================
Persistent Routes:
  None


If I do a tracrt I get "tracrt is not recognized as internal or external command".

Locally I have a Fujitsu modem with 768/128 service thru Verizon.
The remote has a Westell modem with 384/384 service thru Verizon.
0
 
LVL 11

Expert Comment

by:infotrader
ID: 10744540
Try tracert instead of "tracrt" :-)

- Info
0
 

Author Comment

by:centralcity
ID: 10745156
Here are the results of the tracert. 192.168.2.1 is my local router, 192.168.1.1 is the remote router.
C:\DOCUME~1\EDJONE~1>tracert 192.168.2.1
Tracing route to 192.168.2.1 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.2.1
Trace complete.
C:\>tracert 192.168.1.1
Tracing route to 192.168.1.1 over a maximum of 30 hops
  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *     ^C
C:\>
0
 
LVL 11

Expert Comment

by:ewtaylor
ID: 10758492
0
 

Author Comment

by:centralcity
ID: 10758581
And several emails, telephone calls and online conversations with numerous Linksys support personnel did not get me there!

I'll get to the remote location, change the BEFVP41 and let you know the results.
0
 
LVL 11

Expert Comment

by:ewtaylor
ID: 10759119
Thanks, it seems the Linksys support has gone downhill.
0
 

Author Comment

by:centralcity
ID: 10769294
I replaced the BEFVP41 with another BEFSX41. Same result. Called Linksys tech support. Said that that document was out of date and the BEFVP41 does work ok. Didn't have an answer for not being able to ping other than "it may be taking too much time to get all the way through". Said that since I was connected, "Linksys is providing the tunnel and that's all I can do". He recommended disabling the firewall on the routers (already done), allowing anon. internet requests (already done), and setting MTU to 1403. I did that and it did not help.

He did say unofficially that I needed both to have "NetBIOS over TCP/IP" enabled, which I had already done, and that I should install UPnP through Control Panel, Add/Remove Programs, Windows Setup, Networking Services. I did that but it didn't help.

Right now, I'm at my wits end!!!!
0
 
LVL 11

Expert Comment

by:ewtaylor
ID: 10770080
Ok, you have encryption disabled on the routers? No VPN client software on the computers and no personal firewalls on the computers? How familiar are you with perfmon? There is an ICMP monitoring counter you can add and watch to see if it sends/receives ping replies.
0
 

Author Comment

by:centralcity
ID: 10770474
I have encryption and authentication disabled. Using a preshared key with PFS enabled under "Key management". No vpn client software on any computer, no personal firewalls.
I'm not familiar with perfmon and don't have an icmp monitoring counter that I know of.

(It seemed to need the PFS enabled in order to connect. I disabled it and couldn't connect; when I re-enabled it, it connected immediately.)
0
 
LVL 11

Expert Comment

by:ewtaylor
ID: 10774205
Try adding this with a

route -p 192.168.1.0    255.255.255.0    192.168.2.191   192.168.2.100  
Let me know if this works.
0
 

Author Comment

by:centralcity
ID: 10774343
When I did it, it just returned the instructions for route. Should it be "route add -p ..........."? What's the purpose of the 192.168.2.191?
0
 
LVL 11

Expert Comment

by:ewtaylor
ID: 10774375
Yes, route add -p; it is giving it a route to the other network.
0
 

Author Comment

by:centralcity
ID: 10774475
I get a "bad argument 192.168.2.191".
0
 
LVL 11

Expert Comment

by:ewtaylor
ID: 10774557
Sorry, one more time; it should read:
route -p add 192.168.1.0 255.255.255.0 192.168.2.1 192.168.2.100
0
 
LVL 11

Expert Comment

by:ewtaylor
ID: 10774561
Have not had my morning coffee yet :(
0
 

Author Comment

by:centralcity
ID: 10774655
C:\DOCUME~1\EDJONE~1>route add 192.168.1.0 255.255.255.0 192.168.2.1 192.168.2.100
ROUTE: bad argument 192.168.2.1
0
 
LVL 11

Accepted Solution

by:ewtaylor (earned 500 total points)
ID: 10774837
route -p add 192.168.1.0 mask 255.255.255.0 192.168.2.1

This tells it to look for the 192.168.1.0 network on the gateway.

0
 
LVL 11

Expert Comment

by:ewtaylor
ID: 10791166
You still with me?
0
 

Author Comment

by:centralcity
ID: 10792460
Been really busy with some other stuff. Will get back to you soon. Thanks for bearing with me.
0
 

Author Comment

by:centralcity
ID: 10920674
EW, could you contact me directly at central.city-at-gte.net? I'd appreciate it. Thanks
0
 
LVL 11

Expert Comment

by:ewtaylor
ID: 10928146
If you click on my name it gives you my email address in my profile.
0
