Solved

VPN tunnel issue

Posted on 2006-04-01
28
Medium Priority
1,475 Views
Last Modified: 2011-10-03
I have two locations, each one has a Netopia 33xx DSL box attached to a Linksys WRV54G. One location has 4 PC's and a Win2003 server, the other just has 2 PC's. I need to create a VPN tunnel between locations using the Linksys devices. I believe I have them configured correctly. I tried setting the Netopia to bridging using info I found on the Netopia site, however if I uncheck the IP Gateway box, I can't get to the internet. The IP scheme on one end is 192.168.1610 and the remote end is 192.168.163.0. The real IP addresses for the Netopia are through PPPoE to SBC. I picked the lowest usable address of the 255.255.255.248 subnet for a static IP on the Linksys. I have both WAN and LAN/Wireless routing set up so I can get to the internet from each end. I have the tunnels set correctly on each end with security. If I do a whatsmyip from each location, it returns the real IP address that I have assigned the Linksys device. I can ping the Netopia and the SBC DNS entries from the Linksys, but cannot ping or traceroute from the Netopias back to the Linksys. I need this to work by Monday. I've talked with Linksys support ..... no help there. They blame it on the Netopia setup.
Question by:JerryS39
28 Comments
 
LVL 4

Expert Comment

by:miloudi
ID: 16352184
Hi,

Look at the bottom of this page:

http://www.dslreports.com/forum/remark,11662966~mode=flat

let me know if it helps...
0
 

Author Comment

by:JerryS39
ID: 16352438
Sorry, that isn't exactly what I'm looking for.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16352508
Which Netopia 33xx do you have? i.e. what does xx = ?

-On the unit I looked at (on-line manual) you need to enable "Bridged 1483" on the "DSL Line Configuration Screen" page to enable bridging. This is very important.

-If your WAN connection is configured with a public IP and whatismyIP returns that IP, as you have stated, the basic configuration should be fine.

-By IP Gateway, I assume you mean default IP gateway? If so, you cannot remove this. That needs to be the gateway provided by your ISP.

->>"The real IP address's for the Netopia is through PPOE to SBC. I picked the lowest usable address of the 255.255.255.248 subnet for a static IP "
Do you have a true static IP? This is not common with a PPPoE connection. You have to be assigned a static IP; you cannot simply choose one. SBC sometimes assigns a "sticky" IP. Is this the case? If so, and you do not know the IP and/or gateway, re-enable the original NAT mode of the Netopia and go to whatismyIP to confirm the WAN IP. Then go to http://tstools.co.uk/ipcalc.php and enter <your IP>/29 and click calculate. The Gateway should be the "Host Min". IP's are usually assigned in blocks of 5. If so, yours would be the 5 above the host min.

-As a next/first step, if you believe the above is configured properly, enable remote management of the Linksys unit/s in the administration section, and see if you can log on to the management console remotely using the WAN IP. If so, you can continue to work on the VPN part; if not, you need to get the basic set up corrected.

I know I have more questions than answers above, but knowing a little more we can continue.
--Rob

0
 

Author Comment

by:JerryS39
ID: 16352568
One is a Cayman3546 WAN: ADSL LAN: 4-port Switch  OS is 6.4.0R2
The other is Netopia Model 3346N DSL Ethernet Switch  OS 7.4.0r6

The IP Gateway setting is a check box on the Configure - WAN  screen.

Yes, they both get the public IP addresses using PPPoE

 One block is 104 - 111     the other is 208 - 215

When I change it to Bridged 1483 will the current IP address be assigned to the Linksys device if I have it configured to obtain it using PPPoE information?
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16352572
Jerry, looking at your other last question, I guess the main issue here right now is what type of connection you have. Is it static or dynamic? We can deal with it either way, but it needs to be handled differently. Also need to know the Netopia model.
0
 

Author Comment

by:JerryS39
ID: 16352574
They are static IP's
The model numbers were at the top of my comment
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16352596
Whoops, you posted while I was posting last message.

>>"When I change it to Bridged 1483 will the current IP address be assigned to the Linksys device if I have it configured to obtain it using PPPoE information?"
Yes, put the Netopia in bridged mode and then configure the PPPoE section with your UserName and password. The Linksys should then obtain an IP automatically. I am assuming this is a dynamic IP; if it is a "sticky" simulated static IP, let me know.

>>"The IP Gateway setting is a check box on the Configure - WAN  screen."
On the router or Netopia? I don't see it on either.
Shouldn't have to configure anything on the Netopia once in bridge mode. There is "Gateway IP" in the network section of the set up page of the Linksys. This is the local/LAN IP you want to assign the router 192.168.16x.x
0
 

Author Comment

by:JerryS39
ID: 16352602
They each have a slightly different set of choices about Ethernet bridge settings.
Neither seems to have the RFC-1483 Bridged Ethernet vcc1 choice; is that a selection on a different menu?

I have to sign off for a few hours, thanks for the help. And if you can get me to where I can select the 1483 instead of the PPP I can get these set up. If you would like to look at them live I will send you the IP address for each one to your email address.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16352612
If they are true static IP's, which would be assigned by the ISP, they should have given you the IP (possibly a group of 5), gateway, subnet mask and DNS server IP's. On the set up page choose Static IP and insert those values.

The concern I have is SBC, which we do not have here, sometimes uses what they call "Sticky IPs". A Sticky IP is a dynamic IP using PPPoE, however they use a DHCP reservation to make sure you are always assigned the same IP. If so, that is fine, just use the PPPoE configuration with UserName and password, but when configuring the VPN use that IP.

Try enabling and using remote management page of the router as described above. If that is not working no point in going further, as it confirms the bridge mode is working and you have the correct IP.
--------------------------------
I just saw the last message about the bridge mode. I'll look into that for you.
0
 

Author Comment

by:JerryS39
ID: 16352617
The one Netopia has the following choices under Ethernet bridging:

    Enable Bridging Function   (I have it checked)
    Enable WAN to WAN Bridging   (not checked)

    Ethernet 100BT (LAN)
        Enable Bridging on port   (I have it checked)

    PPP over Ethernet vcc1 (WAN)
        Enable Bridging on port   (I have it checked)
        Filter PPPoE Only   (not checked)

The other one has less info:

    Enable Bridging Function   (I have it checked)

    PPP over Ethernet vcc1 (WAN)
        Enable Bridging on Port   (not checked)
0
 
LVL 78

Accepted Solution

by:
Rob Williams earned 2000 total points
ID: 16352630
I am afraid the online manuals do not seem to show these options. They are likely older firmware versions.
I would recommend:
     Enable Bridging Function   (I have it checked)
as you have done, but not enabling any others. Some of these units allow bridging between local subnets, which is not what you want to do, so I would NOT enable any other bridging options such as "Enable Bridging on port".

Glad to help but you may have to figure this part out on your own as I don't have any of these units or apparently up-to-date manuals.

I am out of here for a while as well but will check back. (-4 hours GMT here)

If you can get the bridging and remote management working I am willing to log on and check your VPN configuration if you like. E-mail address is on my profile.
0
 

Author Comment

by:JerryS39
ID: 16352980
thanks

I'll make the changes on the Netopia's and check with you in the morning.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16352990
Let me know how you make out.
--Rob
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16356930
Jerry,
The information you sent me I am afraid doesn't tell me much.
Have you confirmed on the Linksys end the WAN IP agrees with whatismyip ?
You also mentioned you cannot ping the Linksys. The Linksys will deny ICMP (ping) requests by default. For test purposes you may want to disable "Block Anonymous Internet Requests" on the firewall configuration page to allow you to ping the device.
--Rob
0
 
LVL 9

Expert Comment

by:cooledit
ID: 16358159
hi, there

Just a small information on Microsoft Networks. Kerberos uses UDP per default and that can be changed to TCP.

http://support.microsoft.com/?id=244474

Assuming the rest of your settings are OK, I mean if you can ping the IP's and so on, try the Kerberos. Sorry, gotta go, the job is calling.


Cooledit

0
 

Author Comment

by:JerryS39
ID: 16366112
Well, I managed to get the Netopias into bridge mode and the Linksys have the PPPoE assigned static addresses. The VPN tunnel is defined, but it doesn't work. I try to ping an IP on the other end and get nothing, tried to ftp to the server on the other end and get nothing. From what I've read on this site, you shouldn't have any port forwarding going on either end ...... correct? The whole point of using these was the tunnel. Any pointers ...... I'd like to close this and award the points tonight.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16366526
>>"you shouldn't have any port forwarding going on either end ...... correct? "
Right.

If you disable "Block Anonymous Internet Requests" on the Linksys, can you ping it now?
Also, the best test once you think you have the VPN established is to ping the LAN side of the Linksys. This eliminates any routing or software firewall issues on the remote end for your initial testing.
0
 

Author Comment

by:JerryS39
ID: 16375592
I disabled "Block Anonymous Internet Requests" and yes, I can ping it, but still no VPN as far as I can tell. The strange thing is I can manage one location over the internet using the 8080 port, but the other one won't let me in for some reason. However, going to dnsstuff and checking some things .... it says on a traceroute that the last couple of routers are blocking access .... they look like they belong to SBC. I'll get you (RobWill) the IP address in an email and you can look at it.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16377817
Sounds like you may now have a basic connection if you can ping in both directions. Next is to get the VPN working. You say you can manage one router remotely but not the other. Do they both use 8080? Lots of routers use different WAN ports for that. As for tracert not working, that is often common with some routers, I wouldn't be concerned about that.

For the record, when the VPN is established, the Linksys VPN page, opposite where it says status, will change from connect to disconnect. You can try clicking the connect 'button' to force a connection.
Must say though you can expect difficulties connecting these two different brands to create the tunnel. Once working there will be no problem but not surprised there are difficulties setting it up.
0
 

Author Comment

by:JerryS39
ID: 16377887
Yes, both Linksys devices are set to 8080. Both ends say "waiting for connection". Trying disconnect then connect does not form a connection. Friday, I will probably reset / reconfigure the problem end. In the meantime, I have a third Linksys located at my house. I will try to set up a VPN between one or the other sites that are up. I will then try to connect using the Linksys QuickVPN software to see if either of them will let in a connection.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16377917
Jerry, when I posted above I was thinking you were using 2 different makes of routers. I turn 50 this month, I guess my mind is starting to go. <G>
Actually connecting should be quite easy with similar units once basic connection is made to WAN side. Very odd you can connect to one WAN interface but not the other. Sounds like something is still blocking the traffic at one end.
0
 

Author Comment

by:JerryS39
ID: 16390963
Tomorrow I will be back on site, so I will reset the Netopia and reconfigure it. Then I will make sure the Linksys configuration is set to the recommendations you gave. If there are still connectivity issues, I will call SBC to see if they are blocking any ports.
0
 

Author Comment

by:JerryS39
ID: 16407163
The Netopia has been reset. Both ends say "waiting for connection". I can connect using the QuickVPN client, but before I can do anything, it drops from the connection.
0
 

Author Comment

by:JerryS39
ID: 16408645
Thanks to RobWill, I have deduced what you really need in the WRV54G configuration to make the VPN work. Both ends now have a "Disconnect" button. If only there was true documentation from the manufacturers.

                                                            Thanks again,
                                                              JerryS39
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16409915
Glad to hear you have finally been able to resolve. Sorry I haven't been available much the last 2 days. I agree, documentation is pretty scarce, and Linksys support is non-existent.
Thanks for the points,
--Rob
0
 

Author Comment

by:JerryS39
ID: 16425818
RobWill,
            After testing the current config, the VPN is still not functioning. Sent you an email last night. Let me know if you get it.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16427327
Jerry,
I see a few things when I log on. #1 is very important and is likely the problem
1)  !!!!  On  x.x.x.214 under VPN configuration you have used a subnet mask of 255.255.255.255 with subnet option. Needs to be changed to 255.255.255.0. The other router is fine.

Everything else looks OK, but you may want to look at changing:
2) Highly recommend upgrading firmware to newest version, I believe 2.37
3) You do not need IPSec, PPTP, L2TP forwarding enabled. Disable that. It is for use with a VPN server behind the router such as a Windows VPN server
4) Your pre-shared key contains alpha-numeric characters. I don't know for sure but most require ASCII. If working great, but if not try using 1-0 and A-F
5) You have Access Restrictions enabled, but allow everyone at all times. Since there are no filters, you may want to simply disable access restrictions
6)  In the VPN configuration under advanced options, you might want to try aggressive mode (on both) rather than main mode. Aggressive is slightly less secure, but it will usually negotiate a connection more easily
7)  Some very odd quirks, of some services not working, have been reported when you enable NetBIOS broadcast in the advanced VPN configuration. You might want to try disabling
8)  Noticed you have only 5 DHCP addresses allowed. Nothing to do with connection, but is that enough?

--Rob
0
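The mask mismatch in item 1 of the post above can be caught before touching the routers by comparing both tunnel definitions side by side. The following is an added example, not part of the original thread; the dictionary field names are hypothetical, the addresses are constructed sample values, and placing the bad mask on the remote group entry is an assumption.

```python
import ipaddress

def net(addr, mask):
    """Router-style address + dotted mask -> network object."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def check_tunnel(a, b):
    """Compare both ends of a site-to-site tunnel; return a list of mismatches."""
    problems = []
    for near, far in ((a, b), (b, a)):
        remote = net(*near["remote_group"])  # what 'near' expects behind 'far'
        local = net(*far["local_group"])     # what 'far' really offers
        if remote != local:
            msg = (f"{near['name']} remote group {remote} does not match "
                   f"{far['name']} local group {local}")
            if 32 in (remote.prefixlen, local.prefixlen):
                msg += " (255.255.255.255 mask on a subnet entry)"
            problems.append(msg)
        if near["remote_gateway"] != far["wan_ip"]:
            problems.append(
                f"{near['name']} remote gateway is not {far['name']}'s WAN IP")
    if net(*a["local_group"]).overlaps(net(*b["local_group"])):
        problems.append("local LAN ranges overlap; traffic will not enter the tunnel")
    return problems

# Constructed sample values (not the poster's real settings). WAN addresses
# come from documentation ranges; LAN ranges are assumed /24 networks.
SITE_A = {"name": "site-A", "wan_ip": "198.51.100.110",
          "local_group": ("192.168.161.0", "255.255.255.0"),
          "remote_group": ("192.168.163.0", "255.255.255.0"),
          "remote_gateway": "203.0.113.214"}
SITE_B = {"name": "site-B", "wan_ip": "203.0.113.214",
          "local_group": ("192.168.163.0", "255.255.255.0"),
          "remote_group": ("192.168.161.0", "255.255.255.255"),  # the mistake
          "remote_gateway": "198.51.100.110"}

if __name__ == "__main__":
    for line in check_tunnel(SITE_A, SITE_B) or ["tunnel definitions agree"]:
        print(line)
```

With a 255.255.255.255 mask the entry covers a single address, so the two ends propose different traffic selectors and the tunnel stays at "waiting for connection".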
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16427338
ps- If the above resolves the problem and there is no need for me to log in again, please change the access password.
--Rob
0


Question has a verified solution.
