Can't Establish a VPN connection between 2 D-Link DFL 300 Routers.
Posted on 2006-04-19
I have been trying unsuccessfully for months to establish a VPN connection between 2 D-Link DFL 300 routers. Ideally, I would be able to establish a router to router tunnel, but I would be willing to create a tunnel using the Windows XP Client to the DFL-300 router (Home to the Office) and then setting up a second tunnel going the other way from the Office's Windows XP client machine to the Home DFL-300 if I can get this to work. I have not had success setting up a VPN with either IPSec or PPTP. The documentation with this router is abysmal, only covers setting up a static IP to static IP tunnel, and this router has been discontinued by D-Link and is no longer supported. PPTP wasn't even in the original firmware and was added as an afterthought, with no documentation.
My Setup (at the office).
-DFL 300 is configured for an Internal Interface (LAN) and DMZ. Internal Interface is 192.168.1.1, and DMZ is 192.168.2.1. Both have 255.255.255.0 as netmask. NAT is enabled on both (the D-Link faq didn't say anything about turning off NAT when connecting 2 routers with a VPN).
-One server running Win2k Server with the service pack updates, and 3 NICs. We have 6 REAL IPs provided by our ISP. We have one domain and our server is the only domain controller.
-NIC1) Has 2 IPs assigned to it, the first, 192.168.2.10, is used as our mail server. The second, 192.168.2.11, is used for our website. This subnet goes to our DMZ.
Within the DFL 300, we have 2 virtual servers assigned, Mapping External IP #1 to 192.168.2.10 (mail), and Mapping External IP #2 to the website. Our router is configured so that its external IP address is the same as the websites (External IP #2, which is mapped to 192.168.2.11 internally).
-NIC2) Has 1 IP assigned to it, which is on a different subnet (192.168.1.X). All of the computers on the local LAN point to this IP for DNS. This 192.168.1 subnet makes up our lan.
-NIC3) We're not really using at this point.
Virtual Server 1 - Maps External IP #1 to the DMZ address of the Mailserver
Virtual Server 2 - Maps External IP #2 to the DMZ address of the Webserver
Virtual Server 3 - Maps External IP #3 to the Internal (LAN) address of our Server. This was only mapped to attempt to allow an Incoming Policy for access to the LAN from the Home.
External to DMZ: permits services from Outside to Virtual Server 1 and Virtual Server 2.
Incoming: permits services from Outside to Virtual Server 3.
My Home setup is simple, on a cable modem with DHCP enabled (the router is the same brand, DFL 300).
The home local IP is set up as 192.168.0.10 (different subnet than the office). While I can easily get a connection through the IPSec VPN option by using a preshared key (this must be initiated from the home, since it is DHCP), I am *usually* unable to ping a computer behind the office LAN. I have this 192.168.0.10 home computer added to the external group within the router. I've even added it into the internal group as well. Sometimes I am able to get a ping response from the home computer to a computer on the LAN, after resetting both routers, and/or making changes that I can't pinpoint--it seems random. Occasionally, I can even ping the home computer on the 192.168.0.10 ip from within the LAN. However, this is rare.
I have tried to set up a WindowsXP client IPSec VPN from the home into the office DFL 300, with no success. I get a negotiating IP security message when I try to ping the office LAN from the home--even when the home router is removed and I am plugged directly in to the Cable Modem.
When I do a portscan on the IPSec 1701 port from behind the office firewall on the LAN, it comes back closed. I believe IKE does the same, and have had similar problems with PPTP. I don't know if my whole issue is related to closed ports, crappy router firmware, or this author's limited IT skillset.
I keep thinking that this could be a port issue, or an issue because our router's external IP is being forwarded to the DMZ while we are trying to use this same IP to connect to the internal LAN of the office from home. The home router is using the External IP address #2 as the external gateway (this is the Office router's IP). I think I have my subnets correctly... the home router points to 192.168.1.0, and the office router points to 192.168.0.0.
I'm outta ideas. Can anyone point me in the right direction?