Solved

Can't Establish a VPN connection between 2 D-Link DFL 300 Routers.

Posted on 2006-04-19
Last Modified: 2010-04-12
I have been trying unsuccessfully for months to establish a VPN connection between 2 D-Link DFL 300 routers. Ideally, I would be able to establish a router to router tunnel, but I would be willing to create a tunnel using the Windows XP Client to the DFL-300 router (Home to the Office) and then set up a second tunnel going the other way from the Office's Windows XP client machine to the Home DFL-300 if I can get this to work. I have not had success setting up a VPN with either IPSec or PPTP. The documentation with this router is abysmal, only covers setting up a static IP to static IP tunnel, and this router has been discontinued by D-Link and is no longer supported. PPTP wasn't even in the original firmware and was added as an afterthought, with no documentation.

My Setup (at the office).
-DFL 300 is configured for an Internal Interface (LAN) and DMZ. Internal Interface is 192.168.1.1, and DMZ is 192.168.2.1. Both have 255.255.255.0 as netmask. NAT is enabled on both (the D-Link FAQ didn't say anything about turning off NAT when connecting 2 routers with a VPN).
-One server running Win2k Server with the service pack updates, and 3 NICs.  We have 6 REAL IPs provided by our ISP.  We have one domain and our server is the only domain controller.

-NIC1) Has 2 IPs assigned to it, the first, 192.168.2.10, is used as our mail server. The second, 192.168.2.11, is used for our website. This subnet goes to our DMZ.
Within the DFL 300, we have 2 virtual servers assigned, Mapping External IP #1 to 192.168.2.10 (mail), and Mapping External IP #2 to the website. Our router is configured so that its external IP address is the same as the website's (External IP #2, which is mapped to 192.168.2.11 internally).
-NIC2) Has 1 IP assigned to it, which is on a different subnet (192.168.1.X). All of the computers on the local LAN point to this IP for DNS. This 192.168.1 subnet makes up our LAN.
-NIC3) We're not really using at this point.

Virtual Server 1 - Maps External IP #1 to the DMZ address of the Mailserver
Virtual Server 2 - Maps External IP #2 to the DMZ address of the Webserver
Virtual Server 3 - Maps External IP #3 to the Internal (LAN) address of our Server. This was only mapped to attempt to allow an Incoming Policy for access to the LAN from the Home.

Policies
---------
External to DMZ:  permits services from Outside to Virtual Server 1 and Virtual Server 2.
Incoming:  permits services from Outside to Virtual Server 3.

My Home setup is simple, on a cable modem with DHCP enabled (the router is the same brand, DFL 300).

The home local IP is set up as 192.168.0.10 (different subnet than the office). While I can easily get a connection through the IPSec VPN option by using a preshared key (this must be initiated from the home, since it is DHCP), I am *usually* unable to ping a computer behind the office LAN. I have this 192.168.0.10 home computer added to the external group within the router. I've even added it into the internal group as well. Sometimes I am able to get a ping response from the home computer to a computer on the LAN, after resetting both routers, and/or making changes that I can't pinpoint--it seems random. Occasionally, I can even ping the home computer on the 192.168.0.10 IP from within the LAN. However, this is rare.

I have tried to set up a Windows XP client IPSec VPN from the home into the office DFL 300, with no success. I get a negotiating IP security message when I try to ping the office LAN from the home--even when the home router is removed and I am plugged directly in to the Cable Modem.

When I do a portscan on the IPSec 1701 port from behind the office firewall on the LAN, it comes back closed.  I believe IKE does the same, and have had similar problems with PPTP.  I don't know if my whole issue is related to closed ports, crappy router firmware, or this author's limited IT skillset.  

I keep thinking that this could be a port issue, or an issue because our router's external IP is being forwarded to the DMZ while we are trying to use this same IP to connect to the internal LAN of the office from home. The home router is using the External IP address #2 as the external gateway (this is the Office router's IP). I think I have my subnets correct... the home router points to 192.168.1.0, and the office router points to 192.168.0.0.

I'm outta ideas.  Can anyone point me in the right direction?


Question by:bmoneyless
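
The subnet layout described in the question can be checked mechanically before looking elsewhere. The following is an added example, not part of the original post: it verifies that each router's remote subnet matches the peer's local subnet and shows which traffic the tunnel selectors cover. The home /24 mask, the host 192.168.1.20 and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed from the addresses in the question. The home /24 mask is an
# assumption: the post gives only the home host address 192.168.0.10.
SITES = {
    "office": {"local": "192.168.1.0/24", "remote": "192.168.0.0/24",
               "other": ["192.168.2.0/24"]},  # DMZ behind the same router
    "home": {"local": "192.168.0.0/24", "remote": "192.168.1.0/24",
             "other": []},
}


def check_selectors(sites, a, b):
    """Return a list of selector problems for the a<->b tunnel (empty = consistent)."""
    nets = {s: {k: ipaddress.ip_network(sites[s][k]) for k in ("local", "remote")}
            for s in (a, b)}
    problems = []
    if nets[a]["local"].overlaps(nets[b]["local"]):
        problems.append(f"{a} and {b} local subnets overlap")
    for here, there in ((a, b), (b, a)):
        if nets[here]["remote"] != nets[there]["local"]:
            problems.append(f"{here} remote subnet {nets[here]['remote']} does not "
                            f"match {there} local subnet {nets[there]['local']}")
        for other in sites[here]["other"]:
            if ipaddress.ip_network(other).overlaps(nets[here]["remote"]):
                problems.append(f"{here} network {other} overlaps the remote subnet")
    return problems


def rides_tunnel(sites, site, src, dst):
    """True if a packet src->dst leaving `site` matches that site's tunnel selectors."""
    local = ipaddress.ip_network(sites[site]["local"])
    remote = ipaddress.ip_network(sites[site]["remote"])
    return ipaddress.ip_address(src) in local and ipaddress.ip_address(dst) in remote


if __name__ == "__main__":
    print(check_selectors(SITES, "office", "home") or "selectors consistent")
    # Home PC to an office LAN host (192.168.1.20 is a constructed address).
    print(rides_tunnel(SITES, "home", "192.168.0.10", "192.168.1.20"))
    # Home PC to the mail server in the DMZ: not covered by these selectors.
    print(rides_tunnel(SITES, "home", "192.168.0.10", "192.168.2.10"))
```

When the selectors are consistent and the tunnel negotiates but pings still fail, the remaining suspects are filtering policies on the routers and firewalls on the endpoints themselves.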

Author Comment

by:bmoneyless
ID: 16643988
Found an answer... seems the home computer had a software firewall installed that I was not informed of. Though the hardware VPN was allowed, and the routers were connecting, I could not ping a machine behind each subnet. Now that the software firewall has been removed, I am able to create the VPN tunnel and get access, going both ways.

Accepted Solution

by:
EE_AutoDeleter earned 0 total points
ID: 16678606
bmoneyless,
Because you have presented a solution to your own problem which may be helpful to future searches, this question is now PAQed and your points have been refunded.

EE_AutoDeleter
