Solved

VPNs between Linksys RV042s keep dropping connection. What is the most efficient way to configure Gateway to Gateway VPN?

Posted on 2006-06-23
Last Modified: 2008-01-09
We currently have 9 remote sites that are connecting to our central office through VPN.  Each one of the sites is using a Linksys RV042 or an RV082 with the latest firmware.  All of the sites are using cable or DSL to access the internet.  The main office has a static IP but the rest are dynamic.  Each of the remote sites has between 1-4 PCs and the central office has 25 or so.

So... All of the VPNs are established and working.  I check back the next day and one or two of them are disconnected.  I wait a few hours and check again and some have come back online again.  I call the remote sites and they are still online and able to access the internet just fine but they can't see the central office anymore.

The routers are currently configured as follows:

Local Group Setup:

Local Security Gateway Type: Dynamic IP + E-mail Addr.(USER FQDN) Authentication
E-mail address: user@domain
Local Security Group Type: Subnet
IP address: 192.168.2.1
Subnet Mask: 255.255.255.0

--------------------------------------------------------------------------------
 
Remote Group Setup:

Remote Security Gateway Type: IP Only
IP address: (Main Office Wan Address)
Remote Security Group Type: Subnet
IP address: 192.168.0.0
Subnet Mask: 255.255.255.0
--------------------------------------------------------------------------------

IPSec Setup:

Keying Mode: IKE with Preshared key  
Phase1 DH Group: Group2  
Phase1 Encryption: 3DES  
Phase1 Authentication: SHA1
Phase1 SA Life Time: 28800 seconds  

Perfect Forward Secrecy: (Check in box)
Phase2 DH Group: Group1
Phase2 Encryption: DES
Phase2 Authentication: MD5
Phase2 SA Life Time: 3600 seconds  
Preshared Key: 123fakekey321

Advanced:

(X) Aggressive Mode
(_) Compress (Support IP Payload Compression Protocol(IPComp))
(X) Keep-Alive
(_) AH Hash Algorithm: MD5
(X) NetBIOS broadcast
(X) Dead Peer Detection (DPD)   Interval: 10 seconds  

Are there any flaws in the way that this is set up now?  Any way to streamline these settings at all?  Encryption is important but if heavy encryption means I can't connect I can back off a bit.  
 
Question by:tonysheridan
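Before the replies, a check of the posted profile as an added example (my script, not a Linksys tool and not code from anyone in this thread). The main-office end is not shown in the question, so a mirror image of it is constructed in the script; the script then verifies that the two ends mirror each other's security groups and use identical proposals, and flags settings that are below today's minimums. Two facts worth knowing when reading its output: the posted Phase 2 (DES, MD5, DH group 1) is already at the bottom of what IKEv1 offers, so there is no encryption strength left to back off, and with IKEv1 and a preshared key a peer that identifies itself by FQDN rather than by IP address generally needs aggressive mode, which sends a hash derived from the preshared key before the channel is encrypted, so the key should be long and random. The subnet and proposal values are taken from the question; the main-office dictionary and the severity thresholds are assumptions.

```python
#!/usr/bin/env python3
"""Consistency and strength check for a pair of RV042 gateway-to-gateway
profiles. Added example; not a Linksys tool and not from the thread."""
import ipaddress

# Remote-site side, transcribed from the question.
REMOTE_SITE = {
    "local_subnet": "192.168.2.1/255.255.255.0",
    "remote_subnet": "192.168.0.0/255.255.255.0",
    "phase1": {"dh": 2, "enc": "3DES", "auth": "SHA1", "life": 28800},
    "phase2": {"pfs": True, "dh": 1, "enc": "DES", "auth": "MD5", "life": 3600},
    "aggressive": True, "keying": "PSK", "keepalive": True, "dpd": 10,
}
# Main-office side: constructed here as the mirror image the question does not show.
MAIN_OFFICE = {
    "local_subnet": "192.168.0.0/255.255.255.0",
    "remote_subnet": "192.168.2.0/255.255.255.0",
    "phase1": dict(REMOTE_SITE["phase1"]),
    "phase2": dict(REMOTE_SITE["phase2"]),
    "aggressive": True, "keying": "PSK", "keepalive": True, "dpd": 10,
}

# 56-bit DES, HMAC-MD5 and the 768-bit DH group 1 are below modern minimums.
WEAK = {"enc": {"DES"}, "auth": {"MD5"}, "dh": {1}}


def net(spec):
    """'192.168.2.1/255.255.255.0' -> 192.168.2.0/24. Host bits are tolerated
    because the RV042 accepts a host address in the group's IP field."""
    return ipaddress.ip_network(spec, strict=False)


def check_pair(a, b):
    """Return [(severity, message)] for profile a, checked against its peer b."""
    findings = []
    # 1. The security groups must be mirror images and must not overlap.
    if net(a["local_subnet"]) != net(b["remote_subnet"]) or \
            net(a["remote_subnet"]) != net(b["local_subnet"]):
        findings.append(("ERROR", "local/remote subnets are not mirror images of the peer's"))
    if net(a["local_subnet"]).overlaps(net(a["remote_subnet"])):
        findings.append(("ERROR", "local and remote subnets overlap"))
    # 2. Proposals and mode must be identical or the SA will not negotiate.
    for phase in ("phase1", "phase2"):
        for param, value in a[phase].items():
            if b[phase].get(param) != value:
                findings.append(("ERROR", f"{phase} {param} differs: {value!r} vs {b[phase].get(param)!r}"))
    for flag in ("aggressive", "keying"):
        if a[flag] != b[flag]:
            findings.append(("ERROR", f"{flag} differs between the two ends"))
    # 3. Algorithm strength. Phase 2 DH only matters when PFS is on.
    for phase in ("phase1", "phase2"):
        for param, weak_values in WEAK.items():
            if phase == "phase2" and param == "dh" and not a["phase2"].get("pfs"):
                continue
            if a[phase].get(param) in weak_values:
                findings.append(("WARN", f"{phase} {param}={a[phase][param]} is below modern minimums"))
    # 4. Aggressive mode sends a PSK-derived hash before the channel is encrypted.
    if a["aggressive"] and a["keying"] == "PSK":
        findings.append(("WARN", "aggressive mode with PSK exposes the key to offline guessing; use a long random key"))
    # 5. Lifetimes and liveness: without keep-alive or DPD a dropped SA is only
    #    re-established when interesting traffic shows up.
    if a["phase2"]["life"] >= a["phase1"]["life"]:
        findings.append(("WARN", "phase2 lifetime is usually set shorter than phase1"))
    if not (a["keepalive"] or a["dpd"]):
        findings.append(("WARN", "neither keep-alive nor DPD is enabled; a dropped tunnel stays down until traffic flows"))
    return findings


if __name__ == "__main__":
    for severity, message in check_pair(REMOTE_SITE, MAIN_OFFICE):
        print(f"{severity}: {message}")
```

Run it once per site pair; an ERROR line means the two ends cannot negotiate at all, while the WARN lines on the posted profile are strength and key-handling notes that do not by themselves explain a tunnel that comes up and later drops.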
 
LVL 77

Expert Comment

by:Rob Williams
ID: 16973235
I have a dozen of these set up at various sites with no problem. One site has 7 connected to it. However, instead of "Dynamic IP + E-mail Addr.(USER FQDN) Authentication" I always use "Dynamic IP + Dynamic Name ( FQDN) Authentication" in conjunction with a DDNS service. I prefer http://www.dyndns.com for this. See:
http://linksys.custhelp.com/cgi-bin/linksys.cfg/php/enduser/std_adp.php?p_faqid=1705&p_created=1094687137&p_sid=U6Top31i&p_accessibility=0&p_lva=&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PSZwX2dyaWRzb3J0PSZwX3Jvd19jbnQ9MTAzJnBfcHJvZHM9MCZwX2NhdHM9JnBfcHY9JnBfY3Y9JnBfc2VhcmNoX3R5cGU9YW5zd2Vycy5zZWFyY2hfbmwmcF9zY2ZfbGFuZz0xJnBfcGFnZT0xJnBfc2VhcmNoX3RleHQ9cnYwODI*&p_li=&p_topview=1

Also you might try "Main Mode" instead of "Aggressive Mode", though I haven't had problems with either.
Finally, I have had some very peculiar un-related results sometimes with "NetBIOS Broadcast" enabled. If you don't have to have it enabled test without.

 
LVL 44

Expert Comment

by:scrathcyboy
ID: 16974176
You can't VPN to a dynamic IP, sorry, they must be static.  I.e. the router or the VPN endpoint MUST have a static IP assigned by the ISP.  You cannot do this on DSL unless you have bought a static IP from the ISP.  Dynamic IPs assigned by the ISP (such as a redirect from the DSL headend in the Telco office) simply do not work with VPN.  The Linksys routers you have are more than capable of FLAWLESS VPN, you just have to give them a REAL IP at each end to talk to, not something virtualized by the ISP provider.
 
LVL 77

Expert Comment

by:Rob Williams
ID: 16974238
Though static IPs are always recommended, "they must be static" is not true at all. I have 15 VoIP systems connected by VPNs, as well as several others, with static at one end and dynamic at the other and never a complaint. Of these, 10 are RV042s. For the record some are ADSL and some cable modems.
 

Author Comment

by:tonysheridan
ID: 16974346
Thanks Rob, I will test some of the settings you suggested.    

As for the static vs dynamic IP, VPN works great with a dynamic address.  I am just having problems keeping the connection established.  I thought it could be related to the way encryption was configured or not enough bandwidth from a DSL/cable line.  
 
LVL 77

Expert Comment

by:Rob Williams
ID: 16975043
The encryption configuration shouldn't be related to the disconnects. I find it is important to enable the keep alive feature and also, I forgot to mention: if you have a PPPoE connection to your ISP, on the "Set Up" page under the WAN connection information for PPPoE there are 2 options. 1) Connect on demand, max idle time out: set this to 0 to disable, but better than that 2) there is a keep alive option: set to 10 seconds.
The only VPN I had a problem with dropping the connection every few days was fixed by changing the ISP.
 

Expert Comment

by:ajortolani
ID: 16975418
What they said above about requiring a static IP is not true. I use Cablevision for my ISP which only offers DHCP. I created another domain at DynDNS.com and downloaded the software to my server. Now instead of pointing my VPN to my router's IP address I point it to the new domain name. The software on my server checks the IP address on my router every five minutes and uploads it to the new domain. It's the closest thing to static I could get with a cable connection. It works though, no problems.

For your problem I would consider getting a new router, maybe Netgear. I've only had problems with Linksys routers locking up on me, and when I load new firmware I've had to send them to the manufacturer to get fixed from internal software glitches. It's a real pain. It sounds like you have a lot of traffic coming through your main office router, maybe get a PIX firewall router. Your internet performance will improve, and they are a higher grade electronic device that can handle the load with a world of difference in security.

Last note, neither cable nor DSL are perfect ISPs. They will lose connectivity for short periods now and then. To drop a VPN connection you only need to lose connectivity for a few seconds. Check and make sure that your modems are the most recent and up to date models.
 

Expert Comment

by:cygereric
ID: 16975502
What you are probably seeing is the VPN dropping due to inactivity. Many time out after 3 hours of inactivity. A way around it is to use the scheduler service on the server to run a batch file that pings a computer on the other side of the VPN every 2.5 hours at night.
 
LVL 77

Expert Comment

by:Rob Williams
ID: 16975506
A couple of points about www.dyndns.com:
I have used their services for quite a while. You can install the service on the Linksys router itself, or using one of the software clients, you can install on a PC. I find using the router much more consistent and it is always on where the PC may not be. Linksys did have a problem last year with the router's DDNS service, but have long since resolved it. However for this and other reasons make sure you have the latest firmware installed. The other problem with the DDNS service is if your public IP doesn't change for 35 days they consider your account dormant and although your account stays active your domain name is removed from the active list. Theoretically the software client on the PC addresses this but I haven't had much luck with it. The other way around it is to pay for the service, $10/year US. This also gives you 20 domain names you can use. I have found this service reasonably priced, and rock solid.

As for Linksys quality, I think you will find the RV0xx series extremely dependable. They are a favorite of this message board if you are not going to use a high end Cisco, WatchGuard, Netscreen or equivalent.

Author Comment

by:tonysheridan
ID: 16980086
Well I tried the initial suggestion from Rob and the VPN stayed up for the rest of the evening.  I just checked today and our remote site is disconnected again.  I must not have set up DDNS properly because I am not getting an IP from them.  Since I no longer know the WAN IP I will have to wait until tomorrow to either drive out to the site or have a user find the IP for me.

ajortolani :
We already have RV042's in place and we are also using them with other clients and they seem very stable.  This client is not going to dish out $$ for new equipment especially since we can't guarantee that will solve their issue.  

cygereric:
The VPNs shouldn't be timing out.  At another site we have offices that are not used for weeks/months at a time.  During that time every piece of equipment is turned off except for the router and the connection is never dropped.

(Side note...  6 out of 9 routers are brand new and I have already updated them with the latest firmware.)

I will post a follow up on Monday
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 16980449
Tony, if it is any help below is a copy of an earlier post of mine explaining how to set up the dyndns service. Kind of basic but may be of some help.

Also, you mentioned the latest firmware. All of the routers I have set up have been updated to version 1.3.7.2. The last one I did I was in a huge rush to get ready and ship out. I had updated to 1.3.7.4 and had some connection issues. For fear of problems in the field I reverted back to 1.3.7.4. Still don't know if the problem was the firmware, but if no other solution works for you, and you are using 1.3.7.4, you might want to try back tracking. If you don't have a copy I can upload and provide a link.

-----------------------------------------------------
Specific instructions for www.dyndns.com;
After you create a new user account with www.dyndns.com, log in and at the top of the page click on 'Account' and then in the middle of the page choose 'My services'. Near the bottom of the page you will see Host Level Services. If you haven't done so you will need to set up a domain name. I would recommend starting with a fresh one regardless. Do so by clicking "Add host service", then "Add Dynamic DNS Host". Now fill in a Host name of your choosing like "myname" and choose a suffix like "dnsalias.org" (any one in the list will do). Your current IP, if you are connecting from the site where you will be using this, will be displayed in the next box. If not, change it to the current IP.  If you don't know it you can find it by going to http://www.whatismyip.com  Now click "Add Host". Leave Wildcards and Mail fields empty. Actually it will update automatically so you don't really have to do this.
Now in your router set up (my recommendation), or in your DDNS software application, choose the DDNS service, enter user name and password, and then enter your host name myname.dnsalias.org, or whatever you chose. Once you save the configuration it should show in red "DDNS updated successfully".  Make sure you only use one, the router or the application; it is not a good idea to use both.
If you wish to test: you know how to find your IP by going to http://www.whatismyip.com so verify that. Now at a command prompt (DOS window) enter nslookup myname.dnsalias.org (substitute your domain name) and it should resolve/return the proper WAN IP you located above.
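An added example (my script, not code from the thread or from Linksys) that combines three things raised above: cygereric's scheduled ping across the tunnel, Rob's nslookup check of the DDNS name, and Tony's problem of no longer knowing a site's WAN address once its tunnel is down. It runs on a PC at the central office and, for each remote site, resolves the site's DDNS name, pings the resolved WAN address, and pings a host on the far LAN that is only reachable through the tunnel. The two pings together separate "the site's Internet link is down" from "the link is fine but the IPsec tunnel is gone", which is exactly the symptom in the question, and a line is logged with a timestamp each time the diagnosis changes, so a week of running it shows whether drops cluster at a time of day. The LAN ping every five minutes also keeps traffic flowing across the SA. Assumptions not from the page: the remote router answers ICMP echo on its WAN interface (if it is set to drop WAN pings, a dead tunnel will show as SITE-OFFLINE rather than TUNNEL-DOWN), a LAN host behind each router is always on, and the site names and addresses in the inventory are constructed placeholders.

```python
#!/usr/bin/env python3
"""Site-to-site VPN watchdog run from the central office.

Added example, not code from the thread or from Linksys. Resolves each
remote site's DDNS name, pings the resolved WAN address and a LAN host
behind the tunnel, and logs a line whenever the diagnosis changes.
"""
import platform
import socket
import subprocess
import time
from datetime import datetime

IS_WINDOWS = platform.system() == "Windows"
INTERVAL_SECONDS = 300          # short enough to keep the SA from idling out
LOG_FILE = "vpn-watch.log"

# Constructed inventory: DDNS names and LAN hosts are placeholders.
SITES = {
    "site-a": {"ddns": "site-a.dnsalias.org", "lan_host": "192.168.2.1"},
    "site-b": {"ddns": "site-b.dnsalias.org", "lan_host": "192.168.3.1"},
}


def ping(host, timeout=2):
    """One ICMP echo via the OS ping binary; True on a reply."""
    if IS_WINDOWS:
        cmd = ["ping", "-n", "1", "-w", str(timeout * 1000), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout), host]
    try:
        return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL,
                              timeout=timeout + 3).returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def resolve(name):
    """A record for the DDNS name, or None when it no longer resolves."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def classify(wan_ip, wan_up, lan_up):
    """Collapse the three observations into one diagnosis."""
    if lan_up:
        return "TUNNEL-UP"      # traffic crosses the tunnel, nothing else matters
    if wan_ip is None:
        return "DDNS-STALE"     # name gone: the DDNS client stopped updating
    if wan_up:
        return "TUNNEL-DOWN"    # Internet link fine, IPsec SA gone
    return "SITE-OFFLINE"       # modem/ISP problem, not a VPN problem


def check_site(name, site, pinger=ping, resolver=resolve):
    """Probe one site; pinger/resolver are injectable for offline testing."""
    wan_ip = resolver(site["ddns"])
    wan_up = bool(wan_ip) and pinger(wan_ip)
    lan_up = pinger(site["lan_host"])
    return {"site": name, "wan_ip": wan_ip, "wan_up": wan_up,
            "lan_up": lan_up, "state": classify(wan_ip, wan_up, lan_up)}


def transitions(history):
    """history: [(timestamp, state), ...] -> [(timestamp, old, new), ...],
    so a day of samples reduces to the moments something changed."""
    changes, previous = [], None
    for ts, state in history:
        if previous is not None and state != previous:
            changes.append((ts, previous, state))
        previous = state
    return changes


def main():
    last = {}
    with open(LOG_FILE, "a") as log:
        while True:
            for name, site in SITES.items():
                r = check_site(name, site)
                if last.get(name) != r["state"]:
                    line = (f"{datetime.now():%Y-%m-%d %H:%M:%S} {name} "
                            f"wan={r['wan_ip']} {r['state']}")
                    print(line)
                    log.write(line + "\n")
                    log.flush()
                    last[name] = r["state"]
            time.sleep(INTERVAL_SECONDS)


if __name__ == "__main__":
    main()
```

Leave it running for a few days and read vpn-watch.log: a DDNS-STALE entry points at the router's DDNS client (or the dormant-account behaviour Rob describes), SITE-OFFLINE at the modem or ISP, and TUNNEL-DOWN with the WAN still answering at the IPsec negotiation itself.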
 

Expert Comment

by:cygereric
ID: 16980515
Ok, when in doubt, look for a physical reason. Story time, don't know if this will help. Had a client that was losing the router connection to their cross-city office (back in the 56k days); every time it happened (usually on Wednesdays but sometimes Tuesdays or Thursdays) it happened at or near 4:50 AM. I was baffled, all the settings were right on both ends and it was a dedicated connection. Well, for some reason I decided to go sit at the far end and watch it happen. So I arrived at 4:00 AM and sat there in the room (which doubled as a larger conference room). At 4:45, I heard a rumbling sound coming down the hallway, and watched as the maid came in the door and unplugged the power strip that ran the router, and plugged in her vacuum. Problem solved.
 
LVL 77

Expert Comment

by:Rob Williams
ID: 16980554
:-)  Never overlook the obvious !  Love it !!!  :-)
 

Author Comment

by:tonysheridan
ID: 16986561
Doh!!  (note to self... when changing DDNS settings in the router don't forget to click "Save Changes")

DynDns is working now.  Still not sure if the VPN's will stay connected but at least I will have a backup way to find the remote sites if they do go down again.

 
LVL 77

Expert Comment

by:Rob Williams
ID: 16986999
>>"in the router don't forget to click "Save Changes")"
Been there, done that.  :-)

Thanks Tony. Let us know how it goes.
--Rob
 

Author Comment

by:tonysheridan
ID: 17010441
Follow up, we still ended up having disconnect problems with the VPN's.  We replaced the DSL modems at a few of the sites and we are going on 3 solid days without a disconnect.  They were using "2-wire" and speedstream 4100 modems and I replaced them with Speedstream 5100's.
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17010656
That is good to hear. Not to suggest a problem with the other units, but I have 6-8 5100s at various sites with different routers, all with VPNs, and they seem to work great.