Solved

GRE passthrough for VPN using Linksys WRT54G V5?

Posted on 2006-07-16
23
9,904 Views
Last Modified: 2013-11-09
Is there any way to make this work, or am I looking a new router?
Question by:jb1013
23 Comments
 
LVL 22

Expert Comment

by:rickhobbs
Yes.  GRE passthrough = Allow IPSEC.   Under advanced select Allow IPSEC
0
 
LVL 22

Expert Comment

by:rickhobbs
I am sorry.  It is under Security.
0
 
LVL 1

Author Comment

by:jb1013
Unfortunately that does not do the trick.  Error 628 at the point of authentication.  From what I've been reading for some reason V5 of this router does not support GRE despite having the IPSec Passthrough and PPTP passthrough settings enabled.
0
 
LVL 22

Assisted Solution

by:rickhobbs
rickhobbs earned 500 total points
Then you are probably looking at a new router.  I would call their tech support and raise hell first.
0
 
LVL 1

Author Comment

by:jb1013
Doing it right now.
0
 
LVL 22

Expert Comment

by:rickhobbs
Check this URL, it is about the same problem.  It says D-link also won't work.  You need to get a Netgear.
0
 
LVL 22

Expert Comment

by:rickhobbs
Hey!  Check out this site. http://vowe.net/archives/004600.html
0
 
LVL 1

Author Comment

by:jb1013
Thanks Rick,

I've been looking at some of the alternative firmware, but apparently the V5 does not support the Linux firmwares that previous models did/do.  I've always recommended Linksys routers, but I guess that may be changing.  I'll just switch to a D-Link that I know will work.

Thanks again for your help.  I'm going to leave open this evening just to see if someone comes up with something I've not found, but chances are you'll be getting the points by tomorrow.
0
 
LVL 22

Expert Comment

by:rickhobbs
I have been searching all over.  Everybody comes to the conclusion we have.  One guy said "Turn off the firewall", but what would be the point of the unit without it?
0
 
LVL 1

Author Comment

by:jb1013
Exactly, thanks for your help.
0
 
LVL 77

Expert Comment

by:Rob Williams
Actually the WRT54G does support VPN pass-through.
http://www.linksys.com/servlet/Satellite?c=L_Product_C2&childpagename=US%2FLayout&cid=1149562300349&pagename=Linksys%2FCommon%2FVisitorWrapper
To enable GRE check "PPTP pass-through" rather than IPSec.

There can be other reasons GRE is blocked though.
Where is the WRT54G located: at the VPN client site or the VPN server site?
Is this a router you are connecting to or a Windows VPN server?
Is the modem at either site a combined router and modem?
A 628 error usually is not a GRE or PPTP pass-through error but more likely port forwarding or an incorrectly configured VPN server. Have you forwarded port 1723 at the VPN server site?
0
 
LVL 1

Author Comment

by:jb1013
Everything I've read says that all versions of the WRT54G work except v5 due to the GRE limitation?

WRT54G is at the server site.  I'm attempting to connect to a Windows VPN Server.  PPTP and IPSec passthrough are enabled.  All the recommended ports are forwarded in the router to the server.

I believe the modem does have routing capabilities, but I'm almost certain it is in bridge mode.  Sorry, I don't have the model of the modem or access to it until Tues to confirm that.

0
 
LVL 77

Expert Comment

by:Rob Williams
You may be right with that particular V#. I have used 2 of them with older versions. I have to admit that the WRT54G does have a couple of peculiarities, unlike all the other Linksys units.

However, if GRE were the problem you most often get a 721 or 678 error. Without GRE/PPTP actually you can often make a connection but cannot communicate. Though this may be part of the problem I would tend to look at other options first.
First thing to check is that basic traffic is reaching the VPN server. Log on to that PC and go to http://www.canyouseeme.org and test for port 1723. It will advise if the basic VPN routing is reaching the VPN server. If test is negative you may have a routing or port forward issue.
This does not test for GRE. If the test is positive/successful then check the server configuration or you can use the pptpclnt.exe and pptpsrv.exe GRE test utilities which are available as part of the Windows Resource Kit or from:
http://www3.ns.sympatico.ca/malagash/Downloads/Net/

Software firewalls such as the Windows firewall, ZoneAlarm, McAfee, Symantec can block VPN traffic. These can be configured to allow VPN traffic but you should disable for testing. Also Symantec's antivirus has a feature "Internet worm protection" that tends to block VPNs.
Do not turn off the firewall on the router.

0
 
LVL 1

Author Comment

by:jb1013
I can telnet into 1723, and canyousee.org shows it can reach the service on 1723.  No Firewalls other than in the router itself.

Running the GRE testing programs did not work.  Packets sent to the IP address of the router, but not received at the server.

Very frustrating.  Linksys support just continually danced all around the question concerning GRE.  But I never got an answer one way or the other.  They blamed it on the OS.  But, I got the feeling I was getting the brush off.

I'm going to try a router that I know works on Tuesday.

Thanks for the tips on the PPTP testing programs from the Resource Kit.  Very useful!
0
 
LVL 77

Expert Comment

by:Rob Williams
>>"Linksys support just continually danced all around the question concerning GRE"
Surprised they knew what you were talking about. <G> I am afraid they are not much help.

Definitely sounds like GRE being blocked. Perhaps it is the WRV54G. The only other thing to check is that neither end of the tunnel has 2 NAT (Network Address Translation) devices such as a router. This will usually cause problems.
The router at either site should have a true public IP assigned to its WAN/Internet interface, not a private such as:
192.168.x.x
10.x.x.x
172.16-31.x.x
If the router has a private WAN IP there is another router or combined modem/router performing NAT and this can block GRE.

One last thought, on occasion, though not very common, the ISP or modem may not support the protocol.
0
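Added example, not part of the original thread or any poster's code: the two checks discussed above (TCP 1723 reaching the server does not prove GRE, IP protocol 47, arrives too; a private WAN address on the router points to a second NAT device) applied to raw IPv4 packets seen at the VPN server. The function names, status strings and sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

PPTP_TCP_PORT = 1723      # control channel, the port forwarded in the thread
PROTO_TCP, PROTO_GRE = 6, 47
PPTP_GRE_TYPE = 0x880B    # protocol type in PPTP's enhanced GRE header (RFC 2637)
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(packet: bytes) -> str:
    """Label one raw IPv4 packet: 'pptp-control', 'pptp-gre' or 'other'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    payload = packet[ihl:]
    if len(payload) < 4:
        return "other"
    first, second = struct.unpack("!HH", payload[:4])
    # TCP: the first two 16-bit words are source and destination port
    if packet[9] == PROTO_TCP and PPTP_TCP_PORT in (first, second):
        return "pptp-control"
    # GRE: low 3 bits of the first word are the version (1 for PPTP)
    if packet[9] == PROTO_GRE and first & 0x7 == 1 and second == PPTP_GRE_TYPE:
        return "pptp-gre"
    return "other"

def diagnose(server_capture, router_wan_ip):
    """Return (status, double_nat) for packets seen at the VPN server."""
    kinds = {classify(p) for p in server_capture}
    if "pptp-control" not in kinds:
        status = "no-control"      # TCP 1723 never arrived: port forward/routing
    elif "pptp-gre" not in kinds:
        status = "gre-blocked"     # control arrives, IP protocol 47 does not
    else:
        status = "ok"
    wan = ipaddress.ip_address(router_wan_ip)
    return status, any(wan in net for net in PRIVATE_NETS)

def ipv4(proto, payload, src="203.0.113.10", dst="192.168.1.10"):
    """Build a constructed IPv4 packet (checksum left 0, not validated here)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + payload

# Constructed sample packets, not captured from any real network
CONTROL = ipv4(PROTO_TCP, struct.pack("!HH", 50000, PPTP_TCP_PORT) + bytes(16))
GRE = ipv4(PROTO_GRE, struct.pack("!HHHHI", 0x3001, PPTP_GRE_TYPE, 0, 1, 0))

if __name__ == "__main__":
    print(diagnose([CONTROL], "203.0.113.5"))       # control only, public WAN
    print(diagnose([CONTROL, GRE], "192.168.1.2"))  # both arrive, private WAN
```

A "gre-blocked" status with a public WAN address matches the symptom reported in this thread: port 1723 reachable, GRE test packets sent to the router but never received at the server.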
 
LVL 1

Author Comment

by:jb1013
The WAN side of the router definitely has a true public IP address assigned to it.  Like I said I think the modem may have routing capabilities, but I'm pretty sure it's in bridge mode.  I'll find out tomorrow, when I go to the site.  Thanks for all your help!
0
 
LVL 77

Expert Comment

by:Rob Williams
If in bridge, that's fine. Good luck !
--Rob
0
 
LVL 22

Accepted Solution

by:
rickhobbs earned 500 total points
A lot of the messages I read on the WWW indicate that once Cisco took over Linksys they eliminated GRE passthru.  Probably to make you buy a more expensive router.  But unless everyone else stops supporting it, I think they are just shooting themselves through the foot (like IBM did with Micro-channel).
0
 
LVL 1

Author Comment

by:jb1013
D-Link router did the trick for the VPN although I seem to be having other problems with Remote Desktop, and things like pinging computers by name when connected to the VPN.  I'll likely be starting a new thread.  Thanks for the help.
0
 
LVL 77

Expert Comment

by:Rob Williams
I hope from the accepted answer, everyone who follows doesn't think that Cisco has "eliminated GRE passthru" on all Linksys routers. Perhaps a problem with that model, but certainly is not the case. Glad to hear the D-Link worked.

If you have a connection but cannot ping, make sure the subnets at either end of the tunnel are different, and the firewalls are disabled (for testing) on the computers to which you are trying to connect.
--Rob
0
 
LVL 22

Expert Comment

by:rickhobbs
I am glad that we now know that V5 of the Linksys WRT54g doesn't work, at least.  Will save someone time in the future.
0
 
LVL 77

Expert Comment

by:Rob Williams
I tried a WRT54G V3.0 yesterday with a Windows PPTP client, and the WatchGuard IPSec client, and it was fine, but there are definitely issues with the WRT54G's and maybe more with the V5. Lots of people have had problems with different VPNs, although primarily Linksys' own IPSec QuickVPN client, behind that particular model. I don't know why some people do, and some don't. Other models, except some of the very old ones with old firmware, are fine.
Thanks for the update. As you say, excellent information to know.
0
