  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 9958

GRE passthrough for VPN using Linksys WRT54G V5?

Is there any way to make this work, or am I looking at a new router?
0
jb1013
Asked:
2 Solutions
 
Rick Hobbs RETIRED Commented:
Yes.  GRE passthrough = Allow IPSEC.  Under Advanced, select Allow IPSEC.
0
 
Rick Hobbs RETIRED Commented:
I am sorry.  It is under Security.
0
 
jb1013 Author Commented:
Unfortunately that does not do the trick.  Error 628 at the point of authentication.  From what I've been reading, for some reason V5 of this router does not support GRE despite having the IPSec Passthrough and PPTP Passthrough settings enabled.
0
 
Rick Hobbs RETIRED Commented:
Then you are probably looking at a new router.  I would call their tech support and raise hell first.
0
 
jb1013 Author Commented:
Doing it right now.
0
 
Rick Hobbs RETIRED Commented:
Check this URL, it is about the same problem.  It says D-link also won't work.  You need to get a Netgear.
0
 
Rick Hobbs RETIRED Commented:
0
 
Rick Hobbs RETIRED Commented:
Hey!  Check out this site. http://vowe.net/archives/004600.html
0
 
jb1013 Author Commented:
Thanks Rick,

I've been looking at some of the alternative firmware, but apparently the V5 does not support the Linux firmwares that previous models did/do.  I've always recommended Linksys routers, but I guess that may be changing.  I'll just switch to a D-Link that I know will work.

Thanks again for your help.  I'm going to leave this open this evening just to see if someone comes up with something I've not found, but chances are you'll be getting the points by tomorrow.
0
 
Rick Hobbs RETIRED Commented:
I have been searching all over.  Everybody comes to the conclusion we have.  One guy said "Turn off the firewall", but what would be the point of the unit without it?
0
 
jb1013 Author Commented:
Exactly, thanks for your help.
0
 
Rob Williams Commented:
Actually the WRT54G does support VPN pass-through.
http://www.linksys.com/servlet/Satellite?c=L_Product_C2&childpagename=US%2FLayout&cid=1149562300349&pagename=Linksys%2FCommon%2FVisitorWrapper
To enable GRE check "PPTP pass-through" rather than IPSec.

There can be other reasons GRE is blocked though.
Where is the WRT54G located: at the VPN client site or the VPN server site?
Is this a router you are connecting to or a Windows VPN server?
Is the modem at either site a combined router and modem?
A 628 error usually is not a GRE or PPTP pass-through error but more likely port forwarding or an incorrectly configured VPN server. Have you forwarded port 1723 at the VPN server site?
0
 
jb1013 Author Commented:
Everything I've read says that all versions of the WRT54G work except v5 due to the GRE limitation?

WRT54G is at the server site.  I'm attempting to connect to a Windows VPN Server.  PPTP and IPSec passthrough are enabled.  All the recommended ports are forwarded in the router to the server.

I believe the modem does have routing capabilities, but I'm almost certain it is in bridge mode.  Sorry, I don't have the model of the modem or access to it until Tues to confirm that.

0
 
Rob Williams Commented:
You may be right with that particular V#. I have used 2 of them with older versions. I have to admit that the WRT54G does have a couple of peculiarities, unlike all the other Linksys units.

However, if GRE were the problem you most often get a 721 or 678 error. Without GRE/PPTP actually you can often make a connection but cannot communicate. Though this may be part of the problem I would tend to look at other options first.
First thing to check is that basic traffic is reaching the VPN server. Log on to that PC and go to http://www.canyouseeme.org and test for port 1723. It will advise if the basic VPN routing is reaching the VPN server. If the test is negative you may have a routing or port forward issue.
This does not test for GRE. If the test is positive/successful then check the server configuration or you can use the pptpclnt.exe and pptpsrv.exe GRE test utilities which are available as part of the Windows Resource Kit or from:
http://www3.ns.sympatico.ca/malagash/Downloads/Net/

Software firewalls such as the Windows firewall, ZoneAlarm, McAfee, Symantec can block VPN traffic. These can be configured to allow VPN traffic but you should disable them for testing. Also Symantec's antivirus has a feature "Internet worm protection" that tends to block VPNs.
Do not turn off the firewall on the router.

0
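Added example (not part of the original thread): the two-stage check described in the post above, applied to raw IPv4 packets as seen at the VPN server, separating the PPTP control channel (TCP 1723) from the GRE data channel (IP protocol 47). The function names, addresses and sample packets are constructed for illustration.

```python
import struct

PPTP_CONTROL_PORT = 1723            # TCP control channel (the forwarded port)
IPPROTO_TCP, IPPROTO_GRE = 6, 47    # GRE is its own IP protocol and has no ports

def classify(packet: bytes) -> str:
    """Label one raw IPv4 packet as 'pptp-control', 'gre' or 'other'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"                      # truncated or not IPv4
    ihl = (packet[0] & 0x0F) * 4            # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "other"
    proto = packet[9]                       # protocol field of the IPv4 header
    if proto == IPPROTO_GRE:
        return "gre"
    if proto == IPPROTO_TCP and len(packet) >= ihl + 4:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if PPTP_CONTROL_PORT in (sport, dport):
            return "pptp-control"
    return "other"

def diagnose(packets) -> str:
    """Summarise what reached the server during one connection attempt."""
    seen = {classify(p) for p in packets}
    if "pptp-control" not in seen:
        return "no TCP 1723 at server: check port forwarding or routing"
    if "gre" not in seen:
        return "TCP 1723 arrives but no GRE: a device in the path drops protocol 47"
    return "TCP 1723 and GRE both arrive: check the VPN server configuration"

def ipv4(proto: int, payload: bytes, src="203.0.113.10", dst="192.168.1.10") -> bytes:
    """Build a minimal IPv4 packet (checksum left at 0) for the samples below."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    header = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
    return header + addr(src) + addr(dst) + payload

# Constructed samples: a TCP SYN to port 1723 and an enhanced-GRE (version 1,
# protocol type 0x880B) header of the kind PPTP uses for tunnelled data.
TCP_SYN_1723 = ipv4(IPPROTO_TCP,
                    struct.pack("!HHIIBBHHH", 50000, 1723, 0, 0, 0x50, 0x02, 8192, 0, 0))
GRE_PPTP = ipv4(IPPROTO_GRE, struct.pack("!HHHH", 0x2001, 0x880B, 0, 1))

if __name__ == "__main__":
    print(diagnose([TCP_SYN_1723]))             # port test passes, GRE never shows up
    print(diagnose([TCP_SYN_1723, GRE_PPTP]))   # both channels reach the server
```

A successful port 1723 test only exercises the first branch; the second result is what a GRE-blocking router looks like from the server side.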
 
jb1013 Author Commented:
I can telnet into 1723, and canyouseeme.org shows it can reach the service on 1723.  No firewalls other than in the router itself.

Running the GRE testing programs did not work.  Packets sent to the IP address of the router, but not received at the server.

Very frustrating.  Linksys support just continually danced all around the question concerning GRE.  But I never got an answer one way or the other.  They blamed it on the OS.  But, I got the feeling I was getting the brush off.

I'm going to try a router that I know works on Tuesday.

Thanks for the tips on the PPTP testing programs from the Resource Kit.  Very useful!
0
 
Rob Williams Commented:
>>"Linksys support just continually danced all around the question concerning GRE"
Surprised they knew what you were talking about. <G> I am afraid they are not much help.

Definitely sounds like GRE being blocked. Perhaps it is the WRV54G. The only other thing to check is that neither end of the tunnel has 2 NAT (Network Address Translation) devices such as a router. This will usually cause problems.
The router at either site should have a true public IP assigned to its WAN/Internet interface, not a private one such as:
192.168.x.x
10.x.x.x
172.16-31.x.x
If the router has a private WAN IP there is another router or combined modem/router performing NAT and this can block GRE.

One last thought, on occasion, though not very common, the ISP or modem may not support the protocol.
0
 
jb1013 Author Commented:
The WAN side of the router definitely has a true public IP address assigned to it.  Like I said, I think the modem may have routing capabilities, but I'm pretty sure it's in bridge mode.  I'll find out tomorrow, when I go to the site.  Thanks for all your help!
0
 
Rob Williams Commented:
If in bridge, that's fine. Good luck !
--Rob
0
 
Rick Hobbs RETIRED Commented:
A lot of the messages I read on the WWW indicate that once Cisco took over Linksys they eliminated GRE passthru.  Probably to make you buy a more expensive router.  But unless everyone else stops supporting it, I think they are just shooting themselves through the foot (like IBM did with Micro-channel).
0
 
jb1013 Author Commented:
D-Link router did the trick for the VPN although I seem to be having other problems with Remote Desktop, and things like pinging computers by name when connected to the VPN.  I'll likely be starting a new thread.  Thanks for the help.
0
 
Rob Williams Commented:
I hope from the accepted answer, everyone who follows doesn't think that Cisco has "eliminated GRE passthru" on all Linksys routers. Perhaps a problem with that model, but certainly is not the case. Glad to hear the D-Link worked.

If you have a connection but cannot ping, make sure the subnets at either end of the tunnel are different, and the firewalls are disabled (for testing) on the computers to which you are trying to connect.
--Rob
0
 
Rick Hobbs RETIRED Commented:
I am glad that we now know that V5 of the Linksys WRT54G doesn't work, at least.  Will save someone time in the future.
0
 
Rob Williams Commented:
I tried a WRT54G V3.0 yesterday with a Windows PPTP client, and the WatchGuard IPSec client, and it was fine, but there are definitely issues with the WRT54Gs and maybe more with the V5. Lots of people have had problems with different VPNs, although primarily Linksys' own IPSec QuickVPN client, behind that particular model. I don't know why some people do, and some don't. Other models, except some of the very old ones with old firmware, are fine.
Thanks for the update. As you say, excellent information to know.
0
