Jinesh Kumar Kochath
Port forwarding in ADSL router Linksys
Actually we had some problem with our old router and today we replaced our router with Linksys model WAG200G.
Also we use ISA, for VPN clients we have to forward ports and I have forwarded the following ports also from this new router
50
500
51
1723
After this, when the VPN dial-up connection tries to establish a connection, it only shows "verifying user name and password".
It was working fine with our old router. Are there any other things to be checked for VPNs in this router?
Your earliest response is highly appreciated
Jinesh
You need to set up protocol 47/50/51 forwarding; they're not TCP/UDP ports, they're IP protocol numbers.
There should be some sort of IPSec/PPTP passthrough option you need to enable on your router.
ASKER
I opened all ports mentioned above
I tried all these options and IPSEC/PPTP is also enabled in my router
please advise how to solve this issue
regards
Jinesh
ASKER
Hi Rekolitus
you mentioned before:
"You need to setup protocol 47/50/51 forwarding; they're not TCP/UDP ports, they're IP protocol numbers."
I did it as TCP/UDP, other than where I have to forward these ports
They don't have anything to do with TCP or UDP ports. They're IP protocol numbers which you need to forward. You need to configure your router to forward IP protocols 47/50/51 to your LAN machine.
ASKER
done it and still not working dear
How is your VPN created? I assume since you are forwarding ports you are using the built-in Windows firewall; if so, it uses PPTP.
(note below, that if not using PPTP your VPN protocol may not be supported)
Also, is this your sole connection device, i.e. modem and router. If so fine. But if you have an additional routing device, port forwarding will need to be enabled as well.
Updating to the latest firmware is also a good idea if having problems.
To reiterate what Rekolitus stated:
PPTP (most likely option) requires:
Forward only TCP 1723
Enable GRE, protocol 47 (not port 47) by enabling PPTP pass-through on the Security 'tab' page of the WAG200G
L2TP over IPSec requires:
To allow IKE forward UDP port 500.
To allow IPSec NAT-T forward port UDP 4500.
To allow L2TP forward port UDP 1701.
If using ESP (Encapsulating Security Payload), protocol 50, enable IPSec pass-through on the Security 'tab' page of the WAG200G
If using AH (Authentication Header Protocol), protocol 51, you need another router; yours does not support this protocol
IPSec requires:
To allow IKE forward UDP port 500.
To allow IPSec NAT-T forward port UDP 4500.
If using ESP (Encapsulating Security Payload), protocol 50, enable IPSec pass-through on the Security 'tab' page of the WAG200G
If using AH (Authentication Header Protocol), protocol 51, you need another router; yours does not support this protocol
Once done, verify the port forwarding is working by logging onto the VPN server, going to http://www.canyouseeme.org and testing the appropriate port to see that it is forwarded correctly. This will not allow you to test protocols.
Assuming that is working correctly, and you are using the "standard" Windows PPTP VPN, Microsoft has a pair of test tools, pptpsrv and pptpclnt, to test for GRE pass-through, which are available as part of the Windows resource kit or from:
http://www3.ns.sympatico.ca/malagash/Downloads/Net/
Log onto the client or VPN server machine and connect to the other with remote desktop, or a similar remote management tool. At a command line on the client machine, run pptpclnt and on the server run pptpsrv. The client machine will send a set of GRE packets to the server and it should show as received if GRE is able to pass. The server is then supposed to respond and the client indicate received, but I have never had that part work. The one direction client to server is usually enough to test.
Following links outline the use of the test tools:
http://www.howtonetworking.com/Tools/testgre.htm
See VPN traffic:
http://www.microsoft.com/technet/community/columns/cableguy/cg0105.mspx
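The port-versus-protocol distinction from the answer above, as an added example that is not part of the original thread: a small Python model that reads the protocol field of constructed IPv4 packets and checks them against a router's port-forward rules and pass-through settings. The packets, addresses, rule sets and function names are assumptions made for illustration, and the router is modelled, not the WAG200G's actual firmware logic.

```python
import struct

# IANA IP protocol numbers named in the thread; only TCP and UDP carry ports.
PROTO_NAMES = {6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}

def ipv4_packet(proto, payload):
    """Build a minimal constructed IPv4 packet (documentation addresses, checksum 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, bytes([203, 0, 113, 10]), bytes([192, 0, 2, 1]))
    return header + payload

def l4_ports(sport, dport):
    """First four bytes of a TCP or UDP header, zero-padded."""
    return struct.pack("!HH", sport, dport) + bytes(16)

def classify(packet):
    """Return (protocol name, destination port or None) from raw IPv4 bytes."""
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto = packet[9]                     # protocol field of the IPv4 header
    name = PROTO_NAMES.get(proto, str(proto))
    if proto in (6, 17):
        return name, struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return name, None                     # GRE/ESP/AH: no port to match on

def forwarded(packet, port_rules, passthrough):
    """Modelled NAT router: port rules match TCP/UDP, pass-through matches protocols."""
    name, dport = classify(packet)
    if dport is not None:
        return (name, dport) in port_rules
    return name in passthrough

# Constructed sample traffic for the VPN types listed in the answer.
SAMPLES = {
    "PPTP control (TCP 1723)": ipv4_packet(6, l4_ports(49152, 1723)),
    "PPTP data (GRE, protocol 47)": ipv4_packet(47, b"\x30\x01\x88\x0b" + bytes(8)),
    "IKE (UDP 500)": ipv4_packet(17, l4_ports(500, 500)),
    "IPSec ESP (protocol 50)": ipv4_packet(50, bytes(16)),
}

def report(port_rules, passthrough):
    return {k: forwarded(p, port_rules, passthrough) for k, p in SAMPLES.items()}

# 50, 51, 500 and 1723 entered as TCP/UDP ports, modelled here without pass-through.
AS_PORTS = {(t, p) for t in ("TCP", "UDP") for p in (50, 51, 500, 1723)}
# The answer's PPTP setup: TCP 1723 forwarded plus PPTP (GRE) pass-through.
PPTP_FIX = ({("TCP", 1723)}, {"GRE"})

if __name__ == "__main__":
    for label, args in (("ports only", (AS_PORTS, set())), ("PPTP fix", PPTP_FIX)):
        print(label, report(*args))
```

With port rules alone, the TCP 1723 control packet matches but the GRE and ESP packets match nothing, because they have no port field for a rule to compare against.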
ASKER
Hi Robwill as I explained in my old post, I had some problems with my old router, that is why now I purchased Linksys model WAG200G.
Everything is configured and working fine, except VPN
for that I have forwarded the following ports from router
50
51
500
1723
Also enabled IPSEC/PPTP pass-through, all those services are enabled, but after this, when my VPN clients try to connect, they get a message saying "verifying user name and password" and then it disconnects.
Now tell me what extra steps I have to do in my router WAG200G
Awaiting your feedback
regards
Jinesh
The point is those are the only steps. I provided the port forwarding information as you had not advised of the type of VPN.
As asked, what type of VPN are you using, or how is it created. I assume Windows default PPTP VPN? If so there is no need of UDP 500, and at no point does forwarding 50 and 51 help.
Are there any other routing devices between the Internet and the VPN server, other than the WAG200G?
Have you run the canyouseeme and the pptpsrv/pptpclnt tests I outlined? Any luck with those?
Do you get an error message # when it fails to connect such as 721, 800, 691, or similar?
ASKER
I am out of office now.
tomorrow morning I will test it and let you know all these.
We are using ISA 2004 server with VPN
No other routing devices, router ethernet cable is connected directly to external network card of ISA server and my old router is working fine. The only issue is with dyndns.org, that is why we changed the router as you instructed in our last post.
Regarding canyouseeme.org I will do it tomorrow morning, now I am at home, tomorrow morning I will come back to you.
thanks a lot
Jinesh
OK sounds good.
The canyouseeme and pptpsrv/clnt tests should help to narrow down the problem area.
Let us know how it goes.
It would be good to confirm the VPN protocol, if possible, since you are using ISA it could be pptp/l2tp/ipsec.
Also was there a connection error # ?
ASKER
Hi
After referring to a Microsoft document, I have enabled the DMZ port in the router and forwarded the ISA external IP from this port.
Then VPN started working.
regards
Jinesh Kumar
To my knowledge Cisco (owner of Linksys) took all VPN support (inbound, that is) out of the Linksys routers and modems. So no more inbound VPN connections are available unless you start to use the router in the DMZ as described above.
regards,
MZeggie.
If enabling the DMZ on the router makes the VPN or any applications recognized by the router, it only means that the right port is NOT yet properly open on the router, and that is the reason why the firewall is blocking it.
Though not the WAG200G...the ports are similar to use.