Setup VPN Server

I have a problem setting up a VPN server on a Linksys RV016, and also which kind of VPN client I need to choose to create.
Can you give the step-by-step procedure to create a VPN server on the Linksys RV016 and also the VPN client?
What is the difference between client to router gateway and VPN client access?
I researched on the http://www.linksysinfo.org/ forum, but my VPN still can't work.

My network diagram is like this:
I have 2 ISP modems which connect to the Linksys RV016, and the Linksys connects to a switch.
1st modem, the IP address is 10.0.0.138.
2nd modem, the IP address is 10.0.1.138.
IP address of the Linksys RV016 is 192.168.100.41.
In the Linksys RV016 configuration, I set 2 WANs.
1st WAN IP address is 10.0.0.1.
Default gateway is 10.0.0.138.

2nd WAN IP address is 10.0.1.1.
Default gateway is 10.0.1.138.

That's all.
Thanks for helping.
 
jssco Asked:
 
Rob Williams Commented:
You have 3 primary options with the Linksys RV016:
1) Use the router in pass-through mode only. In this case you use the Windows server as a VPN server. Not recommended, but works fine.
2) Use the Linksys QuickVPN client to create an IPSec tunnel with the RV016. Very simple and secure. Probably your best option if you can get it working. Some folks have had problems with this client, mostly connecting from behind some models of routers at remote sites. The client can be found (2nd item - free):
http://www.linksys.com/servlet/Satellite?c=L_Download_C2&childpagename=US%2FLayout&cid=1115417109974&packedargs=sku%3D1115416833102&pagename=Linksys%2FCommon%2FVisitorWrapper
3) The RV042/82 have a recent update, so I assume the RV016 does as well, that allows a PPTP VPN to be created with the router, using the Windows VPN client. Though a little less secure, it may be less problematic. You require the most recent firmware, available from the same link above.

I suspect the problem with your current configuration is the number of "hops" at each site. The RV016 needs its WAN interface to be assigned a true public IP. You are showing it as a private 10.x.x.x IP behind another NAT (Network Address Translation) device, which most VPNs, especially the Linksys, do not like. If it is as simple as the RV016 behind a modem that is a combined modem and router, you can resolve it by putting the modem in bridge mode, effectively making it a simple modem. The WAN/public IP will then be assigned to the RV016's WAN interface.
Also remember that all network segments that are part of your VPN, local and remote, need to be different. For example, you cannot have 2 segments (networks between any 2 routers) with 10.0.1.x.
0
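The two conditions raised in the answer above (a gateway WAN port that holds a NAT-side address, and VPN segments that overlap) can be checked with a short script. This is an added example, not part of the original thread; the addresses are the ones posted in the question, while the /24 masks on the modem links and the remote office LAN are assumptions made for illustration.

```python
import ipaddress

# Ranges that are only reachable from the Internet through a NAT device:
# RFC 1918 private space plus RFC 6598 carrier-grade NAT space.
NAT_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def behind_nat(addr):
    """True if addr cannot be the endpoint a remote VPN client dials directly."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NAT_RANGES)


def audit_vpn_plan(wan_ips, segments):
    """Return findings for a gateway's WAN addresses and all VPN segments.

    wan_ips:  {interface name: address assigned to the gateway's WAN port}
    segments: {segment name: CIDR} for every local and remote network
    """
    findings = []
    for ifname, addr in sorted(wan_ips.items()):
        if behind_nat(addr):
            findings.append(f"{ifname}: {addr} is a NAT-side address, "
                            "the upstream modem holds the public IP")
    nets = {n: ipaddress.ip_network(c, strict=False) for n, c in segments.items()}
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return findings


# Addresses from the thread; the /24 masks on the modem links and the
# remote office LAN are constructed for this example.
WAN_IPS = {"WAN1": "10.0.0.1", "WAN2": "10.0.1.1"}
SEGMENTS = {
    "modem1-link": "10.0.0.0/24",
    "modem2-link": "10.0.1.0/24",
    "rv016-lan": "192.168.100.0/24",
    "remote-lan": "10.0.1.0/24",   # constructed: clashes with modem2-link
}

if __name__ == "__main__":
    for finding in audit_vpn_plan(WAN_IPS, SEGMENTS):
        print(finding)
```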
 
jssco Author Commented:
Hi, RobWill.
I had tried before to configure your question 2 setting, but it still can't work.
My setting is: I created a VPN client access in the RV016.
After that, I tried to install QuickVPN on the client PC. I just entered the username, password and server address as the public address of the router, 10.0.x.x.
And then I also enabled all settings in VPN pass-through, such as PPTP, L2TP and IPSec.

Can you tell me what mistake I am facing now?
Isn't my setting correct?
Referring to my network diagram, is it very hard to set up a VPN? Or do I need to redesign the network? Any suggestions?

Thanks,
Kelvin.
0
 
Rob Williams Commented:
Kelvin, you do not need to enable PPTP, L2TP and IPSec pass-through. These are only for option #1 above.
The configuration is very straightforward as you suggested, but the network configuration is important.

It looks as if your configuration is as follows:

            |=> Modem 1   => WAN port 1 =>|
            |   10.0.0.138   10.0.0.1     |
Internet => |                             |=> RV016 LAN
            |=> Modem 2   => WAN port 2 =>|   192.168.100.41
            |   10.0.1.138   10.0.1.1     |

In order for the VPN to work, the RV016 needs to be assigned your public IP address. Therefore both modems, which are currently using NAT (Network Address Translation), need to be put in bridge mode. This will effectively make them simple modems. You can then configure the WAN ports of the RV016 with the ISP connection information.

I am assuming your ISP has not assigned the 10.0.x.x IP's, and this was done by the modem. If the ISP is performing NAT and assigning the 10.0.x.x IP's then you cannot configure a VPN. However, the latter is quite rare.

Once you have made the changes, if you still cannot connect, try connecting the remote client PC directly to a modem, bypassing any routers at the remote site, as a test.
--Rob
0
 
jssco Author Commented:
Hi, Rob.

In both modems, I didn't configure any NAT setting.
My ISP address is 202.136.x.x for modem 2 and 203.123.x.x for modem 1.
If I use QuickVPN, does my RV016 need to be configured as Client to Gateway, or do I just create VPN Client access?

I checked my modem and router; how do I configure bridge mode if the modem is using NAT?

Just now you mentioned it: how do I test using a remote client PC connected to the modem, bypassing the routers?


              |=> Modem 1   => WAN port 1 =>|
203.123.x.x   |   10.0.0.138   10.0.0.1     |
Internet =>   |                             |=> RV016 LAN      => switch
              |=> Modem 2   => WAN port 2 =>|   192.168.100.41    192.168.100.43
202.136.x.x   |   10.0.1.138   10.0.1.1     |                     ||         ||         ||
                                                                  PC         PC         PC
                                                               x.x.x.205  x.x.x.206

In the RV016 settings,
I configured Client to Gateway.
In Client to Gateway, the settings are:
Local Group Setting
-----------------------
Local Security Gateway Type = IP Only
IP Address = 10.0.0.1
Local Security Group Type = subnet
IP address  = 192.168.100.0
Subnet Mask = 255.255.255.0

Remote Client Setup
------------------------
Remote Client = IP + FQDN
IP Address = 203.123.x.x
Domain Name = xxxxxx.dyndns.org

IPSec Setup
--------------
I am using all default settings...
I just set preshared key = secretkey

Is my setting OK for setting up a VPN?
Thanks.
Kelvin.
0
 
Rob Williams Commented:
I wasn't suggesting you configured NAT on the modem, but rather it is enabled by default. That is why the RV016 has private IP addresses of 10.0.0.1 and 10.0.1.1. You need to put the modems in bridge mode so that the public IP's 203.123.x.x and 202.136.x.x are assigned to the WAN ports of the RV016. This is necessary so that your VPN client is connecting directly to the RV016, rather than the modem.

Also if you are using the QuickVPN client, you only need to go to the "VPN"/"VPN client access" page and add a user name, password, and enable to set up the VPN. It is extremely easy if using the QuickVPN client. No other configuration is necessary on the router.

Make sure you have the latest firmware as well. They keep making improvements and adding features.
0
 
jssco Author Commented:
Hi, Rob.
I checked the modem; it doesn't have any bridge configuration.
So, how do I set up bridge mode? Any suggestions?

thanks.
kelvin.
0
 
Rob Williams Commented:
Kelvin, what make and model are the modems? Maybe I can come up with some options.
--Rob
0
 
jssco Author Commented:
Rob,

The modem model is SpeedTouch series 500.

Kelvin.
0
 
Rob Williams Commented:
I have to step out for a while, but I will look into this further when I get back. I did find this "fix" for the 530 that may be of some help. You may want to look at the whole thread in the link:
The steps are:
1. telnet to the modem 10.0.0.138
2. at the prompt "=>" type "nat"
3. at the prompt "[nat]=>" type "unbind application=IKE port=500"
4. at the prompt "[nat]=>" type ".."
5. at the prompt "=>" type "config save"
6. type "exit" to exit
From: http://forums.whirlpool.net.au/forum-replies-archive.cfm/285476.html
0
 
Rob Williams Commented:
0
 
jssco Author Commented:
Hi, Rob.
If I don't want to put both modems in bridge mode, can I use modem 1 as VPN Connection?

If I do it like this, what configuration can I do?

Thanks.
Kelvin
0
 
Rob Williams Commented:
>>"can I use modem 1 as VPN Connection?"
Because it is an incoming connection, you can really only use one IP/modem anyway, so that is fine. You still need to put one modem in bridge mode. I was hoping the above links would help you to do so.
0
 
jssco Author Commented:
Rob,
Why do I need to configure the modem in bridge mode?
I looked at the link that you sent me, and I am a bit confused because I looked at this link: http://www.ozcableguy.com/alcatel.html#bridging. In the "VPN Passthrough for SpeedTouch 570, 510 and 530 modems" section, what do all these commands mean...
--------------------------------------------------------------------------------------------------
enter command 'nat unbind application=ESP port=1' or 'nat unbind application=ESP'. [these are interchangeable but must be entered exactly as shown, without the ']
Then enter 'nat unbind application=IKE port=500'.
----------------------------------------------------------------------------------------------------
What is the difference between "Configuring the Pro to allow other services through" and "VPN Passthrough for SpeedTouch 570, 510 and 530 modems"? Which one should I prefer?


Thanks.
Kelvin
0
 
Rob Williams Commented:
>>"Why do I need to configure the modem in bridge mode?"
When you connect from a remote site, you are connecting to 203.123.x.x. This IP is that of the modem, not the VPN router. Putting the modem in bridge mode assigns the 203.123.x.x to the router's WAN IP, as it should be.

>>"What do all these commands mean"
Apparently these are the necessary commands to re-configure the modem to put it in bridge mode. Make sure you make notes of the existing configuration in case you need to change it back. There are some differences in those links, so first I would see if the options are similar to your SpeedTouch. Some Internet Service Providers will configure the modem for you if you like.

By the way, I noticed there is a firmware update for your router as of the middle of October. This has a couple of important improvements, especially if you are using the QuickVPN client.

The other option might be to enable port forwarding on the modem for port 1723 to the Linksys, and enable VPN pass-through. This will not normally work, but might with the Linksys firmware update which adds NAT-T capabilities. I would still recommend the bridge mode option.

0
 
jssco Author Commented:
Rob,

Before Bridge Mode:

              |=> Modem 1   => WAN port 1 =>|
203.123.x.x   |   10.0.0.138   10.0.0.1     |
Internet =>   |                             |=> RV016 LAN      => switch
              |=> Modem 2   => WAN port 2 =>|   192.168.100.41    192.168.100.43
202.136.x.x   |   10.0.1.138   10.0.1.1     |                     ||         ||         ||
                                                                  PC         PC         PC
                                                               x.x.x.205  x.x.x.206

After Bridge Mode:
                  (Bridge Mode)
              |=> Modem 1   => WAN port 1 =>|
203.123.x.x   |   10.0.0.138   203.123.x.x  |
Internet =>   |                             |=> RV016 LAN      => switch
              |=> Modem 2   => WAN port 2 =>|   192.168.100.41    192.168.100.43
202.136.x.x   |   10.0.1.138   10.0.1.1     |                     ||         ||         ||
                                                                  PC         PC         PC
                                                               x.x.x.205  x.x.x.206

Then my VPN Client Access can allow the VPN client to pass through the RV016 and access the LAN. Is my theory correct, based on the network diagram above?

Thanks.
kelvin
0
 
Rob Williams Commented:
Yes, correct. The modem IP's may not be quite as shown, but the router will be correct. It is possible you may have some other configuration issues with the VPN, but this is a first step. As for LAN users accessing Internet they should have no problem at all.
0
 
jssco Author Commented:
Rob,

If my public IP address is dynamic, is the VPN easy to maintain? Or should I use a static IP address?
What is the best solution for the public IP address for a VPN?

Thanks.
kelvin
0
 
Rob Williams Commented:
Static IP's are better for VPN's, if for no other reason than they do not change, but you do not have to use a static. You can use a dynamic IP address and a DDNS (Dynamic Domain Name Service) such as www.dyndns.com or www.no-ip.com to track the changing dynamic IP. That works fine. I have at least a dozen set up that way.
0
 
jssco Author Commented:
Rob,
I didn't change anything in the modem.
I used the VPN client directly.
I work but when connecting to the VPN router, in the client VPN, it takes a very long time verifying the network. What is the problem with my setting?

I didn't configure any bridge mode.

What mistake have I made?
kelvin.
0
 
Rob Williams Commented:
>>"it takes a very long time verifying the network"
But does it eventually connect?
0
 
jssco Author Commented:
Rob,

Yes, I checked my VPN router, and it showed online in the VPN client section.
After a few minutes, it popped up a message saying that the remote gateway is not responding.

So, what problem occurred?

kelvin
0
 
Rob Williams Commented:
Does the RV016 still have a 10.0.x.x IP address? If so, I have no idea how it is even making the initial connection. If you have set up port forwarding on the modem you may get an initial connection, but you may have problems accessing resources.
Have you made any changes to the modem at all, or is it still in its default NAT mode?
0
 
jssco Author Commented:
I am still using the default NAT.
How do I check the RV016 IP address?
I didn't set up port forwarding on my modem.
I just installed QuickVPN on the client side, and set up a VPN client on the VPN router.
0
 
Rob Williams Commented:
>>"How do I check the RV016 IP address?"
Log on to the router and on the first page, the "Summary" page, it should show "LAN IP" and "WAN IP".

>>"I didn't set up port forwarding on my modem.
I just installed QuickVPN on the client side, and set up a VPN client on the VPN router."
Then it cannot work. Your QuickVPN client is pointing to 203.123.x.x, which is the modem, not the router.
0
 
jssco Author Commented:
But I checked the VPN client status, and it showed online.
If it still points to the modem IP, how come I can see the status of the VPN client is online?
By the way, it still can't go through the router.

When I connect QuickVPN and then try to ping 192.168.100.x,
it shows "negotiating security".

I checked my RV016 IP address; it is still a private IP address (10.0.x.x).
0
 
jssco Author Commented:
I checked my incoming log table.
I got this message. Does this message mean a connection to the LAN is being attempted?

TCP 58.185.88.50:15029->10.0.0.1:443 on ixp1
0
 
Rob Williams Commented:
That does indicate an incoming connection on port 443. It may be the VPN, as QuickVPN uses port 443 or 60443. But if you have remote management of the router enabled with HTTPS, that will also use port 443. Also, if you have an Exchange or web server enabled, it could be using secure connections with port 443.

Not questioning you have a connection, but from my experience I have no idea how.
0
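To sort a longer incoming log by the services named in this thread, the entries can be parsed and grouped as below. This is an added example, not part of the original posts: only the first sample line is the entry quoted above, the other lines are constructed, and the assumption is that UDP entries use the same layout as the TCP one.

```python
import ipaddress
import re

# Line layout copied from the thread's log entry; that UDP entries use the
# same layout is an assumption.
LINE = re.compile(r"^(TCP|UDP) ([\d.]+):(\d+)->([\d.]+):(\d+) on (\S+)$")

# Ports named in the thread, plus UDP 4500 (the standard IPSec NAT-T port).
SERVICES = {
    ("TCP", 443): "QuickVPN or HTTPS (remote management, web/Exchange)",
    ("TCP", 60443): "QuickVPN",
    ("TCP", 1723): "PPTP",
    ("UDP", 500): "IKE",
    ("UDP", 4500): "IPSec NAT-T",
}


def parse_entry(line):
    """Parse one incoming-log line; return None if it is not in the known layout."""
    m = LINE.match(line.strip())
    if not m:
        return None
    proto, src, _sport, dst, dport, iface = m.groups()
    try:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    except ValueError:
        return None
    return {"proto": proto, "src": str(src_ip), "dst": str(dst_ip),
            "dport": int(dport), "iface": iface, "dst_private": dst_ip.is_private,
            "service": SERVICES.get((proto, int(dport)))}


def vpn_hits(lines):
    """Group VPN-related entries as service -> sorted source IPs, and collect
    private destination addresses (a router WAN port sitting behind NAT)."""
    by_service, natted = {}, set()
    for entry in filter(None, map(parse_entry, lines)):
        if entry["service"] is None:
            continue
        by_service.setdefault(entry["service"], set()).add(entry["src"])
        if entry["dst_private"]:
            natted.add(entry["dst"])
    return {s: sorted(v) for s, v in by_service.items()}, sorted(natted)


# First line is the entry quoted in the thread; the rest are constructed.
SAMPLE = [
    "TCP 58.185.88.50:15029->10.0.0.1:443 on ixp1",
    "TCP 58.185.88.50:15031->10.0.0.1:60443 on ixp1",
    "UDP 58.185.88.50:500->10.0.0.1:500 on ixp1",
    "TCP 198.51.100.7:40112->10.0.0.1:8080 on ixp1",
    "garbled line",
]
```

Calling `vpn_hits(SAMPLE)` returns the grouped sources together with `['10.0.0.1']`, the private WAN address the traffic arrived on.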
 
jssco Author Commented:
Rob,

http://www.ozcableguy.com/stfaq.htm

On this link, questions 9 & 10.
Can you look at it? I have some confusion about bridge and NAT.
In the above link, it uses NAT to configure the modem.
 
Can you help?
 
Kelvin
0
 
Rob Williams Commented:
Questions 9 & 10 deal with port forwarding rather than changing to bridge mode. Though there is a possibility this will work, I am extremely doubtful. If you were forwarding the traffic directly to a VPN server, such as a Windows RRAS server, that would be ideal, but the RV016 usually requires that it be assigned a public address. The only way I know of doing this is to put the modem in bridge mode.
0
 
jssco Author Commented:
From the remote client, I use QuickVPN to connect to the RV016 router.
When connecting, it gets as far as verifying the network. It hangs for a few minutes.
I think it is 6 minutes, because I went to the router's web management and checked the VPN summary.
After that, it showed an info screen that told me "The remote gateway is not responding. You will now be disconnected, please try again."

So, what happened to my QuickVPN? What is blocking my connection to the LAN?
0
 
Rob Williams Commented:
Have you put the modem in bridge mode?
0
 
jssco Author Commented:
I asked the ISP provider's support team, and they said the modem is in bridge mode by default.
So I checked the user interface, and I can't see any bridge setting.

So I logged in to CLI mode, and then I got this information.

[bridge]=>iflist
OBC       : Internal
            Connection State : connected   Port : OBC   PortState : forwarding
            RX bytes: 1168227641 frames: 26353412
            TX bytes: 850299333  frames: 26307699     dropframes: 0

eth0      : Internal
            Connection State : connected   Port : eth0   PortState : forwarding
            RX bytes: 860150756  frames: 12968992
            TX bytes: 518253997  frames: 13415215     dropframes: 30

Is my bridge already configured?

0
 
Rob Williams Commented:
Sorry, I don't know the unit to be able to tell from that. However, I cannot see how it could be in bridge mode and the Linksys have a 10.0.x.x WAN address.
0
 
jssco Author Commented:
Thanks, Rob.
I got my VPN connection,
but I can't view my shared folder when my VPN is established.
But I can use remote desktop.
What step did I miss to allow viewing the shared folder on the LAN?
0
 
jssco Author Commented:
Rob, can the RV016 divert port 80 requests for the dynamic line and other ports go to the static line?
0
 
Rob Williams Commented:
If your modem forwards traffic to the RV016 then services such as remote desktop will work. However, the only suggestion I have to allow full access to resources such as file shares is to put the modem in bridge mode. Sorry, I have no other ideas.

>>"can the RV016 divert port 80 requests for the dynamic line and other ports go to the static line?"
Sorry, I do not understand that question. Can you elaborate?
If you mean can WAN1 be dynamic and WAN2 static, yes, that will work fine.

0
Question has a verified solution.