Solved

Setup VPN Server

Posted on 2006-11-24
Last Modified: 2008-01-09
I have a problem setting up a VPN server on a Linksys RV016, and also which kind of VPN client do I need to choose?
Can you give the step-by-step instructions to create a VPN server on the Linksys RV016 and also the VPN client?
What is the difference between client to router gateway and VPN client access?
I did research on the http://www.linksysinfo.org/ forum, but my VPN still can't work.

My network diagram is like this:
I have 2 ISP modems which connect to the Linksys RV016, and the Linksys connects to a switch.
1st modem, the IP address is 10.0.0.138.
2nd modem, the IP address is 10.0.1.138.
IP address of the Linksys RV016 is 192.168.100.41.
In the Linksys RV016 configuration, I set 2 WANs.
1st WAN ip address is 10.0.0.1.
Default gateway is 10.0.0.138.

2nd WAN ip address is 10.0.1.1.
Default gateway is 10.0.1.138.

That's all.
Thanks for helping.
 
Question by:jssco
36 Comments
 
LVL 77

Accepted Solution

by:
Rob Williams earned 250 total points
ID: 18007755
You have 3 primary options with the Linksys RV016:
1) use the router in pass-through mode only. In this case you use the Windows server as a VPN server. Not recommended, but works fine.
2) use the Linksys QuickVPN client to create an IPSec tunnel with the RV016. Very simple and secure. Probably your best option if you can get it working. Some folks have had problems with this client, mostly connecting from behind some models or routers at remote sites. The client can be found (2nd item - free):
http://www.linksys.com/servlet/Satellite?c=L_Download_C2&childpagename=US%2FLayout&cid=1115417109974&packedargs=sku%3D1115416833102&pagename=Linksys%2FCommon%2FVisitorWrapper
3) the RV042/82 have a recent update, so I assume the RV016 does as well, that allows a PPTP VPN to be created with the router, using the Windows VPN client. Though a little less secure, it may be less problematic. You require the most recent firmware, available from the same link above.

I suspect the problem with your current configuration is the number of "hops" at each site. The RV016 needs its WAN interface to be assigned a true public IP. You are showing it as a private 10.x.x.x IP behind another NAT (Network Address Translation) device, which most VPNs, especially the Linksys, do not like. If it is as simple as the RV016 behind a modem that is a combined modem and router, you can resolve this by putting the modem in bridge mode, effectively making it a simple modem. The WAN/public IP will then be assigned to the RV016's WAN interface.
Also remember that all network segments that are part of your VPN, local and remote, need to be different. For example, you cannot have 2 segments (networks between any 2 routers) with 10.0.1.x.
0
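Added example (not part of the thread and not written by its participants): a Python check for the two conditions the answer above describes, a router WAN address that sits behind another NAT device and VPN network segments that overlap. The addresses come from the thread; the /24 masks on the modem links, the remote site and the 203.0.113.10 placeholder are assumptions made for the example.

```python
import ipaddress
from itertools import combinations

# Address ranges that imply an upstream NAT device: RFC 1918 private space
# plus the RFC 6598 carrier-grade NAT block.
NAT_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def wan_behind_nat(wan_ip):
    """Return True if the WAN address sits behind another NAT device."""
    ip = ipaddress.ip_address(wan_ip)
    return any(ip in net for net in NAT_RANGES)


def overlapping_segments(segments):
    """Return sorted name pairs of segments whose address ranges overlap."""
    nets = {name: ipaddress.ip_network(cidr, strict=False)
            for name, cidr in segments.items()}
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))


def audit(wan_ips, segments):
    """Collect the findings that would stop the VPN described in the thread."""
    findings = []
    for port, ip in sorted(wan_ips.items()):
        if wan_behind_nat(ip):
            findings.append(f"{port}: {ip} is not a public address; "
                            "bridge the modem so the router holds the public IP")
    for a, b in overlapping_segments(segments):
        findings.append(f"{a} and {b} overlap; renumber one of them")
    return findings


# Addresses from the thread; the /24 masks on the modem links and the whole
# remote site are assumptions made for this example.
WAN_IPS = {"WAN1": "10.0.0.1", "WAN2": "10.0.1.1"}
SEGMENTS = {
    "modem1-link": "10.0.0.0/24",
    "modem2-link": "10.0.1.0/24",
    "office-lan": "192.168.100.0/24",
    "remote-lan": "10.0.1.0/24",   # constructed: remote router using 10.0.1.x
}

if __name__ == "__main__":
    for line in audit(WAN_IPS, SEGMENTS):
        print(line)
    # After bridging modem 1; 203.0.113.10 is a documentation placeholder
    # standing in for the elided public address.
    print(audit({"WAN1": "203.0.113.10"},
                {"office-lan": "192.168.100.0/24",
                 "remote-lan": "192.168.1.0/24"}))
```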
 
LVL 1

Author Comment

by:jssco
ID: 18017272
Hi, RobWill.
I tried before to configure your question 2 setting, but it still can't work.
My setting is: I created a VPN client access in the RV016.
After that, I tried to install QuickVPN on the client PC. I just entered the username, password and server address as the public address of the router, 10.0.x.x.
And then I also enabled all settings in VPN pass-through, such as PPTP, L2TP and IPSec.

Can you tell me what mistake I am facing now?
Isn't my setting correct?
Referring to my network diagram, isn't it very hard to set up a VPN? Or do I need to redesign the network? Any suggestions?

Thanks,
Kelvin.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18019305
Kelvin, you do not need to enable PPTP, L2TP and IPSec pass-through. These are only for option #1 above.
The configuration is very straightforward as you suggested, but the network configuration is important.

It looks as if your configuration is as follows:

            |=> Modem 1    => WAN port 1 =>|
            |   10.0.0.138    10.0.0.1     |
Internet => |                              |=> RV016 LAN
            |=> Modem 2    => WAN port 2 =>|   192.168.100.41
            |   10.0.1.138    10.0.1.1     |

In order for the VPN to work, the RV016 needs to be assigned your public IP address. Therefore both modems, which are currently using NAT (Network Address Translation), need to be put in bridge mode. This will effectively make them simple modems. You can then configure the WAN ports of the RV016 with the ISP connection information.

I am assuming your ISP has not assigned the 10.0.x.x IPs, and this was done by the modem. If the ISP is performing NAT and assigning the 10.0.x.x IPs then you cannot configure a VPN. However, the latter is quite rare.

Once you have made the changes, if you still cannot connect, try connecting the remote client PC directly to a modem, bypassing any routers at the remote site, as a test.
--Rob
0
 
LVL 1

Author Comment

by:jssco
ID: 18024692
Hi, Rob.

On both modems, I didn't configure any NAT setting.
My ISP address is 202.136.x.x for modem 2 and 203.123.x.x for modem 1.
If I use QuickVPN, does my RV016 need to be configured as Client to Gateway, or do I just create VPN Client access?

I checked my modem and router; how do I configure bridge mode if the modem is using NAT?

Just now you mentioned it: how do I test using the remote client PC to connect to the modem, bypassing routers?


               |=> Modem 1    => WAN port 1 =>|
203.123.x.x    |   10.0.0.138    10.0.0.1     |
Internet =>    |                              |=> RV016 LAN      => switch
               |=> Modem 2    => WAN port 2 =>|   192.168.100.41    192.168.100.43
202.136.x.x    |   10.0.1.138    10.0.1.1     |                     ||        ||        ||
                                                                    PC        PC        PC
                                                                 x.x.x.205 x.x.x.206

In the RV016 settings,
I configured client to gateway.
In Client to Gateway, the settings are:
Local Group Setting
-----------------------
Local Security Gateway Type = IP Only
IP Address = 10.0.0.1
Local Security Group Type = subnet
IP address  = 192.168.100.0
Subnet Mask = 255.255.255.0

Remote Client Setup  
------------------------
Remote Client = IP + FQDN
IP Address = 203.123.x.x
Domain Name = xxxxxx.dyndns.org

IPSec Setup    
--------------
All I am using is the default settings.
I just set preshared key = secretkey

Isn't my setting OK for setting up a VPN?
Thanks.
Kelvin.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18025086
I wasn't suggesting you configured NAT on the modem, but rather it is enabled by default. That is why the RV016 has a private IP address of 10.0.0.1 and 10.0.1.1. You need to put the modems in bridge mode so that the public IPs 203.123.x.x and 202.136.x.x are assigned to the WAN ports of the RV016. This is necessary so that your VPN client is connecting directly to the RV016, rather than the modem.

Also if you are using the Quick VPN client, you only need to go to the "VPN"/"VPN client access" page and add a user name, password, and enable to set up the VPN. It is extremely easy if using the QuickVPN client. No other configuration is necessary on the router.

Make sure you have the latest firmware as well. They keep making improvements and adding features.
0
 
LVL 1

Author Comment

by:jssco
ID: 18033342
Hi, Rob.
I checked the modem; it doesn't have any bridge configuration.
So how do I set up bridge mode? Any suggestions?

thanks.
kelvin.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18033352
Kelvin, what make and model are the modems? Maybe I can come up with some options.
--Rob
0
 
LVL 1

Author Comment

by:jssco
ID: 18033385
Rob,

The modem model is SpeedTouch series 500.

Kelvin.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18033445
I have to step out for a while, but I will look into this further when I get back, but I did find this "fix" for the 530, that may be of some help. You may want to look at the whole thread in the link:
The steps are:
1. telnet to the modem 10.0.0.138
2. at the prompt "=>" type "nat"
3. at the prompt "[nat]=>" type "unbind application=IKE port=500"
4. at the prompt "[nat]=>" type ".."
5. at the prompt "=>" type "config save"
6. type "exit" to exit
From: http://forums.whirlpool.net.au/forum-replies-archive.cfm/285476.html
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18034042
0
 
LVL 1

Author Comment

by:jssco
ID: 18042118
Hi, Rob.
If I don't want to put the 2 modems in bridge mode, can I use modem 1 as VPN Connection?

If I do it like this, what configuration can I do?

Thanks.
Kelvin
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18042365
>>"can I use modem 1 as VPN Connection?"
Because it is an incoming connection, you can really only use one IP/modem anyway, so that is fine. You still need to put one modem in bridge mode. I was hoping the above links would help you to do so.
0
 
LVL 1

Author Comment

by:jssco
ID: 18042397
Rob,
Why need configure modem as a bridge mode?
I looked at the link that you sent to me, and I am a bit confused because I looked at this link: http://www.ozcableguy.com/alcatel.html#bridging. In the "VPN Passthrough for SpeedTouch 570, 510 and 530 modems" section, What all this command meaning for...
--------------------------------------------------------------------------------------------------
enter command 'nat unbind application=ESP port=1' or 'nat unbind application=ESP'. [these are interchangeable but must be entered exactly as shown, without the ']
Then enter 'nat unbind application=IKE port=500'.
----------------------------------------------------------------------------------------------------
What different "Configuring the Pro to allow other services through" and "VPN Passthrough for SpeedTouch 570, 510 and 530 modems"? Which I want pefer to??


Thanks.
Kelvin
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18042671
>>"Why need configure modem as a bridge mode?"
When you connect from a remote site, you are connecting to 203.123.x.x. This IP is that of the modem, not the VPN router. Putting the modem in bridge mode assigns the 203.123.x.x to the router's WAN IP, as it should be.

>>"What all this command meaning "
Apparently these are the necessary commands to re-configure the modem to put it in bridge mode. Make sure you make notes of the existing configuration in case you need to change it back. There are some differences in those links, so first I would see if the options are similar to your SpeedTouch. Some Internet Service providers will configure the modem for you if you like.

By the way I noticed there is a firmware update for your router as of the middle of October. This has a couple of important improvements, especially if you are using the QuickVPN client.

The other option might be to enable port forwarding on the modem for port 1723 to the Linksys, and enable VPN pass-through. This will not normally work, but might with the Linksys firmware update which adds NAT-T capabilities. I would still recommend the bridge mode option.

0
 
LVL 1

Author Comment

by:jssco
ID: 18042740
Rob,

Before Bridge Mode:

               |=> Modem 1    => WAN port 1 =>|
203.123.x.x    |   10.0.0.138    10.0.0.1     |
Internet =>    |                              |=> RV016 LAN      => switch
               |=> Modem 2    => WAN port 2 =>|   192.168.100.41    192.168.100.43
202.136.x.x    |   10.0.1.138    10.0.1.1     |                     ||        ||        ||
                                                                    PC        PC        PC
                                                                 x.x.x.205 x.x.x.206

After Bridge Mode:
                   (Bridge Mode)
               |=> Modem 1    => WAN port 1 =>|
203.123.x.x    |   10.0.0.138    203.123.x.x  |
Internet =>    |                              |=> RV016 LAN      => switch
               |=> Modem 2    => WAN port 2 =>|   192.168.100.41    192.168.100.43
202.136.x.x    |   10.0.1.138    10.0.1.1     |                     ||        ||        ||
                                                                    PC        PC        PC
                                                                 x.x.x.205 x.x.x.206

Then my VPN Client Access can allow the VPN client to pass through the RV016 and access the LAN. Isn't my theory correct, based on the network diagram above?

Thanks.
kelvin
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18043145
Yes, correct. The modem IP's may not be quite as shown, but the router will be correct. It is possible you may have some other configuration issues with the VPN, but this is a first step. As for LAN users accessing Internet they should have no problem at all.
0
 
LVL 1

Author Comment

by:jssco
ID: 18050277
Rob,

If my public IP address is dynamic, is it easy to maintain the VPN? Or should I use a static IP address?
What is the best solution for the VPN to use a public IP address?

Thanks.
kelvin
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18050317
Static IPs are better for VPNs, if for no other reason than they do not change, but you do not have to use a static. You can use a dynamic IP address and a DDNS (Dynamic Domain Name Service) such as www.dyndns.com or www.no-ip.com to track the changing dynamic IP. That works fine. I have at least a dozen set up that way.
0
 
LVL 1

Author Comment

by:jssco
ID: 18065431
Rob,
I didn't change anything in the modem.
I use the VPN client directly.
I work but when connecting to VPN router. In the client VPN, it take very long time to verifying network. What is the problem with my setting?

I didn't configure any bridge mode.

What mistake have I made?
kelvin.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18065470
>>" it take very long time to verifying network"
But does it eventually connect?
0
 
LVL 1

Author Comment

by:jssco
ID: 18065516
Rob,

Yes, I checked my VPN router; it shows online in the VPN client section.
After a few minutes, it pops up a message saying that the remote gateway is not responding.

So, what problem is occurring?

kelvin
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18065572
Does the RV016 still have a 10.0.x.x IP address? If so, I have no idea how it is even making the initial connection. If you have set up port forwarding on the modem you may get an initial connection but you may have problems accessing resources.
Have you made any changes to the modem at all, or is it still in its default NAT mode?
0
 
LVL 1

Author Comment

by:jssco
ID: 18065612
I am still using the default NAT.
how to check RV016 ip address?
I didn't setup port forwarding in my modem.
I just install QuickVPN in client side. and setup a VPN Client in vpn ROUTER..
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18065669
>>"how to check RV016 ip address?"
Log on to the router and on the first page, the "Summary" page, it should show "LAN IP" and "WAN IP".

>>"I didn't setup port forwarding in my modem.
I just install QuickVPN in client side. and setup a VPN Client in vpn ROUTER.."
Then it cannot work. Your QuickVPN client is pointing to 203.123.x.x which is the modem, not the router.
0
 
LVL 1

Author Comment

by:jssco
ID: 18065701
But I checked the VPN Client status, and it shows online.
If it still points to the modem's IP, how come I can see the status of the VPN Client is online?
By the way, it still can't go through the router.

When I connect QuickVPN and then try to ping 192.168.100.x,
it shows "negotiating security".

I checked my RV016 IP address; it is still a private IP address (10.0.x.x).
0
 
LVL 1

Author Comment

by:jssco
ID: 18065719
I checked my incoming log table.
I got this message; does this message mean it is trying to connect to the LAN?

TCP 58.185.88.50:15029->10.0.0.1:443 on ixp1
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18065754
That does indicate an incoming connection on port 443. It may be the VPN, as the QuickVPN uses port 443 or 60443. But also, if you have remote management of the router enabled with https, that will also use port 443. Also, if you have an Exchange or web server enabled, it could be using secure connections with port 443.

Not questioning you have a connection, but from my experience I have no idea how.
0
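Added example (not part of the thread and not written by its participants): a Python parser for incoming-log entries in the format quoted above, listing what each destination port could be according to the replies in this thread. Only the first sample line is from the thread; the other lines, and the assumption that every entry follows the same format, are constructed for the example.

```python
import ipaddress
import re

LOG_RE = re.compile(
    r"^(TCP|UDP)\s+(\d+(?:\.\d+){3}):(\d+)->(\d+(?:\.\d+){3}):(\d+)\s+on\s+(\S+)$")

# What each destination port can mean, using the ports named in this thread
# (443 and 60443 for QuickVPN, 1723 for PPTP, IKE on 500).
CANDIDATES = {
    ("TCP", 443): ["QuickVPN", "HTTPS remote management", "HTTPS server on the LAN"],
    ("TCP", 60443): ["QuickVPN"],
    ("TCP", 1723): ["PPTP"],
    ("UDP", 500): ["IPSec IKE"],
}

SAMPLE_LOG = [
    "TCP 58.185.88.50:15029->10.0.0.1:443 on ixp1",     # from the thread
    "TCP 58.185.88.50:15031->10.0.0.1:443 on ixp1",     # constructed
    "TCP 198.51.100.7:40112->10.0.0.1:60443 on ixp1",   # constructed
    "UDP 198.51.100.7:500->10.0.0.1:500 on ixp1",       # constructed
    "garbled entry",                                    # constructed
]


def parse_line(line):
    """Parse one incoming-log entry; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    proto, src, sport, dst, dport, iface = m.groups()
    try:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    except ValueError:          # e.g. an octet above 255
        return None
    return {"proto": proto, "src": src_ip, "sport": int(sport),
            "dst": dst_ip, "dport": int(dport), "iface": iface}


def triage(lines):
    """Group entries by (source, proto, dport) and note what each could be."""
    report = {}
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        cands = CANDIDATES.get((e["proto"], e["dport"]), ["unknown"])
        row = report.setdefault((str(e["src"]), e["proto"], e["dport"]), {
            "count": 0,
            "candidates": cands,
            # More than one candidate: the entry alone does not prove a VPN.
            "ambiguous": len(cands) > 1,
            # For traffic arriving from the Internet, a private destination
            # means an upstream device rewrote the address before logging.
            "dst_private": e["dst"].is_private,
        })
        row["count"] += 1
    return report


if __name__ == "__main__":
    for key, row in triage(SAMPLE_LOG).items():
        print(key, row)
```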
 
LVL 1

Author Comment

by:jssco
ID: 18073603
Rob,

http://www.ozcableguy.com/stfaq.htm

On this link, questions 9 & 10.
Can you look at it? I have some confusion about bridge and NAT.
On the above link, it is using NAT to configure the modem.
 
Can you help?
 
Kelvin
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18084701
Questions 9 & 10 deal with port forwarding rather than changing to bridge mode. Though there is a possibility this will work, I am extremely doubtful. If you were forwarding the traffic directly to a VPN server, such as a Windows RRAS server, that would be ideal, but the RV016 usually requires that it be assigned a public address. The only way I know of doing this is to put the modem in bridge mode.
0
 
LVL 1

Author Comment

by:jssco
ID: 18091905
From the remote client, I use QuickVPN to connect to the RV016 router.
When connecting, it gets as far as "verifying network" and hangs for a few minutes.
I think it is 6 minutes, because I went to the router's web management and checked the VPN summary.
After that, it showed an info screen telling me that "The remote gateway is not responding. You will now be disconnected, please try again."

So, what is happening to my QuickVPN? What is blocking my connection to the LAN?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18092499
Have you put the modem in bridge mode?
0
 
LVL 1

Author Comment

by:jssco
ID: 18098378
I asked the ISP support team; they said the modem is in bridge mode by default.
So I checked the user interface, but I can't see a bridge setting.

So I logged in to CLI mode and got this information.

[bridge]=>iflist
OBC       : Internal
            Connection State : connected   Port : OBC   PortState : forwarding
            RX bytes: 1168227641 frames: 26353412
            TX bytes: 850299333  frames: 26307699     dropframes: 0

eth0      : Internal
            Connection State : connected   Port : eth0   PortState : forwarding
            RX bytes: 860150756  frames: 12968992
            TX bytes: 518253997  frames: 13415215     dropframes: 30

Has my bridge already been configured?

0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18098613
Sorry, I don't know the unit to be able to tell from that. However, I cannot see how it could be in bridge mode and the Linksys have a 10.0.x.x WAN address.
0
 
LVL 1

Author Comment

by:jssco
ID: 18113127
Thanks, Rob.
I got my VPN connection,
but I can't view my shared folder when my VPN is established.
But I can use remote desktop.
What step did I miss to allow viewing the shared folder on the LAN?
0
 
LVL 1

Author Comment

by:jssco
ID: 18113275
Rob, can RV016 divert port 80 request for dynamic line and other port go to static line??
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18115366
If your modem forwards traffic to the RV016 then services such as remote desktop will work, however, the only suggestion I have to allow full access to resources such as file shares is to put the modem in bridge mode. Sorry I have no other ideas.

>>"can RV016 divert port 80 request for dynamic line and other port go to static line??"
Sorry, I do not understand that question. Can you elaborate?
If you mean can WAN1 be dynamic and WAN2 static, yes that will work fine.

0
