• Status: Solved
  • Priority: Medium
  • Security: Public

Need VPN Client software for specific conditions.

I need VPN client software that will allow me to connect to a Linksys WRV54G based VPN tunnel using 3DES/SHA1 and a pre-shared key.  It must allow me to do so without using a username and password.  Cisco's VPN software and the Linksys QuickVPN solution will not work in this scenario.  Any suggestions?
Rob Williams Commented:
TheGreenBow will work, but you will need a user name and password. I believe you can save them in the configuration to make an automatic connection.
Specific documentation for the WRV54G:
sc456a (Author) Commented:
Thanks for the links.  That product didn't completely work (I can never make a complete connection), but I didn't have to use a username and password - I'm using it as an IPSEC tunnel which, if I'm correct doesn't require usernames and passwords.  Linksys actually has documentation that leads you through complicated secpol modification to force traffic through the tunnel, but that never works either.

Any other ideas?
Rob Williams Commented:
>"I'm correct doesn't require usernames and passwords"
Actually, I'm sorry, it doesn't. There is only a pre-shared key. I was thinking you will need the user name and password to log on to the remote system.

>>"Any other ideas?"
Another router <G>
The WRV54G and the BEFxxx series have never been terribly popular for client-to-site VPN's. They tend to be difficult to configure and sometimes a little flaky. They are great for site to site, however it should work.

>>" product didn't completely work "

>"Linksys actually has documentation that leads you through complicated secpol modification to force traffic through the tunnel"
Do you mean on the workstation? That shouldn't be necessary at all.
How far does it get? Do you have any log files you can make available? (block 2 octets of your public IP if you do so).

sc456a (Author) Commented:
Here is the Greenbow log:

20070402 230256 Default (SA WRV54G-P1) SEND phase 1 Main Mode  [SA] [VID] [VID] [VID] [VID]
20070402 230256 Default (SA WRV54G-P1) RECV phase 1 Main Mode  [SA]
20070402 230256 Default (SA WRV54G-P1) SEND phase 1 Main Mode  [KEY_EXCH] [NONCE]
20070402 230256 Default (SA WRV54G-P1) RECV phase 1 Main Mode  [KEY_EXCH] [NONCE]
20070402 230256 Default (SA WRV54G-P1) SEND phase 1 Main Mode  [HASH] [ID]
20070402 230303 Default (SA WRV54G-P1) SEND phase 1 Main Mode  [HASH] [ID]
20070402 230326 Default message_recv: invalid cookie(s) cd5e50c79f7addee 265df81fa48f8b2f
20070402 230326 Default dropped message from due to notification type INVALID_COOKIE
20070402 230326 Default (SA <unknown>) SEND Informational  [NOTIFY] with INVALID_COOKIE error
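
Reading the log above as an IKE phase 1 Main Mode exchange shows how far the negotiation got. The following is an added example, not part of the original thread or of TheGreenBow's tooling, that parses lines in this format and reports the stalled message pair; the stage names and the `analyze` function are assumptions of this example.

```python
import re

# Log lines copied from the TheGreenBow log in the post above.
SAMPLE_LOG = """\
20070402 230256 Default (SA WRV54G-P1) SEND phase 1 Main Mode  [SA] [VID] [VID] [VID] [VID]
20070402 230256 Default (SA WRV54G-P1) RECV phase 1 Main Mode  [SA]
20070402 230256 Default (SA WRV54G-P1) SEND phase 1 Main Mode  [KEY_EXCH] [NONCE]
20070402 230256 Default (SA WRV54G-P1) RECV phase 1 Main Mode  [KEY_EXCH] [NONCE]
20070402 230256 Default (SA WRV54G-P1) SEND phase 1 Main Mode  [HASH] [ID]
20070402 230303 Default (SA WRV54G-P1) SEND phase 1 Main Mode  [HASH] [ID]
20070402 230326 Default message_recv: invalid cookie(s) cd5e50c79f7addee 265df81fa48f8b2f
20070402 230326 Default dropped message from due to notification type INVALID_COOKIE
20070402 230326 Default (SA <unknown>) SEND Informational  [NOTIFY] with INVALID_COOKIE error
"""

# One Main Mode event: direction plus the bracketed payload list.
EVENT = re.compile(r"\(SA [^)]*\) (SEND|RECV) phase 1 Main Mode\s+((?:\[\w+\]\s*)+)")
# The first payload identifies which Main Mode message pair a line belongs to.
STAGES = {"SA": "1-2 proposal", "KEY_EXCH": "3-4 key exchange", "HASH": "5-6 authentication"}

def analyze(log):
    """Report which Main Mode message pairs completed and where the exchange stalled."""
    sent, received = {}, set()
    for line in log.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # informational and error lines are checked separately below
        stage = STAGES.get(re.findall(r"\[(\w+)\]", m.group(2))[0])
        if stage is None:
            continue
        if m.group(1) == "SEND":
            sent[stage] = sent.get(stage, 0) + 1
        else:
            received.add(stage)
    completed = [s for s in STAGES.values() if s in sent and s in received]
    # A stage that was sent but never answered is where the peer went silent.
    stalled = next((s for s in STAGES.values() if s in sent and s not in received), None)
    return {
        "completed": completed,
        "stalled": stalled,
        "retransmits": sent[stalled] - 1 if stalled else 0,
        "invalid_cookie": "INVALID_COOKIE" in log,
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the posted log this reports pairs 1-2 and 3-4 as completed and the exchange stalled at message 5, the first encrypted message of Main Mode, after one retransmission.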
Rob Williams Commented:
According to TheGreenBow, an invalid cookie error; "means that one of the endpoint is using a SA that is no more in use. Reset the VPN connection on each side."
Not much help.

Make sure that if using PFS (Perfect Forward Secrecy), it is set the same on both ends (on/off), and I would use aggressive mode rather than main mode.
There is a lot to configure, so it's difficult to diagnose without viewing both ends.
WRV54G doesn't have much to offer in the way of a log to see what it is receiving.
If desperate might be worth setting up a syslog "server". You can get one for free from:
Log viewer:
sc456a (Author) Commented:
TheGreenbow technical support went the extra mile in trying to get it to work, and in the end told me it was because the WRV54G doesn't support NAT-T.  Can anyone think of a way around this?
Rob Williams Commented:
No, but to confirm that is the issue, can you try with a client machine connected directly to a DSL/modem? Make sure the Windows firewall is enabled, and Windows and virus updates are current.
sc456a (Author) Commented:
OK so I finally caved and re-configured the network the WRV54G is setup on to a different network type (10.x.x.x), which the WRV54G forces you to do in order to use their QuickVPN software.  I disabled all of the VPN tunnels I created manually.
This actually worked, but now I have another problem - only one device can connect at a time!  It's supposed to support up to 50 tunnels, so something isn't right.  I'm connecting from behind a WRT54GS using NAT.  I'm unsure what to do because no matter which of my two devices (Windows XP notebooks using QuickVPN) I try to connect first, the other will not connect and simply says:
"The remote gateway is not responding.  You will now be disconnected, please try again later."

I'm using QuickVPN 1.039.

Any ideas?
Rob Williams Commented:
I am surprised you had to change to Both sites need to use different subnets but they shouldn't have to be 10.x.x.x

You can't connect multiple clients from the same site in this scenario. There are 2 issues that come into play, all clients are connecting with the same public IP address at their local site, and many routers, not sure about the WRT54GS, only allow 1 PPTP pass-through tunnel.
If you have multiple clients from the same site needing access you need to buy another WRV54G or RV042 and create a site to site VPN tunnel. This actually has numerous advantages.
The Quick VPN client is really meant for multiple mobile clients connecting from various remote sites.
sc456a (Author) Commented:
You're killing me Rob!  I think you're right though, but why doesn't Linksys state this -anywhere- in their documentation?  I've been on the phone with "Senior Level" Linksys technicians for an hour now and they haven't mentioned it not being able to work.  Granted, they are idiots.

Can you think of any way to make this work using what I have now?
Rob Williams Commented:
If the VPN router supports NAT-T (NAT-Traversal), the WRV54G doesn't, and the client router supports multiple VPN tunnel pass-throughs it will work, I don't know if the WRT54GS supports multiples.

This is not so much a function of Linksys but basic VPN design or functionality.
On a brighter note; site-to-site does have advantages:
-no client to install and configure
-tunnel is always available to all users without having to connect
-slightly better performance
-name resolution usually works better
-where the tunnel is always "up", users can authenticate to the domain controller over the VPN if a domain environment
sc456a (Author) Commented:
Can you recommend a few different models that could serve as the other end of the tunnel (the device that connects to the WRV54G)?  I will have to go out and buy one.  GRRRR

I really appreciate your help with this Rob - I would have no support if it weren't for you!
Rob Williams Commented:
Glad to help.
Personally I prefer the RV042, to the WRV54G, however if you need wireless you may want to get another WRV54G. Though you can configure most VPN routers to talk to one another, those two have almost identical configurations, making them easy to set up and maintain. If you need wireless you could install an RV042, and add the WRT54GS as an access point. If the latter sounds interesting, let me know and I can advise as to how to configure.

One thought: The Linksys QuickVPN can be a bit troublesome sometimes when connecting from different site. Though I haven't had much problem, many have. The RV042 allows you to use both the QuickVPN and the Windows PPTP client. You might want to consider putting the RV042 at the primary site with the WRT54GS as an access point, if you have mobile clients depending on remote access via VPN.
sc456a (Author) Commented:
In the end I do believe you were correct about not being able to connect with two PC's from behind a WRT54G device.  I tested it at another site and could only connect one QuickVPN workstation at a time, just like in my office.  I have decided to go another route with this customer, but for future reference it does not have to do with PPTP limitations.  QuickVPN doesn't use PPTP, it uses IPSEC.  I got one of the craptastic "Senior Level" support agents at Linksys to confirm this.  I also disabled PPTP passthrough on my WRT54GS and QuickVPN still worked.

What's so strange is that the WRV54G indicated that both QuickVPN clients had connected, though the second never truly achieved connectivity.  I'm giving you the points for what turned out to be the honest truth: you cannot connect to a WRV54G from behind a WRT54G-like device with a single public IP address.
Rob Williams Commented:
>>"but for future reference it does not have to do with PPTP limitations."
Sorry, yes I caught the fact that I said PPTP later on. It's a function of VPN's in general, or rather routing not just PPTP.
The WRV54G will receive the packets from both clients but can't reply to both, so there will be log entries. Some routers will support multiple clients from the same site, if they support NAT-T

Thanks sc456a,
Question has a verified solution.
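
The thread's conclusion, that two IPsec clients behind one public address collide unless NAT-T is available, can be seen in a small model of the client-side NAT router. This is an added example, not code from the thread or from any Linksys firmware; the `NatRouter` class, the addresses and the port range are constructed, and the model assumes a simple passthrough that tracks port-less ESP by remote peer only.

```python
ESP, UDP = 50, 17                           # IP protocol numbers
GATEWAY = "203.0.113.1"                     # constructed address for the VPN router
CLIENTS = ["192.168.1.10", "192.168.1.11"]  # constructed hosts behind the NAT

class NatRouter:
    """Toy NAPT device with a single public IP (simplified model)."""

    def __init__(self):
        self.table = {}          # key a reply is matched on -> inside host
        self.next_port = 40000   # next public UDP source port to hand out

    def outbound(self, inside_ip, proto, remote_ip):
        """Record a mapping for an outbound flow; return the reply's lookup key."""
        if proto == UDP:
            # NAT-T wraps ESP in UDP, so every client gets its own public port.
            key = (UDP, remote_ip, self.next_port)
            self.next_port += 1
        else:
            # Plain ESP carries no ports: the remote peer is all there is to
            # key on, so a second client to the same gateway replaces the first.
            key = (proto, remote_ip, None)
        self.table[key] = inside_ip
        return key

    def inbound(self, key):
        """Return the inside host a reply with this key is forwarded to."""
        return self.table.get(key)

def reachable_clients(nat_t):
    """Inside hosts that actually receive the gateway's replies."""
    nat = NatRouter()
    proto = UDP if nat_t else ESP
    reply_keys = [nat.outbound(c, proto, GATEWAY) for c in CLIENTS]
    return sorted({nat.inbound(k) for k in reply_keys})

if __name__ == "__main__":
    print("ESP only :", reachable_clients(nat_t=False))
    print("NAT-T    :", reachable_clients(nat_t=True))
```

Without NAT-T both clients send traffic, but every reply is forwarded to a single inside host; with UDP encapsulation each client keeps its own mapping.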
