Solved

Need VPN client software for specific conditions.

Posted on 2007-04-02
Last Modified: 2011-09-20
I need VPN client software that will allow me to connect to a Linksys WRV54G based VPN tunnel using 3DES/SHA1 and a pre-shared key. It must allow me to do so without using a username and password. Cisco's VPN software and the Linksys QuickVPN solution will not work in this scenario. Any suggestions?
Thanks,
SC
Question by: sc456a

15 Comments

Expert Comment by Rob Williams (LVL 77)
TheGreenBow will work, but you will need a user name and password. I believe you can save them in the configuration to make an automatic connection.
http://www.thegreenbow.com/vpn.html
Specific documentation for the WRV54G:
http://www.thegreenbow.com/doc/tgbvpn_cg_LinksysWRV54G_en.pdf

Author Comment by sc456a (LVL 1)
Rob:
Thanks for the links. That product didn't completely work (I can never make a complete connection), but I didn't have to use a username and password - I'm using it as an IPSEC tunnel which, if I'm correct, doesn't require usernames and passwords. Linksys actually has documentation that leads you through complicated secpol modification to force traffic through the tunnel, but that never works either.

Any other ideas?
-SC

Expert Comment by Rob Williams (LVL 77)
>"I'm correct doesn't require usernames and passwords"
Actually, I'm sorry, it doesn't. There is only a pre-shared key. I was thinking you would need the user name and password to log on to the remote system.

>>"Any other ideas?"
Another router <G>
The WRV54G and the BEFxxx series have never been terribly popular for client-to-site VPNs. They tend to be difficult to configure and sometimes a little flaky. They are great for site to site; however, it should work.

>>" product didn't completely work "

>"Linksys actually has documentation that leads you through complicated secpol modification to force traffic through the tunnel"
Do you mean on the workstation? That shouldn't be necessary at all.
How far does it get? Do you have any log files you can make available? (block 2 octets of your public IP if you do so).

Author Comment by sc456a (LVL 1)
Here is the Greenbow log:

20070402 230256 Default (SA WRV54G-P1) SEND phase 1 Main Mode  [SA] [VID] [VID] [VID] [VID]
20070402 230256 Default (SA WRV54G-P1) RECV phase 1 Main Mode  [SA]
20070402 230256 Default (SA WRV54G-P1) SEND phase 1 Main Mode  [KEY_EXCH] [NONCE]
20070402 230256 Default (SA WRV54G-P1) RECV phase 1 Main Mode  [KEY_EXCH] [NONCE]
20070402 230256 Default (SA WRV54G-P1) SEND phase 1 Main Mode  [HASH] [ID]
20070402 230303 Default (SA WRV54G-P1) SEND phase 1 Main Mode  [HASH] [ID]
20070402 230326 Default message_recv: invalid cookie(s) cd5e50c79f7addee 265df81fa48f8b2f
20070402 230326 Default dropped message from 1.1.1.1 due to notification type INVALID_COOKIE
20070402 230326 Default (SA <unknown>) SEND Informational  [NOTIFY] with INVALID_COOKIE error
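The log above shows the IKEv1 Main Mode exchange getting as far as the client's fifth message ([HASH] [ID], sent twice) and never receiving the gateway's answer, after which the INVALID_COOKIE notifications appear. As an added example, not part of the original thread and not TheGreenBow's code, the following Python script parses log lines in this layout and reports where phase 1 stalled, how many retransmits occurred and whether INVALID_COOKIE was seen. Both embedded logs are constructed (the second, a completed negotiation, is there for contrast), and the regular expression assumes the line layout shown in the post. One piece of context for the aggressive-mode suggestion that comes later in the thread: in Main Mode with a pre-shared key the responder has to select the key by the initiator's source IP address, because the ID payload arrives encrypted, which is awkward for a client behind NAT; aggressive mode sends the ID in the clear, which avoids that lookup problem but exposes the PSK-derived hash to offline guessing.

```python
import re

# Constructed sample in the layout of the TheGreenBow log posted above: the Main Mode
# exchange stalls after the client's [HASH] [ID] message, then INVALID_COOKIE follows.
STALLED_LOG = """\
20070402 230256 Default (SA WRV54G-P1) SEND phase 1 Main Mode  [SA] [VID] [VID] [VID] [VID]
20070402 230256 Default (SA WRV54G-P1) RECV phase 1 Main Mode  [SA]
20070402 230256 Default (SA WRV54G-P1) SEND phase 1 Main Mode  [KEY_EXCH] [NONCE]
20070402 230256 Default (SA WRV54G-P1) RECV phase 1 Main Mode  [KEY_EXCH] [NONCE]
20070402 230256 Default (SA WRV54G-P1) SEND phase 1 Main Mode  [HASH] [ID]
20070402 230303 Default (SA WRV54G-P1) SEND phase 1 Main Mode  [HASH] [ID]
20070402 230326 Default message_recv: invalid cookie(s) cd5e50c79f7addee 265df81fa48f8b2f
20070402 230326 Default dropped message from 1.1.1.1 due to notification type INVALID_COOKIE
20070402 230326 Default (SA <unknown>) SEND Informational  [NOTIFY] with INVALID_COOKIE error
"""

# Constructed contrast: a Main Mode exchange in which the gateway answers message 5,
# so phase 1 completes and Quick Mode (phase 2) begins.
COMPLETED_LOG = """\
20070402 230256 Default (SA WRV54G-P1) SEND phase 1 Main Mode  [SA] [VID]
20070402 230256 Default (SA WRV54G-P1) RECV phase 1 Main Mode  [SA]
20070402 230256 Default (SA WRV54G-P1) SEND phase 1 Main Mode  [KEY_EXCH] [NONCE]
20070402 230256 Default (SA WRV54G-P1) RECV phase 1 Main Mode  [KEY_EXCH] [NONCE]
20070402 230256 Default (SA WRV54G-P1) SEND phase 1 Main Mode  [HASH] [ID]
20070402 230257 Default (SA WRV54G-P1) RECV phase 1 Main Mode  [HASH] [ID]
20070402 230257 Default (SA WRV54G-P2) SEND phase 2 Quick Mode  [HASH] [SA] [NONCE] [ID] [ID]
"""

# Matches only the SEND/RECV exchange lines; informational and error lines are skipped.
EXCHANGE_RE = re.compile(
    r"^\d{8} (?P<time>\d{6}) \S+ \(SA (?P<sa>[^)]+)\) (?P<dir>SEND|RECV) "
    r"phase (?P<phase>[12]) (?P<mode>Main Mode|Aggressive Mode|Quick Mode)\s+(?P<payloads>.+)$"
)
PAYLOAD_RE = re.compile(r"\[([A-Z_]+)\]")


def parse_exchanges(text):
    """One dict per SEND/RECV line: direction, phase, mode and the payload types carried."""
    rows = []
    for line in text.splitlines():
        m = EXCHANGE_RE.match(line.strip())
        if m:
            rows.append({"time": m["time"], "sa": m["sa"], "dir": m["dir"],
                         "phase": int(m["phase"]), "mode": m["mode"],
                         "payloads": tuple(PAYLOAD_RE.findall(m["payloads"]))})
    return rows


def analyze(text):
    """Summarise how far IKE phase 1 got and why it is likely to have stopped."""
    rows = parse_exchanges(text)
    p1 = [r for r in rows if r["phase"] == 1]
    sends = [r for r in p1 if r["dir"] == "SEND"]
    recvs = [r for r in p1 if r["dir"] == "RECV"]
    # Two consecutive SENDs of the same payload set with nothing received in between
    # is the client retransmitting because the gateway never answered.
    retransmits = sum(1 for a, b in zip(p1, p1[1:])
                      if a["dir"] == b["dir"] == "SEND" and a["payloads"] == b["payloads"])
    # In Main Mode the gateway's [HASH] [ID] message (message 6) is what authenticates
    # the gateway; until it arrives phase 1 is not complete, whatever the client has sent.
    peer_authenticated = any({"HASH", "ID"} <= set(r["payloads"]) for r in recvs)
    last_sent = sends[-1]["payloads"] if sends else ()
    if peer_authenticated:
        verdict = "phase 1 completed"
    elif {"HASH", "ID"} <= set(last_sent):
        verdict = ("phase 1 stalled after the client's [HASH] [ID]: the gateway never answered "
                   "the authentication message (check pre-shared key, identities and any NAT "
                   "between the peers)")
    elif last_sent:
        verdict = "phase 1 stalled after " + " ".join(f"[{p}]" for p in last_sent)
    else:
        verdict = "no phase 1 traffic"
    return {
        "mode": p1[0]["mode"] if p1 else None,
        "phase1_sent": len(sends),
        "phase1_received": len(recvs),
        "retransmits": retransmits,
        "peer_authenticated": peer_authenticated,
        "last_sent_payloads": last_sent,
        "invalid_cookie": "INVALID_COOKIE" in text,
        "phase2_started": any(r["phase"] == 2 for r in rows),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, log in (("stalled", STALLED_LOG), ("completed", COMPLETED_LOG)):
        print(name + ":", analyze(log)["verdict"])
```

Running the script prints a verdict for each constructed log; on the stalled one it reports four phase 1 messages sent, two received, one retransmit, no gateway authentication and the INVALID_COOKIE notification.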

Expert Comment by Rob Williams (LVL 77)
According to TheGreenBow, an invalid cookie error "means that one of the endpoint is using a SA that is no more in use. Reset the VPN connection on each side."
Not much help.

Make sure that if using PFS (Perfect Forward Secrecy), it is set the same on both ends (on/off), and I would use aggressive mode rather than main mode.
There is a lot to configure, so it's difficult to diagnose without viewing both ends.
The WRV54G doesn't have much to offer in the way of a log to see what it is receiving.
If desperate, it might be worth setting up a syslog "server". You can get one for free from:
http://www.kiwisyslog.com/syslog-info.php
Log viewer:
http://www.kiwisyslog.com/log-viewer-info.php

Author Comment by sc456a (LVL 1)
TheGreenbow technical support went the extra mile in trying to get it to work, and in the end told me it was because the WRV54G doesn't support NAT-T.  Can anyone think of a way around this?

Expert Comment by Rob Williams (LVL 77)
No, but to confirm that is the issue, can you try with a client machine connected directly to a DSL modem? Make sure the Windows firewall is enabled, and Windows and virus updates are current.

Author Comment by sc456a (LVL 1)
OK, so I finally caved and re-configured the network the WRV54G is set up on to a different network type (10.x.x.x), which the WRV54G forces you to do in order to use their QuickVPN software. I disabled all of the VPN tunnels I created manually.
This actually worked, but now I have another problem - only one device can connect at a time! It's supposed to support up to 50 tunnels, so something isn't right. I'm connecting from behind a WRT54GS using NAT. I'm unsure what to do because no matter which of my two devices (Windows XP notebooks using QuickVPN) I try to connect first, the other will not connect and simply says:
"The remote gateway is not responding.  You will now be disconnected, please try again later."

I'm using QuickVPN 1.039.

Any ideas?

Accepted Solution by Rob Williams (LVL 77), earned 500 total points
I am surprised you had to change to 10.0.0.0. Both sites need to use different subnets, but they shouldn't have to be 10.x.x.x.

You can't connect multiple clients from the same site in this scenario. There are 2 issues that come into play: all clients are connecting with the same public IP address at their local site, and many routers (not sure about the WRT54GS) only allow 1 PPTP pass-through tunnel.
If you have multiple clients from the same site needing access you need to buy another WRV54G or RV042 and create a site to site VPN tunnel. This actually has numerous advantages.
The Quick VPN client is really meant for multiple mobile clients connecting from various remote sites.

Author Comment by sc456a (LVL 1)
You're killing me Rob!  I think you're right though, but why doesn't Linksys state this -anywhere- in their documentation?  I've been on the phone with "Senior Level" Linksys technicians for an hour now and they haven't mentioned it not being able to work.  Granted, they are idiots.

Can you think of any way to make this work using what I have now?

Expert Comment by Rob Williams (LVL 77)
If the VPN router supports NAT-T (NAT Traversal), which the WRV54G doesn't, and the client router supports multiple VPN tunnel pass-throughs, it will work. I don't know if the WRT54GS supports multiples.

This is not so much a function of Linksys but basic VPN design or functionality.
On a brighter note, site-to-site does have advantages:
-no client to install and configure
-tunnel is always available to all users without having to connect
-slightly better performance
-name resolution usually works better
-where the tunnel is always "up", users can authenticate to the domain controller over the VPN in a domain environment

Author Comment by sc456a (LVL 1)
Can you recommend a few different models that could serve as the other end of the tunnel (the device that connects to the WRV54G)?  I will have to go out and buy one.  GRRRR

I really appreciate your help with this Rob - I would have no support if it weren't for you!

Expert Comment by Rob Williams (LVL 77)
Glad to help.
Personally I prefer the RV042 to the WRV54G; however, if you need wireless you may want to get another WRV54G. Though you can configure most VPN routers to talk to one another, those two have almost identical configurations, making them easy to set up and maintain. If you need wireless you could install an RV042 and add the WRT54GS as an access point. If the latter sounds interesting, let me know and I can advise as to how to configure it.

One thought: the Linksys QuickVPN can be a bit troublesome sometimes when connecting from different sites. Though I haven't had much problem, many have. The RV042 allows you to use both the QuickVPN and the Windows PPTP client. You might want to consider putting the RV042 at the primary site with the WRT54GS as an access point, if you have mobile clients depending on remote access via VPN.

Author Comment by sc456a (LVL 1)
In the end I do believe you were correct about not being able to connect with two PCs from behind a WRT54G device. I tested it at another site and could only connect one QuickVPN workstation at a time, just like in my office. I have decided to go another route with this customer, but for future reference it does not have to do with PPTP limitations. QuickVPN doesn't use PPTP, it uses IPSEC. I got one of the craptastic "Senior Level" support agents at Linksys to confirm this. I also disabled PPTP passthrough on my WRT54GS and QuickVPN still worked.

What's so strange is that the WRV54G indicated that both QuickVPN clients had connected, though the second never truly achieved connectivity. I'm giving you the points for what turned out to be the honest truth: you cannot connect to a WRV54G from behind a WRT54G-like device with a single public IP address.

Expert Comment by Rob Williams (LVL 77)
>>"but for future reference it does not have to do with PPTP limitations."
Sorry, yes, I caught the fact that I said PPTP later on. It's a function of VPNs in general, or rather routing, not just PPTP.
The WRV54G will receive the packets from both clients but can't reply to both, so there will be log entries. Some routers will support multiple clients from the same site if they support NAT-T:
http://kbserver.netgear.com/kb_web_files/n101581.asp

Thanks sc456a,
--Rob
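Rob's explanation above (the gateway receives packets from both clients but cannot reply to both when they share one public IP address, unless NAT-T is in use) can be modelled in a few lines. The following Python simulation is an added example, not code from this thread or from Linksys: a minimal NAT that translates UDP flows by port but, since ESP carries no port numbers, can map inbound ESP from a given remote peer to only one inside host (the single IPsec pass-through behaviour described above). With NAT-T the IPsec traffic is carried in UDP port 4500, so each client gets its own public source port and the gateway's replies find their way back. The addresses, the SPIs and the "one pass-through" NAT behaviour are assumptions chosen for illustration; real NAT implementations vary, and the IKE negotiation itself is left out of the model.

```python
from dataclasses import dataclass
from typing import Optional

UDP, ESP = 17, 50             # IP protocol numbers
IKE_NAT_T_PORT = 4500         # UDP port that carries NAT-T encapsulated IKE and ESP
PUBLIC_IP = "203.0.113.10"    # constructed: the client site's single public address
GATEWAY_IP = "198.51.100.1"   # constructed: the VPN gateway


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    spi: int                      # constructed marker for which client's SA the payload belongs to
    sport: Optional[int] = None   # UDP only
    dport: Optional[int] = None   # UDP only


class SimpleNAT:
    """Assumed NAT model: UDP flows are keyed on (inside host, inside port) and each gets its
    own public port; ESP has no ports, so inbound ESP from a remote peer can only be forwarded
    to a single inside host (the 'one IPsec pass-through' behaviour)."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 40000
        self.udp_out = {}   # (inside_ip, inside_port) -> public_port
        self.udp_in = {}    # public_port -> (inside_ip, inside_port)
        self.esp_in = {}    # remote_peer_ip -> inside_ip
        self.events = []    # human-readable record of pass-through changes

    def outbound(self, p):
        if p.proto == UDP:
            key = (p.src, p.sport)
            if key not in self.udp_out:            # allocate a fresh public port per flow
                self.udp_out[key] = self.next_port
                self.udp_in[self.next_port] = key
                self.next_port += 1
            return Packet(self.public_ip, p.dst, UDP, p.spi, self.udp_out[key], p.dport)
        if p.proto == ESP:
            prev = self.esp_in.get(p.dst)
            if prev and prev != p.src:             # second client displaces the first
                self.events.append(f"ESP pass-through to {p.dst} moved from {prev} to {p.src}")
            self.esp_in[p.dst] = p.src
            return Packet(self.public_ip, p.dst, ESP, p.spi)
        raise ValueError("unsupported protocol")

    def inbound(self, p):
        """Translate a reply from the gateway; None means the NAT has nowhere to send it."""
        if p.proto == UDP:
            inside = self.udp_in.get(p.dport)
            return Packet(p.src, inside[0], UDP, p.spi, p.sport, inside[1]) if inside else None
        if p.proto == ESP:
            inside = self.esp_in.get(p.src)
            return Packet(p.src, inside, ESP, p.spi) if inside else None
        raise ValueError("unsupported protocol")


def gateway_reply(p):
    """The gateway answers what it received, swapping addresses and ports."""
    return Packet(p.dst, p.src, p.proto, p.spi, p.dport, p.sport)


def clients_reached(inside_hosts, nat_t):
    """Each inside host sends one IPsec packet through the NAT to the gateway. Returns how
    many hosts get a reply that carries their own SPI (a reply delivered to the wrong host
    is discarded there, because it belongs to an SA that host does not have)."""
    nat = SimpleNAT(PUBLIC_IP)
    expected_spi = {host: 0x1000 + i for i, host in enumerate(inside_hosts, start=1)}
    translated = []
    for host, spi in expected_spi.items():
        if nat_t:
            pkt = Packet(host, GATEWAY_IP, UDP, spi, IKE_NAT_T_PORT, IKE_NAT_T_PORT)
        else:
            pkt = Packet(host, GATEWAY_IP, ESP, spi)
        translated.append(nat.outbound(pkt))
    # Replies arrive after every client has connected; without NAT-T the ESP mapping
    # now points at the last client only.
    reached = set()
    for out in translated:
        back = nat.inbound(gateway_reply(out))
        if back is not None and expected_spi.get(back.dst) == back.spi:
            reached.add(back.dst)
    return len(reached)


if __name__ == "__main__":
    hosts = ["192.168.1.10", "192.168.1.11"]   # constructed: two QuickVPN notebooks
    print("plain ESP, two clients:", clients_reached(hosts, nat_t=False))
    print("NAT-T,     two clients:", clients_reached(hosts, nat_t=True))
```

With one client, both modes work; with two clients behind the same public address, plain ESP leaves only the most recent client with a working return path, while NAT-T gives each client a distinct UDP port mapping and both are reached.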