Solved

IPSEC VPN Tunnel - Comtrend 5631 and Linksys rv082

Posted on 2013-01-18
Last Modified: 2014-12-23
History:

Client has a Comtrend Nexuslink 5631 DSL modem for internet supplied by the ISP.  I have already tried putting a router/firewall behind it and using bridged mode but it doesn't work (not available on this device) and the ISP won't support it anyway and therefore won't help.  I have also tried a brand new Netgear DSL modem but that won't authenticate to the DSL and get a live circuit (and they won't help me troubleshoot that either since it's not their device).  I am not going to be recommending Frontier internet to any of my other clients...

I finally got a VPN tunnel to connect directly between the Comtrend and the RV082 on the other end but no traffic is passing through the tunnel.

The comtrend logs are non-descriptive just saying this over and over:
kernel: net/ipv4/netfilter/./broadcom/ip_nat_ipsec.c:ipsec_nat_help Out of table entries

Google searches are pretty dry for that error...

The Linksys logs show this:

Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: responding to Quick Mode
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Inbound SPI value = 8bf7f30c
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Inbound SPI value = 8bf7f30c
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Outbound SPI value = 807c627c
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Outbound SPI value = 807c627c
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 3rd packet
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 3rd packet
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: Dead Peer Detection (RFC 3706) enabled
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: IPsec SA established {ESP=>0x807c627c <0x8bf7f30c

But now the tunnel won't even connect after a reboot of the comtrend.

I am kind of out of ideas.  We are under contract with the ISP and can't really switch anyway since this area has very little in the way of service providers.

Any suggestions?

Thanks in advance for your help
Rob
Question by:bobbailey22
6 Comments
 

Accepted Solution

by:
John Hurst earned 500 total points
ID: 38795446
The following is based on my notes and experience as I am not a detailed expert in this.

I assume you set up a Site to Site tunnel (vs Site to Gateway) in the RV082.

Look at the following variables in the Tunnel setup under +Advanced.

Aggressive Mode: Try both ways. I normally have Aggressive mode off (unchecked).
Keep Alive: Set it on (checked).
AH Hash (MD5): I use SHA1 so this is unchecked for me.
NAT Traversal: I have this on for all but one tunnel. Try this one both ways. Set wrong it prevents traffic flow.
Dead Peer Detect: Set on (checked)

Your preshared key must be correct or the tunnel would not connect. Likewise Phase 1 and Phase 2 settings must be correct or the tunnel would not connect.

In the Advanced section, change one variable only and test. Then change another and test.
... Thinkpads_User
 

Author Comment

by:bobbailey22
ID: 38803353
Thanks for your reply, I will check all that.  There are not many options on the DSL side so it may be a matter of just getting them right on the RV082.  I'll keep you updated.
 

Assisted Solution

by:bobbailey22
bobbailey22 earned 0 total points
ID: 38807673
Turns out when I hit connect on the Linksys it synced right up and started passing traffic.  Not sure what the issue was on Friday.  Thanks for the help as your answer was sound.

Basically I must have made sure all the settings matched on both sides.  Also the PSK was being shortened on the DSL modem side as it was only able to handle a limited number of characters.  I had to copy it to the Linksys to make sure they matched.
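The accepted answer says the tunnel cannot even come up unless the Phase 1/Phase 2 settings and the preshared key agree on both ends, and the poster's own fix turned out to be a PSK the DSL modem had silently shortened. As an added example (not code from the thread or from either vendor), here is a small Python checker for exactly those two failure modes, plus a summary of RV082-style log lines so you can tell "SAs established, no traffic" from "never negotiated". The setting names, the two constructed discrepancies on the Comtrend side, the 16-character PSK limit and the `correct-horse-...` key are all my assumptions for illustration; the log lines are the ones from the question.

```python
"""Checks for the two failure modes discussed in this thread: mismatched
Phase 1 / Phase 2 settings between the peers, and a pre-shared key that one
device silently truncated. Also summarises RV082-style VPN log lines.
Settings below are constructed for illustration."""
import re
from typing import Dict, List

# Constructed peer settings. Key names are my own; they cover the +Advanced
# options named in the accepted answer plus the usual proposal parameters.
RV082_SIDE: Dict[str, object] = {
    "aggressive_mode": False,
    "phase1_encryption": "3des",
    "phase1_hash": "sha1",
    "phase1_dh_group": 2,
    "phase1_lifetime_s": 28800,
    "phase2_encryption": "3des",
    "phase2_hash": "sha1",
    "pfs": True,
    "phase2_lifetime_s": 3600,
    "nat_traversal": True,
    "dpd": True,
}

# Same tunnel as entered on the DSL side, with two constructed discrepancies.
COMTREND_SIDE: Dict[str, object] = dict(RV082_SIDE, phase1_hash="md5", nat_traversal=False)

# Log lines copied from the question (RV082 format); "(g2gips2) #158647" is the
# tunnel name and IKE state number the poster's router printed.
SAMPLE_LOG = [
    "Jan 18 16:43:20 2013 VPN Log (g2gips2) #158647: Dead Peer Detection (RFC 3706) enabled",
    "Jan 18 16:43:20 2013 VPN Log (g2gips2) #158647: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected",
    "Jan 18 16:43:20 2013 VPN Log (g2gips2) #158647: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected",
    "Jan 18 16:43:20 2013 VPN Log (g2gips2) #158647: IPsec SA established {ESP=>0x807c627c <0x8bf7f30c",
]

SPI_RE = re.compile(r"IPsec SA established \{ESP=>0x([0-9a-f]+) <0x([0-9a-f]+)")


def proposal_mismatches(a: Dict[str, object], b: Dict[str, object]) -> List[str]:
    """Return, sorted, every setting whose value differs between the peers.
    A key present on only one side is reported as well: an option one box
    cannot express at all is still a mismatch to resolve."""
    return sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k))


def psk_verdict(psk_a: str, psk_b: str) -> str:
    """Classify two pre-shared keys: 'match', 'truncated' (one is a proper
    prefix of the other, the signature of a length-limited input box that
    cut the key without warning) or 'mismatch'."""
    if psk_a == psk_b:
        return "match"
    short, long_ = sorted((psk_a, psk_b), key=len)
    if long_.startswith(short):
        return "truncated"
    return "mismatch"


def psk_fits(psk: str, max_len: int) -> bool:
    """True if the key will survive a field that accepts at most max_len chars."""
    return len(psk) <= max_len


def summarize_rv082_log(lines: List[str]) -> Dict[str, object]:
    """Pull the facts that matter out of RV082 VPN log lines: whether Phase 2
    came up, whether DPD was negotiated, and the ESP SPIs in each direction.
    The posted log shows negotiation lines printed twice; duplicates are dropped."""
    out: Dict[str, object] = {"phase2_established": False, "dpd": False,
                              "outbound_spi": None, "inbound_spi": None}
    seen = set()
    for line in lines:
        if line in seen:
            continue
        seen.add(line)
        if "Phase 2 SA Established" in line:
            out["phase2_established"] = True
        if "Dead Peer Detection" in line:
            out["dpd"] = True
        m = SPI_RE.search(line)
        if m:
            out["outbound_spi"], out["inbound_spi"] = m.group(1), m.group(2)
    return out


if __name__ == "__main__":
    print("settings that differ:", proposal_mismatches(RV082_SIDE, COMTREND_SIDE))
    full = "correct-horse-battery-staple"  # what was typed on the RV082 (assumed)
    cut = full[:16]                         # what a 16-char box kept (assumed limit)
    print("psk verdict:", psk_verdict(full, cut), "- fits 16?", psk_fits(full, 16))
    print("log summary:", summarize_rv082_log(SAMPLE_LOG))
```

Two practical notes. A "truncated" verdict is worth checking first whenever one end is a consumer DSL box: IKE authenticates with the whole PSK, so a key cut at the field limit fails outright, and the only workable fix is what the poster did, i.e. use the shorter key on both sides. That shortens the effective key, so make it a random string that is as long as the most limited device will accept, not a memorable phrase. Second, the posted log shows Phase 2 established with SPIs in both directions, so the IKE/PSK/proposal layer was fine at that moment and the "no traffic" symptom sits below it, in the NAT and passthrough handling; the modem's own `ip_nat_ipsec.c ... Out of table entries` message comes from the Broadcom IPsec NAT helper named in that path, which is consistent with the poster's final finding that the 5631 firmware could not pass the tunnel through cleanly.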

 

Author Closing Comment

by:bobbailey22
ID: 38823848
I fixed the issue without knowing it but the solutions suggested were accurate and well thought out.
 

Expert Comment

by:John Hurst
ID: 38824015
@bobbailey22 - Thank you for the update and I was happy to help you with this.

.... Thinkpads_User
 

Author Comment

by:bobbailey22
ID: 40515463
I wanted to give a further update to this: the device would not allow VPN passthrough properly, so I installed an older firmware on the device and set up VPN directly on the 5631.

ftp://ftp.sonic.net/pub/firmware/NexusLink_5630u-D131-310CTU-C03_R01_4.5.5.37.bin

