Solved

IPSEC VPN Tunnel - Comtrend 5631 and Linksys rv082

Posted on 2013-01-18
Last Modified: 2014-12-23
History:

Client has a Comtrend Nexuslink 5631 DSL modem for internet supplied by the ISP. I have already tried putting a router/firewall behind it and using bridged mode, but it doesn't work (not available on this device), and the ISP won't support it anyway and therefore won't help. I have also tried a brand new Netgear DSL modem, but that won't authenticate to the DSL and get a live circuit (and they won't help me troubleshoot that either, since it's not their device). I am not going to be recommending Frontier internet to any of my other clients...

I finally got a VPN tunnel to connect directly between the Comtrend and the RV082 on the other end but no traffic is passing through the tunnel.

The Comtrend logs are non-descriptive, just saying this over and over:
kernel: net/ipv4/netfilter/./broadcom/ip_nat_ipsec.c:ipsec_nat_help Out of table entries

Google searches are pretty dry for that error...

The Linksys logs show this:

Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: responding to Quick Mode
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Inbound SPI value = 8bf7f30c
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Inbound SPI value = 8bf7f30c
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Outbound SPI value = 807c627c
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Outbound SPI value = 807c627c
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 3rd packet
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 3rd packet
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: Dead Peer Detection (RFC 3706) enabled
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: IPsec SA established {ESP=>0x807c627c <0x8bf7f30c

But now the tunnel won't even connect after a reboot of the Comtrend.

I am kind of out of ideas.  We are under contract with the ISP and can't really switch anyway since this area has very little in the way of service providers.

Any suggestions?

Thanks in advance for your help
Rob
Question by: bobbailey22
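The RV082 lines quoted above show a Phase 2 SA coming up while the Comtrend side logs nothing but the kernel NAT-helper message. The script below is an added example, not code from the thread or from either vendor: it parses those two line formats, pulls the per-tunnel SPIs, checks that the final "IPsec SA established" summary agrees with the SPIs negotiated in Quick Mode, and counts the Comtrend "Out of table entries" message so the two logs can be correlated at the moment traffic stops. The sample log is the thread's own lines plus the one kernel line, embedded so it runs offline; the tunnel name g2gips2 comes from the thread, and the wording of the findings is only illustrative.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the RV082 lines from the question (one copy of each) plus the
# Comtrend kernel line, so the parser runs without a device. Not a new capture.
SAMPLE_LOG = """\
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: responding to Quick Mode
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Inbound SPI value = 8bf7f30c
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Outbound SPI value = 807c627c
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 3rd packet
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: Dead Peer Detection (RFC 3706) enabled
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: IPsec SA established {ESP=>0x807c627c <0x8bf7f30c
kernel: net/ipv4/netfilter/./broadcom/ip_nat_ipsec.c:ipsec_nat_help Out of table entries
"""

# RV082 "VPN Log" line: timestamp, tunnel name in parentheses, state number, message.
VPN_LINE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+VPN Log\s+"
    r"\((?P<tunnel>[^)]+)\)\s+#(?P<state>\d+):\s+(?P<msg>.*)$"
)
SPI_LINE = re.compile(r"(?P<dir>Inbound|Outbound) SPI value = (?P<spi>[0-9a-f]+)")
# Final summary: ESP=>0x<outbound> <0x<inbound>
SA_LINE = re.compile(r"IPsec SA established \{ESP=>0x(?P<out>[0-9a-f]+) <0x(?P<in>[0-9a-f]+)")
# Substring of the Comtrend kernel message quoted in the question.
NAT_HELPER_FULL = "ipsec_nat_help Out of table entries"


@dataclass
class TunnelState:
    tunnel: str
    state_no: int
    inbound_spi: Optional[str] = None
    outbound_spi: Optional[str] = None
    phase2_up: bool = False
    dpd: bool = False
    sa_line_spis: Optional[Tuple[str, str]] = None  # (inbound, outbound) from the summary line


@dataclass
class Report:
    tunnels: Dict[str, TunnelState] = field(default_factory=dict)
    nat_helper_full: int = 0
    unparsed: int = 0


def parse_log(text: str) -> Report:
    """Walk a merged RV082 + Comtrend log and build per-tunnel state."""
    rep = Report()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if NAT_HELPER_FULL in line:
            rep.nat_helper_full += 1
            continue
        m = VPN_LINE.match(line)
        if not m:
            rep.unparsed += 1
            continue
        name, msg = m.group("tunnel"), m.group("msg")
        st = rep.tunnels.setdefault(name, TunnelState(name, int(m.group("state"))))
        st.state_no = int(m.group("state"))
        spi = SPI_LINE.search(msg)
        if spi:
            if spi.group("dir") == "Inbound":
                st.inbound_spi = spi.group("spi")
            else:
                st.outbound_spi = spi.group("spi")
        elif "Dead Peer Detection" in msg and "enabled" in msg:
            st.dpd = True
        elif "Phase 2 SA Established" in msg:
            st.phase2_up = True
        else:
            sa = SA_LINE.search(msg)
            if sa:
                st.sa_line_spis = (sa.group("in"), sa.group("out"))
    return rep


def diagnose(rep: Report) -> List[str]:
    """Turn the parsed state into the findings a troubleshooter wants to read."""
    findings = []
    for st in rep.tunnels.values():
        if not st.phase2_up:
            findings.append(f"{st.tunnel}: no Phase 2 SA seen; check Phase 1/2 proposals and PSK")
            continue
        spi_ok = st.sa_line_spis == (st.inbound_spi, st.outbound_spi)
        findings.append(
            f"{st.tunnel}: Phase 2 up (in {st.inbound_spi}, out {st.outbound_spi}), "
            f"SPI summary {'consistent' if spi_ok else 'INCONSISTENT'}, DPD {'on' if st.dpd else 'off'}"
        )
    if rep.nat_helper_full:
        findings.append(
            f"modem kernel: ipsec_nat_help 'Out of table entries' x{rep.nat_helper_full}; "
            "the SA can be up on the RV082 while the modem side is not forwarding, so line these "
            "messages up with the moment traffic stops and try the NAT Traversal setting the other way"
        )
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_log(SAMPLE_LOG)):
        print(line)
```

Feed it the two logs concatenated (the RV082 export and the Comtrend syslog) and read the findings: an established SA with consistent SPIs on the RV082 side combined with a stream of helper-table messages on the modem side points away from Phase 1/2 parameters and toward the modem's IPsec NAT handling, which is where the thread eventually ended up.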

Accepted Solution

by: John Hurst (earned 500 total points)
ID: 38795446
The following is based on my notes and experience as I am not a detailed expert in this.

I assume you set up a Site to Site tunnel (vs Site to Gateway) in the RV082.

Look at the following variables in the Tunnel setup under +Advanced.

Aggressive Mode: Try both ways. I normally have Aggressive mode off (unchecked).
Keep Alive: Set it on (checked).
AH Hash (MD5): I use SHA1 so this is unchecked for me.
NAT Traversal: I have this on for all but one tunnel. Try this one both ways. Set wrong it prevents traffic flow.
Dead Peer Detect: Set on (checked)

Your preshared key must be correct or the tunnel would not connect. Likewise, Phase 1 and Phase 2 settings must be correct or the tunnel would not connect.

In the Advanced section, change one variable only and test. Then change another and test.
... Thinkpads_User

Author Comment

by: bobbailey22
ID: 38803353
Thanks for your reply; I will check all that. There are not many options on the DSL side, so it may be a matter of just getting them right on the RV082. I'll keep you updated.

Assisted Solution

by: bobbailey22 (earned 0 total points)
ID: 38807673
Turns out that when I hit Connect on the Linksys, it synced right up and started passing traffic. Not sure what the issue was on Friday. Thanks for the help, as your answer was sound.

Basically I must have made sure all the settings matched on both sides.  Also the PSK was being shortened on the DSL modem side as it was only able to handle a limited number of characters.  I had to copy it to the Linksys to make sure they matched.
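The PSK truncation described in the comment above is a silent failure: the modem's form accepted the key, kept only the first N characters, and the two sides then held different secrets without any error saying so. The following is an added example, not code from the thread or either vendor, showing the checks that catch this: a fingerprint that lets you compare keys typed into two admin UIs without pasting the secret around, a diagnostic that tells a truncated key apart from a typo or stray whitespace, and a generator that sizes the key to the stricter device's limit. MODEM_PSK_MAX is a hypothetical value, since the thread does not say how many characters the Comtrend accepts.

```python
import hashlib
import hmac
import secrets
import string
from typing import Optional

# Hypothetical limit for this demo only: the thread says the modem "was only able
# to handle a limited number of characters" but not how many. Read the real
# maximum off the device's PSK field before generating a key.
MODEM_PSK_MAX = 32


def psk_fingerprint(psk: str) -> str:
    """First 16 hex chars of SHA-256 over the key. Compare fingerprints from two
    admin sessions instead of retyping the secret. Only do this with a random,
    high-entropy key: the hash of a weak key invites offline guessing."""
    return hashlib.sha256(psk.encode("utf-8")).hexdigest()[:16]


def diagnose_psk(rv082_psk: str, modem_psk: str) -> Optional[str]:
    """None when both sides hold the same key; otherwise the most likely reason."""
    if hmac.compare_digest(rv082_psk.encode("utf-8"), modem_psk.encode("utf-8")):
        return None
    if rv082_psk.strip() == modem_psk.strip():
        return "keys differ only in leading/trailing whitespace (copy-paste artefact)"
    # Silent truncation leaves one side holding a strict prefix of the other.
    if len(modem_psk) < len(rv082_psk):
        short, long_, side = modem_psk, rv082_psk, "modem"
    else:
        short, long_, side = rv082_psk, modem_psk, "RV082"
    if short and long_.startswith(short):
        return (f"{side} key is a {len(short)}-char prefix of the other side's key: "
                f"that device silently truncated the PSK")
    return "keys differ: typo or a different key was entered"


def generate_psk(max_len: int = MODEM_PSK_MAX,
                 alphabet: str = string.ascii_letters + string.digits) -> str:
    """Random PSK no longer than the stricter device accepts, drawn from a character
    set both web forms take, so nothing is cut off on either side. The 20-char floor
    is this example's own policy, not a device requirement."""
    if max_len < 20:
        raise ValueError("refusing to generate a PSK shorter than 20 characters")
    return "".join(secrets.choice(alphabet) for _ in range(max_len))


if __name__ == "__main__":
    key = generate_psk()
    print("fingerprint:", psk_fingerprint(key))
    # What the thread ran into: the modem kept only a prefix of the key.
    print(diagnose_psk(key, key[:16]))
```

Generate the key once, paste it into the device with the shorter field first, then into the RV082, and compare fingerprints rather than trusting that the paste survived both forms; if the modem strips characters outside the alphabet above, shrink the alphabet rather than the entropy by raising the length.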

Author Closing Comment

by: bobbailey22
ID: 38823848
I fixed the issue without knowing it but the solutions suggested were accurate and well thought out.

Expert Comment

by: John Hurst
ID: 38824015
@bobbailey22 - Thank you for the update and I was happy to help you with this.

.... Thinkpads_User

Author Comment

by: bobbailey22
ID: 40515463
I wanted to give a further update to this. The device would not allow VPN passthrough properly, so I installed an older firmware on the device and set up the VPN directly on the 5631:

ftp://ftp.sonic.net/pub/firmware/NexusLink_5630u-D131-310CTU-C03_R01_4.5.5.37.bin