IPSEC VPN Tunnel - Comtrend 5631 and Linksys rv082

Posted on 2013-01-18
Last Modified: 2014-12-23
History:

Client has a Comtrend Nexuslink 5631 DSL modem for internet supplied by the ISP. I have already tried putting a router/firewall behind it and using bridged mode but it doesn't work (not available on this device) and the ISP won't support it anyway and therefore won't help. I have also tried a brand new Netgear DSL modem but that won't authenticate to the DSL and get a live circuit (and they won't help me troubleshoot that either since it's not their device). I am not going to be recommending Frontier internet to any of my other clients...

I finally got a VPN tunnel to connect directly between the Comtrend and the RV082 on the other end but no traffic is passing through the tunnel.

The Comtrend logs are non-descriptive, just saying this over and over:
kernel: net/ipv4/netfilter/./broadcom/ip_nat_ipsec.c:ipsec_nat_help Out of table entries

Google searches are pretty dry for that error...

The Linksys logs show this:

Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: responding to Quick Mode
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Inbound SPI value = 8bf7f30c
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Inbound SPI value = 8bf7f30c
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Outbound SPI value = 807c627c
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Outbound SPI value = 807c627c
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 3rd packet
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 3rd packet
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: Dead Peer Detection (RFC 3706) enabled
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: IPsec SA established {ESP=>0x807c627c <0x8bf7f30c

But now the tunnel won't even connect after a reboot of the Comtrend.

I am kind of out of ideas. We are under contract with the ISP and can't really switch anyway since this area has very little in the way of service providers.

Any suggestions?

Thanks in advance for your help
Rob
Question by: bobbailey22
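An added example, not part of the original question or any answer: a small Python triage script over the two log sources quoted above. It collapses the RV082's doubled negotiation lines, pulls the inbound and outbound SPIs, checks that they agree with the final "IPsec SA established" line, and counts the Comtrend NAT-helper messages. The sample lines are copied from the question; the closing heuristic (phase 2 up on one side while the other side's IPsec NAT helper is out of table entries points at the NAT path rather than the IKE proposals) is my own reading, not anything either device reports.

```python
"""Triage of the two log sources quoted in the question: the RV082 VPN log and the
Comtrend kernel message. Added example, not from the original post or either
vendor; the sample lines are copied from the question, the rules are my own."""
import re
from typing import Dict

# Sample input: a subset of the RV082 lines from the question followed by the
# Comtrend line the author saw repeated. Constructed for this example.
SAMPLE_LOG = """\
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: responding to Quick Mode
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Inbound SPI value = 8bf7f30c
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Inbound SPI value = 8bf7f30c
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Outbound SPI value = 807c627c
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Outbound SPI value = 807c627c
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: IPsec SA established {ESP=>0x807c627c <0x8bf7f30c
kernel: net/ipv4/netfilter/./broadcom/ip_nat_ipsec.c:ipsec_nat_help Out of table entries
kernel: net/ipv4/netfilter/./broadcom/ip_nat_ipsec.c:ipsec_nat_help Out of table entries
"""

TUNNEL_RE = re.compile(r"\((\w+)\) #(\d+):")
SPI_RE = re.compile(r"\b(Inbound|Outbound) SPI value = ([0-9a-f]{8})")
# Final SA line has the shape "{ESP=>0x<outbound> <0x<inbound>"
SA_RE = re.compile(r"IPsec SA established \{ESP=>0x([0-9a-f]{8}) <0x([0-9a-f]{8})")
NAT_HELPER_RE = re.compile(r"ip_nat_ipsec\.c:ipsec_nat_help Out of table entries")


def triage(log_text: str) -> dict:
    tunnels: Dict[str, dict] = {}
    report: dict = {"tunnels": tunnels, "nat_helper_exhaustion": 0,
                    "vpn_lines": 0, "findings": []}
    prev = None
    for line in log_text.splitlines():
        if NAT_HELPER_RE.search(line):
            # Count every occurrence; "over and over" is itself the signal here.
            report["nat_helper_exhaustion"] += 1
            continue
        if line == prev:            # the RV082 writes each negotiation line twice
            continue
        prev = line
        m = TUNNEL_RE.search(line)
        if not m:
            continue
        report["vpn_lines"] += 1
        t = tunnels.setdefault(m.group(1), {"negotiation": m.group(2), "spi": {},
                                            "phase2_up": False, "esp": None})
        s = SPI_RE.search(line)
        if s:
            t["spi"][s.group(1).lower()] = s.group(2)
        if "Phase 2 SA Established" in line:
            t["phase2_up"] = True
        sa = SA_RE.search(line)
        if sa:
            t["esp"] = {"outbound": sa.group(1), "inbound": sa.group(2)}

    for name, t in tunnels.items():
        if t["esp"] and t["esp"] != t["spi"]:
            report["findings"].append(
                f"{name}: SPIs in the 'IPsec SA established' line differ from the negotiated ones")
        if t["phase2_up"] and report["nat_helper_exhaustion"]:
            # Heuristic, not a device diagnosis: IKE completed, so proposals and PSK
            # agree; look at the NAT / NAT-T path between the peers first.
            report["findings"].append(
                f"{name}: phase 2 SA is up while the peer's IPsec NAT helper reports "
                f"'Out of table entries' ({report['nat_helper_exhaustion']}x); check NAT "
                "passthrough and NAT Traversal settings before the IKE proposals")
    return report


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"] or ["nothing flagged"]:
        print(finding)
```

Feed it a pasted RV082 log plus the modem's syslog lines; an SA that is "Connected" on one side with nothing flagged on the other means the problem is rarely in the proposals the log already agreed on.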
 
Accepted Solution

by: John Hurst (earned 500 total points)
The following is based on my notes and experience as I am not a detailed expert in this.

I assume you set up a Site to Site tunnel (vs Site to Gateway) in the RV082.

Look at the following variables in the Tunnel setup under +Advanced.

Aggressive Mode: Try both ways. I normally have Aggressive mode off (unchecked).
Keep Alive: Set it on (checked).
AH Hash (MD5): I use SHA1 so this is unchecked for me.
NAT Traversal: I have this on for all but one tunnel. Try this one both ways. Set wrong it prevents traffic flow.
Dead Peer Detect: Set on (checked)

Your preshared key must be correct or the tunnel would not connect. Likewise Phase 1 and Phase 2 settings must be correct or the tunnel would not connect.

In the Advanced section, change one variable only and test. Then change another and test.
... Thinkpads_User
Author Comment

by: bobbailey22
Thanks for your reply, I will check all that. There are not many options on the DSL side so it may be a matter of just getting them right on the RV082. I'll keep you updated.
Assisted Solution

by: bobbailey22 (earned 0 total points)
Turns out when I hit connect on the Linksys it synced right up and started passing traffic. Not sure what the issue was on Friday. Thanks for the help as your answer was sound.

Basically I must have made sure all the settings matched on both sides. Also the PSK was being shortened on the DSL modem side as it was only able to handle a limited number of characters. I had to copy it to the Linksys to make sure they matched.
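The two points the accepted solution and the poster's own fix turn on, every Phase 1 / Phase 2 and mode setting matching on both peers and the PSK being silently shortened by the modem's input field, as an added example that is not part of the original post or either vendor's software. The device field names, the `psk_max_len` limit and the sample key are constructed for illustration; the script compares key fingerprints rather than the keys themselves so nothing secret ends up in a report.

```python
"""Side-by-side check of the IPsec tunnel settings that must agree on both peers,
including the PSK-truncation pitfall from the thread. Added example, not the
original poster's or either vendor's code; the field names, the psk_max_len limit
and the sample key are constructed for illustration."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class TunnelSide:
    name: str
    psk: str                                   # the key as the device actually stored it
    psk_max_len: Optional[int] = None          # assumed field-width limit of the device UI, if known
    phase1: Dict[str, object] = field(default_factory=dict)  # IKE proposal
    phase2: Dict[str, object] = field(default_factory=dict)  # IPsec proposal
    nat_traversal: bool = False
    aggressive_mode: bool = False


def psk_fingerprint(psk: str) -> str:
    """Short digest so keys can be compared in a report without being written out."""
    return hashlib.sha256(psk.encode("utf-8")).hexdigest()[:16]


def compare_sides(a: TunnelSide, b: TunnelSide) -> List[str]:
    """Return a list of mismatches; an empty list means the two sides agree."""
    problems: List[str] = []

    # 1. Pre-shared key: a mismatch means phase 1 never completes. If one side's
    #    key is exactly as long as that side's input limit and shorter than the
    #    other side's, the device most likely cut the key off when it was pasted.
    if psk_fingerprint(a.psk) != psk_fingerprint(b.psk):
        msg = f"PSK differs ({a.name} len={len(a.psk)}, {b.name} len={len(b.psk)})"
        longest = max(len(a.psk), len(b.psk))
        for side in (a, b):
            if side.psk_max_len is not None and len(side.psk) == side.psk_max_len < longest:
                msg += f"; {side.name} appears to have truncated the key at {side.psk_max_len} characters"
        problems.append(msg)

    # 2. Phase 1 and phase 2 proposals must match field for field.
    for phase, pa, pb in (("phase1", a.phase1, b.phase1), ("phase2", a.phase2, b.phase2)):
        for key in sorted(set(pa) | set(pb)):
            if pa.get(key) != pb.get(key):
                problems.append(f"{phase}.{key}: {a.name}={pa.get(key)!r}, {b.name}={pb.get(key)!r}")

    # 3. Mode flags that decide whether traffic flows once the SA is up.
    for flag in ("nat_traversal", "aggressive_mode"):
        if getattr(a, flag) != getattr(b, flag):
            problems.append(f"{flag}: {a.name}={getattr(a, flag)}, {b.name}={getattr(b, flag)}")
    return problems


# Constructed sample mirroring the thread: same proposals on both sides, but the
# modem's PSK field holds only 20 characters and silently dropped the rest.
FULL_PSK = "correct-horse-battery-staple-2013"   # 33 characters, constructed
PHASE1 = {"dh_group": 2, "encryption": "3DES", "auth": "SHA1", "lifetime_s": 28800}
PHASE2 = {"encryption": "3DES", "auth": "SHA1", "pfs": True, "lifetime_s": 3600}


def example_sides(modem_psk_max_len: int = 20):
    rv082 = TunnelSide("rv082", psk=FULL_PSK, phase1=dict(PHASE1), phase2=dict(PHASE2),
                       nat_traversal=True)
    modem = TunnelSide("comtrend-5631", psk=FULL_PSK[:modem_psk_max_len],
                       psk_max_len=modem_psk_max_len, phase1=dict(PHASE1),
                       phase2=dict(PHASE2), nat_traversal=True)
    return rv082, modem


if __name__ == "__main__":
    a, b = example_sides()
    for p in compare_sides(a, b) or ["no mismatches"]:
        print(p)
```

Because the report prints key lengths and fingerprints only, it is safe to paste into a ticket; the truncation hint fires only when a side's stored key is exactly its field limit, which is the pattern described in the thread.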

 

Author Closing Comment

by: bobbailey22
I fixed the issue without knowing it but the solutions suggested were accurate and well thought out.
Expert Comment

by: John Hurst
@bobbailey22 - Thank you for the update and I was happy to help you with this.

.... Thinkpads_User
Author Comment

by: bobbailey22
I wanted to give a further update to this: the device would not allow VPN passthrough properly, so I installed an older firmware on the device and set up VPN directly on the 5631.

ftp://ftp.sonic.net/pub/firmware/NexusLink_5630u-D131-310CTU-C03_R01_4.5.5.37.bin