Solved

IPSEC VPN Tunnel - Comtrend 5631 and Linksys rv082

Posted on 2013-01-18
Last Modified: 2014-12-23
History:

Client has a Comtrend Nexuslink 5631 DSL modem for internet supplied by the ISP.  I have already tried putting a router/firewall behind it and using bridged mode, but it doesn't work (not available on this device) and the ISP won't support it anyway and therefore won't help.  I have also tried a brand new Netgear DSL modem, but that won't authenticate to the DSL and get a live circuit (and they won't help me troubleshoot that either since it's not their device).  I am not going to be recommending Frontier internet to any of my other clients...

I finally got a VPN tunnel to connect directly between the Comtrend and the RV082 on the other end but no traffic is passing through the tunnel.

The Comtrend logs are non-descriptive, just saying this over and over:
kernel: net/ipv4/netfilter/./broadcom/ip_nat_ipsec.c:ipsec_nat_help Out of table entries

Google searches are pretty dry for that error...

The Linksys logs show this:

Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: responding to Quick Mode
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Inbound SPI value = 8bf7f30c
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Inbound SPI value = 8bf7f30c
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Outbound SPI value = 807c627c
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Outbound SPI value = 807c627c
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 3rd packet
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 3rd packet
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: Dead Peer Detection (RFC 3706) enabled
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: IPsec SA established {ESP=>0x807c627c <0x8bf7f30c

But now the tunnel won't even connect after a reboot of the Comtrend.

I am kind of out of ideas.  We are under contract with the ISP and can't really switch anyway since this area has very little in the way of service providers.

Any suggestions?

Thanks in advance for your help
Rob
Question by:bobbailey22
Accepted Solution

by:
John Hurst earned 500 total points
ID: 38795446
The following is based on my notes and experience as I am not a detailed expert in this.

I assume you set up a Site to Site tunnel (vs Site to Gateway) in the RV082.

Look at the following variables in the Tunnel setup under +Advanced.

Aggressive Mode: Try both ways. I normally have Aggressive mode off (unchecked).
Keep Alive: Set it on (checked).
AH Hash (MD5): I use SHA1 so this is unchecked for me.
NAT Traversal: I have this on for all but one tunnel. Try this one both ways. Set wrong it prevents traffic flow.
Dead Peer Detect: Set on (checked)

Your preshared key must be correct or the tunnel would not connect. Likewise Phase 1 and Phase 2 settings must be correct or the tunnel would not connect.

In the Advanced section, change one variable only and test. Then change another and test.
... Thinkpads_User
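As an added illustration (not code from the thread, Linksys or Comtrend): a small Python parser for the RV082 VPN log format quoted in the question. It drops the duplicated entries the router writes, pulls the Quick Mode SPIs out, checks them against the final "IPsec SA established" line, and then maps the result to the next check in the order the accepted answer gives (a consistent Phase 2 SA means the PSK and proposals already match, so NAT Traversal and the modem side are what remain). The log sample is constructed from the question's own lines.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the RV082 VPN log quoted in the question (each line logged twice).
SAMPLE_LOG = """\
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: responding to Quick Mode
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Inbound SPI value = 8bf7f30c
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Inbound SPI value = 8bf7f30c
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Outbound SPI value = 807c627c
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: IPsec SA established {ESP=>0x807c627c <0x8bf7f30c
"""

LINE_RE = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}\s+VPN Log\s+\((?P<tunnel>[^)]+)\) #(?P<sa>\d+): (?P<msg>.*)$")
SPI_RE = re.compile(r"(Inbound|Outbound) SPI value = ([0-9a-f]+)")
# In the final line "=>" is the SPI we send to the peer (outbound), "<" the one we accept (inbound).
ESTAB_RE = re.compile(r"IPsec SA established \{ESP=>0x([0-9a-f]+) <0x([0-9a-f]+)")

@dataclass
class Phase2State:
    tunnel: str = ""
    inbound_spi: Optional[str] = None
    outbound_spi: Optional[str] = None
    established: bool = False
    spi_consistent: Optional[bool] = None   # None until the "SA established" line is seen

def parse_rv082_vpn_log(text: str) -> Phase2State:
    state, seen = Phase2State(), set()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m or raw in seen:            # skip non-VPN lines and the duplicated entries
            continue
        seen.add(raw)
        state.tunnel, msg = m["tunnel"], m["msg"]
        if spi := SPI_RE.search(msg):       # "Inbound"/"Outbound" picks the field to fill
            setattr(state, spi.group(1).lower() + "_spi", spi.group(2))
        if est := ESTAB_RE.search(msg):
            state.established = True
            state.spi_consistent = (est.group(1), est.group(2)) == (state.outbound_spi, state.inbound_spi)
    return state

def diagnose(state: Phase2State) -> str:
    """Turn the parsed state into the next check, in the order the accepted answer suggests."""
    if not state.established:
        return "PHASE2_FAILED: verify PSK value/length and Phase 1 and Phase 2 proposals on both ends"
    if not state.spi_consistent:
        return "SPI_MISMATCH: negotiated SPIs differ from the installed SA, re-initiate the tunnel"
    return "IKE_OK: Phase 2 and SPIs agree, so test NAT Traversal and the modem side next"
```

Feed it the RV082 log page with `parse_rv082_vpn_log` and print `diagnose(...)`; a log that stops before the "IPsec SA established" line yields PHASE2_FAILED.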

Author Comment

by:bobbailey22
ID: 38803353
Thanks for your reply, I will check all that.  There are not many options on the DSL side so it may be a matter of just getting them right on the RV082.  I'll keep you updated.

Assisted Solution

by:bobbailey22
bobbailey22 earned 0 total points
ID: 38807673
Turns out when I hit connect on the Linksys it synced right up and started passing traffic.  Not sure what the issue was on Friday.  Thanks for the help as your answer was sound.

Basically I must have made sure all the settings matched on both sides.  Also the PSK was being shortened on the DSL modem side as it was only able to handle a limited number of characters.  I had to copy it to the Linksys to make sure they matched.

Author Closing Comment

by:bobbailey22
ID: 38823848
I fixed the issue without knowing it but the solutions suggested were accurate and well thought out.

Expert Comment

by:John Hurst
ID: 38824015
@bobbailey22 - Thank you for the update and I was happy to help you with this.

.... Thinkpads_User

Author Comment

by:bobbailey22
ID: 40515463
I wanted to give a further update to this: the device would not allow VPN passthrough properly, so I installed an older firmware on the device and set up VPN directly on the 5631.

ftp://ftp.sonic.net/pub/firmware/NexusLink_5630u-D131-310CTU-C03_R01_4.5.5.37.bin
