Solved

IPSEC VPN Tunnel - Comtrend 5631 and Linksys rv082

Posted on 2013-01-18
2,248 Views
Last Modified: 2014-12-23

Client has a Comtrend Nexuslink 5631 DSL modem for internet supplied by the ISP.  I have already tried putting a router/firewall behind it and using bridged mode, but it doesn't work (not available on this device) and the ISP won't support it anyway and therefore won't help.  I have also tried a brand new Netgear DSL modem, but that won't authenticate to the DSL and get a live circuit (and they won't help me troubleshoot that either since it's not their device).  I am not going to be recommending Frontier internet to any of my other clients...

I finally got a VPN tunnel to connect directly between the Comtrend and the RV082 on the other end, but no traffic is passing through the tunnel.

The Comtrend logs are non-descriptive, just saying this over and over:
kernel: net/ipv4/netfilter/./broadcom/ip_nat_ipsec.c:ipsec_nat_help Out of table entries

Google searches are pretty dry for that error...

The Linksys logs show this:

Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: responding to Quick Mode
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Inbound SPI value = 8bf7f30c
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Inbound SPI value = 8bf7f30c
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Outbound SPI value = 807c627c
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Outbound SPI value = 807c627c
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 3rd packet
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 3rd packet
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: Dead Peer Detection (RFC 3706) enabled
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: IPsec SA established {ESP=>0x807c627c <0x8bf7f30c

But now the tunnel won't even connect after a reboot of the comtrend.

I am kind of out of ideas.  We are under contract with the ISP and can't really switch anyway since this area has very little in the way of service providers.

Any suggestions?

Thanks in advance for your help
Rob
Question by:bobbailey22
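The RV082 log above says the Phase 2 SA came up, and the SPI values in the "IPsec SA established" line match the Inbound/Outbound SPI lines before it, which is the detail that separates "tunnel not negotiating" from "tunnel up but no traffic". The following is an added example, not code from the thread or from Linksys, that parses a de-duplicated copy of those log lines (embedded as constructed sample input) and reports whether each tunnel reached Phase 2 with consistent SPIs; the line format it assumes is inferred from the quoted lines only.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample: a de-duplicated subset of the RV082 "VPN Log" lines quoted above.
SAMPLE_LOG = """\
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: responding to Quick Mode
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Inbound SPI value = 8bf7f30c
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Outbound SPI value = 807c627c
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: Dead Peer Detection (RFC 3706) enabled
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Jan 18 16:43:20 2013      VPN Log      (g2gips2) #158647: IPsec SA established {ESP=>0x807c627c <0x8bf7f30c
"""

# One "VPN Log" line: timestamp, tunnel name in parentheses, state number, message.
# Format assumed from the quoted lines; other RV082 firmware may differ.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+ \d{4})\s+VPN Log\s+\((?P<tunnel>[^)]+)\)\s+#(?P<state>\d+):\s+(?P<msg>.*)$"
)
SPI_RE = re.compile(r"(Inbound|Outbound) SPI value = ([0-9a-fA-F]+)")
SA_RE = re.compile(r"IPsec SA established \{ESP=>0x([0-9a-fA-F]+) <0x([0-9a-fA-F]+)")


@dataclass
class TunnelState:
    tunnel: str
    inbound_spi: Optional[str] = None
    outbound_spi: Optional[str] = None
    dpd_enabled: bool = False
    phase2_established: bool = False
    sa_esp_out: Optional[str] = None   # value after "ESP=>0x"
    sa_esp_in: Optional[str] = None    # value after "<0x"

    def spi_consistent(self) -> bool:
        """True when the negotiated SPIs match the ESP SA that was installed."""
        return (
            self.sa_esp_out is not None
            and self.sa_esp_out.lower() == (self.outbound_spi or "").lower()
            and self.sa_esp_in is not None
            and self.sa_esp_in.lower() == (self.inbound_spi or "").lower()
        )


def analyze_vpn_log(text: str) -> Dict[str, TunnelState]:
    """Fold the log into one TunnelState per tunnel name (e.g. g2gips2)."""
    tunnels: Dict[str, TunnelState] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a VPN Log line; ignore
        st = tunnels.setdefault(m["tunnel"], TunnelState(m["tunnel"]))
        msg = m["msg"]
        spi = SPI_RE.search(msg)
        if spi:
            if spi.group(1) == "Inbound":
                st.inbound_spi = spi.group(2)
            else:
                st.outbound_spi = spi.group(2)
        if "Dead Peer Detection" in msg and "enabled" in msg:
            st.dpd_enabled = True
        if "Phase 2 SA Established" in msg:
            st.phase2_established = True
        sa = SA_RE.search(msg)
        if sa:
            st.sa_esp_out, st.sa_esp_in = sa.group(1), sa.group(2)
    return tunnels


def diagnose(st: TunnelState) -> str:
    """Plain-language verdict for one tunnel, based only on what the log proves."""
    if not st.phase2_established:
        return "Phase 2 never completed: check Phase 1/Phase 2 proposals and the PSK"
    if not st.spi_consistent():
        return "Phase 2 up but the installed SA does not match the negotiated SPIs: look for a later rekey"
    return ("Phase 2 SA established with consistent SPIs; key exchange is fine, so a no-traffic "
            "problem lies elsewhere (NAT traversal setting, the modem's NAT table)")


if __name__ == "__main__":
    for name, st in analyze_vpn_log(SAMPLE_LOG).items():
        print(f"{name}: in={st.inbound_spi} out={st.outbound_spi} dpd={st.dpd_enabled}")
        print("  ", diagnose(st))
```

Run against the full log export from the RV082 to see whether repeated negotiations keep producing new SPI pairs (a rekey loop) or whether one SA stays installed while traffic still does not flow, which points at the Comtrend's "Out of table entries" NAT problem rather than at IKE.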
6 Comments
LVL 93

Accepted Solution

by:
John Hurst earned 500 total points
ID: 38795446
The following is based on my notes and experience as I am not a detailed expert in this.

I assume you set up a Site to Site tunnel (vs Site to Gateway) in the RV082.

Look at the following variables in the Tunnel setup under +Advanced.

Aggressive Mode: Try both ways. I normally have Aggressive mode off (unchecked).
Keep Alive: Set it on (checked).
AH Hash (MD5): I use SHA1 so this is unchecked for me.
NAT Traversal: I have this on for all but one tunnel. Try this one both ways. Set wrong it prevents traffic flow.
Dead Peer Detect: Set on (checked)

Your preshared key must be correct or the tunnel would not connect. Likewise Phase 1 and Phase 2 settings must be correct or the tunnel would not connect.

In the Advanced section, change one variable only and test. Then change another and test.
... Thinkpads_User
Author Comment

by:bobbailey22
ID: 38803353
Thanks for your reply; I will check all that.  There are not many options on the DSL side, so it may be a matter of just getting them right on the RV082.  I'll keep you updated.
Assisted Solution

by:bobbailey22
bobbailey22 earned 0 total points
ID: 38807673
Turns out when I hit connect on the Linksys it synced right up and started passing traffic.  Not sure what the issue was on Friday.  Thanks for the help as your answer was sound.

Basically I must have made sure all the settings matched on both sides.  Also the PSK was being shortened on the DSL modem side as it was only able to handle a limited number of characters.  I had to copy it to the Linksys to make sure they matched.
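Two things in this thread are worth turning into a repeatable check: the accepted answer's point that Phase 1, Phase 2 and the Advanced settings (aggressive mode, NAT traversal, DPD) must agree on both ends, and the closing finding that the DSL modem silently shortened the PSK so the two ends were using different keys. The block below is an added example written for this page, not code from the thread, Linksys or Comtrend; it models each peer's settings under field names of its own choosing, compares them, and reports a PSK that one device truncates. The 24-character limit and the sample key are constructed for the demonstration, not values from the 5631.

```python
import hmac
from dataclasses import dataclass, replace
from typing import List, Optional

# Fields that must be identical on both peers for IKE Phase 1 / IPsec Phase 2 to negotiate.
# These names are this example's own, not the RV082's or the Comtrend's configuration labels.
PHASE1_FIELDS = ("ike_encryption", "ike_auth", "dh_group", "ike_lifetime_s", "aggressive_mode")
PHASE2_FIELDS = ("esp_encryption", "esp_auth", "pfs_group", "esp_lifetime_s")
ADVANCED_FIELDS = ("nat_traversal", "dpd")


@dataclass(frozen=True)
class IpsecPeer:
    name: str
    ike_encryption: str
    ike_auth: str
    dh_group: int
    ike_lifetime_s: int
    aggressive_mode: bool
    esp_encryption: str
    esp_auth: str
    pfs_group: Optional[int]
    esp_lifetime_s: int
    nat_traversal: bool
    dpd: bool
    psk: str
    # Assumption for the example: the device silently keeps only this many PSK characters.
    psk_max_len: Optional[int] = None

    def effective_psk(self) -> str:
        """The key this device will actually use after any silent truncation."""
        if self.psk_max_len is not None:
            return self.psk[: self.psk_max_len]
        return self.psk


def compare_peers(a: IpsecPeer, b: IpsecPeer) -> List[str]:
    """Return human-readable mismatches; an empty list means the two ends agree."""
    findings = []
    for group, names in (("phase1", PHASE1_FIELDS), ("phase2", PHASE2_FIELDS), ("advanced", ADVANCED_FIELDS)):
        for f in names:
            va, vb = getattr(a, f), getattr(b, f)
            if va != vb:
                findings.append(f"{group}.{f}: {a.name}={va!r} {b.name}={vb!r}")
    # Compare the keys each side will actually use; never put key text in the report.
    ea, eb = a.effective_psk().encode(), b.effective_psk().encode()
    if not hmac.compare_digest(ea, eb):
        note = "psk: effective keys differ"
        for p in (a, b):
            if p.psk_max_len is not None and len(p.psk) > p.psk_max_len:
                note += f" ({p.name} keeps only the first {p.psk_max_len} of {len(p.psk)} characters)"
        findings.append(note)
    return findings


# Constructed sample: RV082 end holds the full key, the DSL modem end truncates it at 24 characters.
RV082 = IpsecPeer("rv082", "3des", "sha1", 2, 28800, False, "3des", "sha1", 2, 3600, True, True,
                  psk="correct horse battery staple 2013")
COMTREND = replace(RV082, name="comtrend", psk_max_len=24)


def run_demo():
    """Findings before the fix, after copying the truncated key to the RV082, and with NAT-T mismatched."""
    before = compare_peers(RV082, COMTREND)
    after_fix = compare_peers(replace(RV082, psk=COMTREND.effective_psk()), COMTREND)
    natt_mismatch = compare_peers(RV082, replace(COMTREND, nat_traversal=False, psk_max_len=None))
    return before, after_fix, natt_mismatch


if __name__ == "__main__":
    for label, findings in zip(("before", "after fix", "NAT-T off on one side"), run_demo()):
        print(f"{label}: {findings or 'no mismatches'}")
```

The comparison follows the accepted answer's method of changing one variable at a time: each finding names exactly one field, so the report is the list of things to flip and retest. The PSK is compared with hmac.compare_digest and never echoed, which matters when the output ends up in a ticket like this thread.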
Author Closing Comment

by:bobbailey22
ID: 38823848
I fixed the issue without knowing it but the solutions suggested were accurate and well thought out.
LVL 93

Expert Comment

by:John Hurst
ID: 38824015
@bobbailey22 - Thank you for the update and I was happy to help you with this.

.... Thinkpads_User
Author Comment

by:bobbailey22
ID: 40515463
I wanted to give a further update to this: the device would not allow VPN passthrough properly, so I installed an older firmware on the device and set up VPN directly on the 5631.

ftp://ftp.sonic.net/pub/firmware/NexusLink_5630u-D131-310CTU-C03_R01_4.5.5.37.bin