VPN tunnel access to RV042 with a dynamic IP from Windows 7

I need to be able to access a server behind a Cisco RV042 with a dynamic IP address given by dyndns, from a Windows 7 machine. How should this be set up? I have tried as much as possible but keep getting an access error.

Dan CraciunIT ConsultantCommented:
When do you get the error? Can you establish the tunnel? Are you using PPTP or IPSec? If IPSec, what client?
Details, please.
RJVAuthor Commented:
Hi Dan,

Let me give you more details. First, here is the structure:

Remote (or my) Win7 computer connects to   >>>   RV042 (IP xxx.xxx.3.1), to connect to   >>>   Win7 server (IP xxx.xxx.3.99).

Namely, the objective is to access the Win7 server to display and thus test a website.

The RV042 has a Dyn domain name with a dynamic IP (thus IP aaa.bbb.ccc.ddd or whatever) updated constantly by a Dyn app on the Win7 server. Thus the access of the remote computer arrives on the Dyn domain IP from WAN 1 (WAN 2 also exists but can be considered inactive). Just to understand, there is a router supplied by the ISP which is bridged to the RV042 so it can be ignored, so much that I can access the Win7 server through the Remote Desktop, with all ports on the RV forwarded to the Win7 server.

To answer your question, frankly all the instructions I have found are confusing or incomplete so what I can do is subject to mistakes. That said, I could never connect to the RV042, getting several standard errors. At one point I decided to try and see what works so from the local network I accessed the RV042 after using the specific IP of the RV042 (xxx.xxx.3.1) on my computer. I did that successfully with a PPTP server connection. When I change to the Dyn domain I don't succeed.

I would prefer trying to access using whatever already exists on Windows as there are other parties working on the project and I would like to avoid the imposition of their having to install special software just to be able to test their work (that necessity would be a last resort). Maybe the best way forward is if you can indicate what I should try now that you have this information and I check it out here.

I'd like to be optimistic and be prepared to say, "Hey, it worked!" the very first time.


You might wonder why I don't just access without the VPN. Simply because the ISP is "kind enough" to block those ports (80, 443, etc.) on their internal routers. Besides, as a result I can keep more ports closed on the RV.
Dan CraciunIT ConsultantCommented:
I've never been able to get a stable connection to a RV042 using PPTP.

It works without a hitch using Shrew Soft's VPN client (free if you don't need AD): https://www.shrew.net/support/Howto_Linksys

NCP's Secure Entry is easier to configure, but not free (120 Euros) https://www.ncp-e.com/en/products/ipsec-vpn-client-suite.html

Neither client cares whether you're using DDNS or not. As long as the URL you supply resolves to the correct IP, the connection will work.


RJVAuthor Commented:
I'll give it a try. While the goal is not to impose, at this stage anything that gets this to work! I'm glad they have the instructions too. The only odd part is their logo (a rat?).

A quick question: I didn't even know Win 7 has a native VPN access option. Have you tried that? Thus it wouldn't be dependent on the RV.
Thomas GrassiSystems AdministratorCommented:
Windows 7 has native VPN support.

What error are you getting when trying to connect? They all have a meaning which helps troubleshoot.
RJVAuthor Commented:
I followed the steps in the instructions exactly as shown for the RV router. On the client side (VPN Access Manager) I mostly could not use IPs as these can change. So I used the Dyn domain, except where they ask for the local IP information, which I included there. Then I loaded Access Manager and had it connect. All seemed to be normal except at this point: "bringing up tunnel ... network unavailable".

Thus no connection.

Any ideas?
RJVAuthor Commented:
I tried that again, after forwarding port 1723 to the machine, and also confirmed that it was open. I have found with setting up RDP that if the forwarded port does not get to the machine (server, in this case), the port is considered closed. So that means it will get to the server.

The error I got was 619 (could not connect). Note that it is just a VPN connection with no apparent security to it (left to automatic). I also attempted tunneling with the same result.

This leaves me wondering if I need to forward some other port and if so, which that or those might be. I won't go into security as the goal is to get it working first!

I hope you have some bright ideas!
Dan CraciunIT ConsultantCommented:
Along with the VPN client from Shrew Soft you installed the VPN Trace Utility (it's under Shrew Soft VPN Client in the Start menu).

Start it, set the output level to Debug (File->Options), then leave it open and try to connect again. It will give you detailed info on what it's trying to do. Post the log here (it's text, so delete the parts that you don't want to be public).
RJVAuthor Commented:
That, Dan, is the best news I've heard in a while: a proper trace or debug facility. You bet I'm off to Sherlock that down! Plus, of course, keep you updated.
RJVAuthor Commented:
I wish I could interpret this (and solve without having to further ask you):

14/11/08 17:18:43 ii : rebuilding vnet device list ...
14/11/08 17:18:43 ii : device ROOT\VNET\0000 disabled
14/11/08 17:18:43 ii : network process thread begin ...
14/11/08 17:18:43 !! : vflt device attach failed
14/11/08 17:18:43 ii : pfkey process thread begin ...
14/11/08 17:18:43 ii : ipc server process thread begin ...
14/11/08 17:18:44 !! : vflt device attach failed
14/11/08 17:18:45 !! : vflt device attach failed
14/11/08 17:18:46 !! : vflt device attach failed
14/11/08 17:18:47 !! : vflt device attach failed
14/11/08 17:18:48 !! : vflt device attach failed
14/11/08 17:18:49 !! : vflt device attach failed
14/11/08 17:18:50 !! : vflt device attach failed
14/11/08 17:18:51 !! : vflt device attach failed
14/11/08 17:18:52 ii : ipc client process thread begin ...
14/11/08 17:18:52 <A : peer config add message
14/11/08 17:18:52 <A : proposal config message
14/11/08 17:18:52 <A : proposal config message
14/11/08 17:18:52 <A : client config message
14/11/08 17:18:52 <A : local id 'test.dyndns-server.com' message
14/11/08 17:18:52 <A : remote id 'test.dyndns-server.com' message
14/11/08 17:18:52 <A : preshared key message
14/11/08 17:18:52 <A : remote resource message
14/11/08 17:18:52 <A : peer tunnel enable message
14/11/08 17:18:52 DB : peer added ( obj count = 1 )
14/11/08 17:18:52 ii : local address selected for peer
14/11/08 17:18:52 DB : tunnel added ( obj count = 1 )
14/11/08 17:18:52 DB : new phase1 ( ISAKMP initiator )
14/11/08 17:18:52 DB : exchange type is aggressive
14/11/08 17:18:52 DB : <->
14/11/08 17:18:52 DB : f2caae839e2e9803:0000000000000000
14/11/08 17:18:52 DB : phase1 added ( obj count = 1 )
14/11/08 17:18:52 >> : security association payload
14/11/08 17:18:52 >> : - proposal #1 payload
14/11/08 17:18:52 >> : -- transform #1 payload
14/11/08 17:18:52 >> : key exchange payload
14/11/08 17:18:52 >> : nonce payload
14/11/08 17:18:52 >> : identification payload
14/11/08 17:18:52 >> : vendor id payload
14/11/08 17:18:52 ii : local supports nat-t ( draft v00 )
14/11/08 17:18:52 >> : vendor id payload
14/11/08 17:18:52 ii : local supports nat-t ( draft v01 )
14/11/08 17:18:52 >> : vendor id payload
14/11/08 17:18:52 ii : local supports nat-t ( draft v02 )
14/11/08 17:18:52 >> : vendor id payload
14/11/08 17:18:52 ii : local supports nat-t ( draft v03 )
14/11/08 17:18:52 >> : vendor id payload
14/11/08 17:18:52 ii : local supports nat-t ( rfc )
14/11/08 17:18:52 >> : vendor id payload
14/11/08 17:18:52 >> : vendor id payload
14/11/08 17:18:52 ii : local supports DPDv1
14/11/08 17:18:52 >> : vendor id payload
14/11/08 17:18:52 ii : local is SHREW SOFT compatible
14/11/08 17:18:52 >> : vendor id payload
14/11/08 17:18:52 ii : local is NETSCREEN compatible
14/11/08 17:18:52 >> : vendor id payload
14/11/08 17:18:52 ii : local is SIDEWINDER compatible
14/11/08 17:18:52 >> : vendor id payload
14/11/08 17:18:52 ii : local is CISCO UNITY compatible
14/11/08 17:18:52 >= : cookies f2caae839e2e9803:0000000000000000
14/11/08 17:18:52 >= : message 00000000
14/11/08 17:18:52 -> : send IKE packet -> ( 529 bytes )
14/11/08 17:18:52 ii : phase1 removal before expire time
14/11/08 17:18:52 DB : phase1 deleted ( obj count = 0 )
14/11/08 17:18:52 DB : policy not found
14/11/08 17:18:52 DB : policy not found
14/11/08 17:18:52 DB : policy not found
14/11/08 17:18:52 DB : policy not found
14/11/08 17:18:52 DB : policy not found
14/11/08 17:18:52 DB : policy not found
14/11/08 17:18:52 DB : removing tunnel config references
14/11/08 17:18:52 DB : removing tunnel phase2 references
14/11/08 17:18:52 DB : removing tunnel phase1 references
14/11/08 17:18:52 DB : tunnel deleted ( obj count = 0 )
14/11/08 17:18:52 DB : removing all peer tunnel references
14/11/08 17:18:52 DB : peer deleted ( obj count = 0 )
14/11/08 17:18:52 ii : ipc client process thread exit ...
14/11/08 17:18:52 !! : vflt device attach failed
14/11/08 17:18:53 !! : vflt device attach failed
14/11/08 17:18:55 !! : vflt device attach failed
14/11/08 17:18:56 !! : vflt device attach failed
14/11/08 17:18:57 !! : vflt device attach failed
14/11/08 17:18:58 !! : vflt device attach failed
14/11/08 17:18:59 !! : vflt device attach failed
14/11/08 17:19:00 !! : vflt device attach failed
14/11/08 17:19:01 !! : vflt device attach failed
14/11/08 17:19:01 ii : hard halt signal received, shutting down
14/11/08 17:19:01 ii : pfkey process thread exit ...
14/11/08 17:19:01 ii : ipc server process thread exit ...
14/11/08 17:19:02 ii : network process thread exit ...
Dan CraciunIT ConsultantCommented:
Phase 1 could not be completed, which means it couldn't even connect to the remote server. Check the firewall on your test computer. Looks like the VPN Client is firewalled.
Dan CraciunIT ConsultantCommented:
After this:
14/11/08 17:18:52 -> : send IKE packet -> ( 529 bytes )
You should have had another event like this:
14/11/08 17:18:52 <- : recv IKE packet -> ( 344 bytes )

Since you don't have that event, then the router and your computer cannot communicate on port 500.
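Reading a trace like this mechanically. The following Python is an added example, not part of the thread and not Shrew Soft's code. It parses the trace format shown above (date, time, two-character tag, " : ", message) and reports the three things worth noticing in it: an IKE packet sent with no reply, the repeated vflt driver failure, and the use of aggressive mode. The two sample traces embedded in it are constructed from the lines posted above.

```python
import re
import sys

# Constructed sample: a trimmed copy of the Shrew Soft trace posted above.
FAILED_TRACE = """\
14/11/08 17:18:43 !! : vflt device attach failed
14/11/08 17:18:52 DB : new phase1 ( ISAKMP initiator )
14/11/08 17:18:52 DB : exchange type is aggressive
14/11/08 17:18:52 >= : cookies f2caae839e2e9803:0000000000000000
14/11/08 17:18:52 -> : send IKE packet -> ( 529 bytes )
14/11/08 17:18:52 ii : phase1 removal before expire time
14/11/08 17:18:52 DB : phase1 deleted ( obj count = 0 )
"""

# Constructed counter-example: the reply event Dan says should have followed the send.
ANSWERED_TRACE = """\
14/11/08 17:18:52 DB : new phase1 ( ISAKMP initiator )
14/11/08 17:18:52 -> : send IKE packet -> ( 529 bytes )
14/11/08 17:18:52 <- : recv IKE packet -> ( 344 bytes )
"""

# Trace line layout: date, time, two-character tag, " : ", message.
LINE_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<tag>\S\S) : (?P<msg>.*)$")


def parse_trace(text):
    """Return one dict per well-formed trace line; anything else is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def diagnose(text):
    """Summarise a phase-1 attempt: did we send, did anyone answer, what else is wrong."""
    events = parse_trace(text)
    sent = sum(1 for e in events
               if e["tag"] == "->" and e["msg"].startswith("send IKE packet"))
    recv = sum(1 for e in events
               if e["tag"] == "<-" and e["msg"].startswith("recv IKE packet"))
    vflt = sum(1 for e in events if "vflt device attach failed" in e["msg"])
    aggressive = any("exchange type is aggressive" in e["msg"] for e in events)

    findings = []
    if sent and not recv:
        findings.append("IKE sent but nothing received: UDP/500 (UDP/4500 behind NAT) "
                        "is not reaching the gateway, or the gateway is not answering")
    if vflt:
        findings.append("vflt driver not attached (%d times): client driver problem, "
                        "tunnel traffic would fail even after a successful IKE" % vflt)
    if aggressive:
        findings.append("aggressive mode: identities travel in the clear and the PSK hash "
                        "is exposed to offline guessing; prefer main mode where the gateway allows")
    return {"ike_sent": sent, "ike_received": recv,
            "vflt_failures": vflt, "findings": findings}


if __name__ == "__main__":
    # Usage: python ike_trace_check.py [trace.txt]; with no file the sample is analysed.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else FAILED_TRACE
    report = diagnose(text)
    print("IKE packets sent: %d, received: %d" % (report["ike_sent"], report["ike_received"]))
    for finding in report["findings"]:
        print(" -", finding)
```

Run against a saved Debug-level trace; a non-empty findings list with "IKE sent but nothing received" is exactly the condition Dan describes, and it points at the path to UDP/500 rather than at the tunnel settings.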
RJVAuthor Commented:
The app is enabled (Kaspersky firewall). That said, just to be 100% sure I disabled the firewall and no luck. Checked out the other end yet again.

Before I posted here I also didn't get through and in the end, tried directly to the IP of the RV. That worked, as also indicated above. The feeling I get is that the IP from the domain does not take you to the RV itself but to the WAN, that is, the ISP's router, which is bridged to the RV. Having said that, while this may be logical, the fact that I can access the server through RDP, through the domain that takes you to the IP of the ISP's router, seems to knock that possibility down the drain.

Overall, what a frustrating process.
Dan CraciunIT ConsultantCommented:
When you ping the domain, what IP does it resolve to?
RJVAuthor Commented:
Dan CraciunIT ConsultantCommented:
Then it should not matter whether you use the IP or the domain, as long as a DNS server is available.

If you use directly the IP on the VPN client, is there any difference?
RJVAuthor Commented:
Nope. Meanwhile I decided to recheck everything once again. At the same time, I thought it was wise to grab a screenshot of the client configuration to include here. That way you can look it over and make sure I haven't missed something or should do something differently, leading us to waste time (particularly you as you are helping and I need to get it to work).

I hope that helps.
Dan CraciunIT ConsultantCommented:
There are some differences to my setup. Particularly on the authentication part. The domain name has nothing to do with DDNS. It can be any name, as long as it's the same on the client and the router.
Plus, on the policy tab, you need to add the remote router's internal network. Is the remote router's IP
RJVAuthor Commented:
No luck, Dan, but I seem to have found something. I ran a test on port 500 and it seems to be closed. The reason I say "seems" and not "is", is because I'm not 100% sure of the reliability of open port testers. If you want to give it a shot on your end, the IP given above hasn't changed so far.

I also discovered that the RV042 can access DYN and thus keep the IP up-to-date, without depending on DYN's app to do that. I don't know if that will affect the IP structure of the network, though that doesn't seem logical (if there is logic in this whole mess).

Finally, in checking I also discovered an open VPN solution suggested by DYN (http://dyn.com/support/wizard-js/#vpn-0) that takes you directly to the machine. Since that is the ultimate goal of the exercise and not the whole network, it may also be a solution.
Dan CraciunIT ConsultantCommented:
That guide is for installing OpenVPN and a client. This means you would need to install OpenVPN to your server, then forward the needed ports in the RV042.

If port 500 is filtered, it means your ISP is blocking port 500. Contact them to open it.
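One way to settle the "is port 500 filtered, or just not answering?" question without trusting a third-party port tester. The following Python is an added example, not from the thread, and not something the RV042 or Shrew Soft ship: it temporarily forwards the port to a LAN host (the same way port 3389 was forwarded for RDP) and runs a UDP echo there, then probes it from outside with a random token. Only an echoed token proves the path is open end to end; an ICMP port-unreachable means the packet got to a host but nothing was listening; silence means something on the path drops it. Host names and the port number are whatever you pass on the command line; the built-in self-test uses loopback only.

```python
import argparse
import secrets
import socket
import threading


class UdpEchoServer:
    """Echo every datagram back to its sender. Run on the LAN host the router
    forwards the test port to. Binding below 1024 needs root on Unix; Windows 7
    has no such restriction."""

    def __init__(self, bind_addr="0.0.0.0", port=500):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((bind_addr, port))
        self.sock.settimeout(0.2)          # lets the loop notice stop()
        self.port = self.sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def _serve(self):
        while not self._stop.is_set():
            try:
                data, peer = self.sock.recvfrom(2048)
            except socket.timeout:
                continue
            self.sock.sendto(data, peer)

    def wait(self):
        self._thread.join()

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()


def udp_reachability(host, port, timeout=2.0, attempts=3):
    """Probe host:port from outside and classify the answer.

    'reachable'   our token came back: the path is open end to end
    'closed'      ICMP port-unreachable: a host was reached, nothing listening
                  (forward missing, or the echo server is not running)
    'no-response' silence: filtered somewhere on the path, or a black hole
    """
    token = secrets.token_bytes(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))            # connected UDP so ICMP errors surface
        for _ in range(attempts):
            try:
                s.send(token)
                data = s.recv(2048)
            except socket.timeout:
                continue
            except ConnectionError:        # ECONNREFUSED on Unix, WSAECONNRESET on Windows
                return "closed"
            if data == token:              # ignore stray datagrams from anyone else
                return "reachable"
    return "no-response"


def self_test():
    """Loopback check of both halves together; returns the classification."""
    srv = UdpEchoServer("127.0.0.1", 0).start()
    try:
        return udp_reachability("127.0.0.1", srv.port, timeout=1.0)
    finally:
        srv.stop()


def main(argv=None):
    ap = argparse.ArgumentParser(description="End-to-end UDP port check")
    sub = ap.add_subparsers(dest="cmd", required=True)
    listen = sub.add_parser("listen", help="run the echo on the forwarded host")
    listen.add_argument("port", type=int)
    probe = sub.add_parser("probe", help="probe the DDNS name from outside")
    probe.add_argument("host")
    probe.add_argument("port", type=int)
    args = ap.parse_args(argv)
    if args.cmd == "listen":
        srv = UdpEchoServer("0.0.0.0", args.port).start()
        print("echoing on UDP %d, Ctrl-C to stop" % srv.port)
        try:
            srv.wait()
        except KeyboardInterrupt:
            srv.stop()
    else:
        print(udp_reachability(args.host, args.port))


if __name__ == "__main__":
    main()
```

Inside: `python udp_check.py listen 500`; outside: `python udp_check.py probe test.dyndns-server.com 500`. Restore the forward to the RV042 afterwards, since while it points at the test host the router's own IPsec endpoint is bypassed. Repeating the probe with the echo stopped is a useful control: "closed" there and "no-response" with it running is not possible, so two "no-response" results in a row point at filtering upstream.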
RJVAuthor Commented:
To make sure the result I got is valid, have you had the same blocked result on port 500? I'd like to make sure so neither of us chase our tails, as it were. Besides, often the ISP doesn't own up to closing certain ports pointing to some failure on the user's part. The reality is an attempt to charge more for "premium" services. I'm sure you've heard that music!
Dan CraciunIT ConsultantCommented:
Tried it, no response on port 500. (using IP
RJVAuthor Commented:
Thus you and I have just been wasting our time as a result. Fantastic!!! I wonder if the RV accepts changing that port. Otherwise, OpenVPN it'll have to be, as that can use different ports too, I gather.
Dan CraciunIT ConsultantCommented:
You should take this up with your ISP.
If the modem in front of the RV042 is really in bridge mode (meaning it does not filter traffic), then you should provide a list of ports you need opened and your ISP should make sure they are not filtered in any way.

If the server behind the RV042 is running some variant of Windows Server, you don't need OpenVPN. You can add the "Remote access" role and use that as a VPN server. See here for Windows Server 2012: http://www.thomasmaurer.ch/2014/01/how-to-install-vpn-on-windows-server-2012-r2/
RJVAuthor Commented:
I have. They say the port in question is open. Try it and it isn't. Call again. Same answer. Translated: a waste of time.

The computer is a simple Windows 7. I also tried VPN on it and that port is closed. The why of OpenVPN is to change the port and be done with it. I've wasted too much time with this already. To change it means probably bumping into the no port change problem again (besides reconfiguring everything). I also hope this workout will be worth it for you, beyond the points (which you certainly deserve). I think you'll bump into these tricks more and more often. By now I'm no longer surprised with the stuff I bump into, in different locations in the world too.
Dan CraciunIT ConsultantCommented:
The RV042s are a very popular choice for VPN for small businesses. I have them at several customers, never had a problem configuring VPN on them, except in a double NAT situation, where I ended up changing the ISP.

That being said, I've consistently kept phone numbers from tech support from various ISPs in my area. Personal numbers, any time I could find them. Now I can usually call someone when the official phone support proves to be lacking.
At the end of the day, IT consulting looks more and more like a social science :)
Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
To put my own money in this (nothing more than 2c): If the ISP blocks udp/500, they will most probably do the same for other popular ports like PPTP and L2TP. OpenVPN is the only VPN software I know of that allows the use of a different port.

Just to make sure: You didn't try that from inside the office LAN, hopefully? Because that is something many routers do not support.
If you hit the RV per IPSec from outside, you should be able to see something in the RV logs.
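What "OpenVPN on a different port" looks like in practice, picking up Qlemo's point above and Dan's earlier note that OpenVPN would run on the server with the port forwarded through the RV042. This is an added example, not from the thread and not from Dyn's guide. Assumptions: UDP 5555 is a placeholder for whichever port the ISP turns out to leave unfiltered; the RV042 forwards that port to the Windows 7 host; the certificate and key file names are the conventional ones and have to be generated first (easy-rsa or similar); the client host needs the OpenVPN TAP adapter installed.

```conf
# ---- server.conf, on the Windows 7 host behind the RV042 ----
# Placeholder port: substitute the one the ISP leaves open and forward it on the RV042.
port 5555
proto udp
dev tun
# PKI files generated beforehand (easy-rsa); names are the conventional ones.
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# Static HMAC key: packets without it are dropped before any TLS work happens,
# so an exposed port does not answer unauthenticated probes.
tls-auth ta.key 0
# Tunnel network handed to clients; the server itself is 10.8.0.1.
server 10.8.0.0 255.255.255.0
# Only needed to reach other LAN hosts; the web server is reachable on 10.8.0.1 as is.
# Placeholder LAN, matching the xxx.xxx.3.0 network in the thread:
# push "route 192.168.3.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
auth SHA256
persist-key
persist-tun
verb 3

# ---- client.ovpn, on the remote Windows 7 machine ----
client
dev tun
proto udp
# DDNS name from the thread, resolved at connect time.
remote test.dyndns-server.com 5555
# Keep retrying resolution so a briefly stale DDNS record does not abort the connection.
resolv-retry infinite
nobind
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
# Refuse any peer certificate not marked for server use (stops a client cert posing as the server).
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
verb 3
```

Each client gets its own certificate, so access for one collaborator can be revoked (CRL) without touching the others, which is the part a shared PSK setup on the RV042 cannot give you.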

Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
BTW, the W7 VPN client can only use IPSec with IKEv2 (besides PPTP and L2TP/IPSec), and that won't work with the RV.
RJVAuthor Commented:
Qlemo, thanks for your thoughts. I wanted to get to the bottom of this asap but couldn't Mon, Tues and half of yesterday. Meanwhile after spinning my wheels I was able to find a location that tested all of the main ports and nearly all are closed. The most important was to find what is open to use that. Namely, forward it to the server where OpenVPN can take over.

The problem with OpenVPN is that it isn't clearly documented. The matter is to make sure it is running and can be tested and responding. The final objective of all of this is to have a server to get new code, integrated with the web. If I can do that with regular http, great. Otherwise the thought is to go through VPN where all ports would be open and not subject to ISPitis (the illness that slows all of us down).
Dan CraciunIT ConsultantCommented:
You only need one port to test your web app. Why not simply forward one of the open ports to the computer serving your web app? That's basic NATing and should be way easier to achieve than a VPN.
RJVAuthor Commented:
That's what I'm doing at this moment. My issue is that you need to add the port to the URL. However, in the code it redirects the URL to its SSL or https version and that code gets messed up when it finds the port in it. Apache has a proxy which you can use to clear that out so the code sees what it needs to see (the URL without the port number in it). My tests so far haven't worked as the port keeps showing up and generating the error.

I don't want to fiddle around with the original code as that is needed as clean as possible in the production environment. I've noticed that I'm not alone with this type of issue. Some want to leave it all on the same server but only restart the test environment. I prefer all to be on separate machines not to risk the production server.
RJVAuthor Commented:
Qlemo, things are so well locked that in the end the best solution was to get a virtual external server at a low cost. I even found an interesting new open solution at www.softether.org, much more comprehensive than OpenVPN (by a Japanese university). I'd like to thank you for your help, which made it possible to come to the final best solution of the server, even though at a cost despite having something that cost nothing (except for time, far more valuable than the cost of this server).