Solved

VPN tunnel access to RV042 with a dynamic IP from Windows 7

Posted on 2014-11-07
Last Modified: 2014-11-21
I need to be able to access a server behind a Cisco RV042 with a dynamic IP address given by dyndns, from a Windows 7 machine. How should this be set up? I have tried as much as possible but keep getting an access error.
Question by:RJV
32 Comments
 
LVL 34

Expert Comment

by:Dan Craciun
ID: 40429975
When do you get the error? Can you establish the tunnel? Are you using PPTP or IPSec? If IPSec, what client?
Details, please.
0
 

Author Comment

by:RJV
ID: 40430136
Hi Dan,

Let me give you more details. First, here is the structure:

Remote (or my) Win7 computer connects to   >>>   RV042 (IP xxx.xxx.3.1), to connect to   >>>   Win7 server (IP xxx.xxx.3.99).

Namely, the objective is to access the Win7 server to display and thus test a website.

The RV042 has a Dyn domain name with a dynamic IP (thus IP aaa.bbb.ccc.ddd or whatever) updated constantly by a Dyn app on the Win7 server. Thus the access of the remote computer arrives on the Dyn domain IP from WAN 1 (WAN 2 also exists but can be considered inactive). Just to understand, there is a router supplied by the ISP which is bridged to the RV042 so it can be ignored, so much that I can access the Win7 server through the Remote Desktop, with all ports on the RV forwarded to the Win7 server.

To answer your question, frankly all the instructions I have found are confusing or incomplete so what I can do is subject to mistakes. That said, I could never connect to the RV042, getting several standard errors. At one point I decided to try and see what works so from the local network I accessed the RV042 after using the specific IP of the RV042 (xxx.xxx.3.1) on my computer. I did that successfully with a PPTP server connection. When I change to the Dyn domain I don't succeed.

I would prefer trying to access using whatever already exists on Windows as there are other parties working on the project and I would like to avoid the imposition of their having to install special software just to be able to test their work (that necessity would be a last resort). Maybe the best way forward is if you can indicate what I should try now that you have this information and I check it out here.

I'd like to be optimistic and be prepared to say, "Hey, it worked!" the very first time.

Regards,
Roger

PS
You might wonder why I don't just access without the VPN. Simply because the ISP is "kind enough" to block those ports (80, 443, etc.) on their internal routers. Besides, as a result I can keep more ports closed on the RV.
0
 
LVL 34

Expert Comment

by:Dan Craciun
ID: 40430158
I've never been able to get a stable connection to an RV042 using PPTP.

It works without a hitch using Shrew Soft's VPN client (free if you don't need AD): https://www.shrew.net/support/Howto_Linksys

NCP's Secure Entry is easier to configure, but not free (120 Euros): https://www.ncp-e.com/en/products/ipsec-vpn-client-suite.html

Both clients don't care if you're using DDNS or not. As long as the URL you supply resolves to the correct IP, the connection will work.

HTH,
Dan
0
 

Author Comment

by:RJV
ID: 40430164
I'll give it a try. While the goal is not to impose, at this stage anything that gets this to work! I'm glad they have the instructions too. The only odd part is their logo (a rat?).

A quick question: I didn't even know Win 7 has a native VPN access option. Have you tried that? Thus it wouldn't be dependent on the RV.
0
 
LVL 23

Expert Comment

by:Thomas Grassi
ID: 40430239
Windows 7 has native VPN support

Open Network and Sharing Center > Set up a new connection or network > Connect to a workplace, and follow the prompts.


What error are you getting when trying to connect? They all have a meaning which helps troubleshoot.
0
 

Author Comment

by:RJV
ID: 40430292
Dan,

I followed the steps in the instruction exactly as shown for the RV router. On the client side (VPN Access Manager) I mostly could not use IPs as this can change. So I used the Dyn domain, except where they ask for the local IP information, which I included there. Then I loaded Access Manager and had it connect. All seemed to be normal except at this point: "bringing up tunnel ... network unavailable".

Thus no connection.

Any ideas?
0
 

Author Comment

by:RJV
ID: 40430296
trgrassijr55,

I tried that again, after forwarding port 1723 to the machine, and also confirmed that it was open. I have found with setting RDP that if the forwarded port does not get to the machine (server, in this case), the port is considered closed. So that means it will get to the server.

The error I got was 619 (could not connect). Note that it is just a VPN connection with no apparent security to it (left to automatic). I also attempted tunneling with the same result.

This leaves me wondering if I need to forward some other port and if so, which that or those might be. I won't go into security as the goal is to get it working first!

I hope you have some bright ideas!
0
 
LVL 34

Expert Comment

by:Dan Craciun
ID: 40430412
Along with the VPN client from Shrew Soft you installed the VPN Trace Utility (it's under Shrew Soft VPN Client in the Start menu).

Start it, set the output level to Debug (File->Options), then leave it open and try to connect again. It will give you detailed info on what it's trying to do. Post the log here (it's text, so delete the parts that you don't want to be public).
0
 

Author Comment

by:RJV
ID: 40430433
That, Dan, is the best news I've heard in a while: a proper trace or debug facility. You bet I'm off to Sherlock that down! Plus, of course, keep you updated.
0
 

Author Comment

by:RJV
ID: 40430495
I wish I could interpret this (and solve without having to further ask you):

14/11/08 17:18:43 ii : rebuilding vnet device list ...
14/11/08 17:18:43 ii : device ROOT\VNET\0000 disabled
14/11/08 17:18:43 ii : network process thread begin ...
14/11/08 17:18:43 !! : vflt device attach failed
14/11/08 17:18:43 ii : pfkey process thread begin ...
14/11/08 17:18:43 ii : ipc server process thread begin ...
14/11/08 17:18:44 !! : vflt device attach failed
14/11/08 17:18:45 !! : vflt device attach failed
14/11/08 17:18:46 !! : vflt device attach failed
14/11/08 17:18:47 !! : vflt device attach failed
14/11/08 17:18:48 !! : vflt device attach failed
14/11/08 17:18:49 !! : vflt device attach failed
14/11/08 17:18:50 !! : vflt device attach failed
14/11/08 17:18:51 !! : vflt device attach failed
14/11/08 17:18:52 ii : ipc client process thread begin ...
14/11/08 17:18:52 <A : peer config add message
14/11/08 17:18:52 <A : proposal config message
14/11/08 17:18:52 <A : proposal config message
14/11/08 17:18:52 <A : client config message
14/11/08 17:18:52 <A : local id 'test.dyndns-server.com' message
14/11/08 17:18:52 <A : remote id 'test.dyndns-server.com' message
14/11/08 17:18:52 <A : preshared key message
14/11/08 17:18:52 <A : remote resource message
14/11/08 17:18:52 <A : peer tunnel enable message
14/11/08 17:18:52 DB : peer added ( obj count = 1 )
14/11/08 17:18:52 ii : local address 192.168.194.131 selected for peer
14/11/08 17:18:52 DB : tunnel added ( obj count = 1 )
14/11/08 17:18:52 DB : new phase1 ( ISAKMP initiator )
14/11/08 17:18:52 DB : exchange type is aggressive
14/11/08 17:18:52 DB : 192.168.194.131:500 <-> 177.148.218.232:500
14/11/08 17:18:52 DB : f2caae839e2e9803:0000000000000000
14/11/08 17:18:52 DB : phase1 added ( obj count = 1 )
14/11/08 17:18:52 >> : security association payload
14/11/08 17:18:52 >> : - proposal #1 payload
14/11/08 17:18:52 >> : -- transform #1 payload
14/11/08 17:18:52 >> : key exchange payload
14/11/08 17:18:52 >> : nonce payload
14/11/08 17:18:52 >> : identification payload
14/11/08 17:18:52 >> : vendor id payload
14/11/08 17:18:52 ii : local supports nat-t ( draft v00 )
14/11/08 17:18:52 >> : vendor id payload
14/11/08 17:18:52 ii : local supports nat-t ( draft v01 )
14/11/08 17:18:52 >> : vendor id payload
14/11/08 17:18:52 ii : local supports nat-t ( draft v02 )
14/11/08 17:18:52 >> : vendor id payload
14/11/08 17:18:52 ii : local supports nat-t ( draft v03 )
14/11/08 17:18:52 >> : vendor id payload
14/11/08 17:18:52 ii : local supports nat-t ( rfc )
14/11/08 17:18:52 >> : vendor id payload
14/11/08 17:18:52 >> : vendor id payload
14/11/08 17:18:52 ii : local supports DPDv1
14/11/08 17:18:52 >> : vendor id payload
14/11/08 17:18:52 ii : local is SHREW SOFT compatible
14/11/08 17:18:52 >> : vendor id payload
14/11/08 17:18:52 ii : local is NETSCREEN compatible
14/11/08 17:18:52 >> : vendor id payload
14/11/08 17:18:52 ii : local is SIDEWINDER compatible
14/11/08 17:18:52 >> : vendor id payload
14/11/08 17:18:52 ii : local is CISCO UNITY compatible
14/11/08 17:18:52 >= : cookies f2caae839e2e9803:0000000000000000
14/11/08 17:18:52 >= : message 00000000
14/11/08 17:18:52 -> : send IKE packet 192.168.194.131:500 -> 177.148.218.232:500 ( 529 bytes )
14/11/08 17:18:52 ii : phase1 removal before expire time
14/11/08 17:18:52 DB : phase1 deleted ( obj count = 0 )
14/11/08 17:18:52 DB : policy not found
14/11/08 17:18:52 DB : policy not found
14/11/08 17:18:52 DB : policy not found
14/11/08 17:18:52 DB : policy not found
14/11/08 17:18:52 DB : policy not found
14/11/08 17:18:52 DB : policy not found
14/11/08 17:18:52 DB : removing tunnel config references
14/11/08 17:18:52 DB : removing tunnel phase2 references
14/11/08 17:18:52 DB : removing tunnel phase1 references
14/11/08 17:18:52 DB : tunnel deleted ( obj count = 0 )
14/11/08 17:18:52 DB : removing all peer tunnel references
14/11/08 17:18:52 DB : peer deleted ( obj count = 0 )
14/11/08 17:18:52 ii : ipc client process thread exit ...
14/11/08 17:18:52 !! : vflt device attach failed
14/11/08 17:18:53 !! : vflt device attach failed
14/11/08 17:18:55 !! : vflt device attach failed
14/11/08 17:18:56 !! : vflt device attach failed
14/11/08 17:18:57 !! : vflt device attach failed
14/11/08 17:18:58 !! : vflt device attach failed
14/11/08 17:18:59 !! : vflt device attach failed
14/11/08 17:19:00 !! : vflt device attach failed
14/11/08 17:19:01 !! : vflt device attach failed
14/11/08 17:19:01 ii : hard halt signal received, shutting down
14/11/08 17:19:01 ii : pfkey process thread exit ...
14/11/08 17:19:01 ii : ipc server process thread exit ...
14/11/08 17:19:02 ii : network process thread exit ...
0
 
LVL 34

Expert Comment

by:Dan Craciun
ID: 40430500
Phase 1 could not be completed, which means it couldn't even connect to the remote server. Check the firewall on your test computer. Looks like the VPN Client is firewalled.
0
 
LVL 34

Expert Comment

by:Dan Craciun
ID: 40430505
After this:
14/11/08 17:18:52 -> : send IKE packet 192.168.194.131:500 -> 177.148.218.232:500 ( 529 bytes )
You should have had another event like this:
14/11/08 17:18:52 <- : recv IKE packet 177.148.218.232:500 -> 192.168.194.131:500 ( 344 bytes )

Since you don't have that event, then the router and your computer cannot communicate on port 500.
0
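The check Dan describes above (a "send IKE packet" line with no matching "recv" before the phase 1 is torn down), as an added example that is not part of the thread or of Shrew Soft's software: a small Python triage for the trace utility's output. It assumes the trace lines keep the format posted above; the two sample traces are constructed with documentation addresses.

```python
# Added example, not code from the thread or from Shrew Soft: triage a Shrew
# Soft VPN Trace log by grouping it into IKE phase 1 attempts and reporting
# whether the peer ever answered on UDP/500. Sample traces are constructed.
import re
from dataclasses import dataclass, field

SEND_RE = re.compile(r"-> : send IKE packet (\S+) -> (\S+) \( (\d+) bytes \)")
RECV_RE = re.compile(r"<- : recv IKE packet (\S+) -> (\S+) \( (\d+) bytes \)")

@dataclass
class Phase1Attempt:
    exchange: str = "unknown"   # "aggressive" or "main", from the trace
    peer: str = ""              # remote ip:port taken from the send line
    sent: int = 0               # IKE packets the client sent
    received: int = 0           # IKE packets the peer sent back

    def verdict(self) -> str:
        if self.sent == 0:
            return "no IKE packet sent: client-side failure before phase 1"
        if self.received == 0:
            return ("no IKE reply from peer: UDP/500 is not reaching the router "
                    "(local firewall, modem in front of it, or ISP filtering)")
        return "peer answered on UDP/500: phase 1 reached the router"

@dataclass
class TraceReport:
    attempts: list = field(default_factory=list)
    vflt_failures: int = 0      # "vflt device attach failed" lines seen

def analyse_trace(text: str) -> TraceReport:
    report, current = TraceReport(), None
    for line in text.splitlines():
        if "vflt device attach failed" in line:
            report.vflt_failures += 1
        elif "DB : new phase1" in line:
            current = Phase1Attempt()
            report.attempts.append(current)
        elif current is None:
            continue                # outside any phase 1 attempt
        elif "exchange type is" in line:
            current.exchange = line.rsplit(" ", 1)[1]
        elif m := SEND_RE.search(line):
            current.sent += 1
            current.peer = m.group(2)
        elif RECV_RE.search(line):
            current.received += 1
        elif "DB : phase1 deleted" in line:
            current = None          # attempt closed, whatever the outcome
    return report

# Constructed sample: the shape of the trace posted above, documentation IPs.
BLOCKED_TRACE = """\
14/11/08 17:18:43 !! : vflt device attach failed
14/11/08 17:18:52 DB : new phase1 ( ISAKMP initiator )
14/11/08 17:18:52 DB : exchange type is aggressive
14/11/08 17:18:52 -> : send IKE packet 192.0.2.10:500 -> 203.0.113.10:500 ( 529 bytes )
14/11/08 17:18:52 ii : phase1 removal before expire time
14/11/08 17:18:52 DB : phase1 deleted ( obj count = 0 )
14/11/08 17:18:53 !! : vflt device attach failed
"""
# Same trace with the reply Dan expected to see after the send line.
HEALTHY_TRACE = BLOCKED_TRACE.replace(
    "ii : phase1 removal before expire time",
    "<- : recv IKE packet 203.0.113.10:500 -> 192.0.2.10:500 ( 344 bytes )")
```

Run `analyse_trace()` over the full trace saved from the utility; a phase 1 attempt with sent > 0 and received == 0 is the "port 500 never answered" case the thread ends up at, and a non-zero vflt count is a separate, client-side driver problem worth noting.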
 

Author Comment

by:RJV
ID: 40430537
The app is enabled (Kaspersky firewall). That said, just to be 100% sure I disabled the firewall and no luck. Checked out the other end yet again.

Before I posted here I also didn't get through and in the end, tried directly to the IP of the RV. That worked, as also indicated above. The feeling I get is that the IP from the domain does not take you to the RV itself but to the WAN. Be it, the router of ISP, which is bridged to the RV. Having said that, while this may be logical, the fact that I can access the server through RDP, through the domain that takes to the IP of the ISP's router, seems to knock that possibility down the drain.

Overall, what a frustrating process.
0
 
LVL 34

Expert Comment

by:Dan Craciun
ID: 40430543
When you ping the domain, what IP does it resolve to?
0
 

Author Comment

by:RJV
ID: 40430545
177.148.218.232
0
 
LVL 34

Expert Comment

by:Dan Craciun
ID: 40430548
Then it should not matter if you use the IP or the domain, as long as a DNS server is available.

If you use the IP directly in the VPN client, is there any difference?
0
 

Author Comment

by:RJV
ID: 40430607
Nope. Meanwhile I decided to recheck everything once again. At the same time, I thought it was wise to grab a screenshot of the client configuration to include here. That way you can look it over and make sure I haven't missed something or should do something differently, leading us to waste time (particularly you as you are helping and I need to get it to work).

I hope that helps.
ClientSetup.jpg
0
 
LVL 34

Expert Comment

by:Dan Craciun
ID: 40430890
There are some differences to my setup. Particularly on the authentication part. The domain name has nothing to do with DDNS. It can be any name, as long as it's the same on the client and the router.
Plus, on the policy tab, you need to add the remote router's internal network. Is the remote router's IP 192.168.0.1?
0
 

Author Comment

by:RJV
ID: 40431141
No luck, Dan, but I seem to have found something. I ran a test on port 500 and it seems to be closed. The reason I say "seems" and not "is", is because I'm not 100% sure of the reliability of open port testers. If you want to give it a shot on your end, the IP given above hasn't changed so far.

I also discovered that the RV042 can access DYN and thus keep the IP up-to-date, without depending on DYN's app to do that. I don't know if that will affect the IP structure of the network, though that doesn't seem logical (if there is logic in this whole mess).

Finally, in checking I also discovered an open VPN solution suggested by DYN (http://dyn.com/support/wizard-js/#vpn-0) that takes you directly to the machine. Since that is the ultimate goal of the exercise and not the whole network, it may also be a solution.
0
 
LVL 34

Expert Comment

by:Dan Craciun
ID: 40431463
That guide is for installing OpenVPN and a client. This means you would need to install OpenVPN to your server, then forward the needed ports in the RV042.

If port 500 is filtered, it means your ISP is blocking port 500. Contact them to open it.
0
 

Author Comment

by:RJV
ID: 40431470
To make sure the result I got is valid, have you had the same blocked result on port 500? I'd like to make sure so neither of us chase our tails, as it were. Besides, often the ISP doesn't own up to closing certain ports pointing to some failure on the user's part. The reality is an attempt to charge more for "premium" services. I'm sure you've heard that music!
0
 
LVL 34

Expert Comment

by:Dan Craciun
ID: 40431477
Tried it, no response on port 500. (using IP 177.148.218.232)
0
 

Author Comment

by:RJV
ID: 40431494
Thus you and I have just been wasting our time as a result. Fantastic!!! I wonder if the RV accepts changing that port. Otherwise, open VPN it'll have to be, as that can use different ports too I gather.
0
 
LVL 34

Expert Comment

by:Dan Craciun
ID: 40431516
You should take this up with your ISP.
If the modem in front of the RV042 is really in bridge mode (meaning it does not filter traffic), then you should provide a list of ports you need opened and your ISP should make sure they are not filtered in any way.

If the server behind the RV042 is running some variant of Windows Server, you don't need OpenVPN. You can add the "Remote access" role and use that as a VPN server. See here for Windows Server 2012: http://www.thomasmaurer.ch/2014/01/how-to-install-vpn-on-windows-server-2012-r2/
0
 

Author Comment

by:RJV
ID: 40431531
I have. They say the port in question is open. Try it and it isn't. Call again. Same answer. Translated: a waste of time.

The computer is a simple Windows 7. I also tried VPN on it and that port is closed. The why of OpenVPN is to change the port and be done with it. I've wasted too much time with this already. To change it means probably bumping into the no port change problem again (besides reconfiguring everything). I also hope this workout will be worth it for you, beyond the points (which you certainly deserve). I think you'll bump into these tricks more and more often. By now I'm no longer surprised with the stuff I bump into, in different locations in the world too.
0
 
LVL 34

Expert Comment

by:Dan Craciun
ID: 40431543
The RV042s are a very popular choice for VPN for small businesses. I have them at several customers, never had a problem configuring VPN on them, except in a double NAT situation, where I ended up changing the ISP.

That being said, I've consistently kept phone numbers from tech support from various ISPs in my area. Personal numbers, any time I could find them. Now I can usually call someone when the official phone support proves to be lacking.
At the end of the day, IT consulting looks more and more like a social science :)
0
 
LVL 68

Accepted Solution

by:
Qlemo earned 500 total points
ID: 40439603
To put my own money in this (nothing more than 2c): If the ISP blocks udp/500, they will most probably do so for other popular ports like PPTP and L2TP. OpenVPN is the only VPN software I know of that allows the use of a different port.

Just to make sure: You didn't try that from inside the office LAN, hopefully? Because that is something many routers do not support.
If you hit the RV per IPSec from outside, you should be able to see something in the RV logs.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 40439608
BTW, the W7 VPN client can only use IPSec with IKEv2 (besides PPTP and L2TP/IPSec), and that won't work with the RV.
0
 

Author Comment

by:RJV
ID: 40439633
Qlemo, thanks for your thoughts. I wanted to get to the bottom of this asap but couldn't Mon, Tues and half of yesterday. Meanwhile after spinning my wheels I was able to find a location that tested all of the main ports and nearly all are closed. The most important was to find what is open to use that. Namely, forward it to the server where OpenVPN can take over.

The problem with OpenVPN is that it isn't clearly documented. The matter is to make sure it is running and can be tested and responding. The final objective of all of this is to have a server to get new code, integrated with the web. If I can do that with regular http, great. Otherwise the thought is to go through VPN where all ports would be open and not subject to ISPitis (the illness that slows all of us down).
0
 
LVL 34

Expert Comment

by:Dan Craciun
ID: 40439644
You only need one port to test your web app. Why not simply forward one of the open ports to the computer serving your web app? That's basic NATing and should be way easier to achieve than a VPN.
0
 

Author Comment

by:RJV
ID: 40439672
That's what I'm doing at this moment. My issue is that you need to add the port to the URL. However, in the code it redirects the URL to its SSL or https version and that code gets messed up when it finds the port in it. Apache has a proxy which you can use to clear that out so the code sees what it needs to see (the URL without the port number in it). My tests so far haven't worked as the port keeps showing up and generating the error.

I don't want to fiddle around with the original code as that is needed as clean as possible in the production environment. I've noticed that I'm not alone with this type of issue. Some want to leave it all on the same server but only restart the test environment. I prefer all to be on separate machines not to risk the production server.
0
 

Author Closing Comment

by:RJV
ID: 40458543
Qlemo, things are so well locked that in the end the best solution was to get a virtual external server at a low cost. I even found an interesting new open solution at www.softether.org, much more comprehensive than OpenVPN (by a Japanese university). I'd like to thank you for your help, which made it possible to come to the final best solution of the server, even though at a cost despite having something that cost nothing (except for time, far more valuable than the cost of this server).
0
