OT networking (Cisco VPN) question

jsf jfreeman at gmail.com
Sat Jan 20 23:03:16 EST 2007


SHORT ANSWER: IT'S WORKING!  TO SEE THE PROGRESSION OF HOW (AND HOW
STUPID I AM) READ ON.



Hi Ben,

Thanks for the really detailed response.. please see below.

On 1/20/07, Ben Scott <dragonhawk at gmail.com> wrote:
> On 1/20/07, jsf <jfreeman at gmail.com> wrote:
> >  I went into the DL 604 config and set up port forwarding on the IPSec
> > port (udp500) for the inside IP address of the DL 604 (192.168.10.1).
> > now things get interesting:
>
>   Eh.  You can't use "port forwarding" with IPsec.  The concept does not apply.
>
>   (Gory details: IPsec is a suite of protocols, which includes IKE
> (Internet Key Exchange), AH (Authentication Header), and ESP
> (Encapsulated Secure Payload).  ESP and AH use IP Protocol Numbers 50
> and 51, respectively.  An IP Protocol Number is not a TCP or UDP Port.
>  ESP and AH exist below the layer of TCP and UDP Ports.  ESP and AH
> exist at the same layer as TCP and UDP.  IKE uses UDP/500, which you
> could in theory use port forwarding with, but there isn't much point
> in having IKE configure an SA (Security Association) if it can't work
> in the first place.)
>
>   In all likelihood, your VPN system will need to implement NAT
> Traversal (NAT-T) for anything to work.  Fortunately, NAT-T is pretty
> well supported.  I'll assume you have NAT-T capability (otherwise,
> we're pretty much sunk).
>
>   You'll want to go into your router(s) and disable anything and
> everything that tries to help the VPN.  In particular, stop trying to
> port forward UDP/500; that will just make things worse.  Also disable
> any "IPsec passthrough" or things like that.

OK, this was easily done.

>
> > I have a Linksys WRT54G connected to it bridging the DHCP server on the DL604..
> > Basically, the Linksys is just a WiFi extension of the DL 604.. it doesn't have a
> > separate IP of its own (afaict) and is only providing WiFi service.
>
>   You may want to plug your laptop into the LAN side of the DL-604 via
> wired Ethernet, at least at first.  That should remove a lot of
> variables from the equation, which usually makes trouble-shooting a
> lot simpler.

Well, I just spent 30 minutes or so downstairs with the laptop plugged
directly into the LAN side of the DL-604... tried a few things but was
uniformly unsuccessful..

more information below...

>
>   ----
>
>   The LinkSys WRT54G has a LAN side and a WAN port (WAN may be labeled
> "Internet" on some versions).  It will always have a LAN IP address,
> and it will be trying to have a WAN IP address.  It implements a
> router (not a bridge) between the LAN and WAN sides.  It will default
> to doing NAT between the WAN and LAN.  It will also default to providing
> DHCP service on the LAN.

You're right... the LinkSys DOES have an IP address on the LAN and the
DHCP service is turned off.  However,  on the Firewall side there are
four options here...
Block Anonymous Internet Requests is checked.
Filter Multicast is checked.
Filter Internet NAT Redirection is NOT checked.
Filter IDENT(Port 113) is checked.

Meanwhile, I just disabled IPSec, PPTP and L2TP passthrough on the
Linksys and tried connecting again with the VPN client.. no soap.
>
>   I'm not familiar with the DL-604, but if it's like most "home
> routers", it's just like the LinkSys: LAN side, WAN side, NAT between
> the two, DHCP server on the LAN.
>
>   If you've got the WAN port of the LinkSys plugged into the LAN side
> of the DL-604, that might be causing you grief, and certainly isn't
> helping.  What you want to do instead is to use the LinkSys as a WAP
> (wireless access point) and bypass the router functions.  To do so:
>
>   First, configure the LinkSys for the LAN side of the DL-604.  The
> LinkSys uses a web UI like everything else on the market.  The default
> IP address is 192.168.1.1 and the default password is either
> "linksys", "admin", or "password" (I forget which).  The username is
> ignored.  Assign the LinkSys a static IP address on the LAN (for
> example, 192.168.10.69).  Disable the DHCP server.

This is done.

>
>   Once that is done, plug the LAN side of the DL-604 to the LAN side
> of the WRT54G.  There should not be anything plugged into the
> "Internet" or "WAN" port of the WRT54G.
>

Right.. done...

>   You should now be able to get an IP address from the DL-604's DHCP
> server, either via wired Ethernet, or wireless (via the WRT54G).

Done.. as mentioned way above, this was actually the case all the
time.. I had forgotten that this was how I set things up a while ago.
>
>   -----
>
>   If the IP address space of the network you are trying to connect
> overlaps that of your LAN, nothing will work.  That is to say, if your
> home LAN is 192.168.10.0/24, and your work network also uses
> 192.168.10.0/24, it will not work.  The equipment on your LAN will not
> be able to tell the difference between your LAN and the remote
> network.

Right, which is why, in actual fact, my home (NATed) network is
10.10.70.* and not the 192.168.* I mentioned earlier.. I had just written
that because it's a kind of default setup.. didn't want to distract
anyone...

>
>   It might be a good idea to renumber your home LAN to use something
> more unusual.  The  172.16.0.0/12 block is often suggested.  For
> example, 172.30.53.0/24 might be a better choice.

Right.. see above..

so..

We have established that there's no funny stuff going on with port 500
on the DL 604...

------snip---------


and at this point of writing my response, I went back to look at the
options on the DL604 once more and found a setting just for this
situation:

Allows VPN connections to work through the DI-604.
PPTP:   Enabled / Disabled
IPSec:  Enabled / Disabled


They were both set to 'Disabled'

I set the IPSec one to 'Enabled', fired up the VPN client and VOILA..
.everything is working..

I am dumb.

Thanks Ben!

Cheers everyone.

Joshua
>
> -- Ben
> _______________________________________________
> gnhlug-discuss mailing list
> gnhlug-discuss at mail.gnhlug.org
> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
>
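Ben's point above, that ESP and AH are IP protocol numbers rather than UDP ports (so a NAT box has nothing to "port forward" unless the VPN uses NAT-T, which carries ESP and IKE inside UDP/4500), and his later point that an overlapping address range between the home LAN and the work network breaks everything, can be made concrete with a small script. This is an added example, not code from the thread or from Cisco or D-Link; every address, port and SPI in it is constructed for illustration. It builds a few IPv4 packets by hand, names the IPsec component each one carries by looking at the protocol byte first and the UDP ports second, reports which of them a port-based forward could even apply to, and checks two subnets for overlap.

```python
"""Added example: tell IPsec traffic apart by IP protocol number vs. UDP port.

Constructed packets only; addresses, SPIs and ports are made up.
"""
import ipaddress
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_ESP = 50   # Encapsulating Security Payload: an IP protocol, not a port
IPPROTO_AH = 51    # Authentication Header: likewise
IKE_PORT = 500     # IKE itself runs over UDP
NAT_T_PORT = 4500  # RFC 3948 UDP encapsulation of ESP (and IKE) for NAT traversal


def build_ipv4(proto: int, payload: bytes, src: str = "10.10.70.5",
               dst: str = "203.0.113.10") -> bytes:
    """Minimal IPv4 header (no options, zero checksum) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header (zero checksum) in front of payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify(packet: bytes) -> str:
    """Name the IPsec component a packet carries, or 'other'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]               # protocol number lives in the IP header
    if proto == IPPROTO_ESP:
        return "ESP"
    if proto == IPPROTO_AH:
        return "AH"
    if proto != IPPROTO_UDP or len(packet) < ihl + 8:
        return "other"
    sport, dport, ulen, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    payload = packet[ihl + 8:ihl + ulen]
    if IKE_PORT in (sport, dport):
        return "IKE"
    if NAT_T_PORT in (sport, dport):
        # RFC 3948: a single 0xFF byte is a NAT keepalive; four zero bytes
        # (the "non-ESP marker") precede IKE; anything else begins with an
        # ESP header, whose SPI is never zero.
        if payload == b"\xff":
            return "NAT-T keepalive"
        if payload[:4] == b"\x00\x00\x00\x00":
            return "NAT-T IKE"
        return "NAT-T ESP"
    return "other"


def port_forwardable(packet: bytes) -> bool:
    """True only when the packet has a TCP/UDP port a NAT box could forward.

    Raw ESP and AH have no port at all, which is why forwarding UDP/500
    alone cannot make an IPsec tunnel work behind NAT; NAT-T exists to
    wrap ESP in UDP/4500 so that ordinary NAT can handle it.
    """
    return packet[9] in (IPPROTO_TCP, IPPROTO_UDP)


def lans_overlap(local: str, remote: str) -> bool:
    """True if the home LAN and the remote VPN subnet share any address."""
    return ipaddress.ip_network(local, strict=False).overlaps(
        ipaddress.ip_network(remote, strict=False))


# Constructed sample packets (made-up SPI 0x12345678, sequence number 1).
ESP_HDR = struct.pack("!II", 0x12345678, 1)
SAMPLES = {
    "raw esp": build_ipv4(IPPROTO_ESP, ESP_HDR + b"\x00" * 16),
    "raw ah": build_ipv4(IPPROTO_AH, b"\x00" * 24),
    "ike": build_ipv4(IPPROTO_UDP, build_udp(500, 500, b"\x00" * 28)),
    "natt ike": build_ipv4(IPPROTO_UDP, build_udp(4500, 4500, b"\x00" * 32)),
    "natt esp": build_ipv4(IPPROTO_UDP, build_udp(4500, 4500, ESP_HDR + b"\x00" * 16)),
    "keepalive": build_ipv4(IPPROTO_UDP, build_udp(4500, 4500, b"\xff")),
    "dns": build_ipv4(IPPROTO_UDP, build_udp(53000, 53, b"\x00" * 12)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:10} -> {classify(pkt):16} forwardable={port_forwardable(pkt)}")
    print("192.168.10.0/24 vs 192.168.10.0/24:", lans_overlap("192.168.10.0/24", "192.168.10.0/24"))
    print("10.10.70.0/24   vs 192.168.10.0/24:", lans_overlap("10.10.70.0/24", "192.168.10.0/24"))
```

Run it as-is to see that the two raw packets come out as ESP and AH with no port to forward, while the NAT-T variants are plain UDP/4500 that any home router can pass, which is what a "VPN passthrough" or NAT-T setting relies on. The overlap check is the reason for Ben's suggestion to renumber into 172.16.0.0/12: if it returns True for your LAN and the work network, no amount of router fiddling will help.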

