Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[blk1948]

I've done exactly that ("Add a VPN like a normal PPTP VPN and change the type to L2TP and enter the PSK in the IPsec settings button") and cannot connect.  I think I'm close to connecting but Quickmode in phase 2 has a problem.

As I mentioned previously, I am testing the VPN within my home network (same subnet).  Could this be causing a problem?  How else could one test a VPN?

[blk1948]

After much trial and error, I am now able to connect via an ipsec\l2tp connection within my home lan.  Now the even harder part, connecting via the internet.  My Dlink DIR-130 is now connected behind a Dlink DIR-655 router.  All the passthroughs and virtual servers are set up on the DIR-655.  Now, when I try and connect from work through the internet, the DIR-655 logs show the following:

"Blocked incoming ICMP packet (ICMP type from xx.xx.xx.xx to yy.yy.yy.yy."  (xx.xx.xx.xx is my work ip address, yy.yy.yy.yy is the DIR-655 public address).

Do you have any idea what is causing this error and how to overcome it as this seems to halt any attempt to connect via ipsec?

In the above configuration, I am able to ipsec/l2tp connect from within my lan (from my winxp computer with a local ip address of 192.168.1.254 to the DIR-310, local address of 192.168.1.251, and also from my Vista wireless portable with an ip address of 192.168.1.249).  I am also able to connect via vpn PPTP from work to home.

Your assistance has been appreciated.

[Fatman]

ICMP Type 8 is known as an Echo Request, or more commonly a ping.  That traffic is not what is causing your bind here.  Though I will say that putting the VPN router behind another router is bad joojoo.  Ensure that you have done all nescesarry to forward IPsec on your DIR-655.


To stop those log messages either quit pinging your DIR-655 from work or enable WAN ping on your DIR-655.

[blk1948]

I am a novice at this, can you explain why it is a no no to put the DIR-130 behind the DIR-655?  To my way of thinking, if I set up a VPN server on an XP machine, it would be behind the router too, that supposedly works, why not the router?


My Microsoft IPSEC Diagnostic Tool logs show the following:

Oakley Diagnosis:
(If you did not repro the issue while the tool was running, ignore Oakley Diagnosis)
Information: The host machine is Initiator
Information : Retransmit failure for first IKE Packet. This machine tried to start IKE negotiation with the other machine but it never Received a response. Possible that the other side 1.didn't have a matching MM filter, 2.never received the packet sent by this system 3. This system didn't receive the packet sent by the other side
Live Debugging: End
 
RRAS Diagnosis:
--Passed : RRAS is switched off, implying no external policies
--Information: Disabling RRAS trace that was enabled during live debugging.RRAS logs copied.
 
Registry and Events Diagnosis:
--Passed: System, Application and Security event logs collected
 
IPsec filters, SAs Diagnosis:
--Passed : Generic MM Filters Configured
--Passed :Specific MM Filters Configured
--Information: No Specific Tunnel Filters Configured
--Passed: Main Mode Policies Configured correctly
--Passed: Quick Mode Policies Configured correctly
--Failed: No Main Mode SAs exist between 192.168.1.39 and zz.zzz.zzz.zzz
--Failed: No Quick Mode SA exists between 192.168.1.39 and zz.zzz.zzz.zzz
--Falied : No SA exists between 192.168.1.39 and zz.zzz.zzz.zzz
----However filters exist. Refer logs to debug the failure


Is there any hint here as to what is causing it to fail?  The zz.zzz.zzz.zzz address is the public WAN address of the DIR-655.  The DIR-130 has an internal address of 192.168.10.251.  The logs seems to show an IKE transmit problem.

My DIR-655 has Virtual Server set up to forward UDP port 1701, UDP 500, UDP 4500 and Protocol 50 to the DIR-130.  Also, the Application Level Gateway Configuration is enabled for PPTP and IPSEC(VPN).

[Fatman]

It sounds like your passthroughs are set set up correctly on the DIR-655.

This is the primary reason that I recommend against it, more configurations to go wrong, however there is a second reason.  This puts you into what is known as a double NAT'ed situation.  Technically it should work, however connectivity from hosts behind the DIR-130 (including VPN'ed computers) to the web will be problematic.  The problems that this generated are usually troublesome enough that if you were to call in they would tell you they can't help you.

[blk1948]

"The problems that this generated are usually troublesome enough that if you were to call in they would tell you they can't help you"

I sort of figured that.

What would the security ramifications be to put the DR-130 connected to the DSL modem and thus in front of the DIR-655?

From your looking at the logs in my previous post, is there anything you could give me a hint on as to what is going wrong?
 

[Fatman]

Only that you then have the clients behind the DIR-655 double NAT'ed.

The best solution is to do the following.
Turn off DHCP on the DIR-655.
Give it a LAN IP on the same network as the DIR-130.
Then if you connect the DIRs LAN to LAN.
Connect the modem to the WAN side of the DIR-130.

As far as your logs, it looks like your IPsec isn't even passing the DIR-655, which means you either need to take another look at the passthroughs in it or follow a plan like the one above.