Author Topic: I need advice for VPN IPSec  (Read 6119 times)

littler2011

  • Level 1 Member
  • *
  • Posts: 3
I need advice for VPN IPSec
« on: April 08, 2011, 09:37:24 PM »

Hello everyone, my name is Robert Little of Venezuela and my job is to provide technical support to different clients.

First of all, I apologize for my very basic English :(.

I'm having trouble getting two DFL-800 routers to communicate through a VPN with an IPsec tunnel. I explain the details below.

I hope someone on the forum can offer some tips for finding an effective solution.

For several weeks I have tried several configurations to enable a VPN for a client who has two DFL-800 routers and wants to establish a VPN between two geographically separate offices.

I've tried almost all the settings from different guidance documents developed by D-Link, and have also read some forums. All attempts have been unsuccessful.

Document "Interoperability Profiles for D-Link DFL-800 - Last update: 2005-09-09"
Document "http://www.dlink.com/support/faqDetail/?print=1&prod_id=2783"
Document "NetDefendOS_2.27.03_Firewall_UserManual.pdf"
Document "Manual_DFL-800_Espanol.pdf"
Document "Configuration Examples_Scenarios_Step-by-Step for NetDefend Firewalls v1.00.pdf"
(7a - Virtual private network using a IPsec in a lan-to-lan tunnel - page 66)


The only case where communication could be established was the one in which both DFL-800 were connected to the same DSL modem through a switch. For example:

Scenario TEST

DFL-800 (1) (WAN1 Port)---->|        |
                            | Switch |---->[ DSL modem ISP (1) ]---->(Internet)
DFL-800 (2) (WAN1 Port)---->|        |

Test ping from 192.168.0.100 to 192.168.5.100 OK (time <50ms / 0% Lost). Typical time is 300-600ms.



The Scenario for the desired IPsec VPN connection is as follows:
Scenario Production

DFL-800(Office 1)(WAN1 Port)----[modem DSL ISP(1)]-----(Internet)-----[modem CABLE ISP(2)]----DFL-800(Office 2)(WAN1 Port)

IP will be dynamic on the DSL modem, with dyndns.com (in the future)


I proceeded to do a reset on both routers, with the intention of starting from scratch. I then proceeded (after first upgrading the firmware) to set the configuration as specified in the document "http://www.dlink.com/support/faqDetail/?print=1&prod_id=2783"

The initial result was:

Logging screen(s):



DHCP screen(s):



Address Book screen(s):


IPSec Objects screen(s):


InterfaceAddresses screen(s):


IKE Algorithms screen(s):


IPSec Algorithms screen(s):


lan_to_wan1 screen(s):


ipsec_rules screen(s):


IPSec screen(s):


ipsec_tunnel (General) screen(s):


ipsec_tunnel (Authentication) screen(s):


ipsec_tunnel (Routing) screen(s):


ipsec_tunnel (IKE Settings) screen(s):


ipsec_tunnel (Keep Alive) screen(s):


ipsec_tunnel (Advanced) screen(s):


Routing table (Main) screen(s):


Thanks
Robert.
« Last Edit: April 12, 2011, 06:42:18 PM by littler2011 »

chechito

  • Level 3 Member
  • ***
  • Posts: 193
Re: I need advice for VPN IPSec
« Reply #1 on: April 12, 2011, 10:05:45 AM »

Please use the img tag to insert images on the forum.

littler2011

  • Level 1 Member
  • *
  • Posts: 3
Re: I need advice for VPN IPSec
« Reply #2 on: April 12, 2011, 06:45:57 PM »

Thanks chechito. I placed the images according to your specifications.

Robert.

lingnau

  • Level 2 Member
  • **
  • Posts: 53
    • www.lingnau.com.br
Re: I need advice for VPN IPSec
« Reply #3 on: April 13, 2011, 03:51:59 AM »

Did you check if the ISP is blocking any ports needed by the VPN/IPSec?
I presume both DFL-800 are themselves the PPPoE clients? Or is the DSL modem acting as a router?

chechito

  • Level 3 Member
  • ***
  • Posts: 193
Re: I need advice for VPN IPSec
« Reply #4 on: April 19, 2011, 07:52:06 AM »

Looks like you are behind a NAT device, like an ISP modem/router, and the firewall has a private IP address on its WAN interface.

In that case it's advisable to map the VPN-specific ports from the public ISP modem IP to the local WAN IP of the firewall.

It's advisable to use a fixed WAN IP on the firewall.

Check the ISP modem/router to enable the VPN pass-through options.

littler2011

  • Level 1 Member
  • *
  • Posts: 3
Re: I need advice for VPN IPSec
« Reply #5 on: April 23, 2011, 09:11:18 PM »

Thanks Lingnau and Chechito. I proceeded to check open ports on both Internet service providers ISP (One of them is xDSL and the other is Cable Service).

Prior to checking open ports I proceeded to search for information on Google about the ports that are used with VPN and IPSec. I found and used the information from the following links: http://www.vpntools.com/vpntools_articles/port-for-vpn.htm and http://www.vpntools.com/vpntools_articles/port-for-vpn.htm

Ports involved in the operation of VPN / IPSec:
50 - IPSec VPN ports assignments for use of Encapsulation Security Payload
51 - IPSec VPN ports assignments for Authentication Header
88 - Kerberos (computer authentication protocol) in TCP / UDP
446 - for SSL VPN for secure HTTP application.
500 - for Internet Security Association and Key Management Protocol in TCP / UDP.
1723 - Virtual private network (VPN)
4500, 10000, 10001 - for systems that use hardware VPN.

Test using the software "Last Soft - tek-scan3k - Ultima Port Scanner" on both routers (with different ISP) using Windows XP Professional with Firewall disabled.
50 (Closed)
51 (Closed)
88 (Closed)
446 (Closed)
500 (Closed)
1723 (Closed)
4500 (Closed)
10000 (Closed)
10001 (Closed)

If the above list of ports required for operation of the VPN / IPSec is correct, then there is no possibility of the VPN working because all of them are blocked by the ISP :(.

My question: in these cases, is it possible to use different ports, or do I need to arrange with the ISP to open those ports?

Thanks
Robert.
« Last Edit: April 23, 2011, 09:22:36 PM by littler2011 »
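
Added example, not part of any post in this thread: IKE runs over UDP 500, NAT traversal moves IKE and ESP onto UDP 4500 (RFC 3948), and native ESP and AH are IP protocols 50 and 51 rather than TCP/UDP ports, so a UDP capture taken on the firewall's WAN side shows how far tunnel negotiation gets. The Python below labels such payloads and summarises a capture; the function names, result labels and sample packets are constructed for illustration.

```python
import struct

HDR = "!8s8sBBBBII"   # ISAKMP header, RFC 2408 section 3.1: 28 bytes
ZERO8, ZERO4 = bytes(8), bytes(4)

def parse_isakmp(data):
    """Return ISAKMP header fields, or None if data is not a whole IKE message."""
    if len(data) < 28:
        return None
    icookie, rcookie, _np, ver, xchg, _fl, _mid, length = struct.unpack(HDR, data[:28])
    if icookie == ZERO8 or length != len(data):
        return None
    return {"major": ver >> 4, "exchange": xchg, "responder_cookie": rcookie != ZERO8}

def classify(port, payload):
    """Label one UDP payload; port is the IPsec-side UDP port (500 or 4500)."""
    if port == 500:
        return "ike" if parse_isakmp(payload) else "unknown"
    if port == 4500:                       # NAT traversal, RFC 3948
        if payload == b"\xff":
            return "nat-keepalive"
        if payload[:4] == ZERO4:           # non-ESP marker precedes IKE
            return "ike" if parse_isakmp(payload[4:]) else "unknown"
        if len(payload) > 8:               # non-zero SPI + sequence number + data
            return "esp-in-udp"
    return "unknown"

def diagnose(capture):
    """capture: list of (direction, port, payload); direction is 'out' or 'in'."""
    seen = {(d, classify(p, data)) for d, p, data in capture}
    if ("out", "ike") not in seen:
        return "no-ike-sent"
    if ("in", "ike") not in seen:
        return "ike-unanswered"            # UDP 500 dropped or not mapped through NAT
    if ("in", "esp-in-udp") in seen:
        return "natt-data-flowing"
    return "ike-answered"                  # native ESP (IP protocol 50) is not UDP

def sample_ike(rcookie=ZERO8):
    """Constructed IKEv1 Main Mode message with 20 filler bytes as its body."""
    return struct.pack(HDR, b"\x11" * 8, rcookie, 1, 0x10, 2, 0, 0, 48) + bytes(20)

PEER = b"\x22" * 8                         # constructed responder cookie
UNANSWERED = [("out", 500, sample_ike()), ("out", 500, sample_ike())]
NATT_OK = UNANSWERED[:1] + [("in", 500, sample_ike(PEER)),
           ("out", 4500, ZERO4 + sample_ike(PEER)), ("in", 4500, b"\xff"),
           ("in", 4500, b"\xc0\xff\xee\x01" + bytes(40))]

if __name__ == "__main__":
    print(diagnose(UNANSWERED), diagnose(NATT_OK))
```

A TCP port scan cannot produce any of these results, because IKE and NAT-T are UDP and ESP and AH have no port numbers at all.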

chechito

  • Level 3 Member
  • ***
  • Posts: 193
Re: I need advice for VPN IPSec
« Reply #6 on: April 27, 2011, 04:10:52 PM »

Maybe check the possibility of changing the internet service configuration with your ISP, getting a fixed public IP that is available to be configured on the firewall interface directly, disabling NAT.

Some providers call it server type.
