WRV210 - Not working with QuickVPN

Unanswered Question
Nov 7th, 2009

I have set up my router, changed the network to 115.168.1.X to avoid conflicts, and created client accounts for Quick VPN.

I get as far as verifying Network. I have verified with my ISP that all the ports are open for the VPN, including 500 & 4500, and I have also created exceptions in the Windows Firewall for UDP 500 and UDP 4500. What could be causing this?

Below is from my Log.txt file

2009/11/07 20:08:14 [STATUS]OS Version: Windows Vista

2009/11/07 20:08:14 [STATUS]Windows Firewall Domain Profile Settings: ON

2009/11/07 20:08:14 [STATUS]Windows Firewall Private Profile Settings: ON

2009/11/07 20:08:14 [STATUS]Windows Firewall Private Profile Settings: ON

2009/11/07 21:08:14 [STATUS]One network interface detected with IP address 192.168.1.101

2009/11/07 21:08:14 [STATUS]Connecting...

2009/11/07 21:08:14 [STATUS]Connecting to remote gateway with IP address: knet.selfip.net

2009/11/07 21:08:18 [STATUS]Remote gateway was reached by https ...

2009/11/07 21:08:18 [STATUS]Provisioning...

2009/11/07 21:08:28 [STATUS]Tunnel is configured. Ping test is about to start.

2009/11/07 21:08:28 [STATUS]Verifying Network...

2009/11/07 21:08:34 [WARNING]Failed to ping the LAN IP of the remote VPN Router!

2009/11/07 21:08:37 [WARNING]Failed to ping the LAN IP of the remote VPN Router!

2009/11/07 21:08:40 [WARNING]Failed to ping the LAN IP of the remote VPN Router!

2009/11/07 21:08:43 [WARNING]Failed to ping the LAN IP of the remote VPN Router!

2009/11/07 21:08:46 [WARNING]Failed to ping the LAN IP of the remote VPN Router!

2009/11/07 21:08:51 [WARNING]IKE was blocked, which can be caused by a firewall blocking the UDP port 500 or 4500.

2009/11/07 21:08:55 [STATUS]Disconnecting...

2009/11/07 21:09:00 [STATUS]Tunnel is disconnected successfully.

David Hornstein Sun, 11/08/2009 - 18:47

Hi Eric,

Looks almost identical to the following incident:


http://forums.linksysbycisco.com/linksys/board/message?board.id=Wireless_Routers&thread.id=119219

Good to see you left the firewall enabled on your Vista client. The release notes on the WRV210 show the following:

• You must enable Windows Firewall on Windows Vista for QuickVPN Client to function properly.

This is because the IPSec service on Vista is disabled when Windows Firewall is disabled.

I must admit it would be good to know what version of VPN client and firmware you are using on the WRV210, too late now.

But it would be good to now assume you are using the latest firmware as well as VPN client.

Also try using port 60443 on the client


See how that goes,

regards Dave

erickolesnikova... Sun, 11/08/2009 - 22:44

Firmware: WRV210_2.0.011

Quick VPN Client ver: 1.3.0.3

Firewall is on.

Have tried both 444 and 60443 on the client.

I also checked in the services and the IPSec service is on

Same error:

Failed to ping the LAN IP of the remote VPN Router!

IKE was blocked, which can be caused by a firewall blocking the UDP port 500 or 4500

David Hornstein Mon, 11/09/2009 - 06:08

Hi Eric,

Don't think you have to worry about allowing IKE via port 500 or NAT-T-port 4500, even though these two ports are critical to successful negotiation of ISAKMP.

So at the moment undo the work you did to allow those ports on the firewall.

Just checked the notes within the WRV210 manual, it suggests;

1. On page 56, "Disabling passthrough may prevent VPN clients from connecting to your network", so make sure that passthrough is enabled.

2. On page 69, “NAT-Traversal: Click Enabled if you need to establish a VPN tunnel with a device that is behind an NAT firewall. NAT-T must be enabled for another private network to be able set up a site-to-site IPSec tunnel with your WRV210. Click Disabled if the remote device is not behind an NAT firewall.

NOTE If NAT traversal is enabled, the Remote Secure Group and Remote Secure Gateway must be set to Any.”

If this doesn't work, maybe contact SBSC, so they can escalate this issue.

http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html

regards Dave



daviddun Mon, 11/09/2009 - 06:10

Eric,

Have you done a port scan with the router out of the picture, to your ISP modem?

They may be blocking port 500 traffic, typical of what you are seeing.

Go to GRC.com and do the shields up test to see if port 500 traffic is blocked.

If this does not work, then call the SBSC 866-606-1866

erickolesnikova... Mon, 11/09/2009 - 16:10

I did a full scan on GRC and all ports were stealth. Is this weird?

----------------------------------------------------------------------

GRC Port Authority Report created on UTC: 2009-11-10 at 00:08:27

Results from scan of ports: 0-1055

0 Ports Open
0 Ports Closed
1056 Ports Stealth
---------------------
1056 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: FAILED - ALL tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.

----------------------------------------------------------------------

Alejandro Gallego Mon, 11/09/2009 - 17:02

No, the results are not weird. When a port is marked as Stealth it just means that it is not being directly blocked (Closed), it is just in a waiting state. I will re-read your original post and see if I can offer better assistance.

OK, first off, the IP address that you have given your router on the LAN (local network) is a public IP. What will happen is that the routers will try and try to find that IP address until the request finally dies out there in the internet somewhere.

Change your LAN IP address to something like 172.16.68.0 with a subnet of 255.255.255.0. So your router's IP address will be something like 172.16.68.1, subnet mask 255.255.255.0. Also make sure that on your Windows machine the service "IP sec" is running and it is set to start automatically. You can check this by clicking on your Start button > run > type "services.msc" without the quotes. When the services window opens, scroll down a little and look for IP Sec. If that service is not running QVPN will not work. Must say however; from looking at your log this service is already started.

After you change the IP address of your router please post your log file again.
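The addressing point in the post above can be checked mechanically. This is an added example, not part of the original post: `check_vpn_lan` is a hypothetical helper, it handles IPv4 only, and the client's /24 mask is an assumption (the log shows only the address 192.168.1.101).

```python
import ipaddress

# RFC 1918 private IPv4 ranges, the space a LAN behind NAT should be numbered from.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_vpn_lan(remote_lan, client_iface):
    """Return a list of problems with the subnet behind the VPN router.

    remote_lan   -- LAN subnet of the VPN router, e.g. "115.168.1.0/24"
    client_iface -- client address with mask, e.g. "192.168.1.101/24"
    """
    lan = ipaddress.ip_network(remote_lan, strict=False)
    client_net = ipaddress.ip_interface(client_iface).network
    problems = []
    if not any(lan.subnet_of(p) for p in RFC1918):
        # LAN numbered out of publicly routable space, as with 115.168.1.X
        problems.append("public-range")
    if lan.overlaps(client_net):
        # Same subnet on both ends: the client treats remote hosts as local
        problems.append("overlaps-client")
    return problems

if __name__ == "__main__":
    client = "192.168.1.101/24"  # mask is an assumption
    for lan in ("192.168.1.0/24", "115.168.1.0/24", "172.16.68.0/24"):
        print(lan, check_vpn_lan(lan, client) or "ok")
```

A router LAN in 192.168.1.0/24 collides with the client's own network, 115.168.1.0/24 avoids the collision but is public space, and 172.16.68.0/24 passes both checks.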

erickolesnikova... Thu, 11/12/2009 - 10:57

I ran a GRC scan while I was directly connected to the modem and received the results below.

I called my ISP; they told me they block only 1434,1433,1900,4445,80 out, 135-139.

They told me all other ports are open and they can not do anything further to help me.

----------------------------------------------------------------------

GRC Port Authority Report created on UTC: 2009-11-12 at 18:41:20

Results from scan of ports: 0-1055

0 Ports Open
1048 Ports Closed
8 Ports Stealth
---------------------
1056 Ports Tested

NO PORTS were found to be OPEN.

Ports found to be STEALTH were: 25, 80, 135, 136, 137, 138,
139, 445

Other than what is listed above, all ports are CLOSED.

TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.

----------------------------------------------------------------------

erickolesnikova... Fri, 11/13/2009 - 13:48

It works

I called Cisco and they had me put my router back to the defaults because I never did that after the firmware upgrade. They also helped me scan my internet connection, and I called my ISP as you can see from above. So one of the things worked. Thanks all for your help :-)

iandesousa Tue, 12/29/2009 - 02:56

I had the same issue and port forwarded ESP to the router and it all started to work.
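The checks raised across this thread can be tied to the stage at which a QuickVPN Log.txt stops. This is an added example, not part of any post and not Cisco's code: `triage` is a hypothetical helper, it matches only message texts that appear in the log quoted in the first post, and the sample is an excerpt of that log.

```python
import re

# Excerpt of the Log.txt from the first post (ping warnings trimmed to two).
SAMPLE_LOG = """\
2009/11/07 20:08:14 [STATUS]OS Version: Windows Vista
2009/11/07 20:08:14 [STATUS]Windows Firewall Domain Profile Settings: ON
2009/11/07 21:08:18 [STATUS]Remote gateway was reached by https ...
2009/11/07 21:08:28 [STATUS]Tunnel is configured. Ping test is about to start.
2009/11/07 21:08:34 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2009/11/07 21:08:37 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2009/11/07 21:08:51 [WARNING]IKE was blocked, which can be caused by a firewall blocking the UDP port 500 or 4500.
"""

# "<date> <time> [LEVEL]message", the layout of the lines above.
LINE = re.compile(r"^\S+ \S+ \[(\w+)\](.*)$")

def triage(log_text):
    """Report how far a connection attempt got and which thread checks apply."""
    r = {"vista": False, "firewall_off": False, "https_ok": False,
         "tunnel_configured": False, "ping_failures": 0, "ike_blocked": False}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line or text that is not a log record
        msg = m.group(2).strip()
        if msg.startswith("OS Version:"):
            r["vista"] = "Vista" in msg
        elif msg.startswith("Windows Firewall") and not msg.endswith(": ON"):
            r["firewall_off"] = True
        elif msg.startswith("Remote gateway was reached by https"):
            r["https_ok"] = True
        elif msg.startswith("Tunnel is configured"):
            r["tunnel_configured"] = True
        elif msg.startswith("Failed to ping the LAN IP"):
            r["ping_failures"] += 1
        elif msg.startswith("IKE was blocked"):
            r["ike_blocked"] = True
    checks = []
    if r["vista"] and r["firewall_off"]:
        checks.append("turn Windows Firewall on (Vista disables IPSec without it)")
    if not r["https_ok"]:
        checks.append("gateway not reached over https: check address and client port")
    elif r["ike_blocked"] or r["ping_failures"]:
        checks += ["UDP 500 and 4500 open along the whole path",
                   "IPSec passthrough and NAT-T settings on the router",
                   "ESP forwarded to the VPN router",
                   "router reset to defaults after the firmware upgrade"]
    r["checks"] = checks
    return r
```

For the sample, `triage(SAMPLE_LOG)` shows the https control channel succeeding and the tunnel being configured while the IPsec path fails, which is why the replies concentrate on IKE, NAT-T and ESP rather than on the gateway address or client port.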