RV042, quickVPN hangs

lincservices
Level 1

I have 5 static IP addresses from my cable provider. One IP address is for my network that I use IPCop as my firewall. I have set up the RV042 router+VPN appliance with a different IP address so I can access my network remotely. When I am connected to the RV042 directly I get an IP address from my home network (10.1.x.x). When I try to connect from my friend's house with DSL, behind a D-Link router, my VPN client hangs at "verifying network" and then I get gateway not responding. I have tried connecting directly to my cable router, configuring my network card with a third static IP from my cable provider, and get the same error. Any suggestions?

9 Replies

wichilds
Level 4

Please check the log file located in the installation folder. The name of the file is log.txt. This will give you some place to start. If possible, please post the log file.

If you don't want to post it, private message it to me so I can make some recommendations.

Bill

Here is the log and some additional information. I am connecting the RV042 behind my firewall and would like to have my network DHCP server supply the IP address to the remote clients. One question: is it possible to set up the RV042 with a Windows RADIUS server so only AD users can access the network?

2010/01/01 13:33:34 [STATUS]OS Version: Windows Vista
2010/01/01 13:33:34 [STATUS]Windows Firewall Domain Profile Settings:  OFF
2010/01/01 13:33:34 [STATUS]Windows Firewall Private Profile Settings: OFF
2010/01/01 13:33:34 [STATUS]Windows Firewall Private Profile Settings: OFF
2010/01/01 13:33:34 [STATUS]One network interface detected with IP address xxx.xxx.xxx.xxx (public IP address)
2010/01/01 13:33:34 [STATUS]Connecting...
2010/01/01 13:33:34 [STATUS]Connecting to remote gateway with IP address: xxx.xxx.xxx.xxx (public IP address)
2010/01/01 13:33:38 [STATUS]Remote gateway was reached by https ...
2010/01/01 13:33:38 [STATUS]Provisioning...
2010/01/01 13:33:49 [STATUS]Tunnel is configured. Ping test is about to start.
2010/01/01 13:33:49 [STATUS]Verifying Network...
2010/01/01 13:33:55 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/01/01 13:33:58 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/01/01 13:34:01 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/01/01 13:34:04 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/01/01 13:34:07 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/01/01 13:34:09 [WARNING]Ping was blocked, which can be caused by an unexpected disconnect.
2010/01/01 13:34:19 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/01/01 13:34:22 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/01/01 13:34:25 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/01/01 13:34:28 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/01/01 13:34:31 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/01/01 13:34:33 [WARNING]Ping was blocked, which can be caused by an unexpected disconnect.
2010/01/01 13:34:38 [STATUS]Disconnecting...
2010/01/01 13:34:45 [STATUS]Tunnel is disconnected successfully.
2010/01/01 13:49:37 [STATUS]OS Version: Windows Vista
2010/01/01 13:49:37 [STATUS]Windows Firewall Domain Profile Settings:  OFF
2010/01/01 13:49:37 [STATUS]Windows Firewall Private Profile Settings: OFF
2010/01/01 13:49:37 [STATUS]Windows Firewall Private Profile Settings: OFF
2010/01/01 13:49:37 [STATUS]One network interface detected with IP address xxx.xxx.xxx.xxx (public IP address)
2010/01/01 13:49:37 [STATUS]Connecting...
2010/01/01 13:49:37 [STATUS]Connecting to remote gateway with IP address: xxx.xxx.xxx.xxx (public IP address)
2010/01/01 13:49:40 [STATUS]Remote gateway was reached by https ...
2010/01/01 13:49:40 [STATUS]Provisioning...
2010/01/01 13:49:51 [STATUS]Tunnel is configured. Ping test is about to start.
2010/01/01 13:49:51 [STATUS]Verifying Network...
2010/01/01 13:49:56 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/01/01 13:49:59 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/01/01 13:50:02 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/01/01 13:50:05 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/01/01 13:50:08 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/01/01 13:50:11 [WARNING]Ping was blocked, which can be caused by an unexpected disconnect.
2010/01/01 13:50:15 [STATUS]Disconnecting...
2010/01/01 13:50:22 [STATUS]Tunnel is disconnected successfully.

Windows Vista is a difficult operating system. I'm sure you already knew this. That being said, make sure you have these things configured on your Vista machine:

1. The firewall must be turned ON. Turning off the firewall on a Vista box disables the use of ipsec.

2. Create an exception in the firewall for the QVPN program.

3. Make sure all anti-virus software is off. If the connection is successful, turn it back on and connect to it again. If it fails, make an exception for the QVPN program in the software.

4. This is not related to your Vista machine, but check to see if your destination ISP is blocking ports 500 or 4500. You can do this by going to grc.com and performing a shields up test. This is a 3rd party port scan. It will tell you if your ISP is blocking any ports. This will tell you how to do that:

https://www.myciscocommunity.com/docs/DOC-13405

From the looks of the log, your tunnel is being established but is not able to pass data through the tunnel. That is, most of the time, due to either ports 500 or 4500 being blocked somewhere. It does not matter if they are blocked client side as the QVPN software sends the request on a random port. The destination ports are the ones that are very important.

Please do this test and post your results to the community.

Bill
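Added example (not part of any post in this thread, and not Cisco code): a small Python parser for the QuickVPN client log.txt format shown above that splits the log into connection attempts and reports how far each one got. The sample log is constructed from message strings in the posted log; the function names and result labels are this example's own.

```python
import re

# Constructed sample: two attempts built from message strings in the posted log.
SAMPLE_LOG = """\
2010/01/01 13:33:34 [STATUS]Connecting...
2010/01/01 13:33:38 [STATUS]Remote gateway was reached by https ...
2010/01/01 13:33:38 [STATUS]Provisioning...
2010/01/01 13:33:49 [STATUS]Tunnel is configured. Ping test is about to start.
2010/01/01 13:33:49 [STATUS]Verifying Network...
2010/01/01 13:33:55 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/01/01 13:33:58 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/01/01 13:34:38 [STATUS]Disconnecting...
2010/01/01 14:05:00 [STATUS]Connecting...
2010/01/01 14:05:30 [STATUS]Disconnecting...
"""

LINE_RE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[(\w+)\](.*)$")
# Stages after "Connecting...", in log order, with the message prefix marking each.
STAGES = [("gateway_reached", "Remote gateway was reached"), ("provisioning", "Provisioning..."),
          ("tunnel_configured", "Tunnel is configured"), ("verifying", "Verifying Network")]

def parse_attempts(text):
    """Split a log into attempts; record the furthest stage and ping failures of each."""
    attempts = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        ts, level, msg = m.groups()
        if msg == "Connecting...":  # each attempt starts here
            attempts.append({"start": ts, "stage": "connecting", "ping_failures": 0})
        if not attempts:
            continue  # header lines before the first attempt
        cur = attempts[-1]
        for name, prefix in STAGES:
            if msg.startswith(prefix):
                cur["stage"] = name
        if level == "WARNING" and msg.startswith("Failed to ping"):
            cur["ping_failures"] += 1
    return attempts

def diagnose(attempt):
    """Map an attempt to a coarse failure class (labels are this example's own)."""
    stage, fails = attempt["stage"], attempt["ping_failures"]
    if stage == "connecting":
        return "gateway_not_reached"
    if stage in ("gateway_reached", "provisioning"):
        return "tunnel_not_configured"
    return "tunnel_configured_no_traffic" if fails else "no_ping_failures_logged"
```

An attempt classed as tunnel_configured_no_traffic matches the reading given above: the tunnel is established but no data passes through it.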

Thanks for the information.  I am able to connect but I still am not getting an IP address from my dhcp server and cannot connect to any of my network resources.

When you have connected the tunnel, are you able to ping any of your remote internal IP addresses from your local PC?

The only internal IP address I can ping is the RV042 static ip address.  I cannot ping anything else on my network.

Alejandro Gallego
Cisco Employee
I have 5 static IP addresses from my cable provider. One IP address is for my network that I use IPCop as my firewall. I have set up the RV042 router+VPN appliance with a different IP address so I can access my network remotely.

I just want to make sure that I am clear with your set up and what you are saying. From your original quote you state that you have 5 public IPs, and two (as of this point) are being used; one for IPCop and the other for the RV042 WAN connection.

Keeping in mind that the whole time you are trying to connect via QVPN.

Here is where I get a little lost:

When I am connected to the RV042 directly I get an IP address from my home network (10.1.x.x).

Not really sure what you meant. Did you mean you connected from your house to the RV by using the PPTP VPN server feature on the RV042, or did you mean you connected  to the RV using QVPN and your home router issued you a 10.1.x.x IP address?

When using QVPN; the connection established is an IPSec connection, so you will not receive an IP address from the remote router. This type of VPN connection creates a route statement on the participating routers so you are able to access the remote site and network resources.

I have tried connecting directly to my cable router, configuring my network card with a third static IP from my cable provider, and get the same error.

Here I understood that from your home (remote location - not local to the RV042) you assigned your computer a public IP address (a third of the original five) and you were still not able to connect. Now I would assume that at both locations, home and work (RV042 side), you have the same ISP and your block of five IPs would be valid at either location.

So, working with that assumption what is the local IP address of your network on both sides of the tunnel?

One thing that can not be is having the same network ID on both sides of the tunnel. So if I connect from my home which has an internal IP address scheme of 172.16.10.20 the internal IP address of the RV cannot be 172.16.10.x.

This is what the tunnel whether established or not should look like:

IP: 172.16.20.1 (LAN) << == >> RV042 (WAN) 64.23.x.x <<==>> CLOUD <<==>> 159.35.x.x (WAN) "HOME ROUTER" <<==>>(LAN) 192.168.12.1 IP --- QVPN client

NOTE: the IP numbers do not matter so long as both sides are different networks as shown. This would also be a different network: 192.168.20.x and 192.168.30.x, both with a subnet mask of 255.255.255.0.

Some other notes, which may have already been mentioned: if your PC is Vista the firewall must be running, but if XP the firewall needs to be turned off. In XP, turning off the firewall via the GUI may not be enough; you may want to disable the service and try again. You can do this by clicking "Start" > "Run", then typing "services.msc" (without quotes) and hitting Enter. Browse the services window for "Windows Firewall (ICS)" and just STOP the service while testing. If that works, then you may want to disable the service.

On a later post you stated:

Thanks for the information. I am able to connect but I still am not getting an IP address from my dhcp server and cannot connect to any of my network resources.

Remember you will not get an IP address from the remote side (RV042 network), but you should be able to get to shares via IP address. Later you said that you were not able to ping; don't get too hung up on not being able to ping, as the device you are pinging may not be set to respond with echoes. Try testing the connection using known running services of the remote site, such as file shares, remote desktop, VNC and so on. Maybe open up a command prompt and launch a telnet session to the DHCP server on port 67 and see if you are able to get there (the session should not time out).

Let us know what you are able to find.

Hope this helps a little.
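Added example (not from the post above and not Cisco code): a Python check of the rule that the client's local network and the LAN behind the RV042 must not overlap, reading the client side from pasted Windows ipconfig output. The ipconfig text is a constructed sample using the post's example addresses; the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample of Windows `ipconfig` output on the client PC (example addresses).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 172.16.10.20(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.10.1

Wireless LAN adapter Wireless Network Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.12.50(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
"""

# Vista labels the line "IPv4 Address", XP labels it "IP Address".
ADDR_RE = re.compile(r"^\s*(?:IPv4 Address|IP Address)[ .]*:\s*([\d.]+)")
MASK_RE = re.compile(r"^\s*Subnet Mask[ .]*:\s*([\d.]+)")

def client_networks(ipconfig_text):
    """Pair each IPv4 address line with the subnet mask line that follows it."""
    nets, pending = [], None
    for line in ipconfig_text.splitlines():
        a, m = ADDR_RE.match(line), MASK_RE.match(line)
        if a:
            pending = a.group(1)
        elif m and pending:
            nets.append(ipaddress.ip_interface(f"{pending}/{m.group(1)}").network)
            pending = None
    return nets

def overlapping(ipconfig_text, remote_lan):
    """Return the client networks that overlap the LAN behind the VPN router.

    remote_lan is the router's LAN address with its mask, e.g. "172.16.20.1/255.255.255.0".
    """
    remote = ipaddress.ip_network(remote_lan, strict=False)
    return [str(n) for n in client_networks(ipconfig_text) if n.overlaps(remote)]
```

The result depends on the mask as well as the address: 192.168.20.x and 192.168.30.x are separate networks with 255.255.255.0, but with 255.255.0.0 on both sides they are the same network and would be reported as overlapping.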

Here is where I get a little lost:

When I am connected to the RV042 directly I get an IP address from my home network (10.1.x.x).

Not really sure what you meant. Did you mean you connected from your house to the RV by using the PPTP VPN server feature on the RV042, or did you mean you connected  to the RV using QVPN and your home router issued you a 10.1.x.x IP address?


I mean that I am connected directly to the router.  Using it as a switch.

I have tried connecting directly to my cable router, configuring my network card with a third static IP from my cable provider, and get the same error.

Here I understood that from your home (remote location - not local to the RV042) you assigned your computer a public IP address (a third of the original five) and you were still not able to connect. Now I would assume that at both locations, home and work (RV042 side), you have the same ISP and your block of five IPs would be valid at either location.

So, working with that assumption what is the local IP address of your network on both sides of the tunnel?

One thing that can not be is having the same network ID on both sides of the tunnel. So if I connect from my home which has an internal IP address scheme of 172.16.10.20 the internal IP address of the RV cannot be 172.16.10.x.

This is what the tunnel whether established or not should look like:

IP: 172.16.20.1 (LAN) << == >> RV042 (WAN) 64.23.x.x <<==>> CLOUD <<==>> 159.35.x.x (WAN) "HOME ROUTER" <<==>>(LAN) 192.168.12.1 IP --- QVPN client

NOTE: the IP numbers do not matter so long as both sides are different networks as shown. This would also be a different network: 192.168.20.x and 192.168.30.x, both with a subnet mask of 255.255.255.0.

I will attempt from my friend's house again. When I successfully connected, I was using a third public IP address on a laptop to connect to the RV042 that is using a second public IP address.

Remember you will not get an IP address from the remote side (RV042 network), but you should be able to get to shares via IP address. Later you said that you were not able to ping; don't get too hung up on not being able to ping, as the device you are pinging may not be set to respond with echoes. Try testing the connection using known running services of the remote site, such as file shares, remote desktop, VNC and so on. Maybe open up a command prompt and launch a telnet session to the DHCP server on port 67 and see if you are able to get there (the session should not time out).

I attempted to open telnet to the DHCP server on port 67, from a PC that is on the internal network, and got the message "Could not open connection to the host, on port 67:  Connect failed."  I know my DHCP server is working because I am getting assigned IP addresses. From a PC on the network I have verified that DNS is also working via nslookup.

Again I will post the results after I test from my friend's internet connection.

Hi lincservices,

I am wondering if you are encountering a similar IP address peculiarity exhibited by the WRV router that I tested.

I found that my PC could not be in the same IP WAN network as the VPN router WAN interface. I just could not create a VPN connection to my WRV router when in the same WAN IP network range.

I ran a simulation on a test network in my lab.  I connected my PC and my WRV wan interface on a simulated internet.  I used a layer 3 switch to provide DHCP services and physical connectivity to devices on my hypothetical simulated internet.  This meant that my PC and my WRV router WAN interface were in the same network.

If, however, my PC client was in a different IP network, as compared to that on my WRV router WAN interface, I could consistently VPN to my WRV router.

You mention when at a friend's house and using their connection to get to your router all seems, well almost



When your PC client uses an IP address in the range allocated by the Service Provider, you mention, at times, difficulty in connecting to your WAN router.

Are we both seeing the same thing: when you try to connect via VPN to the WAN router using an IP address in the same IP range as manually allocated by the service provider, you have difficulty in connecting?

If this is the case, just don't use one of those IP addresses in the same network range given by the SP.

See what happens when you use a dynamic IP allocated by the service provider, from another location, maybe again from your friend's place.

(hopefully in a different IP network range maybe :) ).

I think this will solve your issue.

I'm thinking that quick IPVPN server cannot have clients in the same IP WAN network, maybe someone in the community can validate my statement or shoot my observation down.

regards Dave
