I have a WRVS4400N V2 Wireless-N Gigabit Security Router with VPN from Cisco Small Business.
This box has many features but they do not include an ADSL interface. For that I have a Linksys AG300 DSL Modem / Router.
What I couldn't find documentation on is how to configure these two devices to be able to establish a VPN connection from the Internet. But, after much trial and error I have it working.
The AG300 has been serving our office LAN for several years and I didn't want to disrupt any existing configuration or services.
I connected the WAN port of the WRVS4400N to a port on our LAN - via a switch to one of the AG300 LAN ports. The WRVS4400N WAN port picked up an IP on our LAN from the DHCP server on the AG300.
I set the WAN port MTU configuration to Manual (Setup, WAN) and MTU size to 1000. This on the basis that the VPN traffic will be tunnelled so the MTU better be less than 1500. 1000 is no doubt lower than necessary but I didn't want failure for the sake of a few bytes. I can tune it up later.
I set the timezone and enabled daylight savings time, with the default NTP server(s).
I set up the wireless network, though this is probably irrelevant at this point. My testing was all with wired systems. All I did was set an SSID Name for SSID1 (Wireless, Basic Settings), and set security mode to WPA2-Personal Mixed and a Shared Secret (Wireless, Security Settings).
IPSec VPN I left disabled (default).
I created one VPN Client Account: a username and password and left Allow User to Change Password at default: no.
I generated a certificate and exported for client.
I changed the admin account password.
I did all this from a laptop plugged into one of the LAN ports on the WRVS4400N. The laptop picked up an IP from the DHCP server on the WRVS4400N on the default 192.168.1.0/24 network.
I then downloaded and installed the QuickVPN client from http://www.cisco.com/en/US/prod/routers/quick_vpn.html. I was using a laptop running Windows 7 64bit for testing, so I downloaded WRVS4400N Wireless-N Gigabit Security Router - VPN V2.0. I ran setup as administrator and accepted all defaults. The laptop was in a workgroup, not a domain member on our LAN.
I copied the WRVS4400N certificate to the QuickVPN folder (C:\Program Files (x86)\Cisco Small Business\QuickVPN Client.
I connected the test client (with QuickVPN) to our internal LAN and configured a QuickVPN profile to access the WRVS4400N directly (ie at its internal WAN port address, thus not traversing our Internet DSL modem / router). This connected successfully and I was able to RDP to a test system on the LAN side of the WRVS4400N - success!!! of a sort.
Next I created a new QuickVPN profile, the same as the first except for specifying the external address of the AG300 (i.e. our public / Internet IP address). I tried to connect and this failed.
The failure wasn't too surprising. There was nothing on the AG300 that would allow the connection attempts to reach the WRVS4400N WAN port. Unfortunately, the WRVS4400N documentation said nothing other than to configure our DSL router / modem according to instructions from our ISP and our ISP knows nothing of the WRVS4400N, VPNs or anything else they don't supply and almost nothing about what they do supply, so I didn't even bother calling them.
After some searching I found a post (https://supportforums.cisco.com/thread/2108785) indicating that some ports should be opened on the DSL modem / router and that this sometimes works, though it is an unsupported configuration (cryptic comment about there should only be one gateway). Anyway, I added ports 443, 500, 4500 and 60443, all TCP, to the port forwarding list on the AG300, all forwarded to the WRVS4400N WAN interface, but still no luck.
Then I got out the sniffer and compared the successful internal connection with the failing external connection and noted that the internal connection had an exchange on UDP port 500 and the failing one had inbound packets to that port but no replies. So, I forwarded UDP port 500 as well and finally got a VPN connection via the external interface of the AG300. Success at last!! I had almost given up.
3 comments:
UPD port 500 did the trick!! Thanks much Ian
Post a Comment