07-06-2011 03:53 PM
I have an RV016 with 3 DSL connections. I am running 3.0.2.01 tm of the RV016 firmware. Each DSL connection is behind a Netopia 3000. I have one Netopia in bridge mode bridging the external IP to the internal. I have one in "gateway" mode. I am mapping all IP traffic to the internal gateway address of that model. The third interface has been disconnected so I can debug the PPTP and VPN issues.
ex: Bridge Int:
Netopia Int 70.xxx.xxx.xxx
RV016 Int: DHCP and becomes the same as the bridge
Gateway Int:
Netopia Ext 70.xxx.xxx.xxx
Netopia Int 192.168.1.254
Netopia "default server" maps ext interface to 192.168.1.1
RV016 Int: 192.168.1.1
I have configured PPTP and I see in the logs that port 1723 has a successful connection and the Windows 7 (and iPhone) PPTP client begins authenticating. I have a simple account set up and both the iPhone and Windows 7 PPTP clients will prompt that it is authenticating user/password and then fail the PPTP session.
I get the exact same problem on the bridged interface as I do on the gateway interface. I have used two different PPTP clients (iPhone and Windows 7) and at least 4 different Windows 7 computers and still have the same issue.
I have also configured a client-to-gateway IPsec tunnel. I am using the Shrew Soft IPsec client. My settings are as follows:
I am set up using IKE over NAT. My IPsec client is configured identically. The client will retry the initial IKE negotiation 3 times, then fail. I do NOT see any logging information for the IKE session in the RV016 log files.
I have ALSO configured QVPN clients and none of these are working properly on any of my interfaces. I have connected the RV016 to a test LAN and also cannot get these interfaces to work bypassing the Netopias/internet altogether. I am either having an issue with the firmware and/or the hardware. I have tried to upgrade to 4.0 of the firmware but that failed. I have to have the VPN up by next week to support Cisco Live attendees. I would appreciate your support.
07-06-2011 04:23 PM
Out of thin air, some things to think about or try - just thinking out loud...
- Is there any filtering in front of either the client or the RV?
- You mentioned nothing in the logs - anything show up with a sniffer?
- What about client logs? Somewhere there must be a hint of what is not jibing...
- How about taking the shrewsoft/qvpn clients and point them to another box? To verify they are functioning...
- What about dropping down from AES256 to AES128 or even triple des?
- PPTP and NAT potentially don't play well together - is there NAT going on in front of the clients or the box itself?
- Is UDP 4500 open both ways? Is it being passed inbound where appropriate? No ACLs, filtering, etc.
- Have you tried downgrading and/or upgrading firmware? clients?
- You mentioned issues w/ upgrading firmware. Factory reset and try again?
Sorry I don't have anything concrete - hopefully some of the above will nudge this in the positive direction.
Support can also assist with this as well...
07-06-2011 06:45 PM
The client shows the following messages:
11/07/06 21:38:49 >> : security association payload
11/07/06 21:38:49 >> : - proposal #1 payload
11/07/06 21:38:49 >> : -- transform #1 payload
11/07/06 21:38:49 >> : -- transform #2 payload
11/07/06 21:38:49 >> : -- transform #3 payload
11/07/06 21:38:49 >> : -- transform #4 payload
11/07/06 21:38:49 >> : -- transform #5 payload
11/07/06 21:38:49 >> : -- transform #6 payload
11/07/06 21:38:49 >> : -- transform #7 payload
11/07/06 21:38:49 >> : -- transform #8 payload
11/07/06 21:38:49 >> : -- transform #9 payload
11/07/06 21:38:49 >> : key exchange payload
11/07/06 21:38:49 >> : nonce payload
11/07/06 21:38:49 >> : identification payload
11/07/06 21:38:49 >> : vendor id payload
11/07/06 21:38:49 ii : local supports nat-t ( draft v00 )
11/07/06 21:38:49 >> : vendor id payload
11/07/06 21:38:49 ii : local supports nat-t ( draft v01 )
11/07/06 21:38:49 >> : vendor id payload
11/07/06 21:38:49 ii : local supports nat-t ( draft v02 )
11/07/06 21:38:49 >> : vendor id payload
11/07/06 21:38:49 ii : local supports nat-t ( draft v03 )
11/07/06 21:38:49 >> : vendor id payload
11/07/06 21:38:49 ii : local supports nat-t ( rfc )
11/07/06 21:38:49 >> : vendor id payload
11/07/06 21:38:49 ii : local supports FRAGMENTATION
11/07/06 21:38:49 >> : vendor id payload
11/07/06 21:38:49 >> : vendor id payload
11/07/06 21:38:49 ii : local supports DPDv1
11/07/06 21:38:49 >> : vendor id payload
11/07/06 21:38:49 ii : local is SHREW SOFT compatible
11/07/06 21:38:49 >> : vendor id payload
11/07/06 21:38:49 ii : local is NETSCREEN compatible
11/07/06 21:38:49 >> : vendor id payload
11/07/06 21:38:49 ii : local is SIDEWINDER compatible
11/07/06 21:38:49 >> : vendor id payload
11/07/06 21:38:49 ii : local is CISCO UNITY compatible
11/07/06 21:38:49 >= : cookies 2ee1cb6c3c9f4389:0000000000000000
11/07/06 21:38:49 >= : message 00000000
11/07/06 21:38:49 -> : send IKE packet 192.168.1.58:500 -> x.x.x.x:500 ( 814 bytes )
11/07/06 21:38:49 DB : phase1 resend event scheduled ( ref count = 2 )
11/07/06 21:38:49 DB : phase1 ref decrement ( ref count = 1, obj count = 1 )
11/07/06 21:38:54 -> : resend 1 phase1 packet(s) [0/2] 192.168.1.58:500 -> x.x.x.x:500
11/07/06 21:38:59 -> : resend 1 phase1 packet(s) [1/2] 192.168.1.58:500 -> x.x.x.x:500
11/07/06 21:39:04 -> : resend 1 phase1 packet(s) [2/2] 192.168.1.58:500 -> x.x.x.x:500
11/07/06 21:39:09 ii : resend limit exceeded for phase1 exchange
11/07/06 21:39:09 ii : phase1 removal before expire time
11/07/06 21:39:09 DB : phase1 deleted ( obj count = 0 )
11/07/06 21:39:09 DB : tunnel ref decrement ( ref count = 1, obj count = 1 )
11/07/06 21:39:09 DB : policy not found
11/07/06 21:39:09 DB : policy not found
11/07/06 21:39:09 DB : policy not found
11/07/06 21:39:09 DB : policy not found
11/07/06 21:39:09 DB : policy not found
11/07/06 21:39:09 DB : policy not found
11/07/06 21:39:09 DB : removing tunnel config references
11/07/06 21:39:09 DB : removing tunnel phase2 references
11/07/06 21:39:09 DB : removing tunnel phase1 references
11/07/06 21:39:09 DB : tunnel deleted ( obj count = 0 )
11/07/06 21:39:09 DB : peer ref decrement ( ref count = 1, obj count = 1 )
11/07/06 21:39:09 DB : removing all peer tunnel refrences
11/07/06 21:39:09 DB : peer deleted ( obj count = 0 )
11/07/06 21:39:09 ii : ipc client process thread exit ...
The VPN log on the RV016 shows the following:
Jul 6 20:37:57 2011 | VPN Log | Received Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-00] |
Jul 6 20:37:57 2011 | VPN Log | Ignoring Vendor ID payload [16f6ca16e4a4066d...] |
Jul 6 20:37:57 2011 | VPN Log | Received Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-02_n] |
Jul 6 20:37:57 2011 | VPN Log | Received Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-03] |
Jul 6 20:37:57 2011 | VPN Log | Ignoring Vendor ID payload [4a131c8107035845...] |
Jul 6 20:37:57 2011 | VPN Log | Ignoring Vendor ID payload [4048b7d56ebce885...] |
Jul 6 20:37:57 2011 | VPN Log | Received Vendor ID payload Type = [Dead Peer Detection] |
Jul 6 20:37:57 2011 | VPN Log | Ignoring Vendor ID payload [3b9031dce4fcf88b...] |
Jul 6 20:37:57 2011 | VPN Log | Ignoring Vendor ID payload [f14b94b7bff1fef0...] |
Jul 6 20:37:57 2011 | VPN Log | Ignoring Vendor ID payload [166f932d55eb64d8...] |
Jul 6 20:37:57 2011 | VPN Log | Ignoring Vendor ID payload [8404adf9cda05760...] |
Jul 6 20:37:57 2011 | VPN Log | Ignoring Vendor ID payload Type = [Cisco-Unity] |
Jul 6 20:37:57 2011 | VPN Log | [Tunnel Negotiation Info] <<< Responder Received Aggressive Mode 1st packet |
Jul 6 20:37:57 2011 | VPN Log | Initial Aggressive Mode message from x.x1.x.x but no (wildcard) connection has been configured |
Jul 6 20:37:57 2011 | VPN Log | Initial Aggressive Mode message from x.x.x.x but no (wildcard) connection has been configured |
I don't have another box to test the VPN clients with, but I DID test the PPTP and that works outside of the RV016.
In testing, I dropped all the way to DES and still got the same issue.
There is no firewall in place blocking any traffic. Unless the RV016 is blocking 4500 from itself.
No, I didn't downgrade but I did do a factory reset several times.
Thanks for the suggestions.
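The two logs in the post above, read together, already answer the "is UDP 500/4500 being blocked" question: the RV016 logged "Responder Received Aggressive Mode 1st packet", so the client's proposal reached the router and was dropped because no client-to-gateway (wildcard peer) tunnel matched it. This added triage script (not from the thread, Cisco or Shrew Soft) correlates the client resend pattern with the gateway's VPN Log to separate a path/filtering problem from a policy mismatch; the log excerpts are constructed from the lines quoted above and the verdict names are my own.

```python
import re

# Constructed excerpts modelled on the two logs quoted in the thread:
# the Shrew Soft client trace and the RV016 "VPN Log" (abbreviated).
CLIENT_LOG = """\
11/07/06 21:38:49 -> : send IKE packet 192.168.1.58:500 -> x.x.x.x:500 ( 814 bytes )
11/07/06 21:38:54 -> : resend 1 phase1 packet(s) [0/2] 192.168.1.58:500 -> x.x.x.x:500
11/07/06 21:38:59 -> : resend 1 phase1 packet(s) [1/2] 192.168.1.58:500 -> x.x.x.x:500
11/07/06 21:39:04 -> : resend 1 phase1 packet(s) [2/2] 192.168.1.58:500 -> x.x.x.x:500
11/07/06 21:39:09 ii : resend limit exceeded for phase1 exchange
"""
GATEWAY_LOG = """\
Jul 6 20:37:57 2011 | VPN Log | [Tunnel Negotiation Info] <<< Responder Received Aggressive Mode 1st packet |
Jul 6 20:37:57 2011 | VPN Log | Initial Aggressive Mode message from x.x.x.x but no (wildcard) connection has been configured |
"""

RESEND_RE = re.compile(r"resend \d+ phase1 packet\(s\) \[(\d+)/(\d+)\] (\S+) -> (\S+)")

def parse_client(log):
    """Client side: was the phase 1 proposal sent, retried, and finally abandoned?"""
    resends = RESEND_RE.findall(log)
    return {
        "sent": "send IKE packet" in log,
        "resends": len(resends),
        "peer": resends[-1][3] if resends else None,
        "gave_up": "resend limit exceeded for phase1 exchange" in log,
    }

def parse_gateway(log):
    """Gateway side: did the responder see the proposal, and why did it drop it?"""
    return {
        "received_aggressive": "Responder Received Aggressive Mode 1st packet" in log,
        "no_wildcard_conn": "no (wildcard) connection has been configured" in log,
    }

def triage(client_log, gateway_log):
    """Return (verdict, client_summary, gateway_summary); verdict names are hypothetical."""
    c, g = parse_client(client_log), parse_gateway(gateway_log)
    if not c["gave_up"]:
        return "phase1_not_exhausted", c, g
    if g["no_wildcard_conn"]:
        # The proposal arrived on UDP 500 and failed policy matching: fix the
        # RV016 client-to-gateway tunnel definition, not a firewall rule.
        return "gateway_policy_mismatch", c, g
    if g["received_aggressive"]:
        return "gateway_received_unknown_drop", c, g
    # Gateway never logged the first packet: a path or filtering problem.
    return "no_response_check_path", c, g
```

Running it on a gateway log with no "Received Aggressive Mode" line flips the verdict to the path check, which is the case where the UDP 500/4500 filtering questions from the earlier reply would apply.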