
QuickVPN connecting to RV180W behind Verizon FIOS Westell router?

Adam White
Level 1

I have Verizon FIOS service which has coax from their ONT to my primary (Verizon) router, a Westell 9100EM.  I have my own secondary router, a Cisco RV180W, connected to a LAN port on the Westell.  The Westell acquires the public IP via DHCP and its subnet is 192.168.1.x.  The Cisco router has a static IP assignment and then serves as the gateway for its own subnet 192.168.130.x.  Devices connecting to either LAN have full internet access.

I would like to establish a VPN connection from remote locations to the Cisco RV180W.  I have been trying to accomplish this using QuickVPN which is installed on my laptop (and which I can use to successfully connect to a different Cisco router on an entirely different network – meaning the laptop itself is not somehow blocking QuickVPN). 

I have been trying to establish the QuickVPN connection to the RV180W for the last several days, without success (trying to forward ports from Verizon router to Cisco router).  I finally spoke to Cisco telephone support yesterday and they told me it will never work if the RV180W has a non-routable IP address assigned to its WAN interface / is double-NAT'd (which is the case in my setup).  So question #1:  is this true or is there some way to work around this limitation, given my setup / Westell router?

Question #2:  is there another VPN client software (like for example Shrewsoft VPN Client) that WILL be able to connect to the RV180W, given my current configuration?

Question #3:  If #1 or #2 don't have easy answers … how can I change my configuration to enable the RV180W to support QuickVPN?  I also spoke to Verizon about potentially bridging their router.  They tell me they don't support this so I'm on my own in terms of trying it – and depending on what I do it may negatively impact some of my FIOS services (on the TVs).  But if anyone has done this I would love to hear about it!  I'm also wondering if putting the RV180W into the Westell's DMZ would help anything? 

I initially set things up as they are because I didn't really trust whatever router Verizon might install and didn't want my home network connected to its LAN.  I still feel that way, and believe my current setup offers better security for my own devices.  But nevertheless I need VPN access to my LAN so I need to do something!  And am open for any suggestions!

 

Thanks in advance …

Adam

 

5 Replies

Kremena Ivanova
Cisco Employee

Hi Adam,

 

Question #1: In the case of double NAT, Quick VPN very often cannot establish a connection. This can be due to:

- firewall, antivirus settings of the PC
- Windows OS of the PC
- correct port forwarding of all necessary ports
- IPsec pass-through support on the device in front of the router.

 

Regarding the PC part: Quick VPN is really simple software, which uses the IPsec services of Windows. If you recently tested the Quick VPN connection from this PC and it works, we can assume Windows is just fine.

Regarding the port forwarding part, the ports that need to be forwarded to the RV180 are:

UDP 500, UDP 4500, TCP 443 and ESP (or the option IPsec pass-through to be enabled)

 

Putting the RV180 in the DMZ zone is a good idea. The DMZ zone will allow all ports to be open for the RV180W, so you can be sure that traffic is not filtered. As the RV180 has a firewall as well, your LAN will not be exposed to risk.

 

Question #2: Shrew VPN works fine with the RV180. It does not rely on Windows services, so it is more likely to work than Quick VPN. It requires the same port forwarding rules, or the RV180 in the DMZ zone. Though it requires more time to configure, as a stable client, I like it more than Quick VPN. Attached are configuration instructions.

 

Question #3: Quick VPN requires only a user to be configured on the router and remote management to be activated on port 443. Nothing else can be done.

 

If you want to dig into why Quick VPN is not connecting, I would advise using Wireshark. You can install it and start it on the PC with Quick VPN and capture packets when starting the VPN client.

ISAKMP (you need to type the word in the filter menu) packets show the negotiation process. Once it is established you should see only ESP (you need to type the word in the filter menu) packets sent to the public IP that you are using for the connection. If you don't see any ESP packets, that means your PC is filtering them.

From the RV180 menu Administration - Diagnostic - Capture Packets, click on Packet trace on the WAN port and after that start Quick VPN. Once it shows the error you may stop the capture. You can open the file with Wireshark again. This option captures all traffic arriving on the WAN port and it will allow you to see if something is filtered by the router in front.

Usually the provider's devices are stopping ESP packets. So in the filter menu type ESP and see if there are any packets.

 

Hope it can help!

 

Regards,

Kremena
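The capture check described in the reply above, as an added example that is not part of the original thread: it counts ISAKMP (UDP 500), UDP 4500, TCP 443 and ESP packets in a capture file and reports whether tunnel traffic reached the capture point. It assumes a classic little-endian pcap with Ethernet framing (the RV180W's export format is not stated on the page); all function names and the sample bytes are constructed for illustration.

```python
import struct

# Traffic the reply says must reach the RV180W, keyed by (IP protocol, port); ESP is protocol 50.
PORTS = {(17, 500): "ISAKMP", (17, 4500): "UDP4500", (6, 443): "HTTPS"}

def classify(frame):
    """Return the VPN traffic class of one Ethernet/IPv4 frame, or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    if proto == 50:
        return "ESP"
    l4 = frame[14 + ihl:14 + ihl + 4]
    if len(l4) < 4:
        return None
    sport, dport = struct.unpack("!HH", l4)
    return PORTS.get((proto, dport)) or PORTS.get((proto, sport))

def summarize(pcap):
    """Count VPN-related packets in a classic little-endian pcap (Ethernet link type)."""
    if pcap[:4] != struct.pack("<I", 0xA1B2C3D4):
        raise ValueError("not a classic little-endian pcap file")
    counts = dict.fromkeys(["ISAKMP", "UDP4500", "HTTPS", "ESP"], 0)
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        kind = classify(pcap[off + 16:off + 16 + incl_len])
        if kind:
            counts[kind] += 1
        off += 16 + incl_len
    return counts

def diagnose(c):
    if c["ISAKMP"] == 0:
        return "no IKE negotiation seen at this capture point"
    if c["ESP"] == 0 and c["UDP4500"] == 0:
        return "IKE seen but no ESP: tunnel traffic is filtered before this point"
    if c["ESP"] == 0:
        return "no native ESP; UDP 4500 present, check for ESP-in-UDP (NAT traversal)"
    return "IKE and ESP both present"

def sample_frame(proto, sport=0, dport=0):  # constructed frame: zeroed headers plus ports
    ip = bytes([0x45, 0]) + bytes(7) + bytes([proto]) + bytes(10)
    return bytes(12) + b"\x08\x00" + ip + struct.pack("!HH", sport, dport)
def sample_pcap(frames):  # constructed capture file in classic pcap layout
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
# Constructed sample: IKE and HTTPS arrive, ESP never does.
SAMPLE = sample_pcap([sample_frame(17, 500, 500), sample_frame(17, 500, 500), sample_frame(6, 50000, 443)])
```

Running `diagnose(summarize(data))` on a capture from the PC and again on one from the RV180W WAN port shows on which side of the Westell the tunnel traffic disappears.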

 

 

 

 

 

Thanks for your reply Kremena!  Couple of follow-up questions for you, to help me decide which option to pursue first:

1. If I put the Cisco router into the Verizon router's DMZ, will that give the cisco router's WAN interface an external IP address?  Seems like it would still be a non-routable / internal IP address (on the Verizon router's subnet)???  (and if what the Cisco support person told me is correct, about the RV180W needing an external IP address, then I'm not sure how this would help)

2. Do you think the Shrewsoft VPN Client will work using my existing configuration (i.e., with the RV180W not in the Verizon DMZ?)

Thanks again for the help.  I will try one of these two options later today ...

Hello Adam,

 

1. What address the RV180 will receive when it is plugged into the DMZ port is something Verizon can answer. But whether the IP is public or private, the idea of putting the RV180 in the DMZ is that there will be no firewall that may filter the traffic. And the problem when there is double NAT is the firewall, and not the IP address on the WAN port.

2. Using Shrew, instead of Quick VPN, can only solve problems that you may face on the VPN client side, on the PC.

Please note that so far you do not know what the problem is, or where it is, that keeps Quick VPN from connecting. If it's something related to the client PC, Shrew will solve it, no matter the port. If it is related to traffic filtered by Verizon, changing the port to DMZ may show a difference even with Quick VPN.

 

Regards,

Kremena

Well ... just FYI, I gave up on trying to make this work.  Although I didn't want to go the "3rd party software" route, I finally did exactly that.  I just downloaded the free TeamViewer software and after about 15 minutes am able to successfully access my LAN computers via Windows Remote Desktop (which was my goal all along).  15 minutes for TeamViewer ... as compared with some 30 or 40 hours I spent over the past two weeks trying to get QuickVPN to work (and a few hours with Shrewsoft VPN Client). I feel like there MUST be a way to get the RV180W's VPN working with a client VPN package, even if the RV180W must be "behind" the Verizon router ... but it is beyond my abilities to figure it out.  In my case the Verizon router (supporting MOCA) must be the public-facing router.  Kremena ... thanks for trying to help.  Cisco ... thanks for nothing.

 

I didn't have any luck putting RV180W in the Westell DMZ, so I installed Shrewsoft Client VPN and am making some progress but still need some help.  I configured the IKE policy and VPN policy and VPN user on the RV180W.  And created the VPN client profile.  And when I click "connect" from the VPN client it says it brings up the tunnel and shows me to be connected.  I can also see the connection from the RV180W under IPSEC connection status (which shows Policy Name = the virtual IP entered into the VPN client profile and Endpoint  = the actual IP currently assigned to the LAN interface / NIC card in the laptop where the shrew VPN is running).  With all of this in mind ...

From a DOS box on the laptop (with Shrew VPN connected) I cannot successfully ping anything on the RV180W's LAN, so something isn't quite right.

Can you elaborate on the three places I must enter IP addresses, and what exactly those values should be: 
1. RV180W / Advanced VPN / Local Traffic Selection / Start Address (with "Local IP" = Subnet).  Your DOC shows this to be 192.168.10.1 but doesn't explain why.  Should this address be an unused range in the RV180W's subnet?  Or the address of the RV180W itself?  Or what?
2. Shrewsoft VPN client / General tab / Local Host:  Set to "use virtual adaptor" with assigned address = 192.168.2.10.  Again, there is no mention of why this address was used in the doc and if it is supposed to have a particular value in my setup.  Does this need to be a valid address on the RV180W's subnet?
3.   Shrewsoft VPN client / Authentication tab / Address string:  the doc says this will be the same address as my item #2 so I'm good on this one (once I understand what goes into #2)

Thanks.
Adam