cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3628
Views
0
Helpful
1
Replies

Setting up IPSec connection on RV220W

spookyneo
Level 1
Level 1

Hi,

We bought a RV220W in order to get a VPN in our Small Business. The RV220W will only be used to let clients connect to it and not a tunnel between another VPN box.

We could use QuickVPN, but it won't be working in our case, because in order to use QuickVPN, the router wants to change its IP 10.x.y.1. Because we have multiple servers/services that are using a static IP, it would be quite painful to change the subnet. Therefore, we would like to stay on the same subnet and change it in worst case scenario only. This is why QuickVPN is not an option here.

We could use SSL VPN, but most of our clients who will connect to the VPN are using Windows 7 x64. I have tried the Windows 7 x64 fix told in the latest firmware release notes, but I can't get it to work on my computer, which is a Win7 x64. It might still be broken. Many of them are not very tech-savyy, so I can't tell them to use a virtual machine to connect.

We want a secure connection, therefore IPSec is better than PPTP. I've been trying to setup IPSec for the past hours but I can't get it working. At first, I wanted to use an SSL certificate, but having no luck with this, I switched to a Pre-shared Key (PSK) in order to get things simpler. Eventually I would like to use an SSL certificate, however I would like to get PSK working first to confirm that the IPSec connection is working.

I have attached with this post, screenshots of the IKE and VPN Policies. I have used the VPN Wizard in order to complete these fields. The local identifier is the WAN DynDNS FQDN. However, as for the remote FQDN, there should be none really, because clients are connecting to it, so the RV220W won't know in advance who's connecting and from where. I have read in the Help that when using the Responder type, the remote settings should not matter. Also, the PSK is 25 caracters long.

After setting the RV220W up, I have set up a L2TP/IPSec VPN connection on my Windows 7­. I have set up the connection to connect to the DynDNS address and set up the PSK in the Advanced settings. After I typed my IPSec username and password to connect (which was created in the IPSec users section), Windows tries to connect and times out :

Error 789 : The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.

At the same time on the RV220W, this error shows up in the logs :

2012-08-26 23:45:24: [rv220w][IKE] ERROR:  Could not find configuration for 24.54.xx.xx[500]

I can't figure out what I am doing wrong. I've read the Administration manual quite a few times and it seems that I have followed everything by the book.

I have tried to enable/disable my Windows firewall, but did not get any luck. The RV220W is located at a remote office, to make sure that I can connect from the outside, before you think that I'm trying to connect to the outside, from the inside I have changed few settings in the IKE policy to try to make it work. Settings such as the Exchange Mode, because I've read that the Aggressive mode had issues. At this moment, the settings are back to default, once the wizard has been run.

I am running out of ideas...I'm thinking about setting a PPTP to confirm that this works, then move up to IPSec PSK, then to IPSec SSL Certificate.

Anyone can help me out ?

Thank you,

Guillaume.

1 Reply 1

spookyneo
Level 1
Level 1

Hi all,

I have made some progress regarding my IPSec VPN Connection. First of all, the above issue has been resolved. It turned out that it was a misconfiguration on the client side (TheGreenBow).

I have another issue and a question.

I am not able to establish the VPN connection when NAT-T is set to Automatic or Forced in TheGreenBow. Everytime I try to connect with NAT-T set to Automatic or Forced, this error message appears in the log of TheGreenBow : unequal_payload_lengths. In the RV220W logs, this appears :

2012-09-03 17:47:46: [rv220w][IKE] INFO:  For 24.54.14.48[500], Selected NAT-T version: RFC 3947

2012-09-03 17:47:48: [rv220w][IKE] ERROR:  Phase 1 negotiation failed due to time up for 24.54.14.48[500]

I have done some researches on Google and did not find much about this issue. The only thing that I have found is that TheGreenBow uses port UDP 500 for Phase 1 and UDP 4500 for Phase 2. These ports must be configured for any firewalls, such as the Windows Firewall. When installing TheGreenBow VPN Client, it creates firewall rules automatically to let the traffic passthrough and these are enabled in my Windows Firewall. Since the RV220W is at a remote location and I am connecting to it from a location behind a Tomato router, I have also set Port Forwarding for UDP 500 and 4500 in my Tomato to my computer. I have also tried with my Windows Firewall disabled, but no luck. I have tried bypassing my ISP/Tomato router by using my Android phone in tethering mode. Using my cellular network on my comptuer resulted in the same error in TheGreenBow, unequal_payload_lengths. Therefore it does not seem to be my ISP or my Tomato router.

Anyone has ideas for this NAT-T issue ?

As for the question...I know it is a Cisco forum, but I know some users have experience with other VPN softwares such as TheGreenBow. Is there anyway that I can get a VPN Client IP set automatically when the connection is establish ? At this moment, I can only access the remote network if I set a static IP in TheGreenBow settings or use the default one (192.168.175.10) . If I don't set any VPN Client IP, I am not able to access the remote network. I am able to establish VPN connection, but not access the network ressources on the other end. Since I have few VPN clients to setup, I would like the RV220W to automatically send their IP when they connect to it. Also, if possible, pass the DNS settings. I heard about something called "mode-config"...but I don't see that anywhere in the RV220W.

Thank you guys,

Guillaume.