
Cisco VPN Behind Linksys Router (NAT Issues)

iconick
Level 1

Hi. I am having some problems with my setup and was looking for some help. The only thing I know about Cisco I have taught myself, as nothing really practical was taught to me in undergrad, just theory. I thank you guys in advance!

I have a unique setup that involves a Cisco 2611XM and a Linksys BEFSR41.

I am trying to set up a Cisco VPN that accepts Cisco VPN Clients (Windows 2000) that sits behind a BEFSR41 (NAT router). Before I go any further, let me give you the product specifics:

Cisco VPN Client Version 4.8.02.0010

IP Address 172.16.0.2 MASK 255.255.255.0

Linksys BEFSR41 Firmware Version 1.04.09

WAN IP Address 172.16.0.1 MASK 255.255.255.0

LAN IP Address 192.168.0.1 MASK 255.255.255.0

Cisco 2611XM IOS C2600-A3JK9S-M Version 12.3(22)

BEFSR41 Link IP Address 192.168.0.160 MASK 255.255.255.0

Backend Server IP Address 10.0.0.1 MASK 255.255.0.0

I have attached running-config.txt as the running configuration of this router.

Backend Server

Windows XP Professional

My test setup is as follows:

Cisco VPN Client <-> BEFSR41 <-> 2611XM <-> Backend Server

My problem is that the VPN client times out with Reason 412: Remote peer is no longer responding.

I have forwarded UDP port 500 and TCP port 10000 from the BEFSR41 to the 2611XM and have verified that the VPN client is using UDP to do VPN. Also, when I turn on debug crypto ipsec error and debug crypto isakmp error I see errors flash by on the console. I have attached isakmp_errors_with_linksys.txt as a log of these.

I have also placed Ethereal before and after the BEFSR41 and have verified that the ISAKMP packets are indeed UDP encapsulated and the only difference I see between the packets is the source and destination values and the time to live field, all three of which I consider to be part of normal routing.

While Ethereal was there, I never saw any return packets from the 2611XM back towards the BEFSR41.

When I take the BEFSR41 out of the picture, and instead connect the VPN client directly to the 2611XM (naturally the IP address is changed to that of the BEFSR41), I have no problems with connecting the VPN client. What is interesting is that I see even more errors with the debug crypto ipsec error and debug crypto isakmp error commands but the VPN seems to set up correctly. I have attached isakmp_errors_no_linksys.txt as a log of this.

Ethereal also shows the 2611XM sending connection packets back to the VPN client.

Once again, any help you guys can provide would be really appreciated!

2 Replies

jmiller
Level 1

Linksys products are known for not passing protocol 50 (ESP) correctly. I have installed the Linux hack for my Linksys systems to resolve this issue.

jmiller:

Thanks for the response. That is what I was guessing but don't fully understand why it matters if the packets are UDP encapsulated. In any event, I am working on getting rid of the Linksys from the equation completely.