Router-to-Router VPN Security

Hi there,
Should we worry about the security of a router-to-router VPN over the Internet (IPSec)?
We have two offices.
Office A has Cisco 2811 router (internal, private) and ASA 5510 firewall.
Office B has Cisco 2821 router (internal, private) and ASA 5505 firewall.
Office B has private subnets that extend to 7 hops away. (running RIP)
If we want to set up a site-to-site VPN between these two offices, should we set it up on the ASAs or on the routers?
If we set up VPN on routers, does that mean we need to connect one interface to the internet on each router and suffer from Internet attacks?
How do we defend our routers then?
Thanks in advance!
-Andrew

Hi,
when it comes to site-to-site VPN I usually prefer routers. With a little bit of tweaking of NAT and routing you should be able to operate a public address on the routers even if they are behind the firewall.
The advantage of IOS-based VPN is e.g. the possibility of running routing protocols through the VPN tunnels, which gives another level of resiliency. Configure tunnel interfaces on the routers with a tunnel mode IPsec and a tunnel protection profile. You can then run e.g. EIGRP to find a possible alternate path if one of the tunnels fails. It's much easier than anything I can think of on the ASA.
Rgds, MiKa
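As an added illustration of the tunnel-interface approach MiKa describes (example configuration written for this page, not taken from the thread), here is the Office A side of an IPsec VTI with EIGRP running across it, together with the inbound WAN ACL and management restrictions that address Andrew's question about exposing a router interface to the Internet. A_PUBLIC_IP, B_PUBLIC_IP, the 10.x subnets, the EIGRP AS number and the key are placeholders, and the interface names assume a 2811 with FastEthernet0/0 facing the Internet.

```cisco
! Office A router (2811). Placeholders: A_PUBLIC_IP / B_PUBLIC_IP are the two
! routers' Internet-facing addresses, 10.255.0.0/30 is a made-up tunnel link
! subnet, 10.1.0.0/16 and 10.2.0.0/16 stand in for the office LANs, EIGRP AS 100
! is arbitrary. Office B mirrors this with the addresses swapped.
!
! --- IKE phase 1: peer must prove knowledge of the shared key; AES/SHA/group 14
!     rather than the 3DES/group 2 defaults seen in older SDM-generated configs
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_LONG_RANDOM_KEY address B_PUBLIC_IP no-xauth
! Dead peer detection: a failed tunnel is torn down so EIGRP reconverges
crypto isakmp keepalive 10 3 periodic
!
! --- IPsec phase 2 proposal and the profile the tunnel interface will use
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile VTI-PROFILE
 set transform-set AES-SHA
!
! --- Virtual tunnel interface: a routed point-to-point link, so EIGRP can run
!     over it and decrypted traffic is attributed to Tunnel0, not to the WAN
!     interface (so the WAN ACL below only ever has to permit ESP/IKE)
interface Tunnel0
 description IPsec VTI to Office B
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination B_PUBLIC_IP
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! --- Internet-facing interface: only IKE (500), NAT-T (4500) and ESP from the
!     known peer are accepted; everything else aimed at the router is dropped and
!     logged, and the usual helper protocols are switched off
interface FastEthernet0/0
 description WAN
 ip address A_PUBLIC_IP 255.255.255.248
 ip access-group WAN-IN in
 no cdp enable
 no ip proxy-arp
 no ip redirects
 no ip unreachables
!
ip access-list extended WAN-IN
 permit udp host B_PUBLIC_IP eq isakmp host A_PUBLIC_IP eq isakmp
 permit udp host B_PUBLIC_IP eq non500-isakmp host A_PUBLIC_IP eq non500-isakmp
 permit esp host B_PUBLIC_IP host A_PUBLIC_IP
 permit icmp any host A_PUBLIC_IP echo-reply
 deny ip any any log
!
! --- Routing: EIGRP on the LAN and the tunnel only; the WAN interface is passive
!     so no neighbour relationship can be formed from the Internet side
router eigrp 100
 network 10.1.0.0 0.0.255.255
 network 10.255.0.0 0.0.0.3
 passive-interface FastEthernet0/0
 no auto-summary
!
! --- Management plane: SSH only, reachable from the internal network only
ip access-list standard MGMT
 permit 10.1.0.0 0.0.255.255
 deny any log
line vty 0 4
 access-class MGMT in
 transport input ssh
 login local
```

With a second tunnel (for example to a backup peer or over a second ISP) configured the same way, EIGRP simply prefers the surviving path when DPD tears one tunnel down.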

Similar Messages

  • Router to Router VPN with Overlapping internal networks

    Hello Experts,
    One quick question. How do I configure a Router to Router VPN with overlapping internal networks???
    Both of my internal networks have ip address of 192.168.10.0 and 192.168.10.0
    Any link or config will be appreciated. I've been looking but no luck.
    Thanks,
    Randall

    Randall,
    Please refer the below URL for configuration details:
    Configuring an IPSec Tunnel Between Routers with Duplicate LAN Subnets
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml
    Let me know if it helps.
    Regards,
    Arul
    ** Please rate all helpful posts **

  • 2851 router vpn to 851 router lan clients cannot ping

    Greets - I'm expanding my lab experience by adding a 2851 router to my mix of 18xx and 851/871 units. Some of this infrastructure is in production, some just lab work. I have established good connectivity between 18xx's and 851/871's with IPSEC VPNs (site-to-site static and dynamic), but my problem is with adding in a 2851.
    Setup: 2851 with 12.4 ADVENTK9, WAN on GE0/0 as 216.189.223.bbb/26, LAN on GE0/1 as 172.20.0.1/20 (VPN module, but no additional HWIC modules)
    851 with 12.4 ADVENTK9, WAN on FE4 as 216.53.254.aaa/24, LAN on FE0..3 via BVI1 as 172.21.1.1/24
    The two router WAN ports are bridged via a 3rd router (a Zywall with 216.0.0.0/8 route, with the router at 216.1.1.1) affectionately called the "InterNOT", which provides a surrogate to the great web, minus actual other hosts and dns, but it doesn't matter. As both my WAN addresses are within 216.x.x.x, this works quite well. This surrogate has tested fine and is known to not be part of a problem.
    The 851 has been tested against another 851 with complementary setup and a successful VPN can run between the two.
    I have good LAN-WAN connections on each router. I do have a "Good" VPN connection between the two routers.
    The problem: I cannot ping from a LAN host on 172.20.x.x on the 2851 to any 172.21.1.x (eg 172.21.1.1) host on the 851, and vice versa.
    From a LAN host, I can ping to my InterNOT - for example a dhcp host 172.20.6.2 on the 2851 LAN can ping 216.1.1.1 fine. I can also ping the 851's WAN address at 216.53.254.aaa.
    To complicate matters, if I connect to the routers via console, I CAN ping across the vpn to the destination LAN hosts, in both directions.
    This seems to indicate that there is a bridging problem between the LAN interfaces to the VPN interfaces. I suspect this is a config problem on the 2851, as I have had a similar config working on my 851 to 851 site-to-site setups. I also suspect it is in the 2851's config as I'm still just starting out with this particular router.
    So some stripped-down configs:
    For the 2851:
    no service config
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname router2851
    boot-start-marker
    boot-end-marker
    no logging buffered
    no logging console
    enable password mypassword2
    no aaa new-model
    dot11 syslog
    no ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 172.20.0.1 172.20.6.1
    ip dhcp excluded-address 172.20.6.254 172.20.15.254
    ip dhcp pool Internal_2000
       import all
       network 172.20.0.0 255.255.240.0
       domain-name myseconddomain.int
       default-router 172.20.0.1
       lease 7
    no ip domain lookup
    multilink bundle-name authenticated
    voice-card 0
     no dspfarm
    crypto pki <<truncated>>
    crypto pki certificate chain TP-self-signed-2995823027
     <<truncated>>
          quit
    username myusername privilege 15 password 0 mypassword2
    archive
     log config
      hidekeys
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key mysharedkey address 216.53.254.aaa
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map SDM_CMAP_1 1 ipsec-isakmp
     description Tunnel to216.53.254.aaa
     set peer 216.53.254.aaa
     set transform-set ESP-3DES-SHA
     match address 100
    interface GigabitEthernet0/0
     description $ETH-WAN$
     ip address 216.189.223.bbb 255.255.255.192
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     crypto map SDM_CMAP_1
     no shut
    interface GigabitEthernet0/1
     description $FW_INSIDE$$ETH-LAN$
     ip address 172.20.0.1 255.255.240.0
     ip nat inside
     ip virtual-reassembly
     no ip route-cache
     duplex auto
     speed auto
     no mop enabled
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
    ip http server
    ip http authentication local
    ip http secure-server
    ip dns server
    ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 172.20.0.0 0.0.15.255
    access-list 100 remark CCP_ACL Category=4
    access-list 100 remark IPSec Rule
    access-list 100 permit ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
    access-list 101 remark CCP_ACL Category=2
    access-list 101 remark IPSec Rule
    access-list 101 deny   ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
    access-list 101 permit ip 172.20.0.0 0.0.15.255 any
    route-map SDM_RMAP_1 permit 1
     match ip address 101
    control-plane
    banner motd ~This is a private computer system for authorized use only. And Stuff~
    line con 0
    line aux 0
    line vty 0 4
     privilege level 15
     password mypassword
     login local
     transport input telnet ssh
    scheduler allocate 20000 1000
    end
    And for the 851:
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname router851
    boot-start-marker
    boot-end-marker
    logging buffered 52000 debugging
    no logging console
    enable password mypassword
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa session-id common
    resource policy
    clock timezone PCTime -5
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    no ip dhcp use vrf connected
    ip dhcp excluded-address 172.21.1.1 172.21.1.100
    ip dhcp pool Internal_2101
       import all
       network 172.21.1.0 255.255.255.0
       default-router 172.21.1.1
       domain-name mydomain.int
       dns-server 172.21.1.10
       lease 4
    ip cef
    ip domain name mydomain.int
    ip name-server 172.21.1.10
    crypto pki <<truncated>>
    crypto pki certificate chain TP-self-signed-3077836316
     <<truncated>>
      quit
    username myusername privilege 15 password 0 mypassword2
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key mysharedkey address 216.189.223.aaa
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
    crypto map SDM_CMAP_1 1 ipsec-isakmp
     description Tunnel to216.189.223.bbb
     set peer 216.189.223.bbb
     set transform-set ESP-3DES-SHA2
     match address 100
    bridge irb
    interface FastEthernet0
     spanning-tree portfast
    interface FastEthernet1
     spanning-tree portfast
    interface FastEthernet2
     spanning-tree portfast
    interface FastEthernet3
     spanning-tree portfast
    interface FastEthernet4
     description $ETH-WAN$
     ip address 216.53.254.aaa 255.255.254.0
     ip nat outside
     ip virtual-reassembly
     ip tcp adjust-mss 1460
     duplex auto
     speed auto
     no cdp enable
     crypto map SDM_CMAP_1
     no shut
    interface Vlan1
     description Internal Network
     no ip address
     ip nat inside
     ip virtual-reassembly
     bridge-group 1
     bridge-group 1 spanning-disabled
    interface BVI1
     description Bridge to Internal Network
     ip address 172.21.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    ip route 0.0.0.0 0.0.0.0 FastEthernet4
    ip route 172.21.1.0 255.255.255.0 BVI1
    ip http server
    ip http secure-server
    ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 172.21.1.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=4
    access-list 100 remark IPSec Rule
    access-list 100 permit ip 172.21.1.0 0.0.0.255 172.20.0.0 0.0.15.255
    access-list 101 remark CCP_ACL Category=2
    access-list 101 remark IPSec Rule
    access-list 101 deny   ip 172.21.1.0 0.0.0.255 172.20.0.0 0.0.15.255
    access-list 101 remark IPSec Rule
    access-list 101 deny   ip 172.21.1.0 0.0.0.255 172.21.101.0 0.0.0.31
    access-list 101 permit ip 172.21.1.0 0.0.0.255 any
    route-map SDM_RMAP_1 permit 1
     match ip address 101
    control-plane
    bridge 1 route ip
    banner motd ~This is a private computer system for authorized use only. And Stuff.~
    line con 0
     password mypassword
     no modem enable
    line aux 0
    line vty 0 4
     password mypassword
    scheduler max-task-time 5000
    end
    Note that the above are somewhat stripped-down configs, without firewall or WAN ACL's - interestingly my default WAN-Inbound ACLs seem to break connectivity when included, so I realize I have some more cleanup to do there, but the 2851 LAN bridging seems to be what I should concentrate on first.
    I'm still googling some of the particulars with the 2851, but any assistance is appreciated.
    Regards,
    Ted.

    Hi,
First, please delete NAT. If we configured the NAT in the RRAS, the source IP address in all packets sent to 192.168.1.0/24 would be translated to 192.168.1.224.
Second, please enable LAN routing in the RRAS server. To enable LAN routing, please follow the steps below:
1. In the RRAS server, open Routing and Remote Access.
2. Right-click the server name, then click Properties.
3. On the General tab, select the IPv4 Router check box, and then click Local area network (LAN) routing only.
Then, announce the 172.16.0.0 network to the router.
To learn more details about enabling LAN routing, please refer to the link below:
http://technet.microsoft.com/en-us/library/dd458974.aspx
    Best Regards,
    Tina

  • Configure RVS4000 Behind 2700-Gateway Qwest DSL Router VPN

    I have my QWEST DSL Router 2700-Gateway using a static public IP address
    This is setup to be the DHCP and assigned 192.168.0.2-50
I need some help on how to connect my RVS4000 and utilize VPN so I can connect to my work network from home. The 2700-Gateway has some features like Transparent Bridging, etc., but I'm not sure how to make this work. Can anyone point me to an article, even if it's configuring with another DSL router?
    Here is how I tried with my medium knowledge of networking...
    I have configured the RVS4000 as:
    LAN Static IP
    192.168.0.115
    Configured as DHCP Relay
    the 2700-Gateway router saw the device so:
    Configured firewall on 2700-Gateway for PORT FORWARDING:
    TCP port 1723 for PPTP tunnel maintenance traffic
    UDP port 47 Generic Routing Encapsulation (GRE)
    UDP port 500 for Internet Key Exchange (IKE) traffic
    UDP port 1701 for L2TP traffic
    --> 192.168.0.115
    This did not work.

    gv,
Thanks for your help. I discovered the EasyVPN works quite differently than I expected an IPSec VPN to work. Thanks for the suggestions. I documented my findings and procedure below.
The answer was to use the transparent bridging setting on my DSL modem model 2Wire GATEWAY HG-2700 and turn off Search PVC, then set up the PPPoE on the RVS4000 VPN router to accept and authenticate my public IP address.
    Once I had the modem and router configured, I then had my RVS4000 VPN router ready to test VPN client. The documentation is vague. But after doing some research on here and having some difficulty:
    My Finding:
    I already had latest Firmware 1.109 from purchase
On the client, I discovered from reading that the EasyVPN uses 443. Well, I have this forwarding to an Exchange server to utilize RPC/HTTPS with Outlook. It turns out that this was fixed with the latest firmware.
    The new firmware allows this, as they fixed the vpn listening port override to port 60443..
    I port forwarded this to my router gateway 192.168.1.1
In order to use this port, you must have the latest client from the downloads at RVS4000, version 1.10, which adds a drop box Auto/443/60433. I found auto and 60443 to work with my configuration.
    This configuration let me connect successfully.
    If you read the readme that's included with the EasyVPN client download, you have to export the client cert under VPN, and copy the file *.pem to the root folder of the vpn client.exe stated in readme to get rid of the security popup. This worked for me.
So everything seems to be connecting.. But now I get "The remote gateway is not responding" popup. I tried the suggested MTU setting with no luck.
    After establishing a network share under map drive, this seems to have stop responding as well once this popup occurs.
    Things like this should just not be so hard..
So I found this post in regards to my problem and am hoping to hear if anyone else has found a solution or workaround here. Good night, some things are just not worth staying up late for,
    http://forums.linksys.com/linksys/board/message?board.id=Wired_Routers&message.id=13651#M13651
    Message Edited by MOTOGEEK on 12-10-2007 11:01 PM
    Message Edited by MOTOGEEK on 12-10-2007 11:04 PM
    Message Edited by MOTOGEEK on 12-10-2007 11:05 PM

  • Router vpn interface

    Hi,
I usually use a Cisco ASA to connect site-to-site VPN. The outside Eth0/0 interface I usually use for the public Internet static IP and Eth0/1 to connect the internal network.
For routers, I have seen a lot of examples over the web. They usually use FE0/1 for the public Internet static IP for both site-to-site VPN connection points and FE0/0 for the internal network. Could you tell me why? My concept is that the outside interface FE0/0 must be used for the public IP address because of the lower security level. Please help to explain. Thank you

    Hi,
The interface ID doesn't have anything to do with the interface's security on its own. On an ASA the "security-level" is used to define which is the least secure interface (the one facing the Internet), not the port ID.
    You are free to use any physical interface on a Cisco Router or ASA to whatever purpose you want.
    Most people tend to use the port with the ID 0/0 for "outside" and the others for local network connections.
    There is nothing stopping you from using something different.
    - Jouni

  • 877 using fe as WAN (ISP provider modem/router) - VPN won't come up!

    Hi,
Due to some changes with our ISP, the ATM interface on the 877 router won't support stable connections anymore. The fix I'm having to do is to use our ISP-provided modem/router, and have the 877 use an FE port as a WAN port and initiate the VPN from there.
    I've had issues with getting the WAN port to work correctly that I got fixed here:
    https://supportforums.cisco.com/message/4090973
    Now I've got to get this bit going then I'm all good!
    Basic set up is:
    Remote firewall <-> internet <-> local ISP (modem/router) <-> Cisco 877 <-> laptop/switch etc
    172.20.0.0/16                             192.168.1.254       192.168.1.139    172.30.99.1     172.30.99.0/24
    Current config is:
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    hostname ITTEST
    boot-start-marker
    boot system flash:c870-advipservicesk9-mz.124-24.T6.bin
    boot-end-marker
    logging message-counter syslog
    logging buffered 10240
    enable secret
    enable password
    no aaa new-model
    clock timezone GMT 0
    clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
    dot11 syslog
    no ip source-route
    ip dhcp excluded-address 172.30.99.1 172.30.99.100
    ip dhcp pool dhcppool
       import all
       network 172.30.99.0 255.255.255.0
       default-router 172.30.99.1
       dns-server 172.30.99.1 172.20.0.120 172.20.0.121
       domain-name gratte.com
       update arp
    ip cef
    ip domain name gratte.com
    ip name-server 192.168.1.254
    ip name-server 172.20.0.120
    ip name-server 172.20.0.121
    no ipv6 cef
    multilink bundle-name authenticated
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key <presharedkey> address xxx.xxx.xxx.xxx no-xauth
    crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac
    crypto ipsec profile IPSEC-VPN
    set transform-set 3DESSHA
    archive
    log config
      hidekeys
    interface Tunnel0
    description --- IPSec Tunnel to KX ---
    ip address 172.30.99.10 255.255.255.252
    ip ospf mtu-ignore
    load-interval 30
    tunnel source Vlan1
    tunnel destination xxx.xxx.xxx.xxx
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile IPSEC-VPN
    interface ATM0
    no ip address
    shutdown
    no atm ilmi-keepalive
    interface FastEthernet0
    description DATA
    spanning-tree portfast
    interface FastEthernet1
    description VOICE
    switchport access vlan 100
    switchport voice vlan 100
    spanning-tree portfast
    interface FastEthernet2
    shutdown
    interface FastEthernet3
    switchport access vlan 666
    no cdp enable
    spanning-tree portfast
    interface Vlan1
    ip address 172.30.99.1 255.255.255.252
    ip nat inside
    ip virtual-reassembly
    interface Vlan666
    ip address 192.168.1.139 255.255.255.0
    ip nat outside
    ip virtual-reassembly
    interface Dialer0
    no ip address
    ip default-gateway 192.168.1.254
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 192.168.1.254
    ip route 10.20.0.0 255.255.0.0 Tunnel0
    ip route 10.21.0.0 255.255.0.0 Tunnel0
    ip route 64.156.192.220 255.255.255.255 Tunnel0
    ip route 64.156.192.245 255.255.255.255 Tunnel0
    ip route 74.50.50.16 255.255.255.255 Tunnel0
    ip route 74.50.63.14 255.255.255.255 Tunnel0
    ip route 172.16.0.0 255.240.0.0 Tunnel0
    ip route 172.30.99.0 255.255.255.0 Vlan1
    no ip http server
    no ip http secure-server
    ip dns server
    ip nat inside source list 100 interface Vlan666 overload
    access-list 100 permit ip 172.30.99.0 0.0.0.255 any
    access-list 199 permit icmp any any
    snmp-server community public RO
    snmp-server community blobby RW
    control-plane
    line con 0
    password
    login
    no modem enable
    line aux 0
    line vty 0 4
    password
    login
    scheduler max-task-time 5000
    ntp server 72.8.140.222
    ntp server 172.20.0.120
    ntp server 172.20.0.121
    end
    Hope someone can help!

    And pretty much an hour to the time of when it dropped out, it's kicked back in:
    02:00:40: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA
    02:00:40: %CRYPTO-4-IKMP_NO_SA: IKE message from has no SA and is not an initialization offer
    02:00:42: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA
    02:00:45: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA
    02:00:45: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA
    02:00:50: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA
    02:00:50: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA
    02:00:55: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA
    02:00:57: IPSEC(sa_request): ,
      (key eng. msg.) OUTBOUND local= 172.30.99.1, remote= ,
        local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
        remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
        protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
        lifedur= 3600s and 4608000kb,
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
    02:00:57: IPSEC(lifetime_expiry): SA lifetime threshold reached, expiring in 68 seconds
    02:00:57: ISAKMP: set new node 0 to QM_IDLE
    02:00:57: SA has outstanding requests  (local 132.76.193.228 port 500, remote 132.76.193.200 port 500)
    02:00:57: ISAKMP:(2002): sitting IDLE. Starting QM immediately (QM_IDLE      )
    02:00:57: ISAKMP:(2002):beginning Quick Mode exchange, M-ID of 1560671909
    02:00:57: ISAKMP:(2002):QM Initiator gets spi
    02:00:57: ISAKMP:(2002): sending packet to my_port 500 peer_port 500 (I) QM_IDLE
    02:00:57: ISAKMP:(2002):Sending an IKE IPv4 Packet.
    02:00:57: ISAKMP:(2002):Node 1560671909, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    02:00:57: ISAKMP:(2002):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
    02:00:58: ISAKMP (2002): received packet from dport 500 sport 500 Global (I) QM_IDLE
    02:00:58: ISAKMP: set new node 1105416027 to QM_IDLE
    02:00:58: ISAKMP:(2002): processing HASH payload. message ID = 1105416027
    02:00:58: ISAKMP:(2002): processing SA payload. message ID = 1105416027
    02:00:58: ISAKMP:(2002):Checking IPSec proposal 1
    02:00:58: ISAKMP: transform 1, ESP_3DES
    02:00:58: ISAKMP:   attributes in transform:
    02:00:58: ISAKMP:      SA life type in seconds
    02:00:58: ISAKMP:      SA life duration (basic) of 3600
    02:00:58: ISAKMP:      encaps is 1 (Tunnel)
    02:00:58: ISAKMP:      key length is 192
    02:00:58: ISAKMP:      authenticator is HMAC-SHA
    02:00:58: ISAKMP:(2002):atts are acceptable.
    02:00:58: ISAKMP:(2002):Checking IPSec proposal 1
    02:00:58: ISAKMP: transform 2, ESP_3DES
    02:00:58: ISAKMP:   attributes in transform:
    02:00:58: ISAKMP:      SA life type in seconds
    02:00:58: ISAKMP:      SA life duration (basic) of 3600
    02:00:58: ISAKMP:      encaps is 1 (Tunnel)
    02:00:58: ISAKMP:      authenticator is HMAC-SHA
    02:00:58: ISAKMP:(2002):atts are acceptable.
    02:00:58: IPSEC(validate_proposal_request): proposal part #1
    02:00:58: IPSEC(validate_proposal_request): proposal part #1,
      (key eng. msg.) INBOUND local= 172.30.99.1, remote= ,
        local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
        remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
        protocol= ESP, transform= NONE  (Tunnel),
        lifedur= 0s and 0kb,
        spi= 0x0(0), conn_id= 0, keysize= 192, flags= 0x0
    02:00:58: Crypto mapdb : proxy_match
            src addr     : 0.0.0.0
            dst addr     : 0.0.0.0
            protocol     : 0
            src port     : 0
            dst port     : 0
    02:00:58: ISAKMP:(2002): processing NONCE payload. message ID = 1105416027
    02:00:58: ISAKMP:(2002): processing ID payload. message ID = 1105416027
    02:00:58: ISAKMP:(2002): processing ID payload. message ID = 1105416027
    02:00:58: ISAKMP:(2002):QM Responder gets spi
    02:00:58: ISAKMP:(2002):Node 1105416027, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    02:00:58: ISAKMP:(2002):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
    02:00:58: ISAKMP:(2002): Creating IPSec SAs
    02:00:58:         inbound SA from to 172.30.99.1 (f/i)  0/ 0
            (proxy 0.0.0.0 to 0.0.0.0)
    02:00:58:         has spi 0x48E03F51 and conn_id 0
    02:00:58:         lifetime of 3600 seconds
    02:00:58:         outbound SA from 172.30.99.1 to (f/i) 0/0
            (proxy 0.0.0.0 to 0.0.0.0)
    02:00:58:         has spi  0xD4AF8B3C and conn_id 0
    02:00:58:         lifetime of 3600 seconds
    02:00:58: ISAKMP:(2002): sending packet to my_port 500 peer_port 500 (I) QM_IDLE
    02:00:58: ISAKMP:(2002):Sending an IKE IPv4 Packet.
    02:00:58: ISAKMP:(2002):Node 1105416027, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
    02:00:58: ISAKMP:(2002):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
    02:00:58: IPSEC(key_engine): got a queue event with 1 KMI message(s)
    02:00:58: Crypto mapdb : proxy_match
            src addr     : 0.0.0.0
            dst addr     : 0.0.0.0
            protocol     : 0
            src port     : 0
            dst port     : 0
    02:00:58: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer
    02:00:58: IPSEC(create_sa): sa created,
      (sa) sa_dest= 172.30.99.1, sa_proto= 50,
        sa_spi= 0x48E03F51(1222655825),
        sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 5
        sa_lifetime(k/sec)= (4450631/3600)
    02:00:58: IPSEC(create_sa): sa created,
      (sa) sa_dest= , sa_proto= 50,
        sa_spi= 0xD4AF8B3C(3568274236),
        sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 6
        sa_lifetime(k/sec)= (4450631/3600)
    02:00:58: ISAKMP (2002): received packet from dport 500 sport 500 Global (I) QM_IDLE
    02:00:58: ISAKMP:(2002):deleting node 1105416027 error FALSE reason "QM done (await)"
    02:00:58: ISAKMP:(2002):Node 1105416027, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    02:00:58: ISAKMP:(2002):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
    02:00:58: IPSEC(key_engine): got a queue event with 1 KMI message(s)
    02:00:58: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
    02:00:58: IPSEC(key_engine_enable_outbound): enable SA with spi 3568274236/50
    02:00:58: IPSEC(update_current_outbound_sa): updated peer current outbound sa to SPI D4AF8B3C
    02:00:59: ISAKMP (2002): received packet from dport 500 sport 500 Global (I) QM_IDLE
    02:00:59: ISAKMP: set new node -1124267365 to QM_IDLE
    02:00:59: ISAKMP:(2002): processing HASH payload. message ID = -1124267365
    02:00:59: ISAKMP:(2002): processing DELETE payload. message ID = -1124267365
    02:00:59: ISAKMP:(2002):peer does not do paranoid keepalives.
    02:00:59: ISAKMP:(2002):deleting node -1124267365 error FALSE reason "Informational (in) state 1"
    02:00:59: IPSEC(key_engine): got a queue event with 1 KMI message(s)
    02:00:59: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
    02:00:59: IPSEC(key_engine_delete_sas): delete SA with spi 0xBDD33AB1 proto 50 for
    02:00:59: IPSEC(delete_sa): deleting SA,
      (sa) sa_dest= 172.30.99.1, sa_proto= 50,
        sa_spi= 0x539777E6(1402435558),
        sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3
        sa_lifetime(k/sec)= (4412467/3600),
      (identity) local= 172.30.99.1, remote= ,
        local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
        remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
    02:00:59: IPSEC(delete_sa): deleting SA,
      (sa) sa_dest= , sa_proto= 50,
        sa_spi= 0xBDD33AB1(3184736945),
        sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 4
        sa_lifetime(k/sec)= (4412467/3600),
      (identity) local= 172.30.99.1, remote= ,
        local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
        remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
    02:01:00: ISAKMP (2002): received packet from dport 500 sport 500 Global (I) QM_IDLE
    02:01:00: ISAKMP: set new node -2105526428 to QM_IDLE
    02:01:00: ISAKMP:(2002): processing HASH payload. message ID = -2105526428
    02:01:00: ISAKMP:(2002): processing NOTIFY DPD/R_U_THERE protocol 1
            spi 0, message ID = -2105526428, sa = 844CC060
    02:01:00: ISAKMP:(2002):deleting node -2105526428 error FALSE reason "Informational (in) state 1"
    02:01:00: ISAKMP:(2002):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    02:01:00: ISAKMP:(2002):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    02:01:00: ISAKMP:(2002):DPD/R_U_THERE received from peer , sequence 0x22D
    02:01:00: ISAKMP: set new node 971443288 to QM_IDLE
    02:01:00: ISAKMP:(2002):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
            spi 2220478360, message ID = 971443288
    02:01:00: ISAKMP:(2002): seq. no 0x22D
    02:01:00: ISAKMP:(2002): sending packet to my_port 500 peer_port 500 (I) QM_IDLE
    02:01:00: ISAKMP:(2002):Sending an IKE IPv4 Packet.
    02:01:00: ISAKMP:(2002):purging node 971443288
    02:01:00: ISAKMP:(2002):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
    02:01:00: ISAKMP:(2002):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    02:01:02: ISAKMP (2002): received packet from dport 500 sport 500 Global (I) QM_IDLE
    02:01:02: ISAKMP:(2002): processing HASH payload. message ID = 1560671909
    02:01:02: ISAKMP:(2002): processing SA payload. message ID = 1560671909
    02:01:02: ISAKMP:(2002):Checking IPSec proposal 1
    02:01:02: ISAKMP: transform 1, ESP_3DES
    02:01:02: ISAKMP:   attributes in transform:
    02:01:02: ISAKMP:      encaps is 1 (Tunnel)
    02:01:02: ISAKMP:      SA life type in seconds
    02:01:02: ISAKMP:      SA life duration (basic) of 3600
    02:01:02: ISAKMP:      SA life type in kilobytes
    02:01:02: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
    02:01:02: ISAKMP:      authenticator is HMAC-SHA
    02:01:02: ISAKMP:(2002):atts are acceptable.
    02:01:02: IPSEC(validate_proposal_request): proposal part #1
    02:01:02: IPSEC(validate_proposal_request): proposal part #1,
      (key eng. msg.) INBOUND local= 172.30.99.1, remote= ,
        local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
        remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
        protocol= ESP, transform= NONE  (Tunnel),
        lifedur= 0s and 0kb,
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
    02:01:02: Crypto mapdb : proxy_match
            src addr     : 0.0.0.0
            dst addr     : 0.0.0.0
            protocol     : 0
            src port     : 0
            dst port     : 0
    02:01:02: ISAKMP:(2002): processing NONCE payload. message ID = 1560671909
    02:01:02: ISAKMP:(2002): processing ID payload. message ID = 1560671909
    02:01:02: ISAKMP:(2002): processing ID payload. message ID = 1560671909
    02:01:02: ISAKMP:(2002): Creating IPSec SAs
    02:01:02:         inbound SA from to 172.30.99.1 (f/i)  0/ 0
            (proxy 0.0.0.0 to 0.0.0.0)
    02:01:02:         has spi 0x84F77E7D and conn_id 0
    02:01:02:         lifetime of 3600 seconds
    02:01:02:         lifetime of 4608000 kilobytes
    02:01:02:         outbound SA from 172.30.99.1 to (f/i) 0/0
            (proxy 0.0.0.0 to 0.0.0.0)
    02:01:02:         has spi  0xCA486707 and conn_id 0
    02:01:02:         lifetime of 3600 seconds
    02:01:02:         lifetime of 4608000 kilobytes
    02:01:02: ISAKMP:(2002): sending packet to my_port 500 peer_port 500 (I) QM_IDLE
    02:01:02: ISAKMP:(2002):Sending an IKE IPv4 Packet.
    02:01:02: ISAKMP:(2002):deleting node 1560671909 error FALSE reason "No Error"
    02:01:02: ISAKMP:(2002):Node 1560671909, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    02:01:02: ISAKMP:(2002):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
    02:01:02: IPSEC(key_engine): got a queue event with 1 KMI message(s)
    02:01:02: Crypto mapdb : proxy_match
            src addr     : 0.0.0.0
            dst addr     : 0.0.0.0
            protocol     : 0
            src port     : 0
            dst port     : 0
    02:01:02: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer
    02:01:02: IPSEC(create_sa): sa created,
      (sa) sa_dest= 172.30.99.1, sa_proto= 50,
        sa_spi= 0x84F77E7D(2230812285),
        sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 7
        sa_lifetime(k/sec)= (4550947/3600)
    02:01:02: IPSEC(create_sa): sa created,
      (sa) sa_dest= , sa_proto= 50,
        sa_spi= 0xCA486707(3393742599),
        sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 8
        sa_lifetime(k/sec)= (4550947/3600)
    02:01:02: IPSEC(update_current_outbound_sa): updated peer current outbound sa to SPI CA486707
    02:01:02: IPSEC(check_delete_duplicate_sa_bundle): found duplicated fresh SA bundle, aging it out. min_spi=48E03F51
    02:01:02: IPSEC(early_age_out_sibling): sibling outbound SPI D4AF8B3C expiring in 30 seconds due to it's a duplicate SA bundle.
    02:01:03: ISAKMP (2002): received packet from dport 500 sport 500 Global (I) QM_IDLE
    02:01:03: ISAKMP: set new node 2041302203 to QM_IDLE
    02:01:03: ISAKMP:(2002): processing HASH payload. message ID = 2041302203
    02:01:03: ISAKMP:(2002): processing DELETE payload. message ID = 2041302203
    02:01:03: ISAKMP:(2002):peer does not do paranoid keepalives.
    02:01:03: ISAKMP:(2002):deleting node 2041302203 error FALSE reason "Informational (in) state 1"
    02:01:03: IPSEC(key_engine): got a queue event with 1 KMI message(s)
    02:01:03: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
    02:01:03: IPSEC(key_engine_delete_sas): delete SA with spi 0xD4AF8B3C proto 50 for
    02:01:03: IPSEC(delete_sa): deleting SA,
      (sa) sa_dest= 172.30.99.1, sa_proto= 50,
        sa_spi= 0x48E03F51(1222655825),
        sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 5
        sa_lifetime(k/sec)= (4450631/3600),
      (identity) local= 172.30.99.1, remote= ,
        local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
        remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
    02:01:03: IPSEC(delete_sa): deleting SA,
      (sa) sa_dest= , sa_proto= 50,
        sa_spi= 0xD4AF8B3C(3568274236),
        sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 6
        sa_lifetime(k/sec)= (4450631/3600),
      (identity) local= 172.30.99.1, remote= ,
        local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
        remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
    02:01:48: ISAKMP:(2002):purging node 1105416027
    02:01:49: ISAKMP:(2002):purging node -1124267365
    02:01:50: ISAKMP:(2002):purging node -2105526428
    02:01:52: ISAKMP:(2002):purging node 1560671909
    02:01:53: ISAKMP:(2002):purging node 2041302203
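Reconciling the `debug crypto ipsec` output above by hand is error-prone, so here is an added Python example (not from the original post) that parses the `IPSEC(create_sa)` / `IPSEC(delete_sa)` records together with the outbound-SA update and the duplicate-bundle notice, and reports which SPIs are live and which belong to the bundle the router aged out. The sample log is constructed from lines quoted above; the redacted `sa_dest= ,` fields are kept to show they parse as empty.

```python
"""Reconcile IPsec SA lifecycle from Cisco IOS `debug crypto ipsec` output (added example)."""
import re
from dataclasses import dataclass, field
# Constructed sample built from the debug lines quoted above; the peer address
# was redacted in the post, so the outbound sa_dest fields are empty.
SAMPLE_LOG = """\
02:01:02: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.30.99.1, sa_proto= 50,
    sa_spi= 0x84F77E7D(2230812285),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 7
02:01:02: IPSEC(create_sa): sa created,
  (sa) sa_dest= , sa_proto= 50,
    sa_spi= 0xCA486707(3393742599),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 8
02:01:02: IPSEC(update_current_outbound_sa): updated peer current outbound sa to SPI CA486707
02:01:02: IPSEC(check_delete_duplicate_sa_bundle): found duplicated fresh SA bundle, aging it out. min_spi=48E03F51
02:01:03: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 172.30.99.1, sa_proto= 50,
    sa_spi= 0x48E03F51(1222655825),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 5
02:01:03: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= , sa_proto= 50,
    sa_spi= 0xD4AF8B3C(3568274236),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 6
"""

TS_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d): (?P<body>.*)$")
EVENT_RE = re.compile(r"^IPSEC\((?P<action>create|delete)_sa\)")
OUTSPI_RE = re.compile(r"current outbound sa to SPI (?P<spi>[0-9A-Fa-f]+)")
MINSPI_RE = re.compile(r"duplicated fresh SA bundle.*min_spi=(?P<spi>[0-9A-Fa-f]+)")
SPI_RE = re.compile(r"sa_spi=\s*0x(?P<spi>[0-9A-Fa-f]+)")
DEST_RE = re.compile(r"sa_dest=\s*(?P<dest>[\d.]*)\s*,")
TRANS_RE = re.compile(r"sa_trans=\s*(?P<trans>[^,]+?)\s*,")


@dataclass
class SaEvent:
    ts: str
    action: str         # "create" or "delete"
    spi: str = ""       # upper-case hex without the 0x prefix
    dest: str = ""      # empty when the address was redacted
    transform: str = ""


@dataclass
class DebugSummary:
    events: list = field(default_factory=list)
    current_outbound: str = ""   # SPI the router now sends on
    duplicate_min_spi: str = ""  # lowest SPI of the bundle it aged out


def parse_ipsec_debug(text: str) -> DebugSummary:
    # Indented lines are attributed to the preceding create/delete record.
    summary, current = DebugSummary(), None
    for raw in text.splitlines():
        line = raw.strip()              # tolerate forum/paste indentation
        ts = TS_RE.match(line)
        if ts:                          # a new timestamped record begins
            current, body = None, ts.group("body")
            if m := OUTSPI_RE.search(body):
                summary.current_outbound = m.group("spi").upper()
            elif m := MINSPI_RE.search(body):
                summary.duplicate_min_spi = m.group("spi").upper()
            elif m := EVENT_RE.match(body):
                current = SaEvent(ts=ts.group("ts"), action=m.group("action"))
                summary.events.append(current)
        elif current is not None:       # continuation line of a tracked record
            if m := SPI_RE.search(line):
                current.spi = m.group("spi").upper()
            if m := DEST_RE.search(line):
                current.dest = m.group("dest")
            if m := TRANS_RE.search(line):
                current.transform = m.group("trans")
    return summary


def reconcile(summary: DebugSummary) -> dict:
    # Pair creates with deletes and check the router's own notices against them.
    created = {e.spi for e in summary.events if e.action == "create"}
    deleted = {e.spi for e in summary.events if e.action == "delete"}
    return {
        "live": sorted(created - deleted),
        "deleted_older": sorted(deleted - created),  # torn down, created before the capture
        "outbound_is_live": summary.current_outbound in (created - deleted),
        "duplicate_bundle_removed": summary.duplicate_min_spi in deleted,
    }
```

Run `reconcile(parse_ipsec_debug(SAMPLE_LOG))` to see the two fresh SPIs reported live and the two older ones (including the `min_spi` the router named) confirmed as deleted.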

  • T1114 4G router with security camera setup?

    Has anyone been able to set up security cameras with the 4G LTE Broadband Router with Voice model T1114? I have been talking to Verizon, Foscam and Novotel and I am getting absolutely nowhere. I'd hate to have to keep my DSL service just because of my security cameras, but at this point it's looking like that may be a possibility. If anyone has a solution or guidance, I'd appreciate it.

    > is that a complicated work around or is it fairly simple?
    It's simple in design, but could be complicated to configure and maintain depending on your network comfort level. Considering your goal is to access cameras and not a PC, you will need the assistance of an additional VPN router. Set up the Jetpack (or USB modem) to act like a modem and link it to a VPN router with a wireless bridging feature. From there you configure the VPN router to automatically connect to your desired VPN server as long as the Jetpack is online and providing a connection.
    The setup would look something like this:
    - VZW ))) Jetpack ))) VPNRouter === Cam1
    - VZW ))) Jetpack ))) VPNRouter === Cam2
    - VZW ))) Jetpack ))) VPNRouter === Cam3
    - etc
    If the cameras happen to be wireless then the VPN router should be able to accommodate those connections too, but I wouldn't recommend relying on wireless any more than you need to considering how much is going on already.
    VPN connectivity is a feature on some more advanced home routers and can also be re-flashed on others with the use of custom firmware.  DD-WRT can enable this functionality for free if you happen to have a compatible router lying around that supports wireless bridging.  VZW does not offer any products for you that can do this so you will have to look elsewhere.
    Wireless bridging is the process of connecting one router to another over WiFi. On devices that support this functionality there is generally a mode called "Bridge mode", "AP mode" or something along those lines that can enable the configurations for you. From there you would need to decide if you want the device to perform only as a bridge and connect the cameras by Ethernet cable, or perform a "repeater" function and rebroadcast the Jetpack's signal to the cams.
    The goal being to get everything that requires remote access to automatically connect to the chosen VPN server.  That way whenever you want to remotely connect and view the cameras all you need is a way to connect to the VPN server where everything is resting.  All you should have to do from there is keep the Jetpack/USB modem online and everything else will take care of itself from there.

  • Router VPN Issue

    I have the verizon 4GTE Router and I am unable to access my company's VPN from home. I can access the VPN at McDonald's, Panera Bread, and all other wifi stations, just not at home. No one has been able to help me as of this point. Any suggestions??

    Definitely speak to the community over at Verizon Wireless if you're running into problems with an LTE connection. This forum is for the wireline company, Verizon.
    Perhaps this may be a starting point as to why your VPN is not working: https://secure.dslreports.com/forum/r28875622-Troubleshooting-Verizon-Mifi-Novatel-4620 check the first few posts. Also, just make sure if you've been poking around in your LTE router, that you have not set the Firewall to too high of a setting. That can block a VPN from connecting. Also, try playing around with the passthrough settings (PPTP, IPSec, etc) in the router to see if one of those is causing a problem. Those should simply be On/Off switches.
    ========
    The first to bring me 1Gbps Fiber for $30/m wins!

  • Setup router to router VPN connecting 2 windows domain networks via 2 RV042 routers

    I am using 2 RV042 routers.  I have created a point to point VPN with Remote Security Group Type= Subnet, using the default IPSec settings. 
    Under advanced settings-  Aggressive Mode, Keep Alive enabled.
    Location A- SBS 2011 standard, Servername=SBSServer, Domainname = Smallbusiness.Local, IP address 10.1.10.50
    DHCP range 10.1.10.100 to 10.1.10.175.  DNS and Print services. No WINS.  
    Location B- Server 2008 R2, Servername=SBSServer, Domain name=Smallbusiness.Local, IP address 192.168.10.50
    DHCP range 192.168.10.100 to 192.168.10.175,  DNS, Print Services and Remote Desktop Services.  No WINS
    I am wondering 2 things. Can I set up the VPN tunnel to route traffic between the 2 networks without changing the server names, leaving the servernames the same? I have it set up that way but also had netbios broadcast enabled. If I disable netbios broadcast, will that be enough for these networks to be independent of each other? I was hoping not to have to rename the domain, and there are advantages to having the same user and domain name when mapping drives between networks. I have not needed to authenticate those drives or provide credentials for printing either.
    2) Should I change the domain name so that each network has a unique domain name or, if I change the servername of the 2008 R2 server, will that essentially solve my network issues, the primary issue being that location b has clients that occasionally cannot find the 2008 R2 domain controller? After a restart they usually resolve to the correct domain controller.
    Essentially what I am asking is what are the best practices to connect 2 separate Windows domain networks via a VPN and have those networks capable of file sharing to each other's domain server and printing to the network printers at both locations.
    Should I have separate domain names-
    Should I have separate server and computer names-

    "reserved not zero on payload" generally means your pre-shared keys don't match. Try removing the "crypto isakmp key ...." line and retyping it in again on both sides. In particular DON'T cut/paste it from one router config into another, this quite often puts a space character onto the end of the key, which the router interprets as part of the key and they therefore don't match.

  • Upgraded router VPN no longer working - LCP: timeout sending Config-Request

    I recently upgraded my small office router from a Linksys WRT54G to a Linksys WRT610N. I duplicated all of the port forwarding configs from my previous router, but every time I try to connect to my server I get the following error:
    Could not negotiate a connection with the remote PPP server. Please verify your settings and try again.
    The ports I have forwarded to my server are the following:
    1701 UDP
    500 UDP
    1723 TCP
    4500 UDP
    While I am connecting I have been watching the log from Server Admin, and this is what I see:
    2008-07-11 06:09:35 PDT Incoming call... Address given to client = 192.168.1.63
    Fri Jul 11 06:09:35 2008 : Directory Services Authentication plugin initialized
    Fri Jul 11 06:09:35 2008 : Directory Services Authorization plugin initialized
    Fri Jul 11 06:09:35 2008 : PPTP incoming call in progress from '76.172.xxx.xxx'...
    Fri Jul 11 06:09:35 2008 : PPTP connection established.
    Fri Jul 11 06:09:35 2008 : using link 0
    Fri Jul 11 06:09:35 2008 : Using interface ppp0
    Fri Jul 11 06:09:35 2008 : Connect: ppp0 <--> socket[34:17]
    Fri Jul 11 06:09:35 2008 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xef7517xx> <pcomp> <accomp>]
    Fri Jul 11 06:10:05 2008 : LCP: timeout sending Config-Requests
    Fri Jul 11 06:10:05 2008 : Connection terminated.
    Fri Jul 11 06:10:05 2008 : PPTP disconnecting...
    Fri Jul 11 06:10:05 2008 : PPTP disconnected
    2008-07-11 06:10:05 PDT --> Client with address = 192.168.1.63 has hungup
    I am still using 10.5.3. This may be very obvious to someone, but I'd appreciate any help.
    Thanks!
    Scott

    I am having severe issues with routers vs. VPN and I am hoping someone here can tell me how they got PPTP and L2TP working through the Apple Airport Extreme.
    Basically, I used to have a cheap, old, but perfectly working Linksys router. I opened ports for PPTP and L2TP pass through and VPN worked fine. I decided to upgrade the router because I wanted something with basic firewall functionality...
    I tried two new linksys products and gave up in disgust. Then I thought I had a brainwave and ordered the Apple Extreme Base Station. Well, this is almost as hopeless.
    I can get PPTP to connect now but the remote clients can't connect to the AFP server. L2TP simply won't work. I have 1701, 500, 1723 and 4500 ports forwarded to my server so I don't know what I am doing wrong.
    Also, I see on Apple's Server page that the Server will set up the Apple Extreme Base Station automatically??? How does this work?
    Lastly, Do I want to enable NAT port mapping protocol?
    Thank you,
    Gareth

  • Feature Request : Router to Router VPN support

    I realize this has been highlighted earlier as not being supported currently, but it would be very useful to allow additional subnets into the NM sphere (my assumption would be one Home network and additional subnets treated as foreign networks). Any clues as to whether the PN platform would be flexible enough to support this (in the future), for example with the facility to add subnet ranges as an additional option? I think some basic assumptions would have to be made (e.g. that NETBIOS is supported to allow identification of devices).
    My main reason for requesting this would be to get an overview of resources available at the other end of the VPN (file servers, printers etc.) - currently I have to do this with an additional application.
    Look forward to your thoughts,
    Simon T.

    Hi, at this time NM only can scan inside your local subnet, but that sounds like a good idea.
    My Cisco Network Magic Configuration:
    Router: D-Link WBR-2310 A1 FW:1.04, connected to Comcast High Speed Internet
    Desktop, iMac: NM is on the Windows Partition, using Boot camp to access Windows, Windows 7 Pro 32-bit RTM, Broadcom Wireless N Card, McAfee Personal Firewall 2009,
    Mac Partition of the iMac is using Mac OS X 10.6.1 Snow Leopard
    Laptop: Windows XP Pro SP3, Intel PRO/Wireless 2200BG, McAfee Personal Firewall 2008
    Please note that though I am a beta tester for Network Magic, I am not an employee of Linksys/Cisco and am volunteering my time here to help other NM users.

  • Router turns security on for no reason

    I have a BEFW11S4 V2 router, with latest firmware, and no security set up in a household of one wired desktop and four laptops (including an additional WUSB11S4 v2 connected new HP desktop).
    For no reason I can see, it sometimes turns its security on, not allowing additional wireless access. If any of the original laptops are disconnected, they can't reconnect either.
    The router security turns off and goes back to normal when all PCs, Cable Modem and Router are turned off and on again.
    Thx Steve

    Why do you think that your router is suddenly getting "wireless security" turned on?
    Since you run an unsecured wireless network, perhaps your neighbor is playing tricks on you!   Teens love to do this.  They get on your network, guess your password (is it still admin? or something else that is easy to guess?), then log into your router, and boot everybody off!
    Alternatively, you could be losing connection simply because your unsecured computers are getting confused, and trying to connect to a neighbor's unsecured network. Let me guess - your SSID is still "linksys". Am I right?
    Another possibility is that your neighbors' networks, or your own 2.4 GHz devices, are interfering with your wireless signal.  This would include wireless 2.4 GHz phones, Bluetooth, wireless baby monitors, wireless mice or keyboards, microwave ovens, etc. 
    At a minimum, you need to assign your network a unique SSID, and secure your router login with at least a 12 random character password.  Unless you live far (at least 1000 feet) from your neighbors, and far from public roads, you also need to set up wireless security.  If you can, change the channel that the router is using.  Channel 1, 6, or 11 usually work the best.  Also, unplug any wireless 2.4 GHz devices that you have (other than your network devices), and see if that corrects your problem.
    Actually, to set up wireless security correctly, you will need a new router.
    From the user guide, it looks like your current router can only do WEP.  WEP can be broken in less than 5 minutes, using software tools that are available over the internet.  You really need to be using WPA or preferably WPA2.
    If you don't get a new router, and if nothing above fixes your problem, then you should update your firmware to the latest version.
    Hope this helps.
    Message Edited by toomanydonuts on 02-18-2007 07:47 PM
    Message Edited by toomanydonuts on 02-18-2007 07:51 PM
    Message Edited by toomanydonuts on 02-18-2007 09:54 PM

  • Not able to connect my iPhone to my WRT54GS router with security enabled

    As the subject line states, I'm not able to connect my iPhone to my WRT54GS router when the security is enabled. Whenever I attempt to connect to my network with my phone it always tells me the password is incorrect. I have double checked the password in the easylink advisor and it matches up. I have also tried both WPA and WEP with the same result. I know that the wireless is working on the router as I turned the security off and was able to connect to it. I updated the firmware this evening also with no changes. If anyone could help me with this issue it would be much appreciated.

    First of all, in the router, give your network a unique SSID. Do not use "linksys". If you are using "linksys" you may be trying to connect to your neighbor's router. Also, in the router, set "SSID Broadcast" to "enabled". This will help your iPhone find and lock on to your router's signal.
    To connect using WEP, enter WEP "key 1"  (found in the router)  into the iPhone, not the WEP password or passphrase.
    To connect using WPA, make sure that there is not an encryption nomenclature problem.  For example, WPA is not the same as WPA with AES.  Please note the following:
    WPA  = PSK  = WPA with TKIP = WPA personal
    WPA2 = PSK2 = WPA with AES  = WPA2 personal
    I am not certain, but your iPhone probably does just ordinary WPA (not WPA with AES). Assuming that this is correct, then the router should be set to:
    "WPA personal" with "TKIP"
    Also, in the iPhone, be sure to delete the entry for your unsecured connection to your router, before you try to input info regarding the secured connection to the router.
    Hope this helps.
    Message Edited by toomanydonuts on 07-16-2008 03:12 AM

  • External Router, VPN, Configuration

    Dear Community,
    at our company we've bought a Cisco 876 Router with the Enterprise Feature Set.
    Now I have to configure the System.
    I would like to do the following:
    Our carrier has assigned us a transfer net for routing and a network for our router. This network for the router includes official IP addresses; they should be usable via ports 2-4 on the router, while port 1 should be a port that is directly attached to the internal network. This port should have an external IP address and a VPN & NAT server on it so external users can connect via VPN and the internal network can connect to the external.
    Any suggestions for this configuration?

    Hi
    I have configured a Cisco 877 as a VPN server... what kind of help do you need?
    thanks & regards.

  • Is my router effectively secured?

    I was wondering if what I have done below is the best possible, or if there is any possible way to improve the security:
    I have a WRT320N
    SSID: just let it broadcast. Removing this broadcast will not improve overall security. SSID will be shown even if you disable periodic broadcasts.
    Change Router default name to something that does not suggest its location or brandname/type
    change the default password (the one to access the router from your browser)
    Disable remote management: don't want anyone using Wi-Fi to try to hack my router
    disable UPnP, automatic configuration of router has possible security leaks.
    use WPA2 personal (just choose the highest encryption) and use the longest uppercase, lowercase, numbers and letter combination you can think of.
    mac filtering can be set to on, but hackers can clone MAC addresses, the extra security is doubtful.
    AP isolation: Prevent wi-fi users on my router from accessing each other, isolate all wi-fi users from each other.
    enable SPI firewall: blocks incoming network packets that originate from the internet and were not started by me: internet at port 80, my Firefox tries to open a webpage, these kinds of incoming packets will be allowed by the router to pass from the internet to my computer.
    use webfilter and prevent any network packet with java, proxy, activex to pass my router: at this moment I am blocking proxy. I am filtering webcasts.
    Blocking any port except 20,21,25,53,80,110,443. (port range is from 0 to 65523) Blocking both UDP and TCP for all IP addresses 192.168.0 to 192.168.0.254. So only these mentioned ports are allowed to be used.
    Thanks for helping out.

    Re SSID broadcast.
    1. Correct. Even with SSID broadcast disabled the router will still broadcast a periodic beacon which means a wireless scanner will immediately pick up the existence of a wireless network.
    2. The SSID is transferred in plain text during association with the router. Any network sniffer will learn the SSID at the moment a (legitimate) device connects to your network.
    3. By sending some rogue packets to the AP it is easily possible to disassociate any connected wireless device forcing a re-association. This way you can learn the SSID immediately.
    1-3 means that the SSID of a wireless access point with SSID broadcast disabled is unknown as long as no wireless device is connected to the router, because there is no way to force an association request of a legitimate device. Some people therefore believe the disabled SSID broadcast is an important means for increased security, in particular when the wireless is not used very often. Of course, if you don't need the wireless for most of the time you should turn it off completely.
    On the other hand, disabling the SSID broadcast technically breaks the 802.11 standard and is known to cause connectivity and stability problems with some wireless cards. Therefore, I usually recommend not to disable the SSID broadcast.
    Re "router default name". If you mean the SSID, of course, changing it is important. Mostly to prevent your wireless devices from connecting to your neighbor's router who still uses the default SSID.
    Changing the "router name" on the main setup is not necessary. It's only necessary for the internet connection and only if required by your ISP.
    Changing SSID or "router name" won't change the MAC address on the wireless. The first half of that MAC address will reveal the manufacturer (Linksys or Cisco).
    Re remote management. Disabling remote management is good. Of course, verify that it really works. Some routers had a firmware bug which opened the web interface to the internet regardless of that setting.
    Re UPnP. Correct. It should be disabled at all times.
    Re WPA2 Personal: with AES-only encryption and a strong passphrase this is the best wireless security you can have at this time. Passphrase can be up to 63 characters long.
    Re wireless mac filter: MAC addresses are always transferred unencrypted (even with WPA2) and are easily cloned. Thus a simple network sniffer will be able to pick up MAC addresses of legitimate devices which you can use to connect.
    Re AP isolation. Can be used if no wireless-wireless connections are required. Of course, if an intruder hacked into your wireless network he can try to hack into your router from there. The protection of the web interface on the LAN side is quite weak.
    Re SPI firewall. Must be on. It protects the router from the internet.
    What you write on that subject is the "protection" due to NAT, i.e. because you use private IP addresses. NAT technically does not block unsolicited incoming traffic. It simply drops unsolicited incoming traffic because it does not know what to do with it, i.e. it does not know where to deliver it to unless you configure port forwarding or similar. By design, NAT is not a security mechanism as its design goal is to allow connections and not to block them. Some (older) NAT implementations tried to deliver unsolicited incoming traffic by some heuristics. Some (older) NAT implementations had FTP helper functionality (to make FTP work properly through a NAT router) which made it possible to get any port opened on the router.
    Re webfilter: depends. Will cause trouble with HTTPS web sites as HTTPS requires secure end-to-end security.
    Re blocking all ports except 20,21,25,53,80,110,443. Well depends again. In your list for instance, you block port 995 (POP3S) and only accept 110 (POP3). Depending on your mail client and the pop server this may lead to an unencrypted connection between the client and the server because port 995 is not accessible. Similar with port 25 (SMTP). Some web servers run on port 8080 or other ports which won't work or work only partially (because some content is on a web server with different port number).
    So technically, your block list will probably affect you more, and your ability to use the most secure protocol, which might currently be on your block list. In addition, as most people have ports 80 and 443 open for outgoing traffic, most malware uses them to talk to the outside. Thus your list, although the idea sounds good, probably won't help you.
    Thus I would say that in most home networks such a blocking list based on a list of a few exempt ports won't really help your security and will mostly cause problems for you and nothing else. Such a list will work in a corporate setup where you can narrow down the legitimate traffic very well. But for home use and general browsing habits it won't really work.
    In addition, I think you cannot set up such a list on a Linksys router. You can only block ports but not all ports except a few.
    Another, extremely important point missing from your list: Always change the router default password (admin) to a strong password. But I guess you already did that, too.
    Overall, I would say you have got everything right...
