WRVS4400N Won't allow L2TP traffic to passthrough

The latest in a series of issues with the WRVS4400N:
As any Mac user knows, you cannot connect to this device with QuickVPN, as there is no Mac version of QuickVPN.  That leaves us with one of two options:
1)  Obtain iPSecuritas and configure an IPSec tunnel with it.  Problematic for many, but it can be done.  I've been doing it for two years, but recently learned that with this configuration, you can't route all network traffic over the VPN (email, web browsing, etc), which is sometimes a security concern when on public wifi.  This leaves you with solution 2:
2)  Get some other VPN device and put it behind the Linksys Router and setup the Linksys to passthrough VPN traffic, and/or forward the necessary ports.
I am running both a PPTP and L2TP server on Mac OS X server behind the WRVS4400N.  I have the 4400N setup to passthrough all VPN traffic (select the enable circle for IPSec, PPTP, and L2TP on the VPN Passthrough tab).
After forwarding the appropriate port (1723) to the OS X server's ip address, PPTP goes through just fine.
L2TP is a problem, though.  Nothing I try gets through this 4400N.  As stated above I have L2TP passthrough enabled.  I have also forwarded ports UDP 500, UDP 4500 and even tcp/udp 1701 to the L2TP server's ip address.  No go, no traffic gets through.
Suspecting it was something wrong with my L2TP server or client settings, I put the L2TP server into a DMZ zone.  Voila!  L2TP traffic connects as expected.  This proves it is the WRVS4400N not doing its thing.
I have checked the logs on the WRVS4400N and nothing appears at all.  I thought maybe that it is reading the L2TP traffic as IPSec traffic destined for its internal IPSec server, even though I don't have any IPSec tunnels or QuickVPN accounts setup on the WRVS4400N, but with the lousy logging and no ip_conntrack tables in this version of the firmware, I don't know what else to check.
I am using Firmware v1.0.16 because v1.1.03 is not stable on my router.  Using that firmware leaves the router in a corrupted state requiring a power cycle to reset it after any IPSec connection is shut down.
Can anyone suggest what I am missing or doing wrong in getting the WRVS4400N to actually passthrough my L2TP traffic to the working L2TP server?
/rant:  I have to say I am beginning to hate the WRVS4400N.  This temperamental beast has caused a lot of frustration and long hours over the past two years; in hindsight, considering the hours (in excess of 100, seriously) I have put in to trying to get various forms of VPN working on it, I should have just moved on to a more stable and flexible router.

gv wrote:
1. Never ever forward L2TP port 1701. That's a security risk. Port 1701 is not supposed to be accessible from the internet.
2. Running an IPSec server behind a NAT gateway is a very bad idea and is either very difficult or impossible depending on the server software and kernel version on the server machine. In particular you usually see a lot of problems if the client as well is behind a NAT gateway.
3. Turn off the L2TP and IPSec passthrough options. Passthrough is difficult because NAT will modify the packets passing. When you disable the passthrough options the VPN client and server should switch to encapsulation through UDP port 4500.
Thanks for the reply.  Comments/follow-up on each of your numbered responses:
 1)  Port 1701 is off.  Plenty of sites insist it must be open, so I tried it out of desperation.  Lots of bad information on the internet, as we all know.
 2a)  My IPSec server has always been the NAT gateway itself (the WRVS4400N).  That's not the problem.  My issue with leaving the setup that way is that Linksys has ZERO support for Mac OS X to connect to the WRVS4400N's IPSec VPN.  QuickVPN is only offered for Windows OS, and Cisco VPN Client for OS X will not connect with the WRVS4400N.  This leaves me with having to use 3rd-party client solutions which work flawlessly and completely with other hardware but not with the WRVS4400N.
I'd actually be happy with that solution if I could route all traffic (web and email especially) over the VPN tunnel.  This won't work with the only solutions I have to using IPSec on a Mac to connect to the network.  I've considered establishing SSH tunnels binding the various ports, but proxies, slower performance and other issues make that less than desirable.  Very frustrating.
I guess since L2TP uses IPSec, your point is relevant, but I don't understand why, if IPSec behind a NAT gateway is such a bad idea, EVERY router on the market offers IPSec passthrough in its specs.  
If it's so problematic, and such a bad idea, why allow it?   Especially on devices marketed to SOHO consumers who are bound to have less networking savvy?  In fact, the Linksys products ship with these options ENABLED by default. 
3)  I've done all that.  
Here are log entries from the WRVS4400N for a few combinations of passthrough and port forwarding:
Passthrough disabled, ports forwarded
Dec 7 07:38:40 - Drop by Port Scan UDP
Dec 7 07:41:25 - UDP Packet - Source:xxx.xxx.xxx.xxx,500 Destination:192.168.2.11,500 - [Firewall Log-IPSecPass Fail]
Dec 7 07:41:30 - [VPN Log]: shutting down
Dec 7 07:41:30 - IPSEC EVENT: KLIPS device ipsec0 shut down.
Dec 7 07:41:32 - [VPN Log]: Starting Pluto (Openswan Version cvs2006Jan12_11:29:56 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE@ECqImzhFD)
Dec 7 07:41:32 - [VPN Log]: @(#) built on Aug 2 2007:11:09:37:
Dec 7 07:41:32 - [VPN Log]: Setting NAT-Traversal port-4500 floating to on
Dec 7 07:41:32 - [VPN Log]: port floating activation criteria nat_t=1/port_fload=1
Dec 7 07:41:32 - [VPN Log]: including NAT-Traversal patch (Version 0.6c)
Dec 7 07:41:32 - [VPN Log]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec 7 07:41:32 - [VPN Log]: starting up 1 cryptographic helpers
Dec 7 07:41:32 - [VPN Log]: started helper pid=11543 (fd:5)
Dec 7 07:41:32 - [VPN Log]: Using KLIPS IPsec interface code on 2.4.27-star
Dec 7 07:41:32 - [VPN Log]: Changing to directory '/etc/ipsec.d/cacerts'
Dec 7 07:41:32 - [VPN Log]: Changing to directory '/etc/ipsec.d/aacerts'
Dec 7 07:41:32 - [VPN Log]: Changing to directory '/etc/ipsec.d/ocspcerts'
Dec 7 07:41:32 - [VPN Log]: Changing to directory '/etc/ipsec.d/crls'
Dec 7 07:41:32 - [VPN Log]: Warning: empty directory
passthrough enabled, ports not forwarded
Dec 7 07:47:28 - [VPN Log]: shutting down
Dec 7 07:47:28 - IPSEC EVENT: KLIPS device ipsec0 shut down.
Dec 7 07:47:31 - [VPN Log]: Starting Pluto (Openswan Version cvs2006Jan12_11:29:56 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE@ECqImzhFD)
Dec 7 07:47:31 - [VPN Log]: @(#) built on Aug 2 2007:11:09:37:
Dec 7 07:47:31 - [VPN Log]: Setting NAT-Traversal port-4500 floating to on
Dec 7 07:47:31 - [VPN Log]: port floating activation criteria nat_t=1/port_fload=1
Dec 7 07:47:31 - [VPN Log]: including NAT-Traversal patch (Version 0.6c)
Dec 7 07:47:31 - [VPN Log]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec 7 07:47:31 - [VPN Log]: starting up 1 cryptographic helpers
Dec 7 07:47:31 - [VPN Log]: started helper pid=12590 (fd:5)
Dec 7 07:47:31 - [VPN Log]: Using KLIPS IPsec interface code on 2.4.27-star
Dec 7 07:47:31 - [VPN Log]: Changing to directory '/etc/ipsec.d/cacerts'
Dec 7 07:47:31 - [VPN Log]: Changing to directory '/etc/ipsec.d/aacerts'
Dec 7 07:47:31 - [VPN Log]: Changing to directory '/etc/ipsec.d/ocspcerts'
Dec 7 07:47:31 - [VPN Log]: Changing to directory '/etc/ipsec.d/crls'
Dec 7 07:47:31 - [VPN Log]: Warning: empty directory
passthrough enabled, ports forwarded
BLANK LOG!  Not a single entry in the WRVS4400N's log files.
Remember, there is nothing wrong with my client or server software, as demonstrated by bypassing the WRVS4400N.  L2TP connections work fine until the WRVS4400N is in the mix. 
So, I'm back to the same original question:
 How do I enable L2TP traffic to an L2TP server behind a WRVS4400N in a manner that actually works...? 
Message Edited by DistortedLoop on 12-07-2008 08:02 AM
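Added example, not code from the thread: a small Python script that parses WRVS4400N log lines of the shape posted above (firewall packet lines, "Drop by Port Scan", and the router's own [VPN Log] entries) and checks a port-forward list against gv's advice (forward UDP 500 and UDP 4500 to the L2TP/IPsec server, never expose 1701, and leave passthrough off). The sample log lines are constructed from the post; function names and the finding wording are my own.

```python
import re
from collections import Counter

# Constructed sample: lines of the same shape DistortedLoop posted above.
SAMPLE_LOG = """\
Dec 7 07:38:40 - Drop by Port Scan UDP
Dec 7 07:41:25 - UDP Packet - Source:xxx.xxx.xxx.xxx,500 Destination:192.168.2.11,500 - [Firewall Log-IPSecPass Fail]
Dec 7 07:41:30 - [VPN Log]: shutting down
Dec 7 07:41:32 - [VPN Log]: Setting NAT-Traversal port-4500 floating to on
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) - (?P<msg>.*)$")
PKT_RE = re.compile(
    r"^(?P<proto>TCP|UDP) Packet - Source:(?P<src>[^,]+),(?P<sport>\d+) "
    r"Destination:(?P<dst>[^,]+),(?P<dport>\d+)(?: - \[(?P<tag>[^\]]*)\])?$"
)


def parse_line(line):
    """Return a dict for one WRVS4400N log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    entry = {"ts": m.group("ts"), "msg": msg, "kind": "other"}
    if msg.startswith("[VPN Log]") or msg.startswith("IPSEC EVENT"):
        entry["kind"] = "vpn"  # the router's own Openswan/Pluto daemon
    elif msg.startswith("Drop by Port Scan"):
        entry["kind"] = "portscan_drop"
    else:
        p = PKT_RE.match(msg)
        if p:  # firewall verdict on a forwarded/passthrough packet
            entry["kind"] = "packet"
            entry.update(proto=p.group("proto"), src=p.group("src"),
                         sport=int(p.group("sport")), dst=p.group("dst"),
                         dport=int(p.group("dport")), tag=p.group("tag") or "")
    return entry


def summarize(text):
    """Count entries by kind, and firewall verdict tags such as IPSecPass Fail."""
    counts = Counter()
    for line in text.splitlines():
        e = parse_line(line)
        if e:
            counts[e["kind"]] += 1
            if e["kind"] == "packet" and e["tag"]:
                counts["tag:" + e["tag"]] += 1
    return dict(counts)


# Per gv's reply: IKE on 500/udp and NAT-T on 4500/udp are what an
# L2TP/IPsec server behind NAT needs; 1701 must never face the internet.
REQUIRED = {("udp", 500), ("udp", 4500)}
NEVER = {("udp", 1701), ("tcp", 1701)}


def check_forwards(forwards, passthrough_enabled):
    """forwards: iterable of (proto, port) the router sends to the VPN server.
    Returns a list of findings; an empty list means the setup matches the advice."""
    fw = {(p.lower(), int(port)) for p, port in forwards}
    findings = []
    for rule in sorted(NEVER & fw):
        findings.append("remove %s/%d: L2TP port must not be reachable from the internet" % rule)
    for rule in sorted(REQUIRED - fw):
        findings.append("missing %s/%d forward to the L2TP/IPsec server" % rule)
    if passthrough_enabled:
        findings.append("disable IPSec/L2TP passthrough so peers use UDP 4500 encapsulation")
    return findings


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(check_forwards([("udp", 500), ("udp", 4500), ("udp", 1701)], True))
```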
