Playing with VPN...

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,728
Location
Horsens, Denmark
So, am I missing something here?

I have 2 Linksys/Cisco RV042 VPN routers, each connected to a high-speed internet connection with a static IP.

Each router has been completely configured and connects to the internet flawlessly. Each has been configured with a "Gateway to Gateway" VPN link and shows a status of "connected".

One of the LANs is 192.168.0.0, the other is 192.168.1.0; each has a subnet mask of 255.255.255.0. With this connection in place, I should be able to ping 192.168.0.6 from 192.168.1.100, correct? Or am I completely misunderstanding things?
 

P5-133XL

Xmas '97
Joined
Jan 15, 2002
Messages
3,173
Location
Salem, Or
Yes, you are misunderstanding. Unless there is routing going on (You need a routing protocol turned on) the gateways have to be on the same subnet/network. Otherwise the packets have nowhere to go when they are received at the destination but they are on different networks so they get dropped.
 

ddrueding
So simply changing the subnets to 255.255.0.0 would suffice? I was under the impression that you wanted them in different subnets so that the traffic would go through the default gateway.
 

P5-133XL
With no routing between them, gateways have to be on the same network. A default gateway is merely where a packet goes when something doesn't know where to send a packet.

Think of each device as watching for traffic that is addressed to it. It simply examines everything to see if it should let the packet enter. If the network portion of the IP address is different, then that device simply ignores the packet and thereby it will be dropped.

When dealing with VPNs you need to separate the internal packets' IP addresses from the external packets. The external IP addresses have to be network consistent to get from point A to point B. But also the internal IP addresses have to be network consistent too. Once the internal packet has been encoded, then you are using the external IP addresses to get from place to place until the packet is decoded and then the internal address is used to get from place to place.

Does this make sense, and is it helpful?
 

ddrueding
It is very helpful, thank you, but it's a bit late for it to be making sense.

Basically what you are saying is that the VPN gateways and all the machines on each end can exist within the same network, and that the gateways themselves will identify what traffic needs to be passed through the VPN and take care of it automatically? Cool, I just thought it was an effective way of setting up secure routing.
 

time

Storage? I am Storage!
Joined
Jan 18, 2002
Messages
4,932
Location
Brisbane, Oz
I may well be asking for a basic lesson in Networking 101 here, but I think you and Mark are on different wavelengths.

Firstly, a gateway is the junction between two networks. Modern definitions like to be more specific by also requiring a change of protocol, but IMO that's just turning an ordinary word into jargon.

Routers are a subset of gateways - no protocol change. A router is not magical, it just keeps a table of where to direct packets so that they reach their destination in an efficient manner.

A VPN is the union of two networks (hence the Virtual) via a secure tunnel (hence the Private). A tunnel has two ends, so it requires two routers (even if one is software). These do not need RIP (or other routing protocols) to set up the tunnel, although the result will be added into their routing tables. RIP enables them to exchange the rest of the table information.

In short, you should indeed be able to ping one network from the other; if the VPN was successfully established, the necessary routes will be in the routing tables (with LAN to LAN they're already specified in the VPN configuration).

Things to try:

- Can you ping each router on its local address through the tunnel?
- Check each routing table (don't think you can with the RV042).
- Inspect the logs to confirm successful phase 2 negotiation.
- Try the latest firmware (this stuff is a perpetual work in progress).
- If you're running XP with SP2, buy yourself a decent whip and self-flagellate properly. Or do your best to disable its firewall and other crap, and then tell me how so I can avoid future embarrassment.

Cheers.

P.S. I'm more than happy to test your setup if you want to PM me the info (I've got two different VPN routers here and others at other locations). I'd be really interested to see if the Linksys is a good proposition. There's also bound to be others here who could check your router config if you enable remote management and tell them the password. :)
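To make the routing point above concrete, here is an added example (not from the thread, and not Linksys code) that models the two decisions involved: a LAN host sends anything outside its own subnet to its default gateway, and the VPN router matches that traffic against the LAN-to-LAN selectors of the tunnel. It also shows why the 255.255.0.0 mask floated earlier would not help: the host would then treat the remote site as on-link and never hand the packet to the router. The subnet and function names are assumptions for this illustration.

```python
import ipaddress

# Constructed topology matching the thread: two /24 LANs behind RV042s joined by
# a gateway-to-gateway tunnel. Variable and function names are assumptions.
LAN1 = ipaddress.ip_network("192.168.0.0/24")
LAN2 = ipaddress.ip_network("192.168.1.0/24")
# The LAN-to-LAN policy configured on each router, in both directions.
TUNNEL_SELECTORS = [(LAN1, LAN2), (LAN2, LAN1)]

def host_next_hop(src, mask, dst):
    """A LAN host's decision: deliver on-link (ARP for dst) if dst is inside its
    own subnet, otherwise forward to the default gateway (the router's LAN IP)."""
    src_net = ipaddress.ip_network(f"{src}/{mask}", strict=False)
    return "on-link" if ipaddress.ip_address(dst) in src_net else "default-gateway"

def gateway_action(src, dst):
    """The VPN router's decision: traffic matching a tunnel selector is
    encapsulated into the IPsec tunnel; anything else takes the ordinary WAN path."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in TUNNEL_SELECTORS:
        if s in local and d in remote:
            return f"tunnel {local} -> {remote}"
    return "wan"

def trace(src, mask, dst):
    """Path a packet takes from a host, as a list of decisions."""
    hop = host_next_hop(src, mask, dst)
    if hop == "on-link":
        # The host ARPs for dst locally; the router never gets the packet to
        # tunnel, so a host at the remote site is unreachable this way.
        return [hop]
    return [hop, gateway_action(src, dst)]

if __name__ == "__main__":
    # Ping from the thread: 192.168.1.100 -> 192.168.0.6 with a /24 mask.
    print(trace("192.168.1.100", "255.255.255.0", "192.168.0.6"))  # ['default-gateway', 'tunnel 192.168.1.0/24 -> 192.168.0.0/24']
    # Same ping with the /16 mask suggested earlier: never leaves the LAN.
    print(trace("192.168.1.100", "255.255.0.0", "192.168.0.6"))    # ['on-link']
```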
 

ddrueding
Alright...well, I'm almost there.

Configuration:

Site 1
Linksys RV042 10/100 4-Port VPN Router (Firmware 1.2.3)
Internet Connection: Full T-1
Internal IP: 192.168.0.1
Subnet Mask: 255.255.255.0

Site 2
Linksys RV042 10/100 4-Port VPN Router (Firmware 1.2.3)
Internet Connection: Wireless Link (2MB/2MB)
Internal IP: 192.168.1.1
Subnet Mask: 255.255.255.0

The link shows that it works, and I am able to ping each router's local address from both ends. I am also able to ping any machine that got its IP from the DHCP server integrated with the router. It's looking like all I need to do is add the servers to the DHCP using MAC reservations. More to come later.
 

time
The IP address doesn't have to come from the router. It's the gateway setting that they're getting from the router that makes them accessible.

Rather than mess about with MAC addresses, just assign server IP addresses outside the pool used by the router's DHCP server. As long as you enter the router's internal address as the gateway, all will be well.
 

ddrueding
time said:
The IP address doesn't have to come from the router. It's the gateway setting that they're getting from the router that makes them accessible.

Rather than mess about with MAC addresses, just assign server IP addresses outside the pool used by the router's DHCP server. As long as you enter the router's internal address as the gateway, all will be well.

I'm afraid not. Here is the configuration I had.

Router Internal IP: 192.168.0.1
Gateway: 192.168.0.1
Subnet Mask: 255.255.255.0
DHCP Pool: 192.168.0.100-192.168.0.200
Servers Assigned IPs: 192.168.0.10-192.168.0.25

All systems have the same gateway and subnet mask. All are within the IP range that the router is aware of and that has been programmed into the other router as part of the VPN. I can ping 192.168.0.100 but not 192.168.0.16. I'll have a chance to test my reservation idea later today, I'll let you know how it goes.
 

ddrueding
err....or not?

I am no longer able to ping any machines on the other end. I am still able to ping the internal IP of the opposite gateway without issue. Don't know what's going on right now...
 

ddrueding
Well, thanks to a significant and most generous amount of time and effort by our most knowledgeable member, time, my stuff is running almost as it should.

About every 30 minutes or so it drops for about 15 seconds (just enough time to screw everything). I haven't been able to verify whether the internet connection itself is dropping, or whether the VPN is resetting itself. Here's what happens in the log every time it occurs:

Code:
11/19/2004 1    VPN    received Delete SA payload: replace IPSEC State #15841 in 10 seconds
11/19/2004 1    VPN    received Delete SA payload: deleting ISAKMP State #15840
11/19/2004 1    VPN    Initiating Main Mode
11/19/2004 1    VPN    [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
11/19/2004 1    VPN    [Tunnel Negotiation Info] <<< Initiator Received Main Mode 2nd packet
11/19/2004 1    VPN    [Tunnel Negotiation Info] >>> Initiator send Main Mode 3rd packet
11/19/2004 1    VPN    [Tunnel Negotiation Info] <<< Initiator Received Main Mode 4th packet
11/19/2004 1    VPN    [Tunnel Negotiation Info] >>> Initiator Send Main Mode 5th packet
11/19/2004 1    VPN    [Tunnel Negotiation Info] >>> Initiator Receive Main Mode 6th packet
11/19/2004 1    VPN    Main mode peer ID is ID_IPV4_ADDR: '12.151.47.215'
11/19/2004 1    VPN    [Tunnel Negotiation Info] Main Mode Phase 1 SA Established
11/19/2004 1    VPN    [Tunnel Negotiation Info] Initiator Cookies = 891b 566c e53b 9bb3
11/19/2004 1    VPN    [Tunnel Negotiation Info] Responder Cookies = cb8f 1fc8 6212 b990
11/19/2004 1    VPN    initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS
11/19/2004 1    VPN    [Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet
11/19/2004 1    VPN    initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS
11/19/2004 1    VPN    [Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet
11/19/2004 1    VPN    [Tunnel Negotiation Info] <<< Initiator Received Quick Mode 2nd packet
11/19/2004 1    VPN    [Tunnel Negotiation Info] Inbound SPI value = a69f937f
11/19/2004 1    VPN    [Tunnel Negotiation Info] Outbound SPI value = 2fbd318a
11/19/2004 1    VPN    [Tunnel Negotiation Info] >>> Initiator Send Quick Mode 3rd packet
11/19/2004 1    VPN    [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
11/19/2004 1    VPN    Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x4fd8431e (

Anyone care to enlighten me why the last message given before 30 minutes of successful operation is an error?


Thanks muchly,
David
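The log above shows a Delete SA followed by a fresh Main Mode and Quick Mode negotiation, i.e. a rekey rather than a cold start. As an added example (not from the thread and not Linksys code), here is a small parser for that RV042 log format, run over a constructed subset of the lines quoted above: it counts the Delete SA and Phase 2 events, extracts the new SPIs, and flags the repeated Quick Mode 1st packet and the rejected Message ID, so that in a longer log a rekey can be told apart from a WAN outage. The label names are assumptions.

```python
import re
from collections import Counter
# Constructed subset of the RV042 log lines quoted above (same format, fewer lines).
SAMPLE_LOG = """\
11/19/2004 1    VPN    received Delete SA payload: replace IPSEC State #15841 in 10 seconds
11/19/2004 1    VPN    received Delete SA payload: deleting ISAKMP State #15840
11/19/2004 1    VPN    [Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet
11/19/2004 1    VPN    [Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet
11/19/2004 1    VPN    [Tunnel Negotiation Info] <<< Initiator Received Quick Mode 2nd packet
11/19/2004 1    VPN    [Tunnel Negotiation Info] Inbound SPI value = a69f937f
11/19/2004 1    VPN    [Tunnel Negotiation Info] Outbound SPI value = 2fbd318a
11/19/2004 1    VPN    [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
11/19/2004 1    VPN    Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x4fd8431e (
"""
# Line shape: "<date> <field> VPN <message>"; the second field is left opaque.
LINE_RE = re.compile(r"^(?P<date>\S+)\s+\S+\s+VPN\s+(?P<msg>.*)$")
EVENTS = [  # (label, pattern); first match wins
    ("delete_sa", re.compile(r"received Delete SA payload")),
    ("qm1_sent", re.compile(r"Initiator send Quick Mode 1st packet")),
    ("qm2_received", re.compile(r"Initiator Received Quick Mode 2nd packet")),
    ("spi", re.compile(r"(?:Inbound|Outbound) SPI value = (?P<spi>[0-9a-f]+)")),
    ("phase2_up", re.compile(r"Phase 2 SA Established")),
    ("dup_msgid", re.compile(r"previously used Message ID (?P<mid>0x[0-9a-f]+)")),
]
def parse(log):
    """Yield (label, match) for every recognised VPN log line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for label, rx in EVENTS:
            em = rx.search(m["msg"])
            if em:
                yield label, em
                break

def summarize(log):
    """Counts per event plus the facts worth correlating with the periodic drop."""
    counts, spis, msgids, retransmits, unanswered = Counter(), [], [], 0, 0
    for label, em in parse(log):
        counts[label] += 1
        if label == "spi":
            spis.append(em["spi"])            # new child SA identifiers after the rekey
        elif label == "dup_msgid":
            msgids.append(em["mid"])          # Message ID the peer refused to reuse
        elif label == "qm1_sent":
            unanswered += 1                   # QM1 sent again before any QM2 arrived
            retransmits += int(unanswered > 1)
        elif label == "qm2_received":
            unanswered = 0
    return {"counts": dict(counts), "spis": spis, "dup_msgids": msgids, "qm1_retransmits": retransmits}
```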
 

ddrueding
^bump

Any suggestions? I've been searching Google, and found a lot of people with different hardware and the same problem...just no answers.
 