VPN behind Router

forkedt

I upgraded from a Linksys WRT54G to a Linksys WRT400N, now I cannot VPN through to work. The UDP connection works far enough to request the password but cannot verify it, the TCP connection won't even connect. Does anyone know what may be wrong? All VPN Passthrough options are enabled...

Thanks!
 
Latest firmware on the new one?
What make/model modem is in front of it?
Try manually setting the MTU on the new 400n....1500 if cable or bridged DSL, 1492 if PPPoE DSL.
 
The modem is a Motorola Surfboard SB5101.
Comcast provides the service, but I own the box if it makes a difference.
Firmware is what came with it (however I did check their site, and it matched the firmware there - they only have 1 firmware available (original release) at this time).
 
Have you checked for VPN passthrough on the modem? If so, check your logs, I bet UDP 500 is being blocked.

You're not using a Linksys router with a Dell wireless laptop, are you?
 
I have passthrough enabled, I tried setting port forwarding on 500 as enabled for TCP, but it still blocked it, I'll try UDP tonight. I'm not sure if it's a Dell wireless card or not (I'll check tonight as well). If it is, am I SOL or do I just need to take some extra steps?
 
Shouldn't have to do anything..
Port forwarding is only for allowing uninitiated traffic from the untrusted side (the internet) into your network to the LAN IP address it's forwarded to. Like if you're running a mail server or a web server or a game server.

VPN traffic initiated from any node inside/behind the router will be allowed back in...SPI.

What type of VPN are you using? Client software or just Windows native?
 
Client software, it's of a sensitive nature so I'm not allowed a lot of access or information (and likewise can't disclose much either). My biggest confusion is why it seems to work with my old WRT54G but not the new 400N, some default must have changed between the models or I missed a setting in the new one but I can't seem to figure it out. (Though I think the 400N is an Atheros and the 54g is a Broadcom chip but I don't see why that should make a difference)
 
There's only so many VPN clients out there....nothing top secret about mentioning which one you use.

I've seen quite a few instances where a router will be incompatible with certain IPSec VPN client software...sometimes it's just a matter of updating the firmware (which you cannot in this case..but newer firmware releases usually have some bugfixes).

Other times doing a factory hard reset on the router will clear the baffles....and it will start working.

Other times...sometimes due to some bug in the firmware...the SPI firewall may disagree with it...so try logging into it and turning off the additional SPI firewall. Don't worry...the NAT hardware firewall will still be protecting you. SPI on home grade routers is really quite useless and very very limited in abilities...no harm in turning it off.

And did you try manually setting the MTU on the router? Sometimes that "auto" setting doesn't work very well.
 
I'm not sure if it's a Dell wireless card or not (I'll check tonight as well). If it is, am I SOL or do I just need to take some extra steps?

Wireless cards in Dell laptops have a plague of issues with VPN over wireless to Linksys routers.

Normally enabling MMC in QOS will resolve it, or just plug the darn thing in lol
 
If you are using the Microsoft Small Biz server or other Windows Server based VPN you will need to open up TCP 1723.
 
If you are using the Microsoft Small Biz server or other Windows Server based VPN you will need to open up TCP 1723.

PPTP VPN is done by more than Windows Servers..many VPN appliances, VPN capable routers, *nix routers, etc.

If he's hosting the VPN server behind this router, yes need to open/forward port 1723...as well as allow IP type 47 GRE to pass through. But if he's connecting to a VPN server across the internet...and he's going out through this router at home...there is no port forwarding that needs to be done. Port forwarding is only for allowing unknown/untrusted traffic from the internet to flow into your network unchecked.
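
The distinction drawn in this thread (replies to VPN traffic started from inside need no port forward, a hosted PPTP server needs TCP 1723 plus GRE, and GRE depends on passthrough because it has no ports) can be shown with a toy connection-tracking model. This is an added example, not posted by anyone in the thread; the `HomeRouter` class, its fields and all IP addresses are constructed for illustration and do not model any specific Linksys firmware.

```python
from dataclasses import dataclass, field

UDP, TCP, GRE = 17, 6, 47          # IP protocol numbers; GRE carries no ports

@dataclass
class HomeRouter:
    """Toy NAT router with connection tracking (constructed model, not real firmware)."""
    forwards: dict = field(default_factory=dict)   # (proto, wan_dst_port) -> LAN IP
    gre_passthrough: bool = True
    flows: dict = field(default_factory=dict)      # (proto, remote_ip, remote_port) -> LAN IP

    def outbound(self, lan_ip, proto, remote_ip, remote_port=None):
        """A LAN host starts a flow; the router records it so replies can return."""
        if proto == GRE and not self.gre_passthrough:
            return False                           # router cannot track port-less GRE
        self.flows[(proto, remote_ip, remote_port)] = lan_ip
        return True

    def inbound(self, proto, remote_ip, src_port=None, dst_port=None):
        """Return the LAN IP an inbound packet reaches, or None if it is dropped."""
        reply_to = self.flows.get((proto, remote_ip, src_port))
        if reply_to:
            return reply_to                        # reply to a flow started inside
        return self.forwards.get((proto, dst_port))  # unsolicited: needs a forward

def scenarios():
    # Constructed sample addresses (documentation ranges and a private LAN)
    vpn, client, server = "203.0.113.10", "192.168.1.100", "192.168.1.10"
    out = {}

    home = HomeRouter()                            # no port forwards at all
    out["unsolicited_udp500"] = home.inbound(UDP, vpn, 500, 500)
    home.outbound(client, UDP, vpn, 500)           # IPsec client starts IKE
    out["ike_reply"] = home.inbound(UDP, vpn, 500, 500)
    home.outbound(client, TCP, vpn, 1723)          # PPTP control channel
    home.outbound(client, GRE, vpn)                # PPTP data channel
    out["pptp_gre_reply"] = home.inbound(GRE, vpn)

    broken = HomeRouter(gre_passthrough=False)     # passthrough off or buggy
    broken.outbound(client, TCP, vpn, 1723)
    broken.outbound(client, GRE, vpn)
    out["gre_reply_no_passthrough"] = broken.inbound(GRE, vpn)

    hosting = HomeRouter(forwards={(TCP, 1723): server, (GRE, None): server})
    out["hosted_pptp_control"] = hosting.inbound(TCP, "198.51.100.7", 40000, 1723)
    out["hosted_pptp_gre"] = hosting.inbound(GRE, "198.51.100.7")
    return out

if __name__ == "__main__":
    for name, delivered_to in scenarios().items():
        print(f"{name:26} -> {delivered_to}")
```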
 