
jmpage2

join:2005-02-24
Littleton, CO

Trouble getting Greenbow VPN Client working with RV042

Hi there folks, I'm hoping someone can assist with this as I've sort of run out of steam on this one.

I just set up the network at my wife's new office and one of the things she wanted was a VPN connection.

I purchased an RV042 (my first mistake) and updated it to the latest version. Got a static IP from Comcast. Set up the VPN Tunnel on the RV042 per the Greenbow documentation.

I can connect with TheGreenbow VPN client and get the tunnel built. I can ping on the remote network and can get out on the Internet (I'm posting this with the VPN tunnel being described).

However, I am having absolutely no success in getting other types of connections to other servers on the network to work. For example, I can't get WINS or Netbios to resolve the names of the remote machines, can't get UNC path names to work (even with the STATIC IP of the remote server), and I can't get Windows Remote Desktop to work.

What am I missing that I need to do to get Netbios and other services working through the VPN tunnel? This is very frustrating!

I should point out that I am trying to get this working with The Greenbow since I had no success getting Quick VPN client to work after investing many many hours on that product.

Am I wasting time with this? I've got a lot of general network experience but very little VPN experience and obviously this is a budget choice. Would I be better off tossing the RV042 and getting a Zyxel or other VPN going?

Thanks.

jimbopalmer
Tsar of all the Rushers

join:2008-06-02
Greenwood, MS
·Windjammer Cable

I have used (and am happy with) the RV042 in router to router IPSEC VPN use. However, it links TCP/IP traffic, not NetBIOS. (NetBIOS is unroutable.) So you must use IP addresses:
instead of \\HomePC\mystuff\ you need to use \\192.168.1.100\mystuff\, as an example.

I have not used it in Router to Client use although one of my tech support vendors uses PPTP VPNs into our RV042 and our setup was painless. No idea what his end looked like.
--
I tried to remain child-like, all I achieved was childish.

jmpage2

join:2005-02-24
Littleton, CO

Well, I have found that I can access some network resources by IP as you indicate, but not others. One problem is that I need remote desktop to function since I use it to start and stop services on the primary server, but I have had no luck getting remote desktop to work via the IP address of the server. Is there a WAN/LAN/Firewall rule I have to set up on the RV042 to pass this traffic out the VPN?

Lastly, I have set up exactly the same Greenbow configuration on my wife's Vista laptop and it won't get through Phase-2. My XP laptop with identical Greenbow configuration gets through Phase-1 and Phase-2 no problem and the tunnel is established. I've tried turning the firewall off on the Vista box, disabling the virus/packet scanning software, etc, and it still won't work.

jimbopalmer
Tsar of all the Rushers

join:2008-06-02
Greenwood, MS
·Windjammer Cable

reply to jmpage2
I am not familiar with Remote Desktop, I use VNC, as it is not platform specific, but you do not need to forward ports over the VPN using 'local' IPs, only if you are using 'real' IP addresses.
--
I tried to remain child-like, all I achieved was childish.

jmpage2

join:2005-02-24
Littleton, CO
reply to jmpage2
Thanks for the comments. I am hopeful that someone who has set this up and has it working will be able to give me some guidance before the RV042 winds up in the trash.

jimbopalmer
Tsar of all the Rushers

join:2008-06-02
Greenwood, MS
reply to jmpage2
Put it in the mail to me! I am using 8 of them, router to router. flemington at cableone dot net
--
I tried to remain child-like, all I achieved was childish.

jmpage2

join:2005-02-24
Littleton, CO

reply to jmpage2
Well "put it in the trash" is probably a bit of an exaggeration. I'm just completely flabbergasted that it's so involved to set up one simple client based IPSEC VPN client to this stupid RV042.

I've actually gotten the tunnel to work finally on the RV042 to my wife's PC.

The following things don't work though:

1. Remote Desktop to PCs on the remote network.
2. UNC pathname shares (even using the IP address).

If I can get these two things to work I think I'll be okay with it. I don't mind putting a few LMHOSTS entries in for her couple of Windows boxes.

One of the challenges is I expect that the RV042 needs to be set up to allow traffic out the VPN interface, but I can see no policy to set this up.

Also, I probably need to give a blanket "allow" on the remote servers to access the subnet that the VPN user appears on, but the problem is I can't figure out what IP address the VPN tunnel shows up on as there is no log of it anywhere!

jimbopalmer
Tsar of all the Rushers

join:2008-06-02
Greenwood, MS
·Windjammer Cable


I am going to talk about how router to router IPSEC VPNs work as they are what I know best, and touch on Router to client PPTP as I see the router side of that. Neither is exactly what you want to do.

In a router to router VPN, the goal is to make no changes on the computers, either the servers or clients.

The computer has a subnet mask and an IP Address, often 255.255.255.0 and 192.168.X.Y. X is different at the other end of the VPN. For other addresses in the same X, the router is not involved. If the destination is outside the subnet, the router gets involved.

A VPN adds a second chance to be local, so the destination is compared to the VPN's subnet first, before going to the 'real' routing table. I set my subnet mask there to be 255.255.0.0 and the subnet to be 192.168.0.0, so all 192.168.Z.Z addresses are VPNed, not routed. (This does not affect the local traffic as they never went to the router in the first place.)

Finally if the address is outside my VPN range it is routed to the internet at large. (I print screened this in the next message)

With PPTP clients, it is handled differently, they are assigned 4 addresses inside my Subnet. (I print screened this as well, 2 messages down)
--
I tried to remain child-like, all I achieved was childish.
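
The lookup order described in the post above (local subnet, then the VPN's subnet, then the ordinary routing table), as an added example that is not part of the original thread. The post gives only 192.168.X.Y, so X = 1 for this site and X = 2 for the far end are assumptions, as are the sample destinations; the broadcast case is included to show why broadcast name lookups never enter the tunnel.

```python
import ipaddress

# Assumed values: the post only gives 192.168.X.Y, so X = 1 for this site
# and X = 2 for the far end of the tunnel are illustrative.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/255.255.255.0")
# VPN selector from the post: subnet 192.168.0.0, mask 255.255.0.0.
VPN_NET = ipaddress.ip_network("192.168.0.0/255.255.0.0")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def path_for(dst: str) -> str:
    """Return which path a packet to dst takes: the order is local subnet,
    then the VPN's subnet, then the ordinary routing table."""
    addr = ipaddress.ip_address(dst)
    # Broadcasts are delivered on the local segment only; no router or
    # tunnel forwards them, which is why broadcast name lookups stop here.
    if addr in (LIMITED_BROADCAST, LOCAL_NET.broadcast_address):
        return "local segment only (broadcast)"
    if addr in LOCAL_NET:
        return "local segment (router not involved)"
    if addr in VPN_NET:
        return "VPN tunnel"
    return "internet (normal routing table)"


# Constructed sample destinations.
SAMPLES = [
    "192.168.1.100",    # host on the same subnet
    "192.168.2.10",     # host at the other end of the tunnel
    "192.168.1.255",    # directed broadcast, e.g. a NetBIOS name query
    "255.255.255.255",  # limited broadcast
    "203.0.113.7",      # anything outside 192.168.0.0/16
]

if __name__ == "__main__":
    for dst in SAMPLES:
        print(f"{dst:16} -> {path_for(dst)}")
```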

jimbopalmer
Tsar of all the Rushers

join:2008-06-02
Greenwood, MS
·Windjammer Cable

 
I blotted out my 'internet' IP addresses

jimbopalmer
Tsar of all the Rushers

join:2008-06-02
Greenwood, MS
·Windjammer Cable

I blotted out user names

jmpage2

join:2005-02-24
Littleton, CO
reply to jmpage2
That's great. If someone who is doing client side IPSEC could respond it would really be helpful.

I have no interest in setting up a site to site VPN between my home and her office.

mmcm888

join:2009-03-09

You can avoid all the grief with hardware by using a hosted VPN service such as www.accessmylan.com. Full network access from the remote PC using the provided IpSec client. There is a free trial.

mo.

jmpage2

join:2005-02-24
Littleton, CO

Well, as I would need a 2 user license, the software solution that you linked would cost us about $50 per month. At that price I can buy an amazing hardware solution, including full blown VPN routers for both the home and office, or, alternatively I could buy an SSL VPN appliance with a 2 user license for what one year of software would cost.

I appreciate the link and information but it seems like a horribly expensive alternative, especially when you tally up how much it will cost over a 3 year period of time.

jmmilner

join:2001-11-20
Yorkville, IL

I've been down the same road with a RV016, which Linksys/Cisco positions as the big brother of the RV042. I had the same difficulty with QuickVPN client (hardly a "Business Series" product in my book). After posting recently in this forum I was able to get the QuickVPN client to work. You might want to review this thread: "Client that actually works with RV016?"

jmpage2

join:2005-02-24
Littleton, CO

reply to jmpage2
Thanks for taking the time to respond. In the thread you linked you were going to "try some things" and update the thread but never did respond back and indicate what, if anything, ultimately resolved the issue and what your exact final config was that got things to work.

At this point when I try to get Quick VPN going the client connects, gets through some initial authentication and then winds up at a screen asking if you want to wait longer as the remote network is not responding. It never gets past this stage and I have tried it on two different client boxes.

I'm not sure if Quick VPN will suit me either since one of the boxes I would want to use to access the network in question has a different VPN client loaded on it and from what I read Quick VPN will never work if any other client has EVER been loaded on the target client machine.

If you have some further input I would still like to hear it. At the moment using The Green Bow I can get connected but can't get remote desktop traffic and some other things to pass from the remote subnet to the client.

I am tempted to dump the RV042 at this point and even though it's quite a bit more expensive, get the ZyXel USG100 as it offers full web based SSL VPN connectivity. I imagine that this would work; it's just too bad that it's so pricey.

jmmilner

join:2001-11-20
Yorkville, IL

QuickVPN does indeed strongly dislike co-existing with any other VPN client. It is however based on OpenSSL which may be why it trips up with other VPN implementations using the same base.

One odd thing I have seen with QuickVPN is that it sometimes sticks at the "Verifying Connection" screen but it is actually connected. To check this out, you can use a DOS box to ping a known IP address on the remote LAN. If you get a response, you are connected. At that point I open Firefox and am able to access the web-based GUIs of the network elements.

Point well-taken on my need to update the other thread. If I don't get over to the site this weekend, I'll be there Wednesday for my scheduled visit.

Did you ever add firewall rules to allow traffic between your home subnet (e.g. 192.168.X.Y/24) and your wife's office subnet (e.g. 10.0.A.B/24)? On the RV016 this is done under the "Firewall"/"Access Rules" tab:

HTTP [80] WAN1 192.168.X.0 ~ 192.168.X.255 10.0.A.0 ~ 10.0.A.255 Always
HTTP [80] LAN 10.0.A.0 ~ 10.0.A.255 192.168.X.0 ~ 192.168.X.255 Always

As for dumping the RV042, I'd consider it if business conditions allow. My RV016 customer is struggling just to stay in business these days so we either make it work or do without. When better times return I'll be considering other vendors as Linksys by Cisco doesn't really cut it for a single-vendor basic VPN small business solution.

jmpage2

join:2005-02-24
Littleton, CO

reply to jmpage2
Well, I can try and see if Quick VPN is actually connected at the time I get the error dialogue that indicates that there is a network problem and it is still trying to connect.

However, this seems problematic to tell a user that they will get annoying pop up error dialogue boxes that they should simply ignore.

In troubleshooting my problems with certain services for The Greenbow I have completely turned off the firewall on the RV042, and it still has not resolved the problems that I have had with getting file sharing and remote desktop to work correctly.

I suppose that it's possible that turning off the Firewall completely somehow inhibits traffic flow but this seems counter intuitive to me.

jmmilner

join:2001-11-20
Yorkville, IL

I agree that QuickVPN's behavior isn't sometimes pretty but wanted to be sure you knew you could at least still press on with your testing before everything was working smoothly. I use it for remote support of client networks themselves rather than access to the normal business functions of the clients, so I put up with the silly bits so I can do much of my work remotely.

Does the RV042 allow you to log both "allow" and "deny" policies? On the RV016 this is controlled on the "Log"/"System Log" menu. This may help you see what packets are getting passed and blocked by the RV042. You may also, based on the RV016's behavior, be able to create explicit firewall rules that force logging of packets to specific port numbers (e.g. 3389 for Remote Desktop). Another possible issue is the firewall on the target PC inside your wife's LAN - it may be blocking ports, especially if the firewall settings have been adjusted after Remote Desktop was set up. You can set Windows up to log its firewall activities - see the Microsoft KB for OS version-specific details. If all else fails, check out Wireshark to watch the packet traffic in detail.
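
A small TCP check that complements the logging suggested in the post above, as an added example that is not part of the original thread: a successful ping only shows that ICMP crosses the tunnel, while how a TCP connection attempt ends hints at where the traffic stops. Port 3389 comes from the post; 445 and 139 are the standard Windows file-sharing ports, and the target address is a placeholder.

```python
import socket

# 3389 (Remote Desktop) is the port named in the post. 445 (SMB) and 139
# (NetBIOS session) are the standard Windows file-sharing ports, added here.
PORTS = {"remote-desktop": 3389, "smb": 445, "netbios-ssn": 139}

MEANING = {
    "open": "handshake completed: the path and firewalls pass this port",
    "refused": "a reset came back: packets arrive, but nothing listens there "
               "or a firewall actively rejects",
    "timeout": "no reply at all: dropped by a router rule or host firewall, "
               "or the reply has no route back to the VPN client",
    "unreachable": "the local stack or a router reported no route to the host",
}


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt one TCP connection and classify how it ended."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"
    finally:
        sock.close()


def report(host: str, timeout: float = 3.0) -> dict:
    """Probe every port in PORTS on host and return {name: result}."""
    return {name: probe(host, port, timeout) for name, port in PORTS.items()}


if __name__ == "__main__":
    # Placeholder address (the example IP used earlier in the thread);
    # replace with a server on the remote LAN.
    for name, result in report("192.168.1.100").items():
        print(f"{name:15} {result:12} {MEANING[result]}")
```

Run it once from a machine on the office LAN and once through the tunnel: a port that is open locally but times out over the VPN points at the router rules, the host firewall's scope, or the return route rather than at the service.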

jmpage2

join:2005-02-24
Littleton, CO

I tried Quick VPN again and still no success, even with a rule in the Firewall that was to explicitly allow all traffic from my home lan segment to the remote office lan.

I do agree that at this point logging and sniffing are the next things that will need to be attempted to sort this out.

Unfortunately I don't know if I am going to invest the many hours this will take and I don't have a feeling that this will necessarily even result in a system that is working the way I want.

I bought this router a year ago in spite of some of the negative reviews. I have a fair amount of experience working on networks and simply assumed that the naysayers were missing obvious steps and so on.

It turns out that in fact I should have considered a better router from the start. Ever since Cisco acquired Linksys the support has gotten steadily worse.

In any event, thanks for your help. I will have to decide if it is worth my time to continue investigating this problem or if I would actually be better off instead to replace this RV042 with something better supported for client based VPN, either IPSEC or SSL.

jmmilner

join:2001-11-20
Yorkville, IL

said by jmpage2:

"Ever since Cisco acquired Linksys the support has gotten steadily worse."

Sad but very true. Linksys was once a good brand at a fair price. Cisco appears to have purchased it on the assumption they could migrate Linksys customers to the heavy iron that Cisco makes and that customers would pay the premium price. Rebranding the Linksys Small Business while cutting support and firmware upgrades may have worked for the bean counters but they've lost my confidence.

Good luck.
over 10 years online! © 1999-2009 dslreports.com.