Router Setup and VPN

[Tienie]

I am not sure if this is the correct place for this thread. But lets give it a shot. I need some help. At one of my client sites, the were running their internet on small Mecer router, but this connected to a Linksys WRT54GL. The linksys was loaded with the latest DD-WRT firmware.

The linksys started giving problems with connectivity loss etc. So they decided to put in a new router. They installed the new Netgear DGND4000 dual band adsl router. Which by the way is an excellent router. In the mean time I re-setted the linksys and loaded the new DD-WRT firmware on a gain, and I am running tests on it.

The internet is working 100% now with the new netgear router, but they also want VPN access to the office network. Now I am struggling to setup the VPN on the new netgear router, it does not seem to be as intuitive as setting up VPN on the DD-WRT firmware, and according to the netgear documentation this router can only take 5 vpn users? Not 100% sure about that.

Now what I want to try and do is leave the netgear router as the gateway of the network for internet access, but somehow connect the linksys on the network just for VPN purposes? I am new to this so please bare with me.

I linked the linksys router to the switch with a IP ending with 251. The netgear which is the gateway is 250. All the existing VPN settings are still on the linksys router. I then setup the Dynamic DNS on the new router to update the IP from the service provider. I then forwarded a VPN port from the netgear to the IP of the linksys. (I do not have a clue if I am even on the right track here) This did not work, so I tried to link the netgear to the linksys via the WAN port on the linksys. Still no luck.

So I have two options now, try to get VPN running on the new netgear, but I suspect it wont be the same as with the DD-WRT firmware on the linksys.

The other option, and I would like an opinion about this, they have a server running Windows server 2008 R2. And I know VPN can be set up on the OS as a radius server, I have however never done this before.

The ideal will be that VPN access will happen via the native windows 7 vpn setup. Any help will be appreciated. Thank you

(Just a note, I can access the router from outside, so the dynamic dns must be working. I forwarded the RDP port (3389) to the server IP, and by using the DynDNS.org name I created I can remote desktop to the server)

 

[jdabbs]

Netgear VPN: If you post screenshots of the VPN config page on the modem and client, I'll point out any oversights I catch.

Linksys VPN:

In order for devices to communicate over the VPN, they need to use the Linksys router as the gateway (or have a static route in place, which is not feasible for remote access traffic). This means the network would be DGND4000<>Linksys<>Clients. Since the Linksys is unreliable, this is not a good solution. If only a handful of devices will be accessed by VPN users, you could put just them behind the WRT54GL, but then they'll be cut off every time the WRT54GL goes down. Don't do it.

 

[Tienie]

Thanks for the reply Jdabbs.. You are 100% correct, I do not want to put the netgear infront of the linksys, due to the problems they experienced. Since the netgear is in, the internet connection is 100%.

But like I said, it should be fine for VPN. but like you said, by not making it the gateway I cannot really use it for VPN to the network then. I am attaching two screen shots, the one is just the Dynamic DNS, I think this is working correctly, because I forwarded port 3389 ( For remote destop) and by using that DynDNS name I can remote desktop to the server.

The second screen shot is the VPN. I am used to the VPN setup on the DD-WRT firmware which is quite simple. But with these settings I am lost.

For the VPN client, by using the windows native VPN client previously, you just enter the dyndns address as the connection, and then the active directory username and password. and the VPN connection is established.

With these settings, I am not sure how to setup the windows VPN connection?

Thanks again for the help.

Regards

 

[jdabbs]

Port forwarding can be accomplished independently of the VPN's operational status.

I removed a screenshot as your VPN preshared key was in plaintext. It may not have been your actual PSK, but better safe than sorry.

This is a remote access VPN, correct? If so, you need to change how the VPN is set up on the Netgear router.

Local LAN>Subnet Mask needs to be input.
Remote LAN>IP Address needs to be "Single PC - No Subnet"


I've never actually used the Windows 7 VPN client, so when I created a test connection today, I was surprised at how few ISAKMP/IKE settings were available. The PSK option is not selected by default, so you will have to add the key to a VPN profile.

 

[Tienie]

Thank you JDabbs

Yes, I did not realize the key is showing, thank you.
Yes it is for remote access VPN. Meaning that the client can use his / her internet at home or while traveling to make a VPN connection, and then they can either RDP to their desktops at work, or browse to the server or NAS to access documents.

Thus it is not just a single PC that connects. it can be more than one. They probably have about 5 people that wants VPN access to the office network.

Like I mentioned, I only know the Windows 7 VPN connection. Can you suggest a different app for establishing the VPN connection, that is preferable freeware?

I will try the settings as you mentioned, thank you for the help

 

[jdabbs]

Thank you JDabbs

Yes, I did not realize the key is showing, thank you.
Yes it is for remote access VPN. Meaning that the client can use his / her internet at home or while traveling to make a VPN connection, and then they can either RDP to their desktops at work, or browse to the server or NAS to access documents.

Thus it is not just a single PC that connects. it can be more than one. They probably have about 5 people that wants VPN access to the office network.

For remote access, each client would establish their own tunnel. Specifying a remote network is for site-to-site VPNs that have a network behind them.

You may also want to consider identifying the network by IP rather than domain at first. When troubleshooting, you want to eliminate as many variables as possible. For this reason, you should stick with the Windows 7 VPN client as you have already confirmed it worked with the Linksys router.

Getting insight into what is going on is also important. The natural instinct is to start by changing settings, as often a setting mismatch is the cause of the problem. This is a short-sighted approach--a log may tell you that the VPN tunnel failed to generate; this may not seem helpful since you already knew it failed, but if it failed during Phase 2, you've just pared down the potential list of causes by quite a bit.

 

[Tienie]

Thank you for your help and advice JDabbs. After struggling yesterday with the settings on the Netgear, I went another route.

I used Windows server 2008, and created a VPN radius server and forwarded the VPN port. After some tweaking I could successfully connect to the VPN using the windows 7 VPN client.