L2TP/IPSec remote user connection

mcpierce:
Before I purchased our DSR-250N, I asked what client software I would need for remote users to VPN into the router.  I was told the Windows built-in client would work, and was directed to the following Windows 7 setup instructions.  Perfect!
  http://www.dlink.com/us/en/support/faqs/firewall/dfl-series/how-do-i-configure-my-windows-vista-windows-7-computer-to-connect-to-a-l2tp-over-ipsec-tunnel-on-my

Now that I have the router, I can't get it to work.  >:(  Has ANYBODY established a successful Windows 7 L2TP over IPSec connection with the DSR series using a PSK???

I have tried to gather some information from this document, but it is for a different router GUI, and some of the critical images are missing (are you there D-Link support?):
http://www.dlink.com/us/en/support/faqs/firewall/dfl-series/dfl-1600/how-do-i-add-a-l2tp-over-ipsec-server-using-psk-and-local-user-authentication

I've tried talking to support twice (about 2 hours total time), but they weren't able to help.  One rep escalated the issue, but I never received the Level 2 call that was promised.  The other rep just told me it couldn't be done, and said I should use PPTP. (We couldn't get PPTP to work either.)

I do see activity in the VPN logs, and can get past Phase 1 IKE negotiation, but it won't go past Phase 2.  So I really suspect I am just not setting the correct IPSec parameters to successfully connect to a Windows 7 client.  As far as I know, the provider's firewall is passing everything right now.

So I'd really like to see what others have set for all the IPSec parameters.  Any help is appreciated!

FurryNutz:
Welcome!
What Hardware version is your router? Look at sticker under router.
What Firmware version is currently loaded? Found on router's web page under status.
What region are you located?

What ISP Service do you have? Cable or DSL?
What ISP Modem do you have? Stand Alone or built in router?
What ISP Modem make and model do you have?

mcpierce:
The router is Hardware Version: A1  Firmware Version: 1.05B20_WW
It's the only firmware version available.

The router is in Dallas, TX.  The building we are leasing from provides internet access via CAT5.  We have a static IP with them, and we also have a static external IP.  For now the NAT translation is direct - everything is forwarded to/from internal to external IP.  I don't know if the building is using DSL or T1.

Depending on the settings I have in the DSR-250N, I either see Error 789 or Error 807 in Windows.  Anything else to help diagnose the problem?

FurryNutz:
I will be interested in seeing what the public IP says when he goes to whatismyip.com from a computer behind the DSR and compare to the public IP seen in the WAN configuration of the unit...

I've been told that Error 789 could be any of these:

- L2TP based VPN client (or VPN server) is behind NAT. (I think this is his problem)

- Wrong certificate or pre-shared key is set on the VPN server or client

- Machine certificate or trusted root machine certificate is not present on the VPN server.

- Machine Certificate on VPN Server does not have 'Server Authentication' as the EKU

Error 807 usually indicates a firewall blocking the traffic. If this is seen at the client side of the VPN, it could be any local firewall software, like the Windows firewall or AVG antivirus or any other security utility. Are you running any of these programs?

"VPN configurations are cut really clear... They require a WAN port that is truly connected to the internet via a direct modem connection... that public routable IP must be set on the WAN port. VPN and NAT are not friends... even with NAT Traversal features... which allow the server to accept connections from clients that are behind NAT gateways, some servers struggle maintaining a connection through NAT."

Let us know...

mcpierce:
FN,

Thanks for the ideas to consider.  Here are my responses:

- I had wondered about the IP issue.  The client is attempting to contact 12.133.x.x, but the DSR-250N has a WAN IP of 10.1.x.x because it is connected to another network switch.  Does that mean it will never work?

- Yes, the server is behind NAT, with everything forwarded.  That's what the NAT-T setting (on both server and client) is for, right?  The client is not behind NAT.

- I verified the PSK.  I don't have any certificates.

- I did set it to use ESP, not SA.  I had tried SA in the past but some other settings were different.  So this is something to try again.

- I did try without any firewalls, but that didn't change anything.

So I guess the concern is: can we ever have clients connecting over VPN if the WAN IP on the VPN server is not the same as the external (inbound) static IP (i.e. when we are using NAT)?

BUT, unfortunately this is all moot now, since the DSR-250N fried this afternoon.  It's the second one in two weeks to do that, so it's going back to be replaced by something else.  We'll still want to use VPN, so I have definitely learned a lot that I can try in the future.  But it will be with different hardware.

Please do let me know if you think VPN won't be possible with our current setup (through another network).  But for now I'll consider this case closed because I can't test anything else.

Thanks!
-M
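
The check FurryNutz suggests above (compare the public address seen from behind the router with the address configured on the WAN port), as an added example that is not part of the original thread. The function name and the sample addresses are constructed; the thread's own addresses are partly elided and are not used.

```python
import ipaddress

# Ranges that are not reachable from the Internet without NAT in front.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "100.64.0.0/10",                                   # RFC 6598 carrier-grade NAT
)]

# What the upstream NAT device has to pass to an L2TP/IPsec server behind it.
# With NAT-T, ESP and the L2TP session (UDP 1701) ride inside UDP 4500.
NAT_FORWARDS = [("udp", 500, "IKE"), ("udp", 4500, "IPsec NAT-T")]


def check_server_nat(wan_ip, observed_public_ip, client_target_ip):
    """Compare the three addresses and report whether the VPN server is NATed."""
    wan = ipaddress.ip_address(wan_ip)
    public = ipaddress.ip_address(observed_public_ip)
    target = ipaddress.ip_address(client_target_ip)

    findings = []
    behind_nat = wan != public
    if behind_nat:
        findings.append(f"WAN port has {wan} but the Internet sees {public}: "
                        "server is behind NAT")
    if any(wan in net for net in NON_ROUTABLE):
        findings.append(f"{wan} is non-routable; clients cannot reach it directly")
        behind_nat = True
    if target != public:
        findings.append(f"client dials {target} but the site egresses from "
                        f"{public}; confirm the inbound NAT mapping")

    return {
        "behind_nat": behind_nat,
        "nat_t_required": behind_nat,  # both ends must negotiate NAT-T
        "forwards_needed": NAT_FORWARDS if behind_nat else [],
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample: private WAN address behind a static public address.
    report = check_server_nat("10.1.0.5", "203.0.113.10", "203.0.113.10")
    for line in report["findings"]:
        print("-", line)
    for proto, port, role in report["forwards_needed"]:
        print(f"  forward {proto}/{port} ({role}) to the VPN server")
```
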
