VPN Passthrough

sebus05
Posts: 29
Joined: Sat Aug 24, 2013 6:46 pm

Re: VPN Passthrough

Post by sebus05 »

With this firmware I can NO longer connect from iDevice (iPad/iPhone iOS 8.1.1) from internal network using iOS built-in Cisco client to iPSec server

Error is either

DHCP assigned wireless IP = "VPN Server did not respond"

or

Static wireless IP = "The VPN Shared Secret is incorrect"

Both messages are rubbish, as I can connect to this server from either Windows or Mac iPSec client or from iDevices using data network

Basically unusable
Even made rule for UDP 500/4500 to go out (so can see log):

I tested, l2tp (ipsec) connect from Mac Mountain Lion (works), then disconnect
Try to connect with iDevice (fails)
Try to connect with Windows l2tp (ipsec) which fails
Reboot router, connects with above Windows client which works


Mac l2tp - WORKING fine
Jan 24 18:18:46 daemon info kernel: PacketFilter: Forward SPT=500 DPT=500 LEN=508 UDP packet from [br0] 192.168.50.25:500 to xx.xx.xx.xx:500 
Jan 24 18:18:46 daemon info kernel: PacketFilter: Forward SPT=500 DPT=500 LEN=228 UDP packet from [br0] 192.168.50.25:500 to xx.xx.xx.xx:500 
Jan 24 18:18:46 daemon info kernel: PacketFilter: Forward SPT=4500 DPT=4500 LEN=104 UDP packet from [br0] 192.168.50.25:4500 to xx.xx.xx.xx:4500 

iDevice - fails to connect
Jan 24 18:21:47 daemon info kernel: PacketFilter: Forward SPT=500 DPT=500 LEN=771 UDP packet from [br0] 192.168.50.33:500 to xx.xx.xx.xx:500 
Jan 24 18:21:50 daemon info kernel: PacketFilter: Forward SPT=500 DPT=500 LEN=771 UDP packet from [br0] 192.168.50.33:500 to xx.xx.xx.xx:500 
Jan 24 18:21:53 daemon info kernel: PacketFilter: Forward SPT=500 DPT=500 LEN=771 UDP packet from [br0] 192.168.50.33:500 to xx.xx.xx.xx:500 
Jan 24 18:21:56 daemon info kernel: PacketFilter: Forward SPT=500 DPT=500 LEN=771 UDP packet from [br0] 192.168.50.33:500 to xx.xx.xx.xx:500 

Windows l2tp - straight after previous iDevice = fails, reboot router = WORKING
Jan 24 18:23:03 daemon info kernel: PacketFilter: Forward SPT=500 DPT=500 LEN=392 UDP packet from [br0] 192.168.50.98:500 to xx.xx.xx.xx:500 
Jan 24 18:23:04 daemon info kernel: PacketFilter: Forward SPT=500 DPT=500 LEN=392 UDP packet from [br0] 192.168.50.98:500 to xx.xx.xx.xx:500 
Jan 24 18:23:06 daemon info kernel: PacketFilter: Forward SPT=500 DPT=500 LEN=392 UDP packet from [br0] 192.168.50.98:500 to xx.xx.xx.xx:500 
Jan 24 18:23:10 daemon info kernel: PacketFilter: Forward SPT=500 DPT=500 LEN=392 UDP packet from [br0] 192.168.50.98:500 to xx.xx.xx.xx:500 

Jan 24 18:30:40 daemon info kernel: PacketFilter: Forward SPT=500 DPT=500 LEN=392 UDP packet from [br0] 192.168.50.98:500 to xx.xx.xx.xx:500 
Jan 24 18:30:40 daemon info kernel: PacketFilter: Forward SPT=500 DPT=500 LEN=268 UDP packet from [br0] 192.168.50.98:500 to xx.xx.xx.xx:500 
Jan 24 18:30:40 daemon info kernel: PacketFilter: Forward SPT=4500 DPT=4500 LEN=80 UDP packet from [br0] 192.168.50.98:4500 to xx.xx.xx.xx:4500 
So iDevice IPSec "destroys" router session after which NOTHING else can connect without router reboot

With previous firmware there were NONE of these problems, please fix it! as it was done for 8800 model - viewtopic.php?f=19&t=3391

sebus
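
Added example, not part of the original post or of the router firmware: a small triage script for logs in the format quoted above. It groups forwarded UDP 500/4500 packets per LAN client and flags attempts where the same-length IKE packet is only retransmitted on port 500 and never moves to 4500 (NAT-T). The sample rows are constructed to follow the three cases in the post; the function names and the 60-second gap are assumptions.

```python
import re
from collections import defaultdict

# Matches the PacketFilter lines in the router log format quoted in the post.
LINE = re.compile(r"(\d\d):(\d\d):(\d\d) .*?DPT=(\d+) LEN=(\d+) "
                  r"UDP packet from \[\w+\] ([\d.]+):")

def _row(ts, src, port, length):
    """Build one constructed log line in that format."""
    return (f"Jan 24 {ts} daemon info kernel: PacketFilter: Forward SPT={port} "
            f"DPT={port} LEN={length} UDP packet from [br0] {src}:{port} "
            f"to xx.xx.xx.xx:{port}")

# Constructed sample following the three cases in the post.
SAMPLE = "\n".join(_row(*r) for r in [
    ("18:18:46", "192.168.50.25", 500, 508), ("18:18:46", "192.168.50.25", 500, 228),
    ("18:18:46", "192.168.50.25", 4500, 104),
    ("18:21:47", "192.168.50.33", 500, 771), ("18:21:50", "192.168.50.33", 500, 771),
    ("18:21:53", "192.168.50.33", 500, 771),
    ("18:23:03", "192.168.50.98", 500, 392), ("18:23:04", "192.168.50.98", 500, 392),
    ("18:23:06", "192.168.50.98", 500, 392),
    ("18:30:40", "192.168.50.98", 500, 392), ("18:30:40", "192.168.50.98", 500, 268),
    ("18:30:40", "192.168.50.98", 4500, 80),
])

def attempts(text, gap=60):
    """Per client, split packets into attempts separated by more than `gap` seconds.
    Times are seconds since midnight, so a log spanning midnight is not handled."""
    by_src = defaultdict(list)
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a PacketFilter UDP line
        h, mi, s, dpt, length, src = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + int(s)
        runs = by_src[src]
        if not runs or t - runs[-1][-1][0] > gap:
            runs.append([])
        runs[-1].append((t, int(dpt), int(length)))
    return by_src

def classify(run, min_repeats=3):
    """Label one attempt from the outbound packets the router logged."""
    if any(dpt == 4500 for _, dpt, _ in run):
        return "floated-to-4500"   # negotiation progressed to NAT-T
    lens = [length for _, dpt, length in run if dpt == 500]
    if len(lens) >= min_repeats and len(set(lens)) == 1:
        return "stalled-on-500"    # identical first packet resent, no progress
    return "incomplete"

def report(text):
    return {src: [classify(r) for r in runs] for src, runs in attempts(text).items()}
```

The log only records outbound forwarded packets, so "stalled-on-500" means the client kept resending its first message; it does not show whether the reply was lost at the router or never sent.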
sebus05
Posts: 29
Joined: Sat Aug 24, 2013 6:46 pm

Re: VPN Passthrough

Post by sebus05 »

Firmware version 2.32d.dm12 that I had from Billion Support DOES fix the issue!

Thanks

sebus
Comedy79
Posts: 29
Joined: Sat Jan 31, 2015 1:00 pm

Re: VPN Passthrough

Post by Comedy79 »

So I think I have a similar problem to swampylee?
swampylee wrote:Hi, I've just raised a ticket for a similar sounding issue to the original poster. Just upgraded from a 7800n to a 7800dxl and since the upgrade my Cisco VPN client on Win 7 64bit refuses to connect to my corporate VPN. I'm able to ping the VPN IP address without a problem. Apparently the Cisco VPN software uses ipsec/UDP.
I have been using the 7800dxl for a year and a half and had been stable on the 2.32c firmware. But I recently noticed my speed was dropping off from 40/10 to 6/1 the past few days. I rebooted the router and modem and did all the other tests before ringing Sky to get them to send out an engineer to fix the problem, that's a separate battle and one that I won today... Engineer imminent within 72 hours!
We need to call you at home to run you through some tests sir, I just told you I have done that already, please test the line.... 25 mins later... ah yes sir, there appears to be a fault on your line and we will need to send an engineer.. Sigh, that's what I told you 25 mins ago..
Anyway, I noticed that there had been some slight adjustment to the firmware, so switched to the latest, originally 2.32d.dh2 but now 2.32d.dm12 as a result of reading this forum. Unfortunately unlike sebus05, it hasn't fixed my issue.

I am trying to sign into my corporate VPN, which was easy until the firmware update. It too is a Cisco system, "Cisco AnyConnect Security Mobile Client" to be exact. It keeps saying that "The VPN connection failed due to unsuccessful domain name resolution". IT support are at a loss at work and have checked my laptop, it and the VPN are working fine they say, so it must be the router?

I am going away for a few days and if nobody has any suggestions by the time I return, I guess I will have to raise a ticket?

Many thanks in advance

David
billion_fan
Posts: 5374
Joined: Tue Jul 19, 2011 4:30 pm

Re: VPN Passthrough

Post by billion_fan »

Comedy79 wrote:So I think I have a similar problem to swampylee?
swampylee wrote:Hi, I've just raised a ticket for a similar sounding issue to the original poster. Just upgraded from a 7800n to a 7800dxl and since the upgrade my Cisco VPN client on Win 7 64bit refuses to connect to my corporate VPN. I'm able to ping the VPN IP address without a problem. Apparently the Cisco VPN software uses ipsec/UDP.
I have been using the 7800dxl for a year and a half and had been stable on the 2.32c firmware. But I recently noticed my speed was dropping off from 40/10 to 6/1 the past few days. I rebooted the router and modem and did all the other tests before ringing Sky to get them to send out an engineer to fix the problem, that's a separate battle and one that I won today... Engineer imminent within 72 hours!
We need to call you at home to run you through some tests sir, I just told you I have done that already, please test the line.... 25 mins later... ah yes sir, there appears to be a fault on your line and we will need to send an engineer.. Sigh, that's what I told you 25 mins ago..
Anyway, I noticed that there had been some slight adjustment to the firmware, so switched to the latest, originally 2.32d.dh2 but now 2.32d.dm12 as a result of reading this forum. Unfortunately unlike sebus05, it hasn't fixed my issue.

I am trying to sign into my corporate VPN, which was easy until the firmware update. It too is a Cisco system, "Cisco AnyConnect Security Mobile Client" to be exact. It keeps saying that "The VPN connection failed due to unsuccessful domain name resolution". IT support are at a loss at work and have checked my laptop, it and the VPN are working fine they say, so it must be the router?

I am going away for a few days and if nobody has any suggestions by the time I return, I guess I will have to raise a ticket?

Many thanks in advance

David
Once on firmware dm12 you need to disable ALG >> IPSEC, found once logged into the router under 'Configuration >> NAT >> ALG' here disable 'IPSEC' and click on 'Apply' and then test your VPN client out again.
Comedy79
Posts: 29
Joined: Sat Jan 31, 2015 1:00 pm

Re: VPN Passthrough

Post by Comedy79 »

billion_fan wrote: Once on firmware dm12 you need to disable ALG >> IPSEC, found once logged into the router under 'Configuration >> NAT >> ALG' here disable 'IPSEC' and click on 'Apply' and then test your VPN client out again.
Brilliant I will try that upon my return and let you know how I get on.

Many thanks for the swift response.

Kind regards

David
Comedy79
Posts: 29
Joined: Sat Jan 31, 2015 1:00 pm

Re: VPN Passthrough

Post by Comedy79 »

Ok, so I am back and have tried your suggestion....

However, one small problem, 'IPSEC' is not an option? It only lists 'SIP' and 'H.323' as parameters? SIP is disabled and H.323 is enabled. I have tried varying them with no success, so I am at a bit of a loss as to what to do next?

EDIT - Ok, I now see the problem, I thought I had dm12, I have dm6 from the previous page and assumed it was dm12! It was late, I was tired... :oops:

Is the firmware for the 8800NL ok to use, I assume not, but thought I would ask? Or can you post the latest 7800DXL firmware version here please?

I see you posted the dm12 firmware in the 8800NL thread Cisco VPN passthrough for 'IPSec over UDP (NAT / PAT)'? But then I see mention of dh37, will we need the firmware "2.32d.dh37" that they are discussing in the 8800NL thread too, as it does look like an identical Cisco VPN issue there to the one I am facing?

Many thanks

David
billion_fan
Posts: 5374
Joined: Tue Jul 19, 2011 4:30 pm

Re: VPN Passthrough

Post by billion_fan »

Comedy79 wrote:Ok, so I am back and have tried your suggestion....

However, one small problem, 'IPSEC' is not an option? It only lists 'SIP' and 'H.323' as parameters? SIP is disabled and H.323 is enabled. I have tried varying them with no success, so I am at a bit of a loss as to what to do next?

EDIT - Ok, I now see the problem, I thought I had dm12, I have dm6 from the previous page and assumed it was dm12! It was late, I was tired... :oops:

Is the firmware for the 8800NL ok to use, I assume not, but thought I would ask? Or can you post the latest 7800DXL firmware version here please?

I see you posted the dm12 firmware in the 8800NL thread Cisco VPN passthrough for 'IPSec over UDP (NAT / PAT)'? But then I see mention of dh37, will we need the firmware "2.32d.dh37" that they are discussing in the 8800NL thread too, as it does look like an identical Cisco VPN issue there to the one I am facing?

Many thanks

David
Attached is dm12, which has the fix for IPSEC passthrough (you will need to disable ALG >> IPSEC once on this firmware), and this will allow your cisco IPsec client to connect (already tested by others)
Comedy79
Posts: 29
Joined: Sat Jan 31, 2015 1:00 pm

Re: VPN Passthrough

Post by Comedy79 »

billion_fan wrote:Attached is dm12, which has the fix for IPSEC passthrough (you will need to disable ALG >> IPSEC once on this firmware), and this will allow your cisco IPsec client to connect (already tested by others)
Ok, perfect! All now working ok! I can now work from home again...

Many thanks

David
ams001
Posts: 3
Joined: Tue Feb 11, 2014 2:50 pm

Re: VPN Passthrough

Post by ams001 »

> you will need to disable ALG >> IPSEC

Finally, I can connect my Linux Mint laptop to my work's FRITZ!Box 3490 through my BiPAC 8900RX R2 (w/ firmware 2.50a.d16). I was having to use my phone's mobile hotspot over 3G to connect and downloading 550GB was not fun. My FTTC connection at home is 79Mbps so MUCH better.

If only I found this thread 4 hours ago...