Pilots of America Message Board

November 12th, 2005, 11:53 PM   #1
gismo
VPN and a D-Link wireless router.

I've got a D-Link D-624 router at home and when I installed it I was no longer able to open a VPN connection to my office servers. The client is CheckPoint SecureClient. I finally got it working by disabling IPSec VPN Pass Through in the router and enabling IPSec VPN Virtual Server on UDP port 500. To begin with this puzzles me as I thought that the Virtual Server function was to allow a VPN server on my local network to be accessed by VPN clients on the internet, and that the pass through was intended to support exactly what I'm trying to do. Have I got that backwards?

Also it was necessary to specify a "Private IP" for the Virtual Server. I used the current IP of my laptop, but given that there are three computers on my home network and their IP's are assigned by the DHCP service in the router, I suspect that my VPN client may quit working if the local IP's get re-assigned and I don't want to go with fixed IP's since I use my laptop on other networks where DHCP is required. Any ideas as to whether this will be a problem and what I can do about it if it is?
__________________
-lance B55, CP65

November 13th, 2005, 12:37 AM   #2
Henning
Re: VPN and a D-Link wireless router.

Quote:
Originally Posted by lancefisher
I've got a D-Link D-624 router at home and when I installed it I was no longer able to open a VPN connection to my office servers. The client is CheckPoint SecureClient. I finally got it working by disabling IPSec VPN Pass Through in the router and enabling IPSec VPN Virtual Server on UDP port 500. To begin with this puzzles me as I thought that the Virtual Server function was to allow a VPN server on my local network to be accessed by VPN clients on the internet, and that the pass through was intended to support exactly what I'm trying to do. Have I got that backwards?

Also it was necessary to specify a "Private IP" for the Virtual Server. I used the current IP of my laptop, but given that there are three computers on my home network and their IP's are assigned by the DHCP service in the router, I suspect that my VPN client may quit working if the local IP's get re-assigned and I don't want to go with fixed IP's since I use my laptop on other networks where DHCP is required. Any ideas as to whether this will be a problem and what I can do about it if it is?
If I had the first clue as to what language you were speaking, I probably still couldn't help you.

November 13th, 2005, 02:03 AM   #3
jesse
Re: VPN and a D-Link wireless router.

Quote:
Originally Posted by lancefisher

Also it was necessary to specify a "Private IP" for the Virtual Server. I used the current IP of my laptop, but given that there are three computers on my home network and their IP's are assigned by the DHCP service in the router, I suspect that my VPN client may quit working if the local IP's get re-assigned and I don't want to go with fixed IP's since I use my laptop on other networks where DHCP is required. Any ideas as to whether this will be a problem and what I can do about it if it is?
On the router you should be able to specify that certain MAC addresses always get assigned a specific IP address.
__________________
Jesse

http://www.jesseweather.com

November 13th, 2005, 11:45 AM   #4
gismo
Re: VPN and a D-Link wireless router.

Quote:
Originally Posted by jangell
On the router you should be able to specify that certain MAC addresses always get assigned a specific IP address.
If I set that up, does the laptop still use DHCP? IOW is this a change on the router only?
__________________
-lance B55, CP65

November 13th, 2005, 02:51 PM   #5
jesse
Re: VPN and a D-Link wireless router.

Quote:
Originally Posted by lancefisher
If I set that up, does the laptop still use DHCP? IOW is this a change on the router only?
Yup you leave the laptop DHCP. The DHCP server on the router then just makes sure that it assigns the IP address that you specified to that laptop always, and only to that laptop.
__________________
Jesse

http://www.jesseweather.com

November 13th, 2005, 05:40 PM   #6
Brian Austin
Re: VPN and a D-Link wireless router.

Quote:
Originally Posted by jangell
Yup you leave the laptop DHCP. The DHCP server on the router then just makes sure that it assigns the IP address that you specified to that laptop always, and only to that laptop.
It's also a good way to tie down your router's ability to give ANYONE an address. If you use MAC authentication, anyone without a MAC address in the table won't get an IP address. Not sure if it's possible with the D-Link, however.

Quote:
Originally Posted by lancefisher
I've got a D-Link D-624 router at home and when I installed it I was no longer able to open a VPN connection to my office servers. The client is CheckPoint SecureClient. I finally got it working by disabling IPSec VPN Pass Through in the router and enabling IPSec VPN Virtual Server on UDP port 500. To begin with this puzzles me as I thought that the Virtual Server function was to allow a VPN server on my local network to be accessed by VPN clients on the internet, and that the pass through was intended to support exactly what I'm trying to do. Have I got that backwards?

Also it was necessary to specify a "Private IP" for the Virtual Server. I used the current IP of my laptop, but given that there are three computers on my home network and their IP's are assigned by the DHCP service in the router, I suspect that my VPN client may quit working if the local IP's get re-assigned and I don't want to go with fixed IP's since I use my laptop on other networks where DHCP is required. Any ideas as to whether this will be a problem and what I can do about it if it is?
The IPSEC VPN passthrough should have worked but it's not unusual for these not to work, especially with some proprietary VPN clients (like Checkpoint's).

The Virtual Server function is really just Port Address Translation forwarding to a fixed address. Anything coming in on UDP 500 will get forwarded to your laptop, regardless if it's the VPN traffic or not. It doesn't know it's a VPN tunnel.

I don't remember how Checkpoint worked but some clients have a management port and a floating "tunnel" port. The management port (typically 500) is used to start and maintain the connection (ours reauthenticates and changes keys every 30 seconds) while traffic goes through on a separate port, usually in the 5000+ range. Some firewalls don't work well with port shifting (similar to FTP or H.323 port shifting). You might check to see if there is a firmware upgrade for the D-Link that addresses it if you don't like the fix you've already set up.
__________________
-----------
Brian Austin
Subjective Vision

"It seems to be a law of nature, inflexible and inexorable, that those who will not risk cannot win." - John Paul Jones

Last edited by Brian Austin; November 13th, 2005 at 05:45 PM. Reason: Automerged Doublepost

November 13th, 2005, 05:51 PM   #7
jesse
Re: VPN and a D-Link wireless router.

Quote:
Originally Posted by Brian Austin
It's also a good way to tie down your router's ability to give ANYONE an address. If you use MAC authentication, anyone without a MAC address in the table won't get an IP address. Not sure if it's possible with the D-Link, however.
I have used all consumer level routers. D-Link, Linksys, Netgear, Belkin, Microsoft from about 2000 up to the current models.

Every single one of them you can specify that certain computers have a reserved IP address based on their MAC address. This does not affect the DHCP server from assigning IP addresses to the computers that are not in the table. You leave all the computers still as DHCP and it just reserves that IP address for that computer.

Now. We might be confusing what we are talking about. Routers also have a feature to where you can allow only certain mac addresses to access your wireless network. If you activated this, then yes other computers not in the table would not have network access.
__________________
Jesse

http://www.jesseweather.com

November 13th, 2005, 06:18 PM   #8
Brian Austin
Re: VPN and a D-Link wireless router.

Quote:
Originally Posted by jangell
Now. We might be confusing what we are talking about. Routers also have a feature to where you can allow only certain mac addresses to access your wireless network. If you activated this, then yes other computers not in the table would not have network access.
It sounds like it. I've gotten to the point where I just buy dedicated 'stuff' nowadays for myself and the company. Anytime I get a router/firewall/DHCP server/VPN box, I just get parts of the features I really want. Now, if I want a firewall, I buy a firewall. If I want a VPN concentrator, that's what I buy. And etc..

More expensive? Definitely. But then I don't have to worry about this kind of stuff any longer, either.
__________________
-----------
Brian Austin
Subjective Vision

"It seems to be a law of nature, inflexible and inexorable, that those who will not risk cannot win." - John Paul Jones

November 13th, 2005, 06:55 PM   #9
jesse
Re: VPN and a D-Link wireless router.

Quote:
Originally Posted by Brian Austin
It sounds like it. I've gotten to the point where I just buy dedicated 'stuff' nowadays for myself and the company. Anytime I get a router/firewall/DHCP server/VPN box, I just get parts of the features I really want. Now, if I want a firewall, I buy a firewall. If I want a VPN concentrator, that's what I buy. And etc..

More expensive? Definitely. But then I don't have to worry about this kind of stuff any longer, either.
Oh man. The worst I ever had to deal with was a school district who absolutely refused to use anything but their consumer Linksys routers / switches all over. This was a Windows 2000 domain based network of over 400 computers.

They'd basically overheat and all kinds of strange things would happen. It was always very difficult to track down.

The end result? Me telling them to throw all of that in the trash and start over with the dedicated equipment with a duty cycle built for their needs. Or find someone else to help them.

They chose the second option. I was happy.
__________________
Jesse

http://www.jesseweather.com

November 13th, 2005, 08:31 PM   #10
gismo
Re: VPN and a D-Link wireless router.

Quote:
Originally Posted by jangell
Yup you leave the laptop DHCP. The DHCP server on the router then just makes sure that it assigns the IP address that you specified to that laptop always, and only to that laptop.
Got it set up. Thanks for the help.
__________________
-lance B55, CP65

November 13th, 2005, 10:20 PM   #11
jesse
Re: VPN and a D-Link wireless router.

No problem.
__________________
Jesse

http://www.jesseweather.com

November 18th, 2005, 07:32 PM   #12
mikea
Re: VPN and a D-Link wireless router.

Lance,

#1 Go to the DHCP setup on the Linksys and set the address range that DHCP can dynamically assign to be specific and limited, say n.n.n.50 to n.n.n.100.

Then you should be able to see what IP address it has assigned to your MAC address...what you want to see is what your MAC address is, which you can see on your PC, Control Panel ->Network->Properties...you'll figure it out. Copy it or write it down.

#2, Set a fixed DHCP assignment on the Linksys. If it's not populated and you can't paste it, you may have to enter that long string of the MAC, and the IP address to assign, say n.n.n.101. That means it will always assign .101 to your laptop and you haven't changed a thing on the laptop.

#3, Now set the Virtual server pass through rule so that outside traffic gets routed to n.n.n.101

You are right that you shouldn't need to create the server entry. The IPSec rule should do it. You could try putting the IP address on the IPSec rule and remove the virtual server one.

With my new Linksys WRT54 I didn't have to set up a thing for running the Cisco (Juniper Networks) VPN client on my desktop and laptop, wired and wireless. It just plain works. Same at Jann's with a 2Wire SBC DSL portal.
__________________
--Mike
Dork with a Spock spork.
Mike Andrews
PP ASEL - Cherokee 235
Chicago
Always giving a free airplane ride to 400 pounds of unused fuel.


"The bell curve has a left edge, and people really live there."



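Added example, not part of any post in this thread and not vendor or firmware code: a short Python check for the setup discussed above, where a Virtual Server rule forwards UDP 500 to a fixed private IP and that IP has to keep belonging to the same machine. The addresses, the MAC and the config layout are constructed for illustration.

```python
import ipaddress

def audit_forwards(pool_start, pool_end, reservations, forwards):
    """Check each port-forward target against the DHCP pool and reservations.

    reservations: dict of MAC -> reserved IP (the router's static DHCP table)
    forwards:     list of dicts with keys name, proto, port, private_ip
    Returns a list of (rule name, level, reason), level in ok/warn/fail.
    """
    lo = ipaddress.ip_address(pool_start)
    hi = ipaddress.ip_address(pool_end)
    reserved = {ipaddress.ip_address(ip) for ip in reservations.values()}
    findings = []
    for rule in forwards:
        target = ipaddress.ip_address(rule["private_ip"])
        in_pool = lo <= target <= hi
        if target in reserved and not in_pool:
            result = ("ok", "reserved address outside the dynamic pool")
        elif target in reserved:
            result = ("warn", "reserved, but still inside the dynamic pool")
        elif in_pool:
            # The lease can move: the forward would then expose another host.
            result = ("fail", "dynamic lease, forward can drift to another host")
        else:
            result = ("warn", "no reservation; only valid if the host is static")
        findings.append((rule["name"],) + result)
    return findings

# Constructed sample data (not taken from the thread).
FORWARD_BEFORE = [{"name": "IPSec", "proto": "udp", "port": 500,
                   "private_ip": "192.168.0.102"}]
FORWARD_AFTER = [{"name": "IPSec", "proto": "udp", "port": 500,
                  "private_ip": "192.168.0.101"}]

# Before: the forward points at whatever address the laptop currently leases.
BEFORE = dict(pool_start="192.168.0.100", pool_end="192.168.0.199",
              reservations={}, forwards=FORWARD_BEFORE)
# After: limited pool (.50-.100) plus a MAC reservation at .101.
AFTER = dict(pool_start="192.168.0.50", pool_end="192.168.0.100",
             reservations={"00:11:22:33:44:55": "192.168.0.101"},
             forwards=FORWARD_AFTER)

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        for name, level, reason in audit_forwards(**cfg):
            print(f"{label}: {name} udp/500 -> {level}: {reason}")
```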