WRVS4400N Won't allow L2TP traffic to passthrough

The latest in a series of issues with the WRVS4400N:
As any Mac user knows, you cannot connect to this device with QuickVPN, as there is no Mac version of QuickVPN.  That leaves us with one of two options:
1)  Obtain iPSecuritas and configure an IPSec tunnel with it.  Problematic for many, but it can be done.  I've been doing it for two years, but recently learned that with this configuration, you can't route all network traffic over the VPN (email, web browsing, etc), which is sometimes a security concern when on public wifi.  This leaves you with solution 2:
2)  Get some other VPN device and put it behind the Linksys Router and setup the Linksys to passthrough VPN traffic, and/or forward the necessary ports.
I am running both a PPTP and L2TP server on Mac OS X Server behind the WRVS4400N.  I have the 4400N set up to pass through all VPN traffic (select the enable circle for IPSec, PPTP, and L2TP on the VPN Passthrough tab).
After forwarding the appropriate port (1723) to the OS X server's IP address, PPTP goes through just fine.
L2TP is a problem, though.  Nothing I try gets through this 4400N.  As stated above I have L2TP passthrough enabled.  I have also forwarded ports UDP 500, UDP 4500 and even TCP/UDP 1701 to the L2TP server's IP address.  No go, no traffic gets through.
Suspecting it was something wrong with my L2TP server or client settings, I put the L2TP server into a DMZ zone.  Voila!  L2TP traffic connects as expected.  This proves it is the WRVS4400N not doing its thing.
I have checked the logs on the WRVS4400N and nothing appears at all.  I thought maybe that it is reading the L2TP traffic as IPSec traffic destined for its internal IPSec server, even though I don't have any IPSec tunnels or QuickVPN accounts set up on the WRVS4400N, but with the lousy logging and no ipconntrak tables in this version of the firmware, I don't know what else to check.
I am using Firmware v1.0.16 because v1.1.03 is not stable on my router.  Using that firmware leaves the router in a corrupted state requiring a power cycle to reset it after any IPSec connection is shut down.
Can anyone suggest what I am missing or doing wrong in getting the WRVS4400N to actually pass through my L2TP traffic to the working L2TP server?
/rant:  I have to say I am beginning to hate the WRVS4400N.  This temperamental beast has caused a lot of frustration and long hours over the past two years;  in hindsight, considering the hours (in excess of 100, seriously) I have put into trying to get various forms of VPN working on it, I should have just moved on to a more stable and flexible router.

gv wrote:
1. Never ever forward L2TP port 1701. That's a security risk. Port 1701 is not supposed to be accessible from the internet.
2. Running an IPSec server behind a NAT gateway is a very bad idea and is either very difficult or impossible depending on the server software and kernel version on the server machine. In particular you usually see a lot of problems if the client is behind a NAT gateway as well.
3. Turn off the L2TP and IPSec passthrough options. Passthrough is difficult because NAT will modify the packets passing through. When you disable the passthrough options the VPN client and server should switch to encapsulation through UDP port 4500.
Thanks for the reply.  Comments/follow-up on each of your numbered responses:
 1)  Port 1701 is off.  Plenty of sites insist it must be open, so I tried it out of desperation.  Lots of bad information on the internet, as we all know.
 2a)  My IPSec server has always been the NAT gateway itself (the WRVS4400N).  That's not the problem.  My issue with leaving the setup that way is that Linksys has ZERO support for Mac OS X to connect to the WRVS4400N's IPSec VPN.  QuickVPN is only offered for Windows OS, and Cisco VPN Client for OS X will not connect with the WRVS4400N.  This leaves me having to use 3rd-party client solutions which work flawlessly and completely with other hardware but not with the WRVS4400N.
I'd actually be happy with that solution if I could route all traffic (web and email especially) over the VPN tunnel.  This won't work with the only solutions I have for using IPSec on a Mac to connect to the network.  I've considered establishing SSH tunnels binding the various ports, but proxies, slower performance and other issues make that less than desirable.  Very frustrating.
I guess since L2TP uses IPSec, your point is relevant, but I don't understand why, if IPSec behind a NAT gateway is such a bad idea, EVERY router on the market offers IPSec passthrough in its specs.  
If it's so problematic, and such a bad idea, why allow it?   Especially on devices marketed to SOHO consumers who are bound to have less networking savvy?  In fact, the Linksys products ship with these options ENABLED by default. 
3)  I've done all that.  
Here are log entries from the WRVS4400N for a few combinations of passthrough and port forwarding:
Passthrough disabled, ports forwarded
Dec 7 07:38:40 - Drop by Port Scan UDP
Dec 7 07:41:25 - UDP Packet - Source:xxx.xxx.xxx.xxx,500 Destination:192.168.2.11,500 - [Firewall Log-IPSecPass Fail]
Dec 7 07:41:30 - [VPN Log]: shutting down
Dec 7 07:41:30 - IPSEC EVENT: KLIPS device ipsec0 shut down.
Dec 7 07:41:32 - [VPN Log]: Starting Pluto (Openswan Version cvs2006Jan12_11:29:56 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID [email protected])
Dec 7 07:41:32 - [VPN Log]: @(#) built on Aug 2 2007:11:09:37:
Dec 7 07:41:32 - [VPN Log]: Setting NAT-Traversal port-4500 floating to on
Dec 7 07:41:32 - [VPN Log]: port floating activation criteria nat_t=1/port_fload=1
Dec 7 07:41:32 - [VPN Log]: including NAT-Traversal patch (Version 0.6c)
Dec 7 07:41:32 - [VPN Log]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec 7 07:41:32 - [VPN Log]: starting up 1 cryptographic helpers
Dec 7 07:41:32 - [VPN Log]: started helper pid=11543 (fd:5)
Dec 7 07:41:32 - [VPN Log]: Using KLIPS IPsec interface code on 2.4.27-star
Dec 7 07:41:32 - [VPN Log]: Changing to directory '/etc/ipsec.d/cacerts'
Dec 7 07:41:32 - [VPN Log]: Changing to directory '/etc/ipsec.d/aacerts'
Dec 7 07:41:32 - [VPN Log]: Changing to directory '/etc/ipsec.d/ocspcerts'
Dec 7 07:41:32 - [VPN Log]: Changing to directory '/etc/ipsec.d/crls'
Dec 7 07:41:32 - [VPN Log]: Warning: empty directory
Passthrough enabled, ports not forwarded
Dec 7 07:47:28 - [VPN Log]: shutting down
Dec 7 07:47:28 - IPSEC EVENT: KLIPS device ipsec0 shut down.
Dec 7 07:47:31 - [VPN Log]: Starting Pluto (Openswan Version cvs2006Jan12_11:29:56 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID [email protected])
Dec 7 07:47:31 - [VPN Log]: @(#) built on Aug 2 2007:11:09:37:
Dec 7 07:47:31 - [VPN Log]: Setting NAT-Traversal port-4500 floating to on
Dec 7 07:47:31 - [VPN Log]: port floating activation criteria nat_t=1/port_fload=1
Dec 7 07:47:31 - [VPN Log]: including NAT-Traversal patch (Version 0.6c)
Dec 7 07:47:31 - [VPN Log]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec 7 07:47:31 - [VPN Log]: starting up 1 cryptographic helpers
Dec 7 07:47:31 - [VPN Log]: started helper pid=12590 (fd:5)
Dec 7 07:47:31 - [VPN Log]: Using KLIPS IPsec interface code on 2.4.27-star
Dec 7 07:47:31 - [VPN Log]: Changing to directory '/etc/ipsec.d/cacerts'
Dec 7 07:47:31 - [VPN Log]: Changing to directory '/etc/ipsec.d/aacerts'
Dec 7 07:47:31 - [VPN Log]: Changing to directory '/etc/ipsec.d/ocspcerts'
Dec 7 07:47:31 - [VPN Log]: Changing to directory '/etc/ipsec.d/crls'
Dec 7 07:47:31 - [VPN Log]: Warning: empty directory
Passthrough enabled, ports forwarded
BLANK LOG!  Not a single entry in the WRVS4400N's log files.
Remember, there is nothing wrong with my client or server software, as demonstrated by bypassing the WRVS4400N.  L2TP connections work fine until the WRVS4400N is in the mix. 
So, I'm back to the same original question:
How do I enable L2TP traffic to an L2TP server behind a WRVS4400N in a manner that actually works...?
Message Edited by DistortedLoop on 12-07-2008 08:02 AM
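The reply above gives three checkable rules (never forward 1701, expect NAT-T on UDP 4500 behind NAT, turn passthrough off) and the poster's log shows the router's own firewall tagging inbound UDP 500 as "IPSecPass Fail". As an added example (not code from the thread, from Linksys or from Openswan), here is a small Python check that parses that log format and audits a forwarding/passthrough configuration against those rules; the RouterConfig type, the sample log lines and the 203.0.113.5 source address are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the WRVS4400N log format quoted in the thread
# (the public source address is an RFC 5737 documentation address).
SAMPLE_LOG = """\
Dec 7 07:38:40 - Drop by Port Scan UDP
Dec 7 07:41:25 - UDP Packet - Source:203.0.113.5,500 Destination:192.168.2.11,500 - [Firewall Log-IPSecPass Fail]
Dec 7 07:41:30 - [VPN Log]: shutting down
Dec 7 07:41:32 - [VPN Log]: Setting NAT-Traversal port-4500 floating to on
"""

# Matches the firewall's "UDP Packet" lines; 'x' is allowed so masked addresses
# such as xxx.xxx.xxx.xxx (as pasted in the thread) still parse.
PACKET_RE = re.compile(
    r"UDP Packet - Source:(?P<src>[\dx.]+),(?P<sport>\d+) "
    r"Destination:(?P<dst>[\dx.]+),(?P<dport>\d+) - \[(?P<tag>[^\]]+)\]"
)


def ipsec_pass_failures(log_text):
    """Return (src, dst, dport) for packets the router tagged as IPSecPass Fail,
    i.e. IKE traffic the router refused to pass on to the inside server."""
    hits = []
    for line in log_text.splitlines():
        m = PACKET_RE.search(line)
        if m and "IPSecPass Fail" in m.group("tag"):
            hits.append((m.group("src"), m.group("dst"), int(m.group("dport"))))
    return hits


@dataclass
class RouterConfig:
    forwards: dict            # {(proto, port): internal IP}, e.g. {("udp", 500): "192.168.2.11"}
    ipsec_passthrough: bool
    l2tp_passthrough: bool


def audit_l2tp_ipsec(cfg, server_ip):
    """Apply the reply's three rules to a forwarding/passthrough configuration."""
    findings = []
    # Rule 1: raw L2TP (1701) must never be reachable from the internet;
    # it is only ever carried inside the IPsec tunnel.
    if any(cfg.forwards.get((proto, 1701)) for proto in ("udp", "tcp")):
        findings.append("RISK: port 1701 is forwarded; L2TP must stay inside the IPsec tunnel")
    # Rules 2 and 3: behind NAT the peers need IKE (UDP 500) and NAT-T (UDP 4500)
    # delivered to the server, and passthrough off so they actually use NAT-T.
    if cfg.forwards.get(("udp", 500)) != server_ip:
        findings.append("MISSING: UDP 500 (IKE) is not forwarded to the L2TP/IPsec server")
    if cfg.forwards.get(("udp", 4500)) != server_ip:
        findings.append("MISSING: UDP 4500 (NAT-T) is not forwarded to the L2TP/IPsec server")
    if cfg.ipsec_passthrough or cfg.l2tp_passthrough:
        findings.append("ADVISORY: passthrough is enabled; disable it so peers use NAT-T on UDP 4500")
    return findings


if __name__ == "__main__":
    # The poster's own combination: everything forwarded and passthrough on.
    poster = RouterConfig({("udp", 500): "192.168.2.11", ("udp", 4500): "192.168.2.11",
                           ("udp", 1701): "192.168.2.11", ("tcp", 1701): "192.168.2.11"},
                          ipsec_passthrough=True, l2tp_passthrough=True)
    print(ipsec_pass_failures(SAMPLE_LOG))
    for finding in audit_l2tp_ipsec(poster, "192.168.2.11"):
        print(finding)
```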


Hello,
With the latest firmware installed (the one supporting fixed IP based on MAC), I have one problem: the DHCP server is not assigning addresses when the WAN link is down. When it is up, it generally assigns IPs based on the configured binding (MAC/IP). But it sometimes fails to do so. Before using the WRVS4400N I had no DHCP issues with the WRT54G and other routers.
Any hints ?
Thanks.
V.

I've been searching high and low and although I've found many results of people having this same exact problem there doesn't seem to be a fix, or at least no one was kind enough to post one.
Background:
I have many vlans but the 3 in question are 10, 20, 30.
10 is for my laptops and desktops with an ip range of 192.168.10.10 - 192.168.10.50.
20 is my home automation network with a range of 192.168.20.20 - 192.168.20.150
30 is my guest network with a range of 192.168.30.84 - 192.168.30.89
I have a dell powerconnect configured with vlans as my core switch. I trunked a port on the switch assigning 3 vlans (10,20,30) and connected it to port 1 on the wrvs4400N. On the wrvs4400 I trunked port 1 tagging vlan 10,20,30. For some reason vlan 1 is untagged on port 1 and I don't know why.
I also have a router connected to the powerconnect. Of the 3 vlans I mentioned vlan 10 and vlan 30 are the only ones with interfaces on the router. Vlan 20 is an internal network with a separate router and until I figure this out that router is physically turned off. Also the router currently turned on has no routes configured to connect my vlans. Currently there is no configured way to jump vlans.
I created 4 ssid on the wrvs4400N. Private, home, guest, and wrvs.
private - is assigned to vlan 10
home - is assigned to vlan 20
guest - is assigned to vlan 30
wrvs - is assigned to vlan 1 - this is temporary until I can get this working. I want it so the only way to manage the wireless is to walk over to it and physically plug in.
There are a couple DHCP servers.
Vlan 10 has a windows server 2008 r2 dhcp server.
vlan 20 uses its powered-off router for dhcp
vlan 30 uses the main router connected to the power connect
vlan 1 on the powerconnect uses the main router - this dhcp scope is only used until I'm done with my rebuild since I don't plan on actually using vlan 1 - the scope is 192.168.2.0
dhcp is turned off on the wrvs4400.
on the wrvs4400 I made sure to turn off inter-vlan routing, and I enabled ssid isolation.
The problem:
No matter what ssid I connect to I get a dhcp response from vlan 10. All my tests indicate that I'm actually on vlan 10. I get internet and I can hit all devices on vlan 10. If I connect to ssid guest and change my ip address to match vlan 30 I cannot ping the gateway for vlan 30 and I have no internet access. Sometimes I get something different. Sometimes I get an ip address from vlan 1 on the powerconnect. If I renew my ip address then I'll grab one from vlan 10 but I should be getting one from 30 or none at all for vlan 20. The absolute crazy part is my droid sometimes gets a 192.168.4.x ip address. I don't have a 192.168.4.x network or dhcp scope anywhere on my network! If I physically plug into a port on the powerconnect I get to the correct network 10 out of 10 times. If I configure vlans on the other 3 ports on the wrvs4400 and physically plug in, I get to the correct network 10 out of 10 times. Over the wireless all hell breaks loose.
I've reset to factory a few times and I've been all inside and out of the wrvs4400. I have no clue what could be wrong with this thing. Please help!!!
More info is available upon request.
Thanks.

I have a WRV200 router and want to access the internal (Private Network) connected on the inside. I have successfully connected to the router with the Linksys VPN Client, but it does not appear to allow access to the internal network.
How do I enable NAT Traversal or Passthru? I have already selected all of the PPTP, L2TP and IPSEC Pass Through.
Has anyone gotten this to work?

Accessing the internet through my router no longer works. I've tried connecting my computer directly to the cable modem, and the internet works fine (as I am using it right now to write this message). I use the same cable (as well as other ethernet cables) from the router's internet port to my cable modem's ethernet port... nothing. The internet light on the router does not light up, and the PC link light on my cable modem stays dark. Ports 3 and 4 on the router also seem affected. Anything plugged into these ports does not give a link light. Ports 1 and 2 seem fine. I've tried the usual... power cycling both router and cable modem... reset the router to factory settings... reinstalled firmware... unplugged the router for an hour... etc. ...and I'm still having an issue.
Side note: There is a USB light on the modem that is on... I'm not sure if this has always been on during normal operation, but there is nothing plugged into the USB port on the router.
Side note 2: I've plugged the ethernet cable from the cable modem into ports 1 and 2 of the router, and I do get link lights and activity. ...but when I plug it into the correct 'internet' port on the router, no light.
There have been no changes to my router before this. I checked my email last night before I went to bed. I wake up in the morning, and I have no internet (through the router). No one else has access to my router. I even disable the wireless connection when it's not in use. As I said before, my internet (comcast) is working perfectly without the router.
Any suggestions? I've had no problems with the router up until now.
Thanks.

We have an excellent wireless network working in the house, but my desktop (which isn't wireless) can't get internet access.  It says that a network cable is unplugged - it's not.  When a cable is plugged into one of the 4 ethernet ports in the back of the router, the ethernet lights on the front don't light up or flash or anything.  I think that part isn't working.  Is there anything I can do?  Should I update the firmware?  Or just get a new router?  I have tried using different cables, but nothing changes.  The only way for the desktop to get online is to take the router out of the configuration, but then the wireless network and the Vonage phone are out.
I went to ipconfig at the command prompt and under Ethernet adapter Local Area Connection: my Media State is Media disconnected.  So, I'm guessing the ethernet ports on the router are not working at all. 
Thanks for your help.
Message Edited by scraig8877 on 07-30-2009 12:41 PM

I have a WRTP54G (router with 2 Vonage phone ports).  The phone works just fine.  However, every few minutes the PC displays a "network cable is unplugged" error message and I am unable to access the Internet.  After a few seconds, the error goes away, and everything works fine for a few minutes.  I have changed the network cable, used another computer, and I get the same results.  Does anyone have any idea how I can fix this?

I have a WRT610N v2 router, which I LOVE.  I need an ethernet bridge (to connect a LG BD370) Blu-Ray DVD player.  I've spoken with Linksys tech support & I'm sad to say, got misinformed.  I'd actually ordered a PLS300 (which I cancelled) when I found out there weren't any updates for it.  I'm running Windows 7 Home Premium 64 bit. 
The tech support person first told me I needed a WET610N & then changed her mind.
The WRT610N is located in the office about 15 yards from where I need to connect the ethernet support to the entertainment system.  I also have a wireless printer (Lexmark Platinum PRO905) that is about 5 feet from the LG Blu-ray player.  Is the ethernet bridge going to interfere with the Blu-ray player?
I'm just wanting to get connected to NetFlix.  I've paid for this service since last spring but am just now getting around to sorting this out.
Any help would be greatly appreciated!  TIA

I just purchased a 610N router and I want to connect an external hard drive (Seagate 160GB) to it in order to view photos and other media primarily on my PS3, but also on my laptops.  By stumbling through the process, I seem to have the drive mapped to my primary computer but I am not happy with the results.
The external hard drive already has tons of folders on it, and the photos are categorized into their own folders and sub-folders.  I can access them from the computer after lots of clicking.
Question #1)  The PS3:  can it see only one media server at a time?  The WRT610N is the media server it sees right now, but none of my files and directories that are on the external hard drive are viewable on the PS3.
Question #2)  Do the files need to be in a particular folder located on the drive?  The PS3 is looking  for the "mp_root" on the router/external hard drive.
Question #3)  Do all the media files, photos, movies, music, all have to be on the root drive or in the same directory?  I was told that they had to be in one place, not scattered among sub-directories?
Question #4)  The network shows a "default" folder, a "config" folder and two others (I'm writing this from memory as I'm not in front of the computer right now).  What are those folders?  Did the router or network create them?
Question #5)  What can I do to improve the experience of using the drive on the network?
Thanks for any advice or guidance you can provide.

Hi, I've just upgraded to the new firmware, everything seems fine but now my USB hard disk is not recognizable unless I restart the router. I have a Seagate FreeAgent 500 GB, and it worked perfectly with the previous firmware. Just wondering if it's just me or anyone else has the same problem.
Thanks
I forgot to add that after a while the hard disk isn't recognizable again and I have to reset it to get it working
Message Edited by jellydish on 02-13-2009 06:09 AM