Vigor VPN - Top Checks
Vigor VPN Routers
The following is a list of the most common errors made in setting up a Vigor-to-Vigor VPN connection, as well as some general advice for VPN operation:
- On LAN-to-LAN VPNs, for your own ease of use, and also when requesting help/support from your dealer, keep an accurate plan of your setup. Most problems are due to confusion over the VPN layout, so keeping your notes/planning clear and up to date is essential. We recommend a table, as shown in this example:
| Setting | Router 1 | Router 2 |
| --- | --- | --- |
| LAN Subnet Mask | 255.255.255.0 | 255.255.255.0 |
| Router Admin Password | shilton | keegan |
| Public IP Address | 22.214.171.124 | 126.96.36.199 |
| VPN Profile Name | Liverpool | London |
| Protocols | PPTP only | PPTP only |
| Pre-Shared Key | n/a (IPSec only) | n/a (IPSec only) |
- If you want a VPN tunnel to be permanently active, rather than dial-on-demand, select Always On in the VPN profile of the dial-out router. At the other (receiving) end, select '0' as the inactivity timeout (indefinite). If the connection is interrupted, the calling end will retry until reconnected.
- In a LAN-to-LAN VPN, ensure that the two networks are in different subnets. For example, if both LANs are numbered 192.168.1.X they cannot route to each other, because they are within the same logical subnet.
- Do not confuse the term 'subnet' with the term 'subnet mask'. A subnet is any subset of a universal network; a subnet can include one IP address or millions of IP addresses. A subnet mask is a parameter used in combination with an IP address to tell the clients/servers the size of the local subnet. This is best explained in detail elsewhere, but as a quick example, a subnet mask of 255.255.255.0 gives you a local subnet of 253 local addresses, and if a local IP address is 192.168.1.42, it is the final octet only (.42) that varies around the local network. The first three octets must be the same on all local clients; otherwise the IP address falls outside the local IP subnet range and is considered by the PC and router to be remote.
By default, VPN tunnels have a 300 second (5 minute) inactivity timeout. If you want the tunnel 'always on', set one of the routers to 'always on' (that router will then always instigate the VPN tunnel and reconnect automatically if the connection is lost) and give the other end an indefinite timeout (zero) so that it always 'receives' the VPN call:
[Diagram: 'Always On' set on the calling router; indefinite (zero) timeout set at the other end.]
- PPTP is a much simpler protocol, and simpler to set up, than IPSec (and the many combinations of IPSec options). If you are troubleshooting, we therefore recommend you start with PPTP and confirm that the basic connection and settings work. You can then switch to IPSec or other protocols later, once the basic concepts and connection have been tested.
- Do not use the same username for a dial-in (teleworker) user profile as for a LAN-to-LAN profile. The router is unable to tell which one you want when the call comes in and so will default to the teleworker profile. A LAN-to-LAN connection can still be established, but no routing will occur, because the IP address allocated will be for a single teleworker only.
- In a LAN-to-LAN profile, enter 0.0.0.0 as instructed. The Vigors are able to determine their VPN WAN and remote VPN gateway IP addresses automatically from the remote Vigor, so you should not normally enter an IP address. Here is the example from the setup guide:
- For a teleworker dial-in, do not enable "mutual authentication" under VPN/PPP setup. This is not normally used with a Windows dial-in and may prevent the connection if enabled.
- Unless you have Vigor firmware 2.3 or later, do not enable encryption on a PPTP connection. Microsoft uses MPPE (Microsoft Point-to-Point Encryption), which was not supported in Vigor firmware earlier than 2.3.
- When troubleshooting, do use the logs. They may show a simple explanation for a problem (for example username/password errors). To view/capture the logs, use Windows HyperTerminal (select TCP/IP instead of a modem or COM port for the connection). Firstly, with no VPN active or trying to connect, flush the logs with the command:
log -F a
Next, start a text capture (Transfer menu -> Capture text) and then use these commands to generate the log output:
log -c -t
log -p -t
The output from the call log will be simplest to understand, particularly if it's a username/password error. Otherwise the PPP log may show the cause.
- Don't set up lots of VPN profiles on the router to start with. Set up a single profile, for one remote LAN/teleworker VPN and check that it works as expected.
- If you are using Windows 98 as your VPN teleworker client, sometimes it will prefix the local domain to the login name when connecting to the VPN host. This will cause the authentication (logging in) to fail (normally with a Windows 'Error 629'). You can confirm this by examining the telnet ppp log or syslog. To get around this for that VPN user, just add the domain to the login name stored on the Vigor's teleworker profile. e.g. 'john' becomes 'acme\john'.
- In Windows XP SP1, if the teleworker client connection drops after approximately one minute, check the relevant Microsoft Knowledge Base article.
- If you have multiple public IP addresses, you may want to use your fixed public subnet address for hosting the VPN instead of the WAN address the router picks up from the ISP. To do this, you need to enable and set the 2nd IP address on the LAN interface as shown in this example:
Then, by issuing the command vpn 2ndsubnet on from the router's telnet interface, the address you set above will be able to receive VPN calls from the Internet and tunnel them onto the local private subnet (the 1st IP address, within the 192.168.1.0 subnet in this example).
- When using the Windows XP VPN client, by default, once a VPN is established Windows will route all outgoing traffic from that PC via the tunnel, including your regular Internet surfing. This therefore uses the remote end's Internet resources and VPN bandwidth. Unless you want to do that (route all Internet traffic via the remote end of the VPN), edit the VPN connection's properties in Windows XP as per this screenshot and untick the box:
- Fixed IP Devices & Teleworker Clashes: for teleworkers, the Vigor will allocate an IP address starting from the address set under the VPN General Setup menu (by default that's 192.168.1.200). If you have changed the default LAN private IP subnet, you will need to change that start address to match too. For any internal devices/servers on your LAN, avoid using addresses in the same range as that used for VPN teleworkers, as they will clash when the teleworker dials in and one or both will lose connectivity.
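The two addressing rules above (LAN-to-LAN sites must be in different subnets, and fixed LAN devices must not sit in the teleworker address range) as a small plan checker. This is an added example, not code from the original page or from DrayTek; it uses only Python's standard ipaddress module, and the pool size, device names and addresses are constructed assumptions.

```python
# Added example: sanity-check a Vigor-to-Vigor VPN plan for the two common
# addressing mistakes described on this page. Not DrayTek code.
import ipaddress


def lan_to_lan_ok(site_a: str, site_b: str) -> bool:
    """Both ends of a LAN-to-LAN VPN must be distinct, non-overlapping subnets."""
    a = ipaddress.ip_network(site_a, strict=False)
    b = ipaddress.ip_network(site_b, strict=False)
    return not a.overlaps(b)


def is_local(local_ip: str, mask: str, other_ip: str) -> bool:
    """True if other_ip lies inside the subnet defined by local_ip and its mask,
    i.e. the PC/router would treat it as a local rather than a remote address."""
    net = ipaddress.ip_network(f"{local_ip}/{mask}", strict=False)
    return ipaddress.ip_address(other_ip) in net


def teleworker_pool(start_ip: str, count: int) -> list:
    """Addresses the router hands to teleworkers, counting up from the
    VPN General Setup start address. 'count' is an assumed pool size."""
    start = ipaddress.ip_address(start_ip)
    return [start + i for i in range(count)]


def pool_problems(lan_cidr: str, pool_start: str, pool_size: int, fixed_devices: dict) -> list:
    """Findings: pool addresses outside the LAN subnet (start address not
    updated after changing the LAN subnet) and fixed devices inside the pool."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    pool = teleworker_pool(pool_start, pool_size)
    findings = []
    outside = [str(a) for a in pool if a not in lan]
    if outside:
        findings.append(f"teleworker pool addresses outside LAN {lan}: {', '.join(outside)}")
    for name, addr in fixed_devices.items():
        if ipaddress.ip_address(addr) in pool:
            findings.append(f"fixed device {name} ({addr}) clashes with teleworker pool")
    return findings


if __name__ == "__main__":
    # Constructed sample plan: Liverpool on 192.168.1.0/24, London on 192.168.2.0/24
    print(lan_to_lan_ok("192.168.1.0/24", "192.168.2.0/24"))  # True
    print(lan_to_lan_ok("192.168.1.0/24", "192.168.1.0/24"))  # False: same subnet
    print(is_local("192.168.1.42", "255.255.255.0", "192.168.2.99"))  # False: remote
    devices = {"fileserver": "192.168.1.10", "printer": "192.168.1.201"}  # constructed
    for finding in pool_problems("192.168.1.0/24", "192.168.1.200", 10, devices):
        print("WARNING:", finding)
```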
©2005 SEG Communications. All rights reserved. Information and products subject to change at any time without notice.