# Solved: VPN Problem over Wireless WRT300N



## danmcman (May 25, 2006)

A client of mine just bought a new Linksys WRT300N wireless router for his home network. He has one PC wired into it, and one PC that connects using a Linksys WUSB54GC USB adapter. I just set him up with a VPN connection that connects back to his office at a Cisco 501 PIX.

Using the wired PC, he can connect through the VPN and everything works great. When his wife tries to connect using the PC over wireless, she cannot establish a connection. She can get to the internet and surf just fine, but using Windows VPN or the Cisco VPN client, she cannot connect. The wired PC is NOT connected to the VPN simultaneously with the wireless PC. I went there myself and verified that all of the settings were correct on the wireless PC for the VPN to function.

Does anyone know if their wireless devices could be the culprit behind this? I've never heard of VPN not working over wireless before, and am leaning toward their new router as the most likely problem. It's just weird that they can get through while wired and not through wireless. I haven't tried to connect the second PC over a wired connection to make sure the VPN configuration was functioning, but I am 99% certain it is correct. Any ideas?


----------



## StumpedTechy (Jul 7, 2004)

First order of business is have the wireless PC wired to the router to see if it then works.

IMHO if the router works wired with PC 1 and wireless does not work on PC 2, then if PC 2 is direct connected, more than likely VPN still won't work and it's a problem with PC 2.

Have you verified IPconfigs on the 2 machines pre connection to VPN? All match except last octet of the IP address?


----------



## danmcman (May 25, 2006)

Yes to the IPconfigs. Both PCs are on the same LAN, 192.168.1.x, where x is different on either machine. I'm going to check and see if he tried to connect PC 2 over wired yet.

My thought was that maybe the VPN packets didn't like flowing over their wireless network for some reason.


----------



## StumpedTechy (Jul 7, 2004)

Really that shouldn't be an issue from my experience unless the wireless is REALLY poor. Connecting the PC wired though should narrow down if that's the case.


----------



## Ablack86 (Jan 12, 2006)

I am very curious about this, as I will be setting up a branch office at the end of the month that will be using an IPSEC VPN and I was asked to provide wireless connectivity to the office. I don't see why there would be a problem with the combination of VPN and wireless unless, like Stumpy said, the link is VERY poor. But please post feedback on what ends up happening!! = )


----------



## O111111O (Aug 27, 2005)

Your crypto map on the PIX needs to be configured for IPSEC w/ NAT transparency. This isn't on by default unless you're running 7.x


----------



## danmcman (May 25, 2006)

O111111O said:


> Your crypto map on the PIX needs to be configured for IPSEC w/ NAT transparency. This isn't on by default unless you're running 7.x


Do I need to config IPSEC w/ NAT transparency for running VPN over wireless or in general? I can connect fine from other machines, just not from this one over wireless. I haven't heard back yet to see if the machine worked while wired.


----------



## O111111O (Aug 27, 2005)

Yes, generally all of your systems would need to be configured to run w/ NAT transparency.

Many SOHO routers do IPSEC fixup, they'll look for the IKE/ISAKMP and allow UDP 500/ESP/AH to the first host to establish an IPSEC tunnel. The problem is you can only do that once per IP address. So the first machine to connect is probably working fine.


----------



## danmcman (May 25, 2006)

Right, I am aware that I can only have one IPSEC tunnel per IP address. The machine I'm testing cannot connect, even though PC 1 isn't connected to a VPN.

The goal is, however, to connect both PCs using different VPN clients: PC 1 using Windows VPN, and PC 2 using the Cisco client. This has worked from the same IP in the past, as Windows/Cisco clients use different encapsulation methods if memory serves me right.


----------



## O111111O (Aug 27, 2005)

Yeah. 

Windows VPN uses PPTP. Cisco is standard IPSEC by default (no NAT transparency.)

Both of those aren't going to work well through a PAT'd address.

Try rebooting the router, and then connect first with the Cisco VPN client w/ NAT Transparency. If the wireless system can't connect at all, then the protocol fixup running on the router has the MAC/state table hung on the first system - or your wireless system isn't using NAT transparency/has firewall running.


----------



## O111111O (Aug 27, 2005)

By the way, one more thing to add before we start down the path of "they both should work".

Microsoft PPTP protocol uses the GRE protocol (IP protocol 47) and TCP 1723 to connect an endpoint. If you're behind a router providing PORT ADDRESS TRANSLATION (PAT), it needs to perform some kookery to translate the GRE tunnel from the outside address of your session to the internal IP address.

Standard IPSEC without NAT transparency uses AH (UDP 500), ESP (IP protocol 50), and ISAKMP/IKE to carry out the key negotiation. 

You can't port address translate both of those at the same time. The IPSEC session will need NAT transparency, therefore encapsulating the ISAKMP/ESP/AH headers over a single TCP connection.


----------
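
Added illustration, not part of any post in this thread and not Linksys or Cisco code: a toy model of the PAT behaviour discussed above, showing why a port-less protocol such as ESP can be pinned to one LAN host (and stay pinned by stale state until a reboot), while UDP-encapsulated ESP can be multiplexed. Assumptions: the `PatRouter` class and its methods are hypothetical, the gateway address is constructed, the LAN addresses follow the thread's 192.168.1.x range, and NAT traversal is modelled with the standard ESP-in-UDP encapsulation on port 4500 (RFC 3948).

```python
from dataclasses import dataclass, field

GRE, ESP, UDP = 47, 50, 17   # IANA IP protocol numbers

@dataclass
class PatRouter:
    """Toy PAT model (hypothetical, not actual router firmware logic)."""
    next_port: int = 40000
    pinned: dict = field(default_factory=dict)   # (proto, remote) -> LAN host
    by_wan: dict = field(default_factory=dict)   # (proto, wan_port) -> LAN host
    flows: dict = field(default_factory=dict)    # (proto, lan, sport) -> wan_port

    def outbound(self, lan, proto, remote, sport=None):
        if sport is None:
            # ESP/GRE carry no ports, so replies can go to only one LAN host.
            owner = self.pinned.setdefault((proto, remote), lan)
            if owner != lan:
                raise RuntimeError(f"proto {proto} to {remote} pinned to {owner}")
            return None
        key = (proto, lan, sport)
        if key not in self.flows:    # UDP/TCP: unique WAN port per flow
            self.flows[key] = self.next_port
            self.by_wan[(proto, self.next_port)] = lan
            self.next_port += 1
        return self.flows[key]

    def inbound(self, proto, remote, dport=None):
        """Return the LAN host a reply is forwarded to (None means dropped)."""
        if dport is None:
            return self.pinned.get((proto, remote))
        return self.by_wan.get((proto, dport))

    def reboot(self):                # a power cycle clears all translation state
        self.pinned, self.by_wan, self.flows = {}, {}, {}

def demo(gw="198.51.100.1"):         # constructed gateway address
    r, pc1, pc2, out = PatRouter(), "192.168.1.100", "192.168.1.101", {}
    r.outbound(pc1, ESP, gw)         # PC 1 connected earlier; entry never aged out
    try:
        r.outbound(pc2, ESP, gw)
        out["pc2_esp"] = "ok"
    except RuntimeError:
        out["pc2_esp"] = "blocked"   # stale entry still owns ESP to this gateway
    r.reboot()
    r.outbound(pc2, ESP, gw)
    out["esp_after_reboot"] = r.inbound(ESP, gw)
    p1, p2 = r.outbound(pc1, UDP, gw, 4500), r.outbound(pc2, UDP, gw, 4500)
    out["natt"] = (r.inbound(UDP, gw, p1), r.inbound(UDP, gw, p2))  # ESP-in-UDP
    return out
```

Real routers differ in how they track ESP and GRE (some key on SPI or PPTP call ID), so the model only captures the single-owner limitation and the effect of stale state.

----------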



## danmcman (May 25, 2006)

I'm still waiting for this guy to test out the wired connection through his WRT300N... but in the meantime I did test out connecting to the same PIX over wireless at my own house through a Linksys WRT54G router, using PPTP Windows VPN. I know they're different model routers, but still.


----------



## danmcman (May 25, 2006)

I did some more digging into this and found a few other people at the Linksys forums were having a similar issue. The most common fix seems to be updating the firmware of the router, so I'm going to have him try that too. Another person found that disabling the VLAN setting in the wireless card properties got him to connect through. Here are some links to each scenario:

http://forums.linksys.com/linksys/b...eless_Routers&message.id=7682&jump=true#M7682 
http://forums.linksys.com/linksys/b...s_Routers&message.id=1265&query.id=2290#M1265


----------



## O111111O (Aug 27, 2005)

Firmware is mildly understandable.

It would be interesting to know if disabling VLAN priority solves your issues. DSCP tagging with 802.1x shouldn't be working at all - so that's a curiosity.


----------



## danmcman (May 25, 2006)

Upgrading the firmware to the most recent release let both VPNs go through just fine. Thanks for your help, guys!


----------

