CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

  #1 (permalink)  
Old 2007-12-30
Junior Member
 
Join Date: 2007-12-30
Posts: 5
Rep Power: 0
SeanR has an average reputation (10+)
SecureClient not working with DLink DSL-G604T

Hi all,

Sorry to post another one of these 'CP not working with router' queries, but I haven't been able to implement the fix suggested in the 'Routers Known (Not) To Work With Secure Client' thread, pasted below.

I'm running a D-Link G604T on NT4 (!), which means I have to use SecureClient R55. It works fine with a NetComm router elsewhere, but I've salvaged a couple of these DLink G604Ts and upgraded the firmware to V2.00B12.AU_20070509, which is the DSL2/2+ upgrade, and I get a '-122 failure to make tunnel' diagnostic message, and no connection. The new upgraded HTML config screens don't correspond exactly with any online manual I've been able to find for the router. The notes in the 'Routers Known (Not) To Work With Secure Client' thread suggest I only have to enable IPSec passthru to make it work, or possibly use 'Visitor mode' in CP. Visitor mode in my version is greyed out for some reason. Further, there is no clear 'IPSec passthru' option in the modem config, except for the list of predefined 'rules' under 'Virtual Server', which includes a line saying 'IPSEC L2TP' (together) as a VPN rule. Applying this rule to the static IP address of the NT4 laptop in question doesn't make it work. (Which is something about port 500...)

I've had it working on a different modem type, so I've enabled UDP encapsulation, IKE wotsit, etc in CP, it just doesn't like this modem type. Visitor mode for some reason isn't enabled in CP. I tried to make the laptop DMZ and that didn't work either. I've also enabled external IKE in the modem's firewall, to no avail.

This is all client side.

My knowledge of these protocols is pretty rudimentary, I work more in DBs and software, can anyone tell me how to fix this config problem? Answer here or in e-mail reply is fine...

Thanks,
Sean

-------------------------------
D-Link 802.11b/g Routers
DI-614+ - works if you enable IPSEC Passthru and upgrade the firmware

DSL-604+ - works if you enable IPSEC Passthru and upgrade the firmware

DSL-G604T - works if you enable IPSEC Passthru

go to ftp://ftp.dlink.com for the firmware upgrades.

Last edited by SeanR; 2007-12-30 at 23:51.
  #2 (permalink)  
Old 2007-12-31
Senior Member
 
Join Date: 2006-10-05
Location: Belgium
Posts: 108
Rep Power: 3
Robby Cauwerts has an average reputation (10+)
Re: SecureClient not working with DLink DSL-G604T

I would try to get visitor mode working. That will solve this (and other) types of connection problems.

You say it's grayed out in your version:
1) I suppose you first selected "connectivity enhancements"?
2) Do you have the necessary rights to change the config of the VPN client?

If you want to use visitor mode you will also need to enable this on your firewall.
  #3 (permalink)  
Old 2007-12-31
Junior Member
 
Join Date: 2007-12-30
Posts: 5
Rep Power: 0
SeanR has an average reputation (10+)
Re: SecureClient not working with DLink DSL-G604T

Quote:
Originally Posted by Robby Cauwerts
I would try to get visitor mode working. That will solve this (and other) types of connection problems.

You say it's grayed out in your version:
1) I suppose you first selected "connectivity enhancements"?
2) Do you have the necessary rights to change the config of the VPN client?

If you want to use visitor mode you will also need to enable this on your firewall.

Yes, 'connectivity enhancements' is selected, and I have the choice of 'Use NAT traversal tunneling' or 'Visitor mode', except visitor mode is greyed out. Our standard settings are to both 'support IKE over TCP' and 'Force UDP encapsulation'.

I have admin privileges on the system, so can't understand why it's not available -- unless of course the Checkpoint server needs to allow visitor mode on clients -- it's possible/likely this is not set on ours.

I can talk to our CP administrators, the support is a little limited in this area, hence I'm trying to troubleshoot it myself as far as possible -- with occasional suggestions from the network guys. They may not want to enable visitor mode on the CP server, for instance...

Tx,
Sean

Last edited by SeanR; 2008-01-01 at 15:45.
  #4 (permalink)  
Old 2008-01-19
Junior Member
 
Join Date: 2007-12-30
Posts: 5
Rep Power: 0
SeanR has an average reputation (10+)
Re: SecureClient not working with DLink DSL-G604T

Hi all,

Can anyone make any further suggestions in regard to the thread question?

The latest info is that 'visitor mode' is not enabled on our CP server, hence I can't do much with it on the client. The network guys are loath to research the implications of enabling visitor mode, if there are any.

Someone else at work says that they have also got a G604T on ADSL2, and it works to connect remotely with CP, but haven't had to do anything special to get it working.

I've also tested it on XP now, with R60 or whatever the latest version is, and it still doesn't connect... A connection with a different modem and ISP works even with R55 and NT4 using the same laptop.

Thanks
  #5 (permalink)  
Old 2008-01-19
Senior Member
 
Join Date: 2006-03-19
Location: Northern Ohio
Posts: 909
Rep Power: 3
RayPesek has an average reputation (10+)
Re: SecureClient not working with DLink DSL-G604T

Hi Sean,

What does "doesn't work" mean precisely? Cannot connect at all? Can connect and authenticate but not pass traffic? Or what?

You may be stuck, though. We fought this battle about three years ago with the 604 and never could get it to work without using Visitor Mode. It sounds like they never fixed it in the later firmware, if there was a later firmware. The 614's worked first time every time.

Do you know how to lower the MTU on the router and on NT? If so, drop it to about 1350 and see what happens. PPPoE, the authentication protocol usually used for ADSL, adds eight bytes to the packet size and that can cause VPN systems a lot of problems. The usual symptom is "can connect and authenticate but not pass traffic."

The only real implication of enabling Visitor Mode on the firewall is that the admins may have to move the firewall HTTPS admin port to something other than 443. If it's not on 443, then there are no security implications. They would have to create a rule allowing HTTPS to connect to the external interface of the firewall depending on what version they're using.

Generally the firewall admins will have two Remote Access Connection Profiles, one for regular IPSec and one for Visitor Mode. This allows people to select one or the other if they are having issues.

Visitor Mode is probably the best value-added part of the SecureClient license cost. We had execs sitting in a hotel lobby able to connect in by Visitor Mode while their counterpart they were traveling with spent the time on a Help Desk call because their company used Cisco.

Ray
  #6 (permalink)  
Old 2008-01-19
Junior Member
 
Join Date: 2007-12-30
Posts: 5
Rep Power: 0
SeanR has an average reputation (10+)
Re: SecureClient not working with DLink DSL-G604T

Quote:
Originally Posted by RayPesek
Hi Sean,

What does "doesn't work" mean precisely? Cannot connect at all? Can connect and authenticate but not pass traffic? Or what?

Do you know how to lower the MTU on the router and on NT? If so, drop it to about 1350 and see what happens. PPPoE, the authentication protocol usually used for ADSL, adds eight bytes to the packet size and that can cause VPN systems a lot of problems. The usual symptom is "can connect and authenticate but not pass traffic."

Thanks Ray. Yeah, sorry, it can locate the CP server and do Radius authentication to access the policy, etc, but it can't establish a normal data connection. Hence, you can set up a 'site', but not connect.

I've just tried the MTU=1350 thing, and it didn't work.

The thing is, other modems will connect happily with the VPN out of the box, this is the only one that is not working, and we have remote users using a variety of cheapo entry level modems with just 1 USB and Ethernet port, etc.

I can try D-Link Tech Support on this, they may actually respond with some definitive answer as a known problem, although I think the Oz tech people are snowed under with grievances that the 604T only likes working with some DSL2/+ DSLAMS as a whole other problem...
  #7 (permalink)  
Old 2008-01-21
Senior Member
 
Join Date: 2006-03-19
Location: Northern Ohio
Posts: 909
Rep Power: 3
RayPesek has an average reputation (10+)
Re: SecureClient not working with DLink DSL-G604T

Good luck. We just gave up on the 604 series in favor of the 614 series or Linksys.

Ray
  #8 (permalink)  
Old 2008-08-02
Junior Member
 
Join Date: 2007-12-30
Posts: 5
Rep Power: 0
SeanR has an average reputation (10+)
Re: SecureClient not working with DLink DSL-G604T

I've finally got an easy solution to this problem after finding the solution had been recently posted on the whirlpool broadbandchoice site.

The problem is that the default IP address of many DLink routers is 10.1.1.1 -- if you try to connect to a network that also starts with 10, it won't work -- you therefore simply have to change the base address on the router to something not starting with 10, like 192.168.0.1 or whatever.

I got no response from DLink tech support on this problem when I sent emails, by the way.
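The address clash described in post #8 can be checked before reconfiguring the router. The following is an added example, not part of the thread: it tests whether the router's LAN subnet overlaps any network reached through the VPN and proposes a private range that does not. The function names, the VPN-side networks and the 255.0.0.0 mask are assumptions made for illustration; only the 10.1.1.1 and 192.168.0.1 addresses come from the post.

```python
import ipaddress

# Private /24 ranges to offer as a replacement router LAN, in order of preference.
CANDIDATE_LANS = ("192.168.0.0/24", "192.168.1.0/24", "172.16.0.0/24")


def lan_network(router_ip, netmask):
    """Derive the LAN subnet from the router's own address and mask."""
    return ipaddress.ip_interface(f"{router_ip}/{netmask}").network


def find_conflicts(router_ip, netmask, vpn_networks):
    """Return the VPN-side networks that overlap the router's LAN subnet."""
    lan = lan_network(router_ip, netmask)
    return [n for n in vpn_networks if ipaddress.ip_network(n).overlaps(lan)]


def suggest_lan(vpn_networks):
    """Pick the first candidate LAN that overlaps none of the VPN networks."""
    remote = [ipaddress.ip_network(n) for n in vpn_networks]
    for candidate in CANDIDATE_LANS:
        if not any(ipaddress.ip_network(candidate).overlaps(r) for r in remote):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample: networks reachable through the VPN (not from the thread).
    vpn_side = ["10.20.0.0/16", "172.20.5.0/24"]
    # 10.1.1.1 is the router default named in the post; the mask is an assumption.
    for ip, mask in [("10.1.1.1", "255.0.0.0"), ("192.168.0.1", "255.255.255.0")]:
        clashes = find_conflicts(ip, mask, vpn_side)
        print(ip, mask, "->", clashes or "no overlap")
    print("suggested LAN:", suggest_lan(vpn_side))
```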