R7000 (Kong 24865M) - VPN Outbound Not Connecting

dmars
DD-WRT Novice


Joined: 12 Sep 2014
Posts: 3

Posted: Fri Sep 12, 2014 16:07    Post subject: R7000 (Kong 24865M) - VPN Outbound Not Connecting
Hi,

I installed the Kong 24865M version earlier this week and I can no longer connect from my laptop inside my network to an external VPN Server outside of my network.

I have confirmed that the VPN Server works, including connecting my laptop directly to my ISP modem. The connection only fails when going through the DD-WRT.

The VPN connection worked fine when on the factory firmware.

- I have ensured that VPN Passthrough is enabled for:
IPSec
PPTP
L2TP

- I have tried disabling the SPI firewall (and rebooting) and it didn't help.

- I have tried disabling the FTP Server (PPTP) running on DD-WRT (and rebooting), and it didn't help.

- MTU is set to Auto.

- I confirmed with my company's admin that the internal subnet is different from my internal subnet (They use 10.x.x.x, I use 192.x.x.x).

- He also confirmed that when I connect through DD-WRT, my connection attempts do not reach the Server.

- The VPN Client (Windows) sits at "Verifying the password..." for about 36 seconds, then it disconnects and closes the port with "Error 619".

- Confirmed the account and password are correct (works when bypassing DD-WRT).

- Same thing happens when connected to DD-WRT by wire or wireless.

Any ideas?

Thanks in advance.
dmars
DD-WRT Novice


Joined: 12 Sep 2014
Posts: 3

Posted: Fri Sep 12, 2014 16:13
Ok, so after typing out that checklist, I thought about DMZ.

When enabling DMZ, it appears to work. However, that is a bit like using a shotgun to kill an ant.

The good news is that I now know it can work.

So my guess is that certain ports are not being passed through properly. I would also suspect that this means the VPN Passthrough option is not working as expected.

Does anyone happen to know exactly which ports need to be opened for an L2TP connection, including IPSec?

And I don't think I'd be able to just use port forwarding for those, would I?

What about non-TCP/UDP protocols like GRE?
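
Added example, not part of the original post: L2TP/IPsec uses IKE on UDP 500, NAT-T on UDP 4500 and ESP (IP protocol 50), with L2TP itself on UDP 1701; PPTP uses TCP 1723 plus GRE (IP protocol 47). The sketch below classifies entries from a router's connection-tracking table by those protocols and reports which VPN legs never saw a reply. The sample table is constructed in the style of `/proc/net/nf_conntrack`, and the function names are hypothetical.

```python
import re

# IP protocol number and destination port -> VPN leg. GRE (47) and ESP (50)
# carry no ports, so their port slot is None.
VPN_LEGS = {
    (17, 500): "IKE (UDP 500)",
    (17, 4500): "IPsec NAT-T (UDP 4500)",
    (17, 1701): "L2TP (UDP 1701)",
    (50, None): "IPsec ESP (IP protocol 50)",
    (6, 1723): "PPTP control (TCP 1723)",
    (47, None): "PPTP data (GRE, IP protocol 47)",
}

# Constructed sample in the style of /proc/net/nf_conntrack; all addresses
# are documentation ranges, not values from the thread.
SAMPLE = """\
ipv4     2 tcp      6 431990 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=49200 dport=1723 src=203.0.113.5 dst=198.51.100.2 sport=1723 dport=49200 [ASSURED] use=2
ipv4     2 gre      47 25 src=192.168.1.10 dst=203.0.113.5 srckey=0x0 dstkey=0x1a2b [UNREPLIED] src=203.0.113.5 dst=198.51.100.2 srckey=0x1a2b dstkey=0x0 use=2
ipv4     2 udp      17 170 src=192.168.1.10 dst=203.0.113.5 sport=500 dport=500 src=203.0.113.5 dst=198.51.100.2 sport=500 dport=500 [ASSURED] use=2
ipv4     2 udp      17 20 src=192.168.1.10 dst=203.0.113.5 sport=4500 dport=4500 [UNREPLIED] src=203.0.113.5 dst=198.51.100.2 sport=4500 dport=4500 use=2
ipv4     2 tcp      6 100 TIME_WAIT src=192.168.1.10 dst=192.0.2.80 sport=50000 dport=443 src=192.0.2.80 dst=198.51.100.2 sport=443 dport=50000 [ASSURED] use=2
"""


def vpn_flows(table):
    """Return (leg, server_ip, replied) for each VPN-related entry."""
    flows = []
    for line in table.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[3].isdigit():
            continue
        proto = int(fields[3])
        port = re.search(r"\bdport=(\d+)", line)  # original-direction port
        dport = int(port.group(1)) if port and proto in (6, 17) else None
        leg = VPN_LEGS.get((proto, dport))
        dst = re.search(r"\bdst=(\S+)", line)
        if leg and dst:
            # [UNREPLIED] means conntrack never saw a return packet.
            flows.append((leg, dst.group(1), "[UNREPLIED]" not in line))
    return flows


def stalled_legs(table):
    """VPN legs that left the LAN but for which no reply was tracked."""
    return [leg for leg, _, replied in vpn_flows(table) if not replied]


if __name__ == "__main__":
    for leg, server, replied in vpn_flows(SAMPLE):
        print(f"{leg:34} {server:15} {'ok' if replied else 'NO REPLY'}")
```

A control leg that is answered while its data leg stays unreplied points at the path through the router rather than at the client or the credentials.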
cdmarshall
DD-WRT User


Joined: 09 Jul 2014
Posts: 116

Posted: Fri Sep 12, 2014 17:20
Odd, I have the same load on my EA6900 and I use both SSL-based VPN and IPSEC-based VPN just fine through mine.... Wonder if it is something different with the setup on your router? You don't have hardware NAT enabled, do you?
_________________
EA-6900-
Current FW - DD-WRT v24-sp2 (09/06/14) std - build 24988
JAMESMTL
DD-WRT User


Joined: 13 Mar 2014
Posts: 244
Location: Montreal, QC

Posted: Fri Sep 12, 2014 17:59
This is an issue with 24865 affecting many users including myself. You can roll back to 24800 which does not have this problem.

See http://www.dd-wrt.com/phpBB2/viewtopic.php?p=913556&highlight=#913556

_________________
IPv6 Ready
http://test-ipv6.com (10/10)
http://ipv6-test.com (19/20)
http://test-ipv6.netiter.dk (20/20)
cdmarshall
DD-WRT User


Joined: 09 Jul 2014
Posts: 116

Posted: Fri Sep 12, 2014 18:25
I suppose the question is: is it PPTP that's broken, or random IPSEC/VPN issues also?
JAMESMTL
DD-WRT User


Joined: 13 Mar 2014
Posts: 244
Location: Montreal, QC

Posted: Fri Sep 12, 2014 18:39
Rolfl reported the same issue with an iOS device trying to connect via L2TP.

PPTP server on router works fine. If I remember correctly so does the client.

From memory I would also say that all PPTP modules are loaded and iptables rules seem to be present as well. Honestly though, I haven't dug any further.

dmars
DD-WRT Novice


Joined: 12 Sep 2014
Posts: 3

Posted: Fri Sep 12, 2014 18:56
@cdmarshall - I do not intentionally have hardware NAT enabled. In fact, I have no idea where I would even check on this router.

The closest thing I can think of is that I followed the guide to create a "virtual" guest SSID and have it be separate from my internal network, along with its own DHCP Server.

http://tips.desipro.de/2013/12/06/guest-wifi-setup-dd-wrt/

@JAMESMTL - I looked at that thread and it looks like there are several different issues. Not sure if they specifically refer to mine.

@Everyone - I am trying to connect outbound using L2TP/IPSec when it fails. If I create a DMZ to my laptop (VPN client), it works.

I also configured my router to accept PPTP connections and I can connect to that from external clients just fine (ie: iPhone, etc). But I don't think it will work while I have DMZ turned on.

To me, it sounds as though VPN passthrough is not properly passing through L2TP and/or IPSec. I don't have an external PPTP Server to test outbound.
Giraffe
DD-WRT Novice


Joined: 07 Sep 2014
Posts: 10

Posted: Fri Sep 12, 2014 20:28
I'm experiencing exactly the same problem, with my R7000 running kongac 24865M.
I cannot connect to an external VPN Server using PPTP.

I've tried everything: PPTP Passthrough is enabled, I've tried port forwarding, setting firewall iptables, disabling SPI firewall, but none of it is working.

I'm glad I've stumbled upon this thread since I just couldn't figure out what I was doing wrong....
<Kong>
DD-WRT Guru


Joined: 15 Dec 2010
Posts: 2068
Location: Germany

Posted: Fri Sep 12, 2014 20:52
Highly unlikely that this is anything in the firmware. The passthrough option in the firmware only filters traffic if it is set to disable; if it is set to enable, then dd-wrt does nothing. Thus you should troubleshoot on the client computer.
_________________
Development Units I use for Development:
R7000/R6300V2/R6300

Kong K3 AC DD-WRT Builds for Mipsel R6300/WNDR4500/D1800H/AC66U/EA6500V1
Kong K3 AC DD-WRT Builds for ARM 1450AC/R6250/R6300v2/R7000/AC56U/AC68U/DIR-868
Kong DD-WRT Guides
Giraffe
DD-WRT Novice


Joined: 07 Sep 2014
Posts: 10

Posted: Fri Sep 12, 2014 23:15
<Kong> wrote:
Highly unlikely that this is anything in the firmware. The passthrough option in the firmware only filters traffic if it is set to disable; if it is set to enable, then dd-wrt does nothing. Thus you should troubleshoot on the client computer.


When I connect my laptop directly via the EURODOCSIS modem I'm able to establish a connection to the remote SERVER via PPTP / VPN.

When trying to connect via the DD-WRT router I get the following error:
"Error 619 A connection to the remote computer could not be established".

It's not my client computer (laptop) since it works fine when directly connected to WAN via modem? Is it?

Only when trying to establish a PPTP/VPN connection via the DD-WRT router the connection fails.
JAMESMTL
DD-WRT User


Joined: 13 Mar 2014
Posts: 244
Location: Montreal, QC

Posted: Fri Sep 12, 2014 23:28
<Kong> wrote:
Highly unlikely that this is anything in the firmware. The passthrough option in the firmware only filters traffic if it is set to disable; if it is set to enable, then dd-wrt does nothing. Thus you should troubleshoot on the client computer.


Also seeing PPTP connections from devices on LAN do not connect to external servers with versions 24850, 24865, and now v25000. Everything works with versions < 24850, e.g. 24800 works just fine.

No changes to any of my clients, just FW.

_Robb_
DD-WRT User


Joined: 14 Jan 2012
Posts: 210
Location: Wr PL

Posted: Fri Sep 12, 2014 23:40
Maybe this is an MTU issue?

Did you try to ping your vpn server with:
Quote:
ping -f vpnserver.com

_________________
http://speedtest.net/result/3185937120.png

DO NOT 30-30-30 or erase nvram newer routers! It can brick them.

EA6700: Build 25015M (nvram below 32K, ipv6 - HE 6in4)
E4200: Build 22000++M
WRT54GL: Retired - waiting in the closet for an emergency.
nathulal
DD-WRT Novice


Joined: 22 Jan 2008
Posts: 22

Posted: Fri Sep 12, 2014 23:52
JAMESMTL wrote:
<Kong> wrote:
Highly unlikely that this is anything in the firmware. The passthrough option in the firmware only filters traffic if it is set to disable; if it is set to enable, then dd-wrt does nothing. Thus you should troubleshoot on the client computer.


Also seeing PPTP connections from devices on LAN do not connect to external servers with versions 24850, 24865, and now v25000. Everything works with versions < 24850, e.g. 24800 works just fine.

No changes to any of my clients, just FW.


Same issue here when trying to connect to Work VPN (Microsoft PPTP VPN) for any firmware above 24800.

24800 connects to PPTP VPN just fine.
<Kong>
DD-WRT Guru


Joined: 15 Dec 2010
Posts: 2068
Location: Germany

Posted: Sat Sep 13, 2014 6:51
Then it must be a kernel issue and I have to tell BS to update the binary broadcom modules. I can't sync with kernel from 25000 because the public binaries don't work anymore. I have the same issue with AC mipsel units, which kind of annoys me.
MrDoh
DD-WRT User


Joined: 04 Dec 2012
Posts: 227

Posted: Sat Sep 13, 2014 8:03
<Kong> wrote:
Then it must be a kernel issue and I have to tell BS to update the binary broadcom modules. I can't sync with kernel from 25000 because the public binaries don't work anymore. I have the same issue with AC mipsel units, which kind of annoys me.


Good to see you back, Mr. <Kong>!

_________________
Netgear R7000
All times are GMT