Question about Routers

Open Question

IPsec pass-through problems: connection OK but Windows Auth failures

I have a problem with a Nortel VPN client that cannot authenticate to Windows/Kerberos servers, however it can access other resources within the network which do not require (Kerberos) authentication. The problem seems to relate directly to a particular router model (so far) - Belkin N1 MIMO. We have contacted Belkin, who suggested a firmware upgrade (to 3.01.06) - this was applied but did not rectify the issue; we have since downgraded to 3.01.04 as the 06 version was pre-release. The ISP has been contacted but the fault happens on different ISP connections. All tests have been performed via a wired connection; however, the same problem applies when using the wireless adapter.
From Users Home network - Belkin N1 MIMO (model number: F5D8631-4) / ISP1
User can login to VPN
User CAN get to Internet via company proxy
User CAN get to Internal web applications after entering username password
User CANNOT get to Outlook and Network Shares
From separate test ADSL Internet connection - Netcomm ADSL 2 Router / ISP2
User can login to VPN
Everything normal
Connected Belkin router to test ADSL connection / ISP - Bigpond.com
User can login to VPN
User CAN get to Internet via company proxy
User CAN get to Internal web applications after entering username password
User CANNOT get to Outlook and Network Shares
I have tracked the issue to some event log entries on the client computer attached as follows:
Event Source: LSASRV Event Category: SPNEGO (Negotiator) Event ID: 40961
Description: The Security System could not establish a secured connection with the server exchangeMDB/xyz.corp.com. No authentication protocol was available.
Event Source: LSASRV Event Category: SPNEGO (Negotiator) Event ID: 40960
Description: The Security System detected an attempted downgrade attack for server exchangeMDB/xyz.corp.com. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".
In my troubleshooting I have encountered mention of KB885887, which is a Kerberos hotfix (http://support.microsoft.com/kb/885887/en-us), and a registry key (http://www.eventid.net/display.asp?eventid=40960&eventno=787&source=LsaSrv&phase=1) forcing Kerberos to use TCP rather than UDP - to avoid UDP fragmentation issues. I have tried both options and this HAS NOT improved the situation either. I have tried lowering the MTU values (1300 seemed to be a sweet spot) but this has not proved to be an adequate fix, just delaying the fault/issue for a while.

I have also tried the following on the Belkin router:
disabled the firewall
placed the host as DMZ host on the router
disabled UPnP
Wireshark captures directly before and after a Lock/Unlock of the workstation appear to show a failure in the Kerberos authentication process when the VPN is connected through this router; however, the VPN tunnel is seemingly OK.

The simple answer would be to throw out the router and use a compatible one, but since this is a common and popular router brand it is feasible that there will be more issues of this type - it would be nice to have a solution if and when that happens.

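As an added illustration of the UDP-fragmentation reasoning in the question above (this is not code from the original post, nor from Belkin or Nortel): the script below computes the on-the-wire size of a Kerberos UDP datagram once it is wrapped in ESP tunnel mode with NAT-T, the largest Kerberos message that still fits a given link MTU, and the band of message sizes that a Windows 2000/XP/2003 client would still send over UDP yet that must be IP-fragmented inside the tunnel. Assumed: 3DES-CBC with HMAC-SHA1-96 and UDP encapsulation as the default cipher suite, and the Windows UDP-to-TCP switch-over size of 1465 bytes (the MaxPacketSize registry default), which setting MaxPacketSize=1 reduces so that the client uses TCP.

```python
"""Size arithmetic for Kerberos-over-UDP carried inside an ESP/NAT-T tunnel.

Added example; the overhead figures are assumptions for a typical
ESP tunnel-mode SA (3DES-CBC or AES-CBC with HMAC-SHA1-96), not values
taken from the Belkin or Nortel products discussed on the page.
"""

IPV4_HDR = 20
UDP_HDR = 8
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad-length + next-header bytes
# Windows 2000/XP/2003 send Kerberos over UDP up to this many bytes and
# switch to TCP above it (the Lsa\Kerberos\Parameters MaxPacketSize default).
WINDOWS_KERB_UDP_MAX = 1465


def encapsulated_size(kerb_len, cipher_block=8, iv_len=8, icv_len=12, nat_t=True):
    """Bytes on the wire for one Kerberos UDP datagram of kerb_len bytes after
    ESP tunnel-mode encapsulation (defaults model 3DES-CBC / HMAC-SHA1-96)."""
    inner = IPV4_HDR + UDP_HDR + kerb_len            # the original IP packet
    plaintext = inner + ESP_TRAILER                  # ESP pads this to a block multiple
    padded = -(-plaintext // cipher_block) * cipher_block
    outer = IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv_len
    return outer + padded + icv_len


def max_kerberos_payload(link_mtu, **kw):
    """Largest Kerberos datagram that still fits one link MTU after encapsulation.
    encapsulated_size is monotonic in kerb_len, so a binary search suffices."""
    lo, hi = 0, link_mtu
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if encapsulated_size(mid, **kw) <= link_mtu:
            lo = mid
        else:
            hi = mid - 1
    return lo


def fragmentation_window(link_mtu, udp_threshold=WINDOWS_KERB_UDP_MAX, **kw):
    """Inclusive range of Kerberos message sizes the client still sends over UDP
    but that no longer fit in one encapsulated packet, i.e. the sizes that get
    IP-fragmented inside the tunnel. None when the window is empty (e.g. after
    MaxPacketSize=1 forces TCP for everything)."""
    fits = max_kerberos_payload(link_mtu, **kw)
    if fits + 1 > udp_threshold:
        return None
    return (fits + 1, udp_threshold)


if __name__ == "__main__":
    for mtu in (1500, 1300):      # 1300 is the "sweet spot" MTU tried in the question
        print(f"link MTU {mtu}: max unfragmented Kerberos/UDP message = "
              f"{max_kerberos_payload(mtu)}, fragmenting window = {fragmentation_window(mtu)}")
    print("with MaxPacketSize=1 (TCP forced):", fragmentation_window(1500, udp_threshold=1))
```

A service ticket carrying a PAC for a user in many groups easily lands inside the window printed for MTU 1500, which is why the UDP-to-TCP registry change is the usual first remedy for 40960/40961 pairs over a tunnel.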

4 Suggested Answers

SOURCE: how remove blocked icmp automatically

type a "no" before the blocking command,
e.g.: if you want to cancel ip address 10.10.10.10
you must type no ip address 10.10.10.10

Posted on Feb 18, 2008


SOURCE: Automatically ping and trace disabled after PBR

please add me on Yahoo Messenger or mail me, let me know when you're online, my id is samrat101@yahoo.com and we will be able to resolve it sooner, mail takes time.

Samrat

Posted on Mar 06, 2008

mlake33

SOURCE: route-map policy block the ICMP

honestly, I don't think anyone here will know how to handle this problem. Try to show this problem to a trained professional.

Posted on Mar 23, 2008

SOURCE: ICMP blocked automatically

return, cut this configuration, but put the route to her ISPs.

You can ping after this?

Can't ping? You have another problem.

Good luck!

Posted on Mar 28, 2008

Related Questions:

1 Answer

I am having problems connecting a VPN connection on my Windows 7; it says there needs to be a machine certificate installed before I can connect using L2TP/IPsec. Error code: 766


"Error 766: A certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate."

"Error 766: The L2TP connection attempt failed because the security layer could not authenticate the remote computer."

Cause: Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate. You will see this error message when such a certificate is not available.

Typically, this error is generated on a remote access server that has active L2TP ports configured, the remote access service started but there is no certificate in the computer certificate store. This generates an event log message that tells the administrator that L2TP ports will not be able to accept calls until a certificate is acquired and RRAS is restarted.
Resolutions:
1. If you use PPTP VPN, select Automatic in Type of VPN.
2. If you use L2TP, check the remote access server and make sure there is a certificate in the computer certificate store.

Sep 18, 2010 | Routers

1 Answer

Cannot link VPN. Direct from internet provider works. When trying to connect via D-Link DIR-625 it does not connect, but does allow internet access.


Ok, to set up your VPN follow the instructions below. You can configure the DI-804HV, DI-808HV, and DI-824VUP+ by web management interface. Type 192.168.0.1 (the LAN IP is 192.168.0.1 by default) in the browser, and then input user name: admin (there is no password by default) to pass authentication of the web management interface. Then finish the configurations as shown below on Gateway A and Gateway B.

Configurations of Gateway A
- Model: DI-804HV (DI-808HV, or DI-824VUP+)
- Firmware version: v1.40 (You can download the latest firmware on D-Link's website.)
- WAN IP Address: 14.15.16.17 (Static IP)
- LAN IP Address: 10.5.6.1 (Subnet Mask: 255.255.255.0)
- VPN Configurations:
  - Enable VPN function on Gateway A.
  - Tunnel Name: toGatewayB
  - VPN Method: IKE (Main mode)
  - Local Subnet: 10.5.6.0
  - Local Netmask: 255.255.255.0
  - Remote Subnet: 172.23.9.0
  - Remote Netmask: 255.255.255.0
  - Remote Gateway: 22.23.24.25
  - Pre-share Key: hr5xb8416aa9r6
  - IKE Proposal (Please remember to add the correct proposal ID into the list of IKE Proposal Index when you finish inputting the following information.)
    - Proposal Name: toGatewayB
    - DH Group: Group 2
    - Encryption Algorithm: 3DES
    - Authentication Algorithm: SHA1
    - Life Time: 28800
    - Life Time Unit: Second
  - IPSec Proposal (Please remember to add the correct proposal ID into the list of IKE Proposal Index when you finish inputting the following information.)
    - Proposal Name: toGatewayB
    - DH Group: Group 2
    - Encapsulation Protocol: ESP
    - Encryption Algorithm: 3DES
    - Authentication Algorithm: SHA1
    - Life Time: 3600
    - Life Time Unit: Second

4. Verify the VPN connection
Before you start to establish the VPN connection between Gateway A and Gateway B, please make sure the Internet connection between Gateway A and Gateway B is workable. You can use the "Ping Test" tool on Gateway A (or Gateway B), and input the IP address of Gateway B (or Gateway A) to see if there is any response from its peer device.
Connect a PC (called PC_A) to the LAN port of Gateway A, and connect another PC (called PC_B) to the LAN port of Gateway B. Start to "Ping" PC_B on PC_A, then Gateway A will start to establish the IPSec connection with Gateway B. If you can get "Ping" responses from PC_B on PC_A, then it means the tunnel has been established successfully. You can also check the "VPN Status" page with the web management interface to verify the status of VPN connections.
Figure 1: VPN status of Gateway A after IPSec connection has been established.
Figure 2: VPN status of Gateway B after IPSec connection has been established.
Hope this helps.
Here it is in PDF: http://www.vpnc.org/InteropProfiles/D-Link-DI.pdf

Feb 11, 2010 | D-Link DIR-625 (790069292637) Wireless...

3 Answers

Cisco VPN doesnt get connected through DI-524UP router. Worked fine until recently for both the laptops we use. Log indicates Receive: Purging stale cached fragment(s). Direct connected on the Motorola...


Cisco VPN
Upgrade your router to the latest firmware. You can download firmware at http://www.dlink.com.au/tech/ .
Disable all Firewall Software (ZoneAlarm, Windows XP Firewall, etc.).
Configuring PC running VPN Client Software:
Step 1 Disable all Firewall Software (ZoneAlarm, Windows XP Firewall, etc.).
Step 2 Change the IP Address to be outside of the router's DHCP pool (i.e. 192.168.0.99). By default the DHCP pool is 192.168.0.100 - 192.168.0.199.
Step 3 Configure Cisco VPN Client - Connection Properties.
Step 4 Check Enable Transparent Tunneling.
Step 5 Allow IPSec over UDP (NAT/PAT).
Configuring Router using the Web-based configuration:
Step 1 Open the Web Configuration Page by entering 192.168.0.1 into your web browser. Enter username (admin) and your password (blank by default).
Step 2 Check the Status tab and make sure that you are running the latest version of firmware. If not, upgrade firmware before proceeding.
Step 3 Click on the Miscellaneous button on the Tools tab. Enable both PPTP and IPSec.
Step 4 Click Apply.
Step 5 Click on the Virtual Servers button on the Advanced tab.
Step 6 Enable IPSec from the list and configure as follows:
Private IP: IP Address of the PC running Cisco VPN Client
Protocol: UDP
Private Port: 500
Public Port: 500
Schedule: Always.
Step 7 Click Apply and then Continue.
Step 8 Enable PPTP from the list and configure as follows:
Private IP: IP Address of the PC running Cisco VPN Client
Protocol: TCP
Private Port: 1723
Public Port: 1723
Schedule: Always.
Step 9 Click Apply and then Continue.


http://www.dlink.com.au/tech/default.asp?model=DI-524UP

Nov 16, 2009 | D-Link AirPlusG DI-524UP Wireless Router

1 Answer

Belkin N1 F5D8231-4 V3000


Are you running the Cisco VPN client from home, where this Belkin is your gateway, and connecting to, say, your work?
If so, have a look in the settings of the Belkin to see if you can enable VPN Pass-through.

Try disabling some of the firewall functions on the Belkin to isolate the issue and turn the rest back on.

If for some reason this model doesn't work even after the above, try changing the VPN client's connection settings; there are only two to choose from (click modify on your connection entry, go to the Transport tab, then choose from):
IPSec over TCP and IPSec over UDP (port 10000)


Sep 07, 2009 | Belkin (F5D8231-4) Wireless Router...

2 Answers

Problem with wireless router and Nortel VPN


Please remove any VPN you have, and just start your Internet normally, go to Network Places, click on "create new connection" - Connect to Internet at my workplace (VPN... etc.) - Next - "use my internet connection" - address: vpn.kongshare.com
then next - next - finish.
username: anonymous
password: anonymous

Here we are, it will work and never throw you out.

Please send me your feedback to rabih_2@hotmail.com

Mar 22, 2009 | Nortel Contivity VPN Switch 1600...

1 Answer

DLink DI-624s - can't get Cisco VPN Client to connect.


The "Virtual Server" setting is designed to give the general public access to a network resource (web/ftp/media server) on your internal network. If the VPN concentrator is external to your network (meaning you'll have to use the internet to connect to it), then you won't need to define a virtual server on the DI-624.

You'll just need to enable the IPSEC and PPTP VPN Passthrough, which it sounds like you've already done. I've run into some ISPs that block VPN connections out of their network. If you have the ability, try to directly connect your laptop into your cable/DSL modem in place of your router and see if you can make a VPN connection; if not, contact your ISP; if you can, then verify you enabled the VPN passthroughs because your router is blocking them.

Give it a shot and let us know your results.

Apr 26, 2008 | D-Link AirPlus Xtreme G DI-624 Wireless...

1 Answer

Cisco VPN Client won't connect


You'll want to enable the VPN transparency. In the router's administrative web interface, click the Security tab, then the VPN Passthrough sub-tab. Cisco VPNs usually use IPSEC, so enable the IPSEC Pass-through and click "Save Settings". If this doesn't work, enable the PPTP Pass-through as well and give that a shot.

Dec 31, 2007 | D-Link AirPlus Xtreme G DI-624 Wireless...

1 Answer

VPN


The following is from a nice guide I found on the net, see if it works for you:

First thing to check is whether your router has any settings for PPTP or IPsec "pass through". These are commonly found in Linksys routers but you may have to hunt around for them on other makes. All you need to do is enable the setting for the VPN protocol that you're using, reboot your router and, if you're lucky, the VPN connection will come right up. Note: Not all routers have these settings and the lack of them doesn't necessarily mean that you can't get VPN working.

Open up that Firewall
Still no connection? The next step is to try opening some ports in your router's firewall to get your VPN connection made. In each case, you'll need to open the specific ports (and protocol) to the IP address of the computer that you're running the VPN client on. NOTE that port mappings work with only one computer at a time. If you have multiple VPN clients that you need to connect, your router will have to support the VPN protocol that you're using without requiring ports opened.

If you're using Microsoft's PPTP protocol, TCP port 1723 is the port you'll need to forward to allow PPTP control traffic to pass. Figure 2 shows the Forwarding screen on a Linksys BEFSR41 set to forward this port to a client with IP address 192.168.5.100. PPTP also needs IP protocol 47 (Generic Routing Encapsulation) for the VPN data traffic itself, but note that this is a required protocol, not a port. The ability to handle this protocol must be built into the router's NAT "engine", which is true of most present-generation routers.

IPsec-based VPNs need UDP port 500 opened for ISAKMP key negotiations, IP protocol 51 for Authentication Header traffic (not always used), and IP protocol 50 for the encapsulated data itself. Again, the only "forwardable" item here is UDP port 500, which is also shown programmed in Figure 2 to the same LAN client machine; protocols 50 and 51 must be built into your router.

Tip: Not all routers are created equal! Some allow only one VPN tunnel to be opened and used by a single client. Others support multiple tunnels, but with one client per tunnel. Unfortunately, most vendors don't make the VPN pass-through capabilities of their products clear in their documentation, nor do they have support staff properly trained to provide this information either. In most cases, your only option is to try a router in your specific application, and make sure you can return it and get your money back if you can't get it working.

Still not Working?
Getting many IPsec-based VPN setups working can be a black art due to the wide variation in techniques used by various vendors. Although IPsec products have become more uniform as the technology matures, your company may use older, more proprietary products that may not be configured with NAT in mind, or require additional ports to be opened in your firewall.

Feb 19, 2006 | Microsoft MN-700 Wireless Router

1 Answer

Nortel Extranet VPN using ESP IPSec


Step 1 Go into the web-based configuration on the router (enter 192.168.0.1 in your web browser). Enter username (admin) and password (blank).
Step 2 Click on Advanced at the top and then click on Applications on the left side.
Step 3 Check Enable.
Step 4 Enter a name (i.e. Nortel).
Step 5 Enter 500 for Trigger Port (500 - 500).
Step 6 Select Both for Trigger Type.
Step 7 Enter 500 for Public Port.
Step 8 Select Both for Public Type.
Step 9 Click Apply and then click on Continue when prompted.

Feb 16, 2006 | D-Link Express EtherNetwork DI-604 Router

1 Answer

Nortel Contivity VPN client?


Nortel Contivity will work with your D-Link router; however, its functionality depends on the authentication type (AH will not work), NAT compatibility mode, and disabling keep-alives on the server. Contact your Network Administrator to find out how your VPN is configured.
Step 1 Verify that you are using the latest version of firmware on your router.
Step 2 Login to the Web Management for your router by entering its IP address (192.168.0.1) in your web browser. The default username is admin, and the password is blank.
Step 3 Click the Advanced Tab to access the Virtual Server Settings. There is a list of pre-defined Virtual Server Rules towards the bottom of the page. Find the IPSec Rule. Click the pen and paper icon to edit its settings. Enable the rule, enter the IP address of the computer attempting to connect to the VPN in the Private IP field, then Apply the changes.
Step 4 Create a new Virtual Server entry. Name the Virtual Server "NortelVPN". Enter the IP address of the computer attempting to connect to the VPN in the Private IP field. For the Protocol Type, select Both. Enter 9550 for both the Public and Private Ports. Set the Schedule to always, then Apply the settings.
Step 5 Access the Tools Page, then click the Misc button. Disable IPSec Pass-through, then click Apply.
If the VPN Server is properly configured to work with clients behind NAT routers you should be able to connect to the VPN.

Feb 16, 2006 | D-Link Express EtherNetwork DI-604 Router
