Linksys RV042 VPN


2008/11/08

Linksys routers can be such fun. Well, OK, maybe I'm a little unfair: all routers can be "fun". But Linksys just has that "I'm cheap and I'm going to mess up your day" smell.

So when I arrived to configure a new VPN connection for a branch store yesterday, I was not overjoyed that I found a box proudly announcing that its contents were a "Cisco Linksys RV042 10/100 4-Port VPN Router".



Oh well. My mood wasn't improved when the resident tech guy told me that he didn't want any "cookies" to get on his machines. Obviously I'd be dealing with a high tech wizard. Oh joy.

The "cookie" guy was there to physically install the router. Fine, have at it, Tech Whiz. He showed me where he had mounted Verizon's DSL router and started drilling mounting screws near it. I wandered back to the front of the store to wait.

A few minutes later he poked his head out and announced that the router was installed. I repaired the network connection on the front PC and got a 192.168.1.x address. Good. I had the paperwork from Verizon with the static IP info, so this part would be easy. Oh, but Tech Whiz warned me that he needed to install a DSL filter for the fax line. Why are you warning me, I wondered silently, that shouldn't interrupt me. Oh well.. I programmed the router for the static IP and we had Internet access. Great so far.

OK, next question. What's the ip for the router we're going to have the VPN with? Tech Whiz pointed at the paperwork I had from Verizon. No, I said, that's THIS router. He shook his head up and down like a bobble doll. Yes, yes, it's the same address.

I had to take a deep breath. I've been warned that Tech Whiz is related to the owner of the company. "It can't be the same address", I said, as pleasantly as I could manage.

"Why not?", he asked.

Now there's a great question. I started to open my mouth and then closed it again. I looked at him and considered my options. These included saluting him smartly and walking out the door, never to be seen again, or throwing my arms in the air while screaming "Omigod-somebody-get-this-idiot-out-of-here". I instead went for the "I'm talking to a child" approach.






"Each store needs to have a unique IP address". Daddy will give you a lollipop later if you'll just go play quietly while I do this.

Fortunately at that moment the guy who had hired me for this called from the main store. He was there for other reasons, but I could get the router info from him. Tech Whiz headed back to install his filter.

My guy set the main router to allow me remote access and moments later I was in and able to start configuring that end of the VPN. Great, this is almost done.

And then everything stopped.

No connection to the other router, no internet, all dead.

We rebooted the router and the modem. No luck. We powered it all off. Nothing. We called Verizon.

"They say there's some problem in Boston". That from a recorded announcement. Oh, great. Good timing. I twiddled my thumbs and we waited. And waited.

I went back to the router. Tech Whiz showed me that the DSL modem had lights. "Yes", I agreed, "but nothing on the Internet LED."

"I don't think that one ever goes on", he offered.

I sighed. He was still waiting for a Verizon tech. I went back up front and waited.

Now really, I should have known what was coming. After all, I'd had fair warning with the dangerous cookies and the ip addresses being the same. Actually, he had even warned me himself..

He had come out and informed me that the line should be up now. It was. I asked what was wrong, but I had guessed the answer before I asked.

Yes, Tech Whiz had managed to insert the DSL filter right into the main circuit. Don't ask why, because I certainly didn't. The Verizon tech guy probably had a good laugh, but at least we were working again. I finished up programming the VPN's and hit the "Connect" button.

Hmmm. No connection. I checked the log and found this:



 Dynamic VPN client in Main Mode is only supported for Microsoft
 VPN client, please use Aggressive mode instead.


That made no sense. This was a router to router VPN and both sides were static IP's. But since they said "please", I changed to Aggressive mode. This gave me a new error:



 Initial Aggressive Mode message from 70.xx.xxx.xxx but no (wildcard)
 connection has been configured


OK, this is not working. I noticed that the routers were at different firmware levels. Mine was v1.3.9.2, the one at the main store was v1.3.8.1. We decided to upgrade. I asked the guy at the main store to do his and I'd do mine. The Linksys site showed that the newest available was 1.3.12.6-tm, so that's what we both used.

And that's where things got nasty.

After upgrading the firmware, I could no longer access the other router. Everything was fine, it was enabled for remote access, but no response. We tried it in the opposite direction too, but he couldn't reach me. The VPN's still didn't work and gave the same errors.

Tech Whiz was getting excited. "Isn't it time to call Linksys?", he asked.

Yeah, I guess so.. I HATE doing that because I know that I've done nothing wrong - the routers are set correctly. I even know what they are going to tell me to do, but I guess it's better if they tell me because Tech Whiz isn't going to like it.

What they'll want to do is a hard reset. Stick the paper clip in and hold it until the lights flash. Total wipeout and reset of both routers. The reason Tech Whiz won't like that is that there are already other VPN's programmed in the main router. We'll lose them and they'll have to be redone. Probably the third router will have to be redone also. This is drastic. I don't like it, but I know that's what they'll say.

And of course I was right. I called Linksys and explained the situation to date. I went over the configs with a pleasant tech who confirmed that yes, I had everything programmed correctly. Do a hard reset and reprogram, she said. Of course.

So we did. I did my side and I led my guy through the other end. Instants later, we had a working VPN. I asked Tech Whiz about the third store. Turns out that that wasn't working anyway.. so no real loss.

But this was not the end of my fun. The purpose of the VPN was to access a Terminal Server. I tried the connection and was refused. This wasn't the VPN's fault: I could ping the server and even map shared drives from it, but I couldn't connect with RDP. I asked if TS was enabled and licensed.

"I bought 10 CALS", Tech Whiz said. OK, but did you buy Terminal Server licenses? Blank stare. I brought up the Microsoft "Licensing Terminal Server in Windows Server 2003 R2" page, which explains:

In addition to a server license, a Windows Server Client Access License (CAL) is required. If you wish to conduct a Windows session, an incremental Terminal Server Client Access License (TS CAL) is required as well.

More blank stares. I got my guy on the phone and he said he'd take it from here. I breathed a long sigh of relief and headed for my car.

I sure hope the poor guy doesn't get any cookies.




Comments


Sat Nov 8 15:31:16 2008: Subject:   jtimberman


I'm sorry to laugh at [somewhat] your expense, but there's so many amusing events in this post that remind me of incompetent people, crappy DSL routers, crappy Linksys routers and even crappier tech support (though sounds like you had good Linksys and Verizon folk).

Thank you for posting.

Sat Nov 8 17:19:51 2008: Subject:   TonyLawrence


Ayup. The saddest part is that Tech Whiz is their "tech guy". If he were just another random employee, fine, he doesn't know beans but so what? But this guy is giving them advice, spec'ing equipment.. it's funny, but it's also sad.

Sat Nov 8 17:56:38 2008: Subject:   jtimberman


I read it as an "omg I'm shaking my head at the ridiculousness of this situation."

It's sad the kind of people that get jobs providing supposed technical expertise.

Sun Nov 9 13:33:42 2008: Subject:   joe


I read all the post and laughed; every situation is a reflection of me...

bad dsl boxes, call centers with stupid questions, manuals for "dummies"

good article!
