FIOS G3100 Router - External VPN Issues

helpme62
Enthusiast - Level 1

I recently "upgraded" to the FIOS G3100 Router from the FIOS Quantum Router (due to a move) and can no longer VPN to my work network.  Below is a summary of the issue from my IT department.

    

Problem: Using an IPSec VPN connection to a Cisco firewall. After authentication, the firewall terminates the connection because the connection appears as a DoS attack. The logs show the following when connecting to the firewall:

2 Apr 06 2020 13:09:15 98.115.x.x x.x.x.x Deny IP teardrop fragment (size = 1480, offset = 0) from 98.115.x.x to x.x.x.x

Basically, the firewall is interpreting the connection as TearDrop DoS attack.

This works from other ISPs and the previous Fios connection. But under the new connection (and new router) the error occurs.

Any thoughts or advice on how to allow the FIOS G3100 Router to VPN externally would be appreciated. 
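
The "teardrop fragment" entry above names a specific check: a firewall that reassembles fragments drops a datagram whose fragments overlap one another, because overlapping fragments are the classic teardrop attack pattern. The following is an added illustration, not code from the post, from Cisco or from Verizon, of IPv4 fragmentation at a 1500-byte MTU and of that overlap check; all packet sizes are constructed. Note that 1480 bytes at offset 0 is simply the first fragment of any datagram larger than 1500 bytes sent over a 1500-byte link (1500 minus the 20-byte IPv4 header), so that size and offset alone say nothing about whether the fragments overlap.

```python
"""IPv4 fragmentation and fragment-overlap (teardrop) checking.

Added example for this thread, not code from the original post or from
Cisco/Verizon. It models two things a fragment-inspecting firewall does:
splitting a datagram at an MTU, and rejecting a set of fragments whose
byte ranges overlap, which is the classic teardrop condition. All packet
sizes below are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

IPV4_HEADER = 20  # bytes, header without options


@dataclass(frozen=True)
class Fragment:
    offset: int  # byte offset of this fragment's payload in the original datagram
    size: int    # payload bytes carried by this fragment
    more: bool   # the IP "More Fragments" flag


def fragment(payload_len: int, mtu: int = 1500) -> List[Fragment]:
    """Split a datagram payload as an IPv4 router would.

    Every fragment except the last carries a payload that is a multiple of
    8 bytes, because the header's offset field counts 8-byte units.
    """
    max_payload = (mtu - IPV4_HEADER) // 8 * 8
    if max_payload <= 0:
        raise ValueError("MTU too small for an IPv4 header plus payload")
    frags: List[Fragment] = []
    offset = 0
    while offset < payload_len:
        size = min(max_payload, payload_len - offset)
        end = offset + size
        frags.append(Fragment(offset, size, end < payload_len))
        offset = end
    return frags


def overlaps(frags: List[Fragment]) -> List[Tuple[Fragment, Fragment]]:
    """Return pairs of fragments whose byte ranges overlap.

    After sorting by offset, each fragment only needs comparing with its
    predecessor: if it starts before the predecessor ends, it overlaps.
    """
    ordered = sorted(frags, key=lambda f: f.offset)
    return [(a, b) for a, b in zip(ordered, ordered[1:])
            if b.offset < a.offset + a.size]


def classify(frags: List[Fragment]) -> str:
    """Label a fragment set the way a firewall's fragment check would."""
    if not frags:
        return "empty"
    if overlaps(frags):
        return "teardrop"          # overlapping fragments: drop
    ordered = sorted(frags, key=lambda f: f.offset)
    if ordered[0].offset != 0:
        return "missing-first"     # no offset-0 fragment seen (yet)
    for a, b in zip(ordered, ordered[1:]):
        if a.offset + a.size != b.offset or a.size % 8:
            return "gap-or-misaligned"
    return "ok"


if __name__ == "__main__":
    # A 1600-byte payload at a 1500-byte MTU: the first fragment is exactly
    # 1480 bytes at offset 0, the same size/offset the Cisco log reported.
    legit = fragment(1600)
    print(legit, classify(legit))
    # The second fragment starts inside the first: teardrop.
    bad = [Fragment(0, 1480, True), Fragment(1472, 200, False)]
    print(classify(bad), overlaps(bad))
```

Running it shows that a legitimately fragmented 1600-byte datagram produces exactly the (size 1480, offset 0) first fragment from the log and is classified "ok", while only a set whose ranges overlap is classified "teardrop".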

1 Solution
Cang_Household
Community Leader

Just for your information, VPN Fragmentation issue seems to be fixed in the latest firmware 3.1.0.12.

Users now do not need to use the Ethernet interface in order to connect to a remote IPsec VPN.


29 Replies
dslr595148
Community Leader

Check the firewall setting(s) in the router.

smith6612
Community Leader

You should be able to log into the FiOS router's web interface at https://192.168.1.1/ or https://myfiosgateway.com/ (Admin username and password are printed physically on the router) and adjust the Firewall setting from Typical to "Low" or "Off". Hopefully that should be it, and this isn't a problem with IPSec ALG in the router being broken.

helpme62
Enthusiast - Level 1

Thank you for the reply.  That is not it.  I have since learned that a wired connection allows me to connect via VPN, however a wireless connection does not.  It appears to be something with the new router's wireless settings.  I've tested most of the settings on the router, but still unable to find a resolution at this point in time.  

Miguel_Tech
Newbie

Thanks for the suggestion about trying it wired, but it still won't work for me. I had no issues until I got upgraded to the new G3100. I even created some port forwarding rules for the ports that are required for the VPN and still no go. Calling Verizon tech support is no help either; they told me that no one has reported any similar issues, therefore it should just be working. I had read on another post that someone had a similar issue and the issue was resolved by getting a new router. I don't know if that really would work, but I'm trying it out. I will update this post once I get my new replacement.

mnetwork1
Newbie

Did you ever resolve this? Have a colleague with this issue too.

Commodore64
Enthusiast - Level 1

I am having this issue as well.  Just upgraded to G3100.  Anyone able to figure out something to get this working?

Commodore64
Enthusiast - Level 1

[image attachment]

supertech1
Newbie
same issue here!
glump23
Newbie

I'm having the same issue except that it works on wireless (with the firewall set to low), and doesn't work when I'm hardwired. 

Riplead
Newbie

Hi! I'm having the exact same issue. Were you able to get this resolved?

Thanks,

John

Cang_Household
Community Leader

@Riplead wrote:

Hi! I'm having the exact same issue. Were you able to get this resolved?


Can you give us more details other than simply not working or not connecting?

What error messages are you getting?

SamerN
Newbie

I am having the same exact issue. There must be something off with the firmware of these new routers.

I had both the older G1100 and the G3100 routers on hand at the same time so I was able to connect one router and test then remove it and try the same test with the other without changing anything on my laptop.

With the G1100, all is good. My VPN connects and I can access all the resources on the other network, or simply ping something in my office network.

But when I remove the G1100 and connect the G3100, My VPN still connects, but I just can't access any resources or ping anything in the office network.

For now the only way I can use my VPN is through a wired connection to the G3100 router. But obviously, that's annoying and I can't take my laptop anywhere in the house or VPN from my iPhone 😞

Verizon, please investigate this issue. There must be a bug in the G3100 firmware!!!!

Cang_Household
Community Leader

Hello SamerN.

I want to first mention that G3100 and G1100 are built completely differently by two separate manufacturers on two distinct platforms, so there is no meaningful comparison between the two.

To better assist you, can you tell us what type of VPN are you using? Since you said that the VPN can be connected, I am assuming the key exchange is fine. Have you checked whether your VPN requires static routing entries on G3100?

SamerN
Newbie

My company uses Shrew Soft VPN Client software. Below is some of its config and then the connection screen. Hope the attachment below works this time.

Update: sorry, in screenshot red text at bottom, last sentence, it should say "can't ping any internal..."

[screenshot of the Shrew Soft configuration and connection screen]

Cang_Household
Community Leader

Shrewsoft, hmm... it is VPN client software that has been EOL and EOS for a couple of years now.

Anyway, when you bring up the tunnel, are you sure that the computer is routing all the traffic to the company router? If you ask Google what's my IP, does it display the company's IP? From my understanding of Shrewsoft and VPN, without tunnel splitting, all traffic is sent through the virtual adapter, encapsulated for security, and sent over the computer's actual adapter to G3100, then over the broadband to your company's VPN router. Your company's router would decapsulate the packet and decide to forward the packet to the internal LAN or to external resources.

I am thinking the tunnel is not even brought up yet. This could be G3100 blocking the NAT-Traversal by default. You might want to view G3100's Firewall Log to see any alerts. To further troubleshoot, do you know how to use SSH?

Also, who set up the Shrewsoft in the first place? I know its interface is a little tricky. Did you set it up?

SamerN
Newbie

No, my VPN is tunnel splitting. Google's What's my IP gives me the public IP of my router, not my company's router (while the VPN tunnel is connected). Don't forget that the VPN works perfectly fine if I use a wired connection between my computer and the G3100. The VPN doesn't work when I use Wi-Fi between my computer and the G3100, yet VPN over Wi-Fi worked fine with the G1100.

The VPN Shrewsoft file is setup by my company and everyone i work with uses the same file and it's the same file I used before with the G1100 and the same file with the G3100 over a wired line.

I have a good understanding of networking. I used to be a network admin many, many years ago and I am now in software and develop on a Linux appliance. So, yes, I know the fundamentals of routing and VPNs; I've just been out of the game for a long time so I am not familiar with all the latest details of VPNs. I know how to SSH, but wouldn't know what/where to go on the router to diagnose it. I just tried to SSH to the router and the connection was refused.

I checked the Firewall logs from the router GUI (thanks for the tip) and found these interesting two lines at the time of logging into the VPN wirelessly. These lines aren't there when I log into the VPN with a wired connection:

2021 May 24 21:58:48 kernel warning [FW] block fragment from 192.168.1.172 to <my work IP> protocol UDP source port 36070 dest port 20973
2021 May 24 21:58:48 kernel warning [FW] detect defragment error from 192.168.1.172 to <my work IP> protocol UDP source port 36070 dest port 20973

In the above, the 192.168.1.172 is my computer that I am trying to log in to the VPN with and the destination IP (which i removed) is the IP in the Shewsoft config (i.e. my office's router). Hope that this gives a clue.

Thanks for the help

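
The two router log lines in the post above, as a small detection routine (added example, not code from the post or from Verizon): it parses the G3100 "[FW]" fragment messages, groups them by flow, and counts block/defragment events per flow, so that a user can see at a glance which LAN host and which remote endpoint are losing fragments. The work IP 203.0.113.10 and the additional log lines are constructed sample data, and the IKE port check assumes only the standard UDP ports 500 and 4500.

```python
"""Parse G3100 firewall log lines and group fragment drops by flow.

Added example, not from the original post. The two message shapes
("block fragment" and "detect defragment error") are copied from the
post; the work IP 203.0.113.10 and the extra lines are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# The extracted log ran "21:58:48kernelwarning[FW]" together; the regex
# accepts either that or normally spaced fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2})\s*"
    r"(?P<facility>[A-Za-z]+?)\s*(?P<level>warning|notice|info|error)\s*"
    r"\[FW\] (?P<event>block fragment|detect defragment error) "
    r"from (?P<src>\S+) to (?P<dst>\S+) protocol (?P<proto>\w+) "
    r"source port (?P<sport>\d+) dest port (?P<dport>\d+)$"
)

Flow = Tuple[str, str, str, int, int]      # src, dst, proto, sport, dport
EVENTS = ("block fragment", "detect defragment error")
IKE_PORTS = {500, 4500}                    # IKE and NAT-T (UDP) by convention


def parse_line(line: str) -> Optional[Tuple[str, str, Flow]]:
    """Return (timestamp, event, flow) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    flow: Flow = (d["src"], d["dst"], d["proto"], int(d["sport"]), int(d["dport"]))
    return d["ts"], d["event"], flow


def fragment_drops(lines: List[str]) -> Dict[Flow, Dict[str, int]]:
    """Count fragment-related firewall events per 5-tuple flow."""
    counts: Dict[Flow, Dict[str, int]] = defaultdict(lambda: {e: 0 for e in EVENTS})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                        # unrelated log line
        _ts, event, flow = parsed
        counts[flow][event] += 1
    return dict(counts)


def describe(flow: Flow) -> str:
    """Human-readable flow label, flagging the well-known IKE/NAT-T ports."""
    src, dst, proto, sport, dport = flow
    kind = "IKE/NAT-T" if proto == "UDP" and dport in IKE_PORTS else "other " + proto
    return f"{src}:{sport} -> {dst}:{dport} ({kind})"


# Constructed sample: the post's two lines (work IP replaced with a
# documentation address), one repeat, and one unrelated line.
SAMPLE_LOG = [
    "2021 May 24 21:58:48kernelwarning[FW] block fragment from 192.168.1.172 "
    "to 203.0.113.10 protocol UDP source port 36070 dest port 20973",
    "2021 May 24 21:58:48kernelwarning[FW] detect defragment error from 192.168.1.172 "
    "to 203.0.113.10 protocol UDP source port 36070 dest port 20973",
    "2021 May 24 21:58:49 kernel warning [FW] block fragment from 192.168.1.172 "
    "to 203.0.113.10 protocol UDP source port 36070 dest port 20973",
    "2021 May 24 21:59:01 kernel notice [FW] some unrelated message",
]

if __name__ == "__main__":
    for flow, c in fragment_drops(SAMPLE_LOG).items():
        print(describe(flow), c)
```

On the sample data this reports a single flow from 192.168.1.172 to the work address with two blocked fragments and one defragment error; the unrelated line is ignored rather than mis-parsed.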
Cang_Household
Community Leader

The G3100 does come with a better firewall than the G1100. Probably this time the firewall is overzealous and drops legitimate packets.

Since you are using split tunneling, I doubt Googling what's my ip would go through the VPN, so this test is meaningless in hindsight. When you have the tunnel showing "up" and trace route a resource in the internal network, what do you see? If the VPN is in fact "up," the trace route should only display the IP address of the said resource, unless your company has layer 3 devices other than the VPN router in the network.

The logs you found are Firewall warning messages. It complains about a defragmentation error, which is indicative of MTU mismatches on interfaces. I see you set your Shrewsoft Virtual interface's MTU to 1380, which is smaller than 1500 to account for ESP headers. You might want to double check the router's and your computer's wireless interfaces' MTUs. Make sure they are set to either automatic or 1500 when in doubt.

G3100 does have a different wireless controller than G1100, which might be causing the issue. I might need to ask Verizon engineering for further clues.

Also, can you try to mess around G3100's wireless settings to see? Try 802.11ac only on 5GHz and 802.11n on 2.4GHz. Is your device 802.11ax capable?
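
The 1380-byte virtual-adapter MTU mentioned above exists so that an inner packet plus ESP overhead still fits in a 1500-byte outer packet. The arithmetic, as an added example (not code from the post, from Shrew Soft or from Verizon): it sizes an ESP tunnel-mode packet carried over UDP NAT-T using the standard header lengths, and reports the largest inner MTU that avoids outer fragmentation. The cipher and integrity algorithms are assumptions, since the thread does not say what the Cisco firewall negotiates; change them to match a real configuration.

```python
"""Inner-MTU arithmetic for IPsec ESP tunnel mode over UDP NAT-T (IPv4).

Added example, not from the thread. Header sizes are the standard ones;
the cipher/integrity defaults (AES-CBC + HMAC-SHA1-96) are assumptions.
"""
OUTER_IPV4 = 20    # outer IP header, no options
UDP_NATT = 8       # UDP 4500 encapsulation (RFC 3948)
ESP_HEADER = 8     # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header

# cipher -> (IV bytes, padding alignment). ESP always pads to at least
# 4-byte alignment; CBC ciphers pad to their block size.
CIPHERS = {"aes-cbc": (16, 16), "3des-cbc": (8, 8), "aes-gcm": (8, 4)}
# integrity -> ICV bytes (for aes-gcm use its own 16-byte tag here)
ICVS = {"hmac-sha1-96": 12, "hmac-sha256-128": 16, "aes-gcm-128": 16}


def esp_packet_size(inner_len: int, cipher: str = "aes-cbc",
                    integ: str = "hmac-sha1-96", natt: bool = True) -> int:
    """On-the-wire size of one inner IP packet after ESP tunnel encapsulation."""
    iv, align = CIPHERS[cipher]
    icv = ICVS[integ]
    body = inner_len + ESP_TRAILER        # inner packet + pad-length/next-header
    pad = (-body) % align                 # bytes of padding to reach alignment
    return (OUTER_IPV4 + (UDP_NATT if natt else 0)
            + ESP_HEADER + iv + body + pad + icv)


def needs_fragmentation(inner_len: int, outer_mtu: int = 1500, **kw) -> bool:
    """True if the encapsulated packet would exceed the outer link MTU."""
    return esp_packet_size(inner_len, **kw) > outer_mtu


def max_inner_mtu(outer_mtu: int = 1500, **kw) -> int:
    """Largest inner packet whose encapsulation still fits in outer_mtu."""
    for n in range(outer_mtu, 0, -1):
        if esp_packet_size(n, **kw) <= outer_mtu:
            return n
    raise ValueError("no inner packet fits in this outer MTU")


if __name__ == "__main__":
    print("1380-byte inner packet ->", esp_packet_size(1380), "bytes on the wire")
    print("1500-byte inner packet ->", esp_packet_size(1500), "bytes on the wire")
    print("largest inner MTU without outer fragmentation:", max_inner_mtu())
```

With the assumed algorithms, a 1380-byte inner packet becomes 1456 bytes on the wire, comfortably under 1500, whereas an inner packet that uses the full 1500 bytes becomes 1568 bytes and must be fragmented by the sending host or router, which is exactly the situation that produces "block fragment" and "defragment error" style messages at a fragment-inspecting firewall. The largest inner MTU that avoids fragmentation under these assumptions is 1422, so 1380 leaves a margin for other overheads.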

SamerN
Newbie

My PC's NIC is an Intel® Dual Band Wireless-AC 8260, so it doesn't do ax. The G3100 lets me only set the Wi-Fi to Compatibility Mode, which includes ax, or Legacy Mode, which doesn't include ax. I tried Legacy mode and it didn't help.

Also yesterday I tried changing the MTU in the Shrewsoft config down to 1000 from 1380. Didn't make a difference. I changed the G3100 MTU from Automatic to 1500. No help.  Not sure where I can play with the MTU setting on my device's adapter.

Just to make matters more interesting. I have 3 offices in my Shrewsoft I can connect to. All use the same exact configuration (except for the IP of that office). 1 out of the 3 works without issues while I am on Wifi, but that's the one I don't normally connect to since it's international.

Here is a screen shot of trace routes showing the difference when on wifi vs wired.

[screenshot of tracert results over Wi-Fi vs. wired]

Cang_Household
Community Leader

The tracert to the office resource shows the tunnel is not really "up." Since your MTUs are set to automatic, just leave them as automatic for now. Can you replicate the Shrewsoft settings onto your phone's built-in VPN? I just want to see whether you can use phone over WiFi to connect. You might need to download some ping and tracert utilities. I will take your observation to Verizon engineering for some insights.

SamerN
Newbie

I am not sure what you mean by this (The tracert to the office resource shows the tunnel is not really "up.")?

Both tracerts are to the office. The one over the wired connection completes and the other over Wi-Fi times out. Are you referring to the second one? In both cases, the Shrewsoft client says tunnel enabled.

Unfortunately, I have an iPhone and have tried to set it up with VPN in the past to those two offices that aren't working now, and it couldn't be done, so I can't test that 😞 For what it's worth, I have a laptop already configured with Shrewsoft that was also working fine before and now has the same issue. The laptop doesn't have wired Ethernet (unless I get a dock) so I can't use it for work right now.
