Linksys BEFSX41, VPN..What am I doing wrong?

[MountainNetworks]

Hello:

I'm trying to setup a vpn so than anyone from any location with a preshared key can get in to the office network. Of course, nothing is as simple as it should be.

Here's a text diagram of my network:

Internet
Linksys-BEFSX41..192.168.2.2
Windows 2000 Workstations (Static IP) 192.168.2.x

Remote PC trying to access...Windows XP Home over Dialup.

I purchased the Linksys device with the belief that it was an endpoint which would authenticate and connect so that I could map network drives to any shared network device.

Here's how I set up the Linksys VPN:

This Tunnel: Enable
Tunnel Name: whatever
Local Secure Group: Subnet 192.168.2.0
Mask: 255.255.255.0

Remote Secure Group: Any (This Gateway accepts request from any IP address!)

Remote Security
Gateway: Any (This Gateway accepts request from any IP address!)

Encryption: DES 3DES Disable
Authentication: MD5 SHA Disable

Key Management:
Auto. (IKE)Manual
PFS (Perfect Forward Secrecy)
Pre-shared Key: (something-stupid)
Key Lifetime: Sec. 3500


Now, on the WinXP Home side, I've tried any number of configuration combinations. None of them work. What am I missing?

Here's the VPN Log from the Linksys:

2003-05-22 12:26:06 IKE[6] Rx << MM_I1 : 66.248.81.40
2003-05-22 12:26:06 IKE[6] TX >> MM_R1 : 66.248.81.40
2003-05-22 12:26:06 IKE[6] ISAKMP SA CKI=[9f8b9fee 7dc2b8c5] CKR=[c6f48884 17286057]
2003-05-22 12:26:06 IKE[6] ISAKMP SA 3DES / SHA / PreShared / MODP_1024 / 28800 sec
2003-05-22 12:26:08 IKE[6] Rx << MM_I2 : 66.248.81.40
2003-05-22 12:26:08 IKE[6] Tx >> MM_R2 : 66.248.81.40
2003-05-22 12:26:10 This connection request matches tunnel 1 setting !
2003-05-22 12:26:10 IKE[1] Rx << MM_I3 : 66.248.81.40
2003-05-22 12:26:10 IKE[1] Tx >> MM_R3 : 66.248.81.40
2003-05-22 12:26:11 IKE[1] Rx << QM_I1 : 66.248.81.40
2003-05-22 12:26:11 IKE[1] **Check your Encryption and Authentication method settings !
2003-05-22 12:26:11 IKE[1] Tx >> Notify : NO-PROPOSAL-CHOSEN
2003-05-22 12:26:11

As I'm trying to use the Linksys as the endpoint, I've tried loggin in as &quot;Admin&quot; with the password. When I do this, I don't get the error on the VPN Log, but I don't get in either. Otherwise, I enter a login and password of someone on the network. Then I get the error. But I shouldn't be actually logging in at all because there's nothing to authenticate the login. I haven't set up any of the workstations behind the network to authenticate with VPN. That's what I thought the Linksys was supposed to do!

I'm totally confused. Help.

 

[markku]

Linksys uses IPSec, use SSH Sentinel instead.

Windows IPSec is a joke.

 

[MountainNetworks]

Forgive me for my blathering ignorance. I have no idea what ssh sentinel even is.

You may be of the opinion the IPSec is a joke, but for right now, that's all they've got. My client is not a large conglomerate corporation with millions of dollars in the bank to spend on infrastructure. So I ask again, does anyone know how to make VPN work with the equipment we've got?

Thanks

 

[markku]

Hi,

You can get Windows IPSec working with BEFSX41 by following the instructions provided by Linksys in their site,however, the only sensible IPSec client is SSH Sentinel.

The instructions can be found here:

http://forum.homenethelp.com/tm.asp?m=5590&p=1&tmode=1&smode=1

And the software here:

http://www.olin.wustl.edu/computing/reference/wireless/ipsec.cfm

 

[MountainNetworks]

Hello:

I was able to get VPN working. The problem was that I was trying to configure the client using the &quot;Create New Connection&quot; wizard. I was expecting to have a client log on and put in the password each time they connect. I wasn't expecting to have an IPSec policy which created an always on type of connection.

Once I configured IPSec, I was able to access the network.

However, now I've got a new problem. The connection I successfully established was just over an uprotected dialup connection from an XP Home machine at my house.

My client's remote computer is behind a Linksys SR11. I've tried setting up port forwarding and port triggering. 47-47, 500-500 and 1723-1723. Nothing works. All the ping says is &quot;Negotiating IP Security&quot; which means it's not connecting.

Any thoughts?

Thanks...

 

[markku]

Use Sentinel. Do not waste your time with Windows IPSec. Sentinel works over your BEFSR11 as well.

 

[Deonroman]

Hey Markku,

I have a similar setup with sentinel. I am able to get a connection but I am unable to see the computers on the network at the office. Any suggestions.

 

[markku]

Sentinel does not support NetBios broadcasts. True men use only \\rem.ote.LAN.IP\\sharedresource...

 

[MountainNetworks]

markku:

As I've said before, I've never heard of sentinel, don't know how to get it, wouldn't know how to configure it, and if there's a charge, my client won't buy it. Additionally, my client is a small mortgage firm. They can barely find the mouse! You expect them to \\remote anything? Don't hold your breath.

I've received an email from a senior Linksys tech who has agreed to work with me on troubleshooting why the textbook configurations don't seem to work with this device. After I have a solution, I'll post the results for the benefit of all.

Thanks....

 

[markku]

Hi MountainNetworks,

Can't read either?

Have given you links to free software and instructions, what else do you expect?

Windows IPsec requires static known IPs both ends which never is the case with dialup.

Youe only change is to forget IPSec in the router and use PPTP instead with necessary port forwarding, port 1723 to your PPTP server.

 

[irish21]

SSH Sentinel can be found at

http://www.ssh.com

and costs $130. You can get an evaluation copy on their site to see if you like it first. The good thing about this software is that Linksys will help you configure it if you run into problems.

 

[MountainNetworks]

I've read your links. This is how I was able to configure the IPSec from my XP home machine, connected over dialup, to the sx41 VPN endpoint. So...I guess that crack about my own literacy didn't apply.

However, the connectivity problem still remains with sr11. Althought I've read the directions..to the letter, I still can't establish a connection. And this connection is over a static ip DSL on an XP Home machine, which I gave a static IP address 192.168.1.70 and is outside the DHCP pool.

 

[irish21]

I don't know how you guys understand and are able to help over posts! I have set this sentinel to linksys up several times with success and I just don't understand where the breakdown is. VPN device setup properly? Client sentinel software configured properly? What is the error in your log file? I would need a lot more info than this to help you. I am glad markku understands.

 

[markku]

Hi MountainNetworks,

If you still are trying to use Windows IPSec I doubt it never works thru BEFSR11, because Windows IPSec does not support NAT-T.

If you are using Sentinel, just allow IPSec passthru in BERFSR11 and it works.

The IP schemes behind routers should be in different networks, e.g. 192.168.1.x and 192.168.2.x. IPSec is routing, not bridging.

 

[MountainNetworks]

Hi Marku:

Since I can't really draw or attach a diagram in this newsgroup, allow me to try and give a text diagram...

Functional, working, accessible VPN configuration:

Main Office - :

Cloud (T1 brought in by Telepacific) -> BEFSX41 (WAN IP 64.60.xxx.xx LAN IP 192.168.2.2) -> Cobalt Qube3 ( 192.168.2.1 pretty cool little php driven Linux box from Sun) -> Windows 2000 workstations (static IPs).

My house - :

Cloud (a simple dialup connection) -> IPSec (manually configured, works great) -> VPN -> and we're in! Since IPSec can't handle DHCP, I have to unassign the policy, change my local IP Address, then reassign the policy. Life sucks, haven't tried sentinel at home.
--------------------------------------------------------------------------------------------------

Non-functional configuration - :

Main Office (same as above)

Remote Satellite Office - :

XP Home (LAN IP: 192.168.1.70) -> Manually configured IPSec policy -> BEFSR11 (VPN Piss through enabled!, port forwarding of 47-47, 500-500, 1723-1723)

Couldn't connect. So I tried port triggering instead. Still doesn't work.

Sentinel won't work either. The problem is with the SR11, not with the XP client configurations. Old Firmware? Should I have power cycled the thing? I dunno.

 

[markku]

For your remote office I would recommend another BEFSX41, it is less expensive than legal Sentinel licence. There are some glitches with this box, but in SX/SX combo they do not apply.

I have used Sentinel -> BEFSR41 -> Internet -> BEFVP41 combo, see the referred document chapter4.

At the moment I do not have a working test setup in hands, but [ trying to remember... ] tweaking IPSec passthru on/off in the BEFSR router and enabling/disabling NAT-T in Sentinel should do the trick.

Since Sentinel/Linky combo accepts dynamic client IP by default it is far more flexible than M$ IPSec policy.

 

[Deonroman]

Is there any configuration that will allow you to use Win XP's remote desktop feature over the VPN connection?

 

[markku]

Hi,

Remote Desktop ( = Terminal Server ) works perfectly over VPN. VPN tunnel is transparent to any application.

This is used typically to run SQL-based client/server applications remotely. They do move a lot of data locally, which is OK in 100 Mb/s LAN. Remote users cannot have anywhere near of this bandwidth, so Remote Desktop by running the actual application in remote server and transferring only the display, keyboard and mouse information in compressed form speeds up the application enormously.

 

[MountainNetworks]

Finally got it working. What I ended up doing was getting rid of the SR11 and putting in a SX41 in it's place. After updating the firmware, I just did a site to site, hardware to hardware vpn connection.

But who knew the connection would be about a slow as dialup :-/

Conclusion...Linksys isn't the solution for a Business Enterprise solution. It's great for grandma and other low-end residential users, or for the one-person business who doens't give a rip about security.

My own personal adventure will continue with some proven SonicWall SOHO3 boxes.

 

[markku]

Hi MountainNetworks,

You should use Terminal Server if you need speed. Windows networking is slow by definition. SOHO3 will not help this situation, since BEFSX/BEFSX combo is capable of 1.5 Mb/s 3DES speed.

Your speed is limited by upload/upload speed of your connections.

Nice we ended up with same solution