
Linksys BEFVP41 VPN problems


ScottCudmore

Technical User
Jan 24, 2002
Hi,
I just purchased the new Linksys VPN router. I want to be able to connect to my home network from a remote Windows 2000 machine. There are no steps or docs on how to do this, only Linksys to Linksys VPN. When I connect from a Windows VPN connection, all I get is an error on the Linksys.

Does anyone have any ideas?

Scott

 
I was able to change the NetBIOS setting under the IPSecAdvance.htm page on both ends. Unfortunately, I am still unable to browse/Ping/Map to the remote network...

This wouldn't have anything to do with trust relationships between the two domains, would it???

Thanks
Tcompe
 
I just ran into the browse/ping/map issue recently. I had just set up a lab at home with 2 BEFVP41s and 1 W2K server behind each one to simulate a network VPN connection going across a WAN connection.

Initially, after setting up the VPN tunnel successfully with netbios broadcasts enabled, I was able to ping and browse and map to shares.

I then stress tested the VPN connection by transferring large amounts of data (650MB to 1.6GB) from network a to network b. After the transfer was complete, I let the computers and routers sit for a while. I had the VPN connection set to 0 for the lifetime of the connection so the connection still should have been active.

About half an hour later, I tried getting to some of the shares on the other computer through the VPN. Lo and behold, I could not ping or get any shares. To try and resolve, I went to the VPN interface page and found that the tunnel was still intact.

So, I tried disconnecting the link and then reconnecting the link. The disconnect, reconnect worked no probs, but I still was not able to ping or access any shares. I went to one of the VP41 routers and rebooted it. Guess what? After that it worked. However, the darn problem still persisted after a little while. Rebooting the suspect VP41 seems to clear the problem temporarily.

To test further, I used ping to see where the ping would stop in relation to the computer I was using. From one of the computers, I would ping the default gateway, the wan ip address of the closest vp41, then the wan ip address of the remote vp41, and then the ip address of one of the computers on the remote network.

I found that when I was having this problem, I was able to successfully ping all points except the remote network (this is from both sides mind you). Pinging the default gateway, wan ip of local vp41, wan ip of remote vp41 work great. Just not able to hit the remote network for some reason.

Further testing has revealed to me that one of the NIC cards that I am using seems to be the culprit. One of the NICs that I am using is based on the Realtek 8139 chipset and this is the one that seems to be causing all my problems. Using the other NIC (on-board NIC on the motherboard) works great. I don't have any problems at all. I will be doing further testing later on over the next few days.

So far, that's all the info I have. You might want to try running your ping commands and see how far it goes.

To summarize, I suspect that the Realtek NIC (8139) is probably incompatible. I have tried using the latest drivers from the Realtek website.

Rebooting one or both of the VP41s might help.

Test to see how far the pings will go from network a to b - try pinging default gateway, wan ip address of local vp41, wan ip address of remote vp41, and a computer on the remote network.

Another thing, what are the IP address schemes you are using? The IP address schemes you use have to be different, i.e. 192.168.1.0 for net a and 192.168.2.0 for net b.

Make sure that these are reflected in the VPN config page.

Hope that this helps...
 
Hey all,
Just an FYI.
I am running 2 BEFVP41's on cablemodems linking 2 remote networks. I am having no problems, (I actually run 2 2000 servers in the same domain via this tunnel, It's flawless)
I am running a newer rev of the firmware (1.40.2, It actually allows the use of FQDN's now!) Works great. I also pass pptp thru it to the 2000 servers, That works fine.

I wish it had a real telnet interface, I hate sloppy GUI's, But I am used to Cisco, Can only afford Linksys personally.

If you need the new rev (You think) Email their tech support.

 
If you have both ends of the router with the same ip scheme(ex. 192.168.1.X), you will run into file sharing problems...

To fix it, just change one side to 192.168.0.X and the other side keep it at 192.168.1.X.

 
Ok, as in my previous post, I connected two Linksys VPN routers together and the connection has been established (on both sides). But I do not know what I need to do next to be able to see the computers on the other side. We have XP Pro machines on the one side and Win 98 on the other side. For the LAN IP I used 192.198.1.X on both sides, otherwise I cannot make the connection.
But even so, for you guys that have made the connection what else did you guys do. Do you guys see the remote network on network neighborhood and are able to browse it??
What else do I need to do??
Any help is greatly appreciated.
 
TimothyCox: Where did you get this 1.40.2 firmware?
shows the latest as 1.39.64

I hit their FTPsite and found a file befvp41.zip in their beta directory but the zip has a password. /pub/network has the befvp41-fw13964.zip

Also are there any other "hidden" admin pages?

Sam88: the LAN networks HAVE to be different. That is just IP. Your workstation will send out an ARP looking for a MAC address for a host on its network and will receive no response, unless the Linksys will function as some sort of an Ethernet VPN bridge.
When packets are for a different network than the source, the IP packet will be sent to the default gateway (Linksys VPN router) and the router will know that it needs to encrypt the data and send it out to its peer router.

You should be able to ping; if you can't perform an echo then I wouldn't expect any file xfer. If you can, I would set up an XP/NT or 2000 box in place of the 98 for testing, and see if you can access the remote computer by using \\192.168.2.2 (from 192.168.1.2).
 
Is anyone having success using the BEF for the server side of things and just the win2k/xp vpn software for the client side? Just got the router and after reading all the posts here am wondering if I should even crack the box...

thx
 
I have spent over 60 hours with Linksys Tech Support trying to get two of these routers to work. At one point they provided me with the 1.40.2 firmware but that did not help. The second level support guy suggested I was better off with 1.39.01 put me back to that.
We see the same symptoms that others report - I get a connection between the routers and the icons for the network group appear in Network Neighborhood, but you can not ping a machine on either side and you can not see the machines within the network group. Since last week, I have been in the hands of Engineering. During the course of all the time spent talking to their support I have heard every BS answer imaginable and they have replaced the boxes three times. I finally got ahold of one person who seemed to care and spent over a week working with me to try and resolve the problem before he gave up.
I have one box connected between the cable modem and a switch connected to our office LAN. Address is 192.168.1.1 with machines on the LAN addressed at 192.168.1.2 through 100. DHCP handled by our Novell file server.
The other box is addressed as 191.168.01.1 and has been attached between a Bell South DSL modem and single Win XP workstation as well as between a cable modem (same provider as the office) and my 3 machine peer to peer network at home running Win 98 and Win ME. Same results everywhere - I can see the netware group icons but can not ping or access machines within the network group. I am beginning to believe the boxes simply do not work. Any advice would be appreciated. Bobcole@servicecpa.com
 
rcole7245: ( And Others )
I too have had the same problem as you and spent many hours with Linksys Tech support to no avail. Since then I have successfully resolved the issues by changing Network B to the following address 192.168.2.0 with Network A as 192.168.1.0. Both VPN routers' firmware is 1.39.01.

I am currently running Windows 2000 workstations on both ends as well as WIN2K Servers. Both Networks are configured as independent domains and both are utilizing DHCP.

My VPN configuration is as follows:
***********************************************************
This Tunnel: Enabled
Tunnel Name: Network B

Local Secure group: Subnet IP: 192.168.2.0
MASK: 255.255.255.0

Remote Secure Group: Subnet IP: 192.168.1.0
MASK: 255.255.255.0

Remote Security Gateway: IP Addr.: IP: xxx.xxx.xxx.xxx (Wan IP address of the Network A)

Encryption: 3DES
Authentication: SHA

Key Management Auto (IKE)
PFS is checked

Pre-Shared Key = xxxxxxxxxxxxx

Lifetime = 0
************************************************************
The other router is configured as follows:
This Tunnel: Enabled
Tunnel Name: Network A

Local Secure group: Subnet IP: 192.168.1.0
MASK: 255.255.255.0

Remote Secure Group: Subnet IP: 192.168.2.0
MASK: 255.255.255.0

Remote Security Gateway: IP Addr.: IP: xxx.xxx.xxx.xxx (Wan IP address of the Network B)

Encryption: 3DES
Authentication: SHA

Key Management Auto (IKE)
PFS is checked

Pre-Shared Key = xxxxxxxxxxxxx

Lifetime = 0
***********************************************************


My current issue is the same as "curious2 (Visitor)", which is I am able to access resources on both ends but after transferring data or just doing a simple print job the tunnel no longer works. Just as Curious2 indicated, the Tunnel will show connected but I am unable to Ping/Map or Browse the remote network. If I reboot the routers and make the connection again all is well.

If anyone has any insight as to what may be causing this it would be greatly appreciated....

One other note, Curious2 indicated that he may have felt this was a problem with the NIC card (Realtek 8139). Unfortunately, I am seeing the same problem with integrated NIC card as well.

Thanks
tcompe
 
I had no problem with my 2 VPN box config. The two things I notice that are different between mine and yours are:
1) I didn't set the lifetime=0; I did increase it x10 to 36000 vs 3600.
2) I don't have a Static IP on the one end so I have it setup on Network A to accept connections from a network range VS an IP. So network B can start the connection because B's Wan address is dynamic.

You may have static IPs but that might be something to play with to see if it works. This way you can see and verify that the key exchange is happening correctly and your tunnel is always being created from one direction. Also, what does your VPN log say when the tunnel doesn't send data through anymore?
 
To tcompe9139:

I downloaded the 1.40.2 firmware from the following site where a user was kind enough to post. He says that he was forwarded the firmware from Linksys tech support. The *.zip file contains firmware for 1.39.64, 1.40.1, and 1.40.2. I have flashed my VP41s to the 1.40.2 and am testing. Mind you, this is an unsupported unofficial release, so if anyone is going to be using this, use at your own risk. Once you get to the site, the user name posting this is mlgm. The posting is somewhere near the middle of the page.


So far, at least to me, stability seems to be a lot better than the 1.39.64 release. I did make a couple of changes in the configuration though to see if this would help with keeping the data passing through the tunnels more consistently.

The changes I have made are as follows:

In the VPN web interface config page, I tried changing Key Lifetime (just like madnessxx) from 0 to another number greater than 3600 seconds. The number I tried was 99999999999999999. For some strange reason, when I would hit apply, the number would change to 1410065407. Did this on both of my VP41s, so I just left it at that.

The other change I did was to go to the 192.168.1.1/IPSecAdvance.htm page and made sure that the Keep-Alive box was selected. Supposedly, according to the Help file, this Keep-Alive function is supposed to re-connect a tunnel after it has been disconnected. Yeah, I know that the tunnel in your scenario is intact and the data won't flow from Net A to Net B, but I wanted to see if this would help.

Anyways, will keep testing to see how this turns out.
 
Probably the biggest problem I am seeing with everyone's config who is having trouble is (as noted by NIK_420) your addressing scheme.
2 identical subnets cannot route between one another, Rule 1 of IP and routing.
I use a 10.1.1.0/24 (255.255.255.0) on one end and 10.1.2.0/24 on the other (It suits my needs).

For name resolution, Either 2 WINS servers (1 on each end of the pipe) that replicate with each other or 2 2000 servers replicating via active directory/dynamic dns.

I chose the latter, But then again, I am MSDN and get lots of stuff for free :)

Your only other choice is really UGLY, That would be to manually maintain LMHOST files on all the PC's in between UGH. UGH. UGH.

The router will not pass browser broadcasts from clients, Hey, It's a router, That's really all it is! (packet "A" to interface "B") You need to supply another method of name resolution. You have no choice, It's just a stupid device.

If you have NTSERVER lying around, WINS is wicked easy to configure to replicate right across the VPN Pipe, DNS and 2000 require a bit more finesse.

I hope all my blabbering has been somewhat useful to you all.

Bye.


And yes, I did say "wicked" oh, how I miss the 80's......
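The subnet rule NIK_420 and TimothyCox state above (two identical ranges cannot route to each other), applied to the two tunnel pages tcompe posted earlier in the thread. This is an added example, not code from the thread or from Linksys; the WAN addresses and pre-shared key are the placeholders from the post, and the "Same range" config is constructed to show what the check reports for the 192.168.1.X-on-both-sides mistake.

```python
import ipaddress
from typing import Dict, List

# Tunnel pages as transcribed from tcompe's post; WAN address and pre-shared
# key are the same placeholders the post used.
NETWORK_B = {
    "name": "Network B", "local": "192.168.2.0/255.255.255.0",
    "remote": "192.168.1.0/255.255.255.0", "gateway": "xxx.xxx.xxx.xxx",
    "encryption": "3DES", "auth": "SHA", "pfs": True, "lifetime": 0,
    "psk": "xxxxxxxxxxxxx",
}
NETWORK_A = {
    "name": "Network A", "local": "192.168.1.0/255.255.255.0",
    "remote": "192.168.2.0/255.255.255.0", "gateway": "xxx.xxx.xxx.xxx",
    "encryption": "3DES", "auth": "SHA", "pfs": True, "lifetime": 0,
    "psk": "xxxxxxxxxxxxx",
}
# Constructed variant of the mistake several posters made: the same
# 192.168.1.X range configured as both the local and the remote secure group.
SAME_RANGE = dict(NETWORK_A, name="Same range", remote="192.168.1.0/255.255.255.0")


def net(spec: str) -> ipaddress.IPv4Network:
    # ipaddress accepts "address/dotted-mask"; strict=False tolerates host bits.
    return ipaddress.ip_network(spec, strict=False)


def check_end(cfg: Dict) -> List[str]:
    """Problems visible from one router's tunnel page on its own."""
    local, remote = net(cfg["local"]), net(cfg["remote"])
    problems = []
    if local.overlaps(remote):
        problems.append(
            f"{cfg['name']}: local {local} overlaps remote {remote}; hosts will ARP "
            "for remote addresses on their own LAN instead of using the router")
    return problems


def check_pair(a: Dict, b: Dict) -> List[str]:
    """Problems that only show up when the two tunnel pages are compared."""
    problems = check_end(a) + check_end(b)
    # Each side's local secure group must be the other side's remote secure group.
    if net(a["local"]) != net(b["remote"]):
        problems.append(f"{a['name']} local {a['local']} != {b['name']} remote {b['remote']}")
    if net(a["remote"]) != net(b["local"]):
        problems.append(f"{a['name']} remote {a['remote']} != {b['name']} local {b['local']}")
    # The pre-shared key and proposal must match for IKE to complete; lifetime and
    # PFS are compared too because the thread changes them on both ends together.
    for key in ("encryption", "auth", "pfs", "lifetime", "psk"):
        if a[key] != b[key]:
            problems.append(f"{key} differs: {a['name']}={a[key]}, {b['name']}={b[key]}")
    return problems


if __name__ == "__main__":
    for pair in ((NETWORK_A, NETWORK_B), (SAME_RANGE, NETWORK_B)):
        print(pair[0]["name"], "<->", pair[1]["name"], check_pair(*pair) or "OK")
```

The /25 masks wmckenney posted later in the thread (255.255.255.128) are handled the same way, since the check works on the parsed network rather than the third octet.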
 
(Timothy Cox)

"The router will not pass browser broadcasts from clients, Hey, It's a router, That's really all it is! (packet "A" to interface "B") You need to supply another method of name resolution. You have no choice, It's just a stupid device."

Not trying to flame or anything, but, Sorry, but I have to disagree with that part of your post here. The router IS capable and CAN pass Netbios Broadcasts. You just have to activate NetBios broadcasts in the Advanced VPN config page. Since you are running with firmware version 1.40.2, all you have to do is get to the web interface, go to the VPN tab, and at the bottom of this page you will see in itsy bitsy tiny blue letters: more... (just to the right of the View Log radio button).

Click on that section and it will take you to the Advanced VPN config page. Near the bottom, you will see a box marked Netbios Broadcast. Check it off, click Apply, and it WILL pass netbios broadcasts. I'm telling you, it does work.

Although I do agree with you that if you are going to be running 2 separate networks, you probably should use WINS servers.


 
Did we ever come to any kind of conclusion as to the resolution of the "Negotiating IP Security" problem ???...
I keep getting the following after I activate the Win2K local IPSec Policy, then do a ping to my 2KServer box on the other side... all of this after following Linksys' directions EXACTLY:

Negotiating IP Security.
Negotiating IP Security.
Negotiating IP Security.
Negotiating IP Security.
Ping statistics for 192.168.1.103:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum =  0ms, Average =  0ms

I will be posting results with third party IPSec clients shortly, but I'd really love to connect with the stock Win2K pro IPSec client.

Any Thoughts???

Trevor Farren,
t.farren@tfc-com.com
 
You know, I did this same thing with a W2K Pro to VP41.

Ran a ping 192.168.1.x command, and I also got

Negotiating IP security
Negotiating IP security
Negotiating IP security
Negotiating IP security

However, when I ran the command:
ping -t 192.168.1.x, I got

Negotiating IP security
Negotiating IP security
Negotiating IP security
Negotiating IP security
Negotiating IP security
Reply from 192.168.1.x: bytes=32 time<10ms TTL=150
Reply from 192.168.1.x: bytes=32 time<10ms TTL=150
Reply from 192.168.1.x: bytes=32 time<10ms TTL=150
Reply from 192.168.1.x: bytes=32 time<10ms TTL=150
Reply from 192.168.1.x: bytes=32 time<10ms TTL=150
Reply from 192.168.1.x: bytes=32 time<10ms TTL=150
Reply from 192.168.1.x: bytes=32 time<10ms TTL=150
Reply from 192.168.1.x: bytes=32 time<10ms TTL=150
Reply from 192.168.1.x: bytes=32 time<10ms TTL=150
etc...

ping -t switch just pings forever until you tell it to stop.

This tells me that the W2K Machine needs time to negotiate the IPSec connection.

If the W2K machine is set up correctly and the Linksys tunnel is configured correctly and enabled, you should be able to establish the connection.

Try using the ping -t switch and see what happens.


 
Curious2 just taught me something. I guess not needing NetBios, I never even looked for it. I used to use a PPTP tunnel to link these particular locations and was accustomed to using WINS or ADDNS Name resolution.

It will still be more reliable and faster resolving than trusting NetBios will propagate.

I'll shut up now.
 
Linksys comes with Netbios Broadcasting, but that may clog the ipsec tunnel, and it's not so safe... I would definitely use a wins server, or if it's a small network, set up lmhost files....

To all of you that are having disconnection problems, try this, it worked for me.... Force your NICs on both ends down to 10 half duplex, disable netbios broadcast on both ends (we only want IP traffic going through)... Have DES and MD5 as your security, with the max rekey lifetime of 1410065407.... with either firmware 1.39.66 or 1.40.2... post what the outcome is.
 
I also am having problems. Have BEFVP41 on both ends. Tunnel shows as connected but when I ping remote LAN I get "reply from: (IP address within ISP network): TTL expired in transit". Tracert shows packet passing back and forth within ISP's network. When doing ping from other end get same result but reply is from that end's ISP network.

Here is how I currently have configured:
Firmware version at both ends 1.39.66


WIN98 >HUB>BEFVP41>Fujitsu (FC966 RA14) DSL Modem>internet>Cell Pipe DSL Modem(Cell-20A-GX-CB)>BEFVP41>HUB>WIN98

Tunnel shows as connected but can’t ping or see remote group in network neighborhood.

Configuration:

Local secure group 10.3.142.0
Subnet mask 255.255.255.128

Remote secure group 10.3.141.0
Subnet mask 255.255.255.128

3DES (have tried DES and disabled as well with no change)
SHA (have tried MD5 and disabled as well with no change)

Auto (IKE)

PFS checked (have tried unchecked as well with no change)

Key lifetime 36000 (have tried 3600 default value as well with no change)


Advanced settings for IPSec Tunnel

Phase 1:
Main Mode
Proposal 1:
DES
SHA
768 bit
36000

Phase 2:
Proposal:
3DES
SHA
PFS:ON
GROUP:768-bit
Key lifetime: 36000

NetBIOS broadcast (checked)(have tried both ways with no change)
Anti-replay (unchecked) (have tried both ways with no change)
Keep-Alive (checked) (have tried both ways with no change)
If IKE failed (unchecked)


Linksys has as yet been unable to resolve this, but I have set up a test tunnel with Linksys and get the same results...tunnel connects but no IP traffic gets through.
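The three ping outcomes quoted in this thread (Trevor's and curious2's "Negotiating IP Security" runs, and wmckenney's "TTL expired in transit" replies) sorted by a small triage routine. This is an added example, not anything from the thread or from Linksys; the transcripts are constructed to match the quoted output, and 203.0.113.9 is a stand-in for the unnamed ISP address.

```python
import ipaddress
import re

# Constructed transcripts modelled on the ping output quoted in the thread:
# Trevor's four "Negotiating IP Security." lines, curious2's ping -t run that
# eventually answered, and wmckenney's "TTL expired in transit" replies.
NEGOTIATING_ONLY = """Negotiating IP Security.
Negotiating IP Security.
Negotiating IP Security.
Negotiating IP Security.
Ping statistics for 192.168.1.103:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),"""
NEGOTIATING_THEN_REPLY = """Negotiating IP Security.
Negotiating IP Security.
Reply from 192.168.1.103: bytes=32 time<10ms TTL=150
Reply from 192.168.1.103: bytes=32 time<10ms TTL=150"""
TTL_EXPIRED = """Reply from 203.0.113.9: TTL expired in transit.
Reply from 203.0.113.9: TTL expired in transit."""

REPLY_RE = re.compile(r"^Reply from (\d+\.\d+\.\d+\.\d+): (.*)$")


def triage(transcript: str, remote_net: str) -> str:
    """Classify a Windows ping transcript for a target inside remote_net."""
    remote = ipaddress.ip_network(remote_net)
    negotiating = replies = timeouts = 0
    expired_from = set()
    for line in transcript.splitlines():
        line = line.strip()
        if line.startswith("Negotiating IP Security"):
            negotiating += 1          # the Win2K IPsec policy is still doing IKE
        elif line.startswith("Request timed out"):
            timeouts += 1
        elif (m := REPLY_RE.match(line)):
            src, rest = m.groups()
            if "TTL expired in transit" in rest:
                expired_from.add(ipaddress.ip_address(src))
            elif rest.startswith("bytes="):
                replies += 1
    if replies:
        # Replies after negotiating lines are the ping -t case: the SA came up
        # after a few seconds, so the tunnel itself is fine.
        return "reachable" if not negotiating else "reachable-after-ike"
    if any(src not in remote for src in expired_from):
        # A TTL-expired reply from an address outside the remote LAN means the
        # packet was routed out to the WAN as plain Internet traffic and looped
        # there instead of entering the tunnel.
        return "looping-outside-tunnel"
    if negotiating:
        # Only negotiating lines: IKE never completed within the four default
        # pings; retry with ping -t as curious2 did before blaming the tunnel.
        return "ike-not-established"
    return "no-response"
```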
 
Reply to: wmckenney (TechnicalUser)

It definitely seems to be your ISP.... 9 out of 10 times, when traffic is not going through, especially with the symptoms that you're having... It points to your ISP; they block and set up filters for security reasons (viruses, hackers etc.....)
 
Just wanted to say thanks for everyones help...
All is working well...

Thanks
Again
tcompe
 