Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Linksys BEFVP41 VPN problems

Status
Not open for further replies.

ScottCudmore

Technical User
Jan 24, 2002
3
US
Hi,
I just purchased the new Linksys VPN router. I want to be able to connect to my home network from a remote Windows 2000 machine. There are no stpes or docs on how do do this. Only Linksys to Linksys VPN. When I connect from a Windows VPN conenction, all I get is an error on the Linksys.

Does anyone have any ideas?

Scott

 
Johnny2can:

Thanks for the information. Do us a favor - you said you were setting up the BEFVP41's tonight - post back and let us know how it worked and what your settings ended up being. Thanks!!


TimRaines:

I agree with the crusade - Just remember the words of Steve Wozniack - "Never trust a computer (or any piece of IT hardware for that matter) that you can't pick up and throw out a window!!"

Rich
 
Well I got another BEFVP41 to connect from remote office to main office. Still not there yet though. I followed the superb drawing by RGN and made sure both BEFVP41's are using the same firmware 1.40.2, setup the Key area identical on both ends, made sure both advanced IPSEC pages are identical and still no connection let alone browsing the network neighborhood. I am not sure about the remote security gateway settings. If I set it to (any) would that be the proper setting for dynamic IP's on both ends, even though I have had cable modem service for 1.5 years at home and I am still using the same IP address as when I started using cable for internet. Do I need to worry about DNS settings? Is the remote security gateway the IP address that is displayed on the status page for the BEFVP41 under Default Gateway? Also a user further up this page asked and didn't get answered if you have to click on (Connect) on both ends, that would seem rather silly but is it so?
 
I gave up trying to read every post to this thread, but if you are still struggling to connect a client PC to a remote LAN through a BEFVP41 VPN tunnel, Linksys' instructions at


*DO* work. They are 16 pages long, and fraught with pitfalls, but I have now set up three (bidirectional) client<->LAN VPN tunnels successfully using them. I can ping, access shared folders, and more, in both directions.

These directions only apply to Win2K and WinXP clients. Earlier Win OSes require a 3rd party IPSec module. And forget the Windoz VPN dialers -- they won't get you anywhere.

Now here is MY question: I cannot seem to establish a pcAnywhere Remote->Host connection over the tunnel. The Remote just stalls. Can anyone give a hint about what's going wrong? Has anyone made it work? (Please do not tell me that I have to open the pcAnywhere ports on the router -- that should not be necessary with a VPN tunnel and would defeat the purpose of this application.)

Thanks in advance....
 
jmacmann,

I am using PC-DUO remote access over BEFVP 41/BEFVP 41-tunnel successfully. Do you connect with the internal ( not external ) IP of the pcAnywhere server, e.g. 182.168.1.x to the remote network. If the server pings, it should work.
 
Low and behold my problem was that by default the BEFVP41 has a block WAN request filter enabled. Linksys support caught that one, every now and then you end up connecting with someone knowledgeable in Linksys support. Guess I got lucky.
 
Just a side note is this WAN filter suppose to be basic knowledge? Also I was told by Linksys support that the BEFVP41 works with DSL, Cable & T1 connections but not a fractured T1. Is there another solution because one of the remote sites of the 2 is a fractured T1. Oh boy here we go again.
 
Appollo:

It strikes me as odd that it is necessary to un-block WAN requests to get the VPN to work - mine works with the block enabled (or at least says it is connected). I thought the theory of the VPN was to establish a private tunnel without opening your network up to &quot;outsiders&quot;

As for not being able to run on a fractal T1 - I also question that. If the CSU/DSU on the end of the fractal gives you a 10 Mbs ethernet connection, it should hook right to the BEFVP41 just like a cable modem or DSL modem
 
i, too, have two befvp41s connected. one at my office that has a static ip on verizon dsl bronze package.. entry level business dsl service and one at home on dynamic ip also through verizon dsl bronze home package. at home i have a 'connected', but when i open up incoming access log it shows incoming ip is my static office ip address and the port says &quot;500&quot;. johnny2can said that sometimes you get a connection with port 500 but no connectivity. verizon swears they don't block anything, in fact that's what sold me on them. are they full of it or is there a way to redirect 500 to 50? any other solution to be able to browse or map the office server drive. office server has just win 98.. do i need to have win2k server on there? my home computer has win2k pro. thanks for your help!
 
heliosphere:

I am not sure where you are located (which Verizon you have), but I know for a fact that in the Baltimore area they block port 80. I am not sure of any of the other ports (I have not checked) but I do know that I can connect, and assign shares, across the VPN with a pair of BEFVP41's. I guess what I am saying is that although they may not be blocking the ports you need, I would really question the &quot;we don't block anything&quot; statement.

Rich
 
What!? Verizon blocks port 80?

I highly doubt it. Port 80 is used for http. I can't imagine that they're blocking access to web sites. I gotta think some of their customers (some....heheh) would be upset about that.
 
im on the verizon dsl network in portland oregon. johnny2can was actually speaking of port &quot;50&quot;... not &quot;80&quot; i believe. im getting incoming from port &quot;500&quot; from my static ip. does anyone know of a way to redirect or do i need to change isp. thanks
 
finally... two hours on the phone with verizon.. kicked me up to top level tech support.. i got a guy to admit they block &quot;some&quot; ports on their home dsl... imagine that... he couldn't tell me which ones. he also said that i couldn't maintain a constant vpn connection because they change the ip address ever 5 or 10 minutes on my home dynamic dsl ip address. anyone have any suggestions on a good isp that doesn't block ports for home dsl? they suggested that i upgrade to a business dsl connection for my home. these guys!
 
Thanks everybody who post their experience here...

I have a question about the subnet mask in my procedure of setting up the VPN channel. For the VPN router, I can only use subnet masks with the first 3 octets as 255. However, this is different from what we're using to set up our LAN. Our LAN computers are all under the subnet of 255.255.0.0. I got 2 VPN routers connected as the following:

VPN router 1: LAN IP: 128.1.2.201
Mask: 255.255.255.0

Tunnel Name: Test 1

Local Secure group: Subnet IP: 128.1.2.0
MASK: 255.255.255.0

Remote Secure Group: Subnet IP: 128.1.1.0
MASK: 255.255.255.0

Remote Security Gateway: IP Addr.: IP: xxx.xxx.xxx.xxx
=======================================================
VPN router 2: 128.1.1.201
Mask: 255.255.255.0

Tunnnel Name: Test 2

Local Secure group: Subnet IP: 128.1.1.0
MASK: 255.255.255.0

Remote Secure Group: Subnet IP: 128.1.2.0
MASK: 255.255.255.0

Remote Security Gateway: IP Addr.: IP: xxx.xxx.xxx.xxx
=======================================================

After I got them connected, I can ping and browse TESTING computers at each side. Unfortunately, most of our regular computers with their subnet mask as 255.255.0.0 cannot be reached at all. Can everybody suggest me what I should do to make computers with subnet mask 255.255.0.0 visible through the VPN channel?

Any help is highly appreciated.


Really confused...
 
TimRaines (Visitor):

What I mean by blocking port 80 is that you can't run a web server on your end. You can still access web pages, you simply can't post any from your own computer unless you have it mapped to a different port.

Rich
 
thanks rich

i see what you are saying. i just dumped verizon and ordered up another that uses the same verizon backbone but will give me a static ip at home and, before i even said it, they dont block ports. hopefully be up and running by friday. the guy at the new place said they have had several new customers just for this reason only.. the customer got a couple of new befvp41s and they dont work on dynamic ip blocked ports.

thanks for your help in pointing me in what i hope will be a direction of resolution.
 
heliosphere (Visitor):

Just for reference (It has been mentioned earlier in this thread), it is possible to connect two of the BEFVP41's when they both have a dynamic connection. Verizon tech support in my area (Baltimore) tells me that they do not yet have static IP's available on their DSL lines - even the business packages - so I have had a chance to figure this out.

The procedure requires the services of a DDNS (dynamic domain name server). Essentially what happens is one of your PC's at one location runs a small program in the background and keeps an eye on the WAN IP address. When it changes, it contacts the DDNS and they update their system. They can normally be set to check the IP anywhere from about once a day to as short an interval as once a minute. You end up with an address something like &quot;
The next step is to set up the BEFVP41 at the location with the DDNS running to accept any IP address as the remote WAN IP. On the remote (other) location, set the BEFVP41 up using FQDN (Fully Qualified Domain Name) as the remote WAN address, and enter your DDNS name. This feature is available in the latest firmware upgrade - 1.40.02

When you fire the BEFVP41's up, they should connect (they did for me) so long as both of the boxes are set up with the same encryption, etc. - standard VPN stuff. The units can get a little tempermental if the IP at either of the ends changes alot, but they will reconnect, normally fairly seamlessly, with only slight service interuptions.

Hope this helps

Rich
 
Hi iwonderhow,

I think you are looking at wrong product. If you have class B network, you should look at Firewall-1 product.

Linky is intended for SOHO-markets, not for corporate markets.
 
Since we are talking Liksys to linksys, I am on The Cox Cable system. I want to connect to home computers (different homes) with a vpn (small business being run from 2 homes) so they can share databases. I have no servers running, and do not want the trouble or expense of having one running.

If I have one of these at each house, I should be able to have them create a tunnel to each other so both homes will be sharing the same workgroup, correct?

Both houses have dynamic ip's, but I have had my same IP address for 5 months stright, without a server reboot at cox, I think I will always have it.

Do you see any problems with the logic of this set up? thank you!~
 
Hi markku,

Thanks for your post.

I'll change our Windows network into Class C... There will be enough nodes for us to use here in only 1 branch company. Another headache is our DG/UX servers. They are in Class C (128.1.1.0/24) now, but I can't even ping them from the other side (128.1.2.0/24) of the VPN channel. Do you know if there is any limitation on accessing Unix resource through the VPN?

I truly appreciate your suggestion.


Wayne
 
Hi markku,

Thanks for your post.

I'll change our Windows network into Class C... There will be enough nodes for us to use here in only 1 branch company. Another headache is our DG/UX servers. They are in Class C (128.1.1.0/24) now, but I can't even ping them from the other side (128.1.2.0/24) of the VPN channel. Do you know if there is any limitation on accessing Unix resource through the VPN?

I truly appreciate your suggestion.


Wayne
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top