
Linksys BEFVP41 VPN problems

Status
Not open for further replies.

ScottCudmore

Technical User
Jan 24, 2002
3
US
Hi,
I just purchased the new Linksys VPN router. I want to be able to connect to my home network from a remote Windows 2000 machine. There are no steps or docs on how to do this. Only Linksys to Linksys VPN. When I connect from a Windows VPN connection, all I get is an error on the Linksys.

Does anyone have any ideas?

Scott

 
Hi Wayne,

See my answer in thread:

BEFVP41 - ping and telnet problem

There are no limits of accessing resources through VPN-tunnel, this is one of the lovely aspects of VPN.

Markku





 
wardaddy -

you "may" run into problems keeping the same IP. I know that as soon as my ISP sees any traffic originating outside of my network destined for my network, I get a new DHCP address assigned. I am not sure if this is for security's sake or if it is them making sure that we are not running webservers and mailservers. I have tried to ping the outside of my network and within moments I get a new DHCP address assigned. So that may be something to keep an eye on.
 
Hi Markku,

Could you tell me where you post "BEFVP41 - ping and telnet problem"?

Many thanks,


Wayne

 
Hi Markku,

Found your post...

The Ping command starts to work after I asked my colleague to change the gateway on one of our DG/UX servers. It's so beautiful... The remaining problem for my colleagues is to explore the possibility to enable 2 gateways on the other DG/UX servers, because there's already one for the frame relay on most of them.

Thank you very much,


Wayne
 
Hi everyone,

I have a couple of new questions now...

1. Can BEFVP41 function as "gateway" and "router" as the same time? My guess is that BEFVP41 works only in either the "gateway mode" or the "router mode". When it's working under the gateway mode, the entries I add at the "static routing" do not update the routing table...

2. When a remote computer accesses the local resource through the VPN channel (made by 2 BEFVP41), can a "local IP" be allocated to the remote computer? As we were using Windows 2000 VPN server before, all the remote computers obtain "local IP address" (the 2nd IP) when they log onto the VPN. I'm wondering if it's possible to assign local IPs to the remote computers in the scenario of BEFVP41 VPN channel?

Thanks in advance,


Wayne
 
Has Anyone got this Linksys box to work with a remote client using Dial up networking to log in ?

If so, How ??

Thanks in advance.
 
we have 2 linksys vpn routers connected. we are using (2) win 2k and (1) windows 98se along with a novell server.
the test setup is 1 win2k as a remote and the rest on the other side. we can ping all machines and map drives from all machines except the novell (4.11) server. The novell we can ping but not map drives. we have downloaded and installed the linksys firmware update and installed lmhosts on all the win 2k machines. we are using static ip. any help

email larcan@adelphia.net
thanks
joe d
 
I'm back.

Worked the first time (Linksys to Linksys).

Settings were basic. Same on both sides...

Local: "subnet" 192.168.0.0
Remote: "subnet" 192.168.1.0
(flipped it for the other Linksys)
mask was 255.255.255.0 for both
IP Addr. (I have statics on both sides)
Des (faster)
SHA (faster)
Auto (IKE)
PFS (stands for Perfect Forward Secrecy)
Key Lifetime: 3600

clicked more...
Phase 1: Main/DES/SHA/768/28800
chose 28800 to make Phase 1 last "all day" (8 hours)
Phase 2: 768/3600

Anti-replay (not relay, as some have suggested)
Has to do with an attacker re-using one of the
encryption keys
Keep-alive

After "Apply" I *did* click "Connect", but only on one side (as it should be). All worked at this point.

Block WAN was enabled (the default) and had no effect on my VPN.

Other notes:

Verizon? Verizon is a melding of several smaller (though still large) networks. Very possible that one part of the country is blocking when another part of the country is not. They haven't merged completely, yet.

Blocking port 80? Yes, several ISP's block port 80... *inbound*! They don't want people from the outside requesting web pages from your machine. That does *not* block port 80 outbound, thus allowing you to request web pages from the Internet.

50? That is *IP protocol 50* (aka Encapsulating Security Payload (ESP) which is the encryption), not TCP (IP protocol 6) or UDP (IP protocol 17) port 50. It's a completely different animal from IKE, which is transported over UDP port 500. Therefore, you cannot redirect IP protocol 50 to UDP port 500, or vice versa.

Congrats, jmacmann, on getting those clients up and running! I'm gonna try that using FQDN and DDNS... sounds intriguing!

Good luck, all.
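To make the protocol-versus-port distinction above concrete, here is an added Python example (not from the thread, not Linksys code) that classifies raw IPv4 packets: it reads the IP protocol field first and only looks for ports when the protocol is TCP or UDP, so ESP (protocol 50) and UDP port 50 come out as different things. The sample packets are constructed inline.

```python
import struct

# IANA protocol numbers quoted in the post: TCP=6, UDP=17, ESP=50; IKE rides on UDP port 500.
PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50
IKE_PORT = 500

def classify_ipv4(packet: bytes) -> str:
    """Label a raw IPv4 packet: 'ike', 'esp', 'udp/<dport>', 'tcp/<dport>' or 'proto/<n>'."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto = packet[9]                     # the IP protocol field
    payload = packet[ihl:]
    if proto == PROTO_ESP:
        return "esp"                      # protocol 50 carries no port numbers at all
    if proto in (PROTO_TCP, PROTO_UDP) and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])   # ports exist only for TCP/UDP
        if proto == PROTO_UDP and IKE_PORT in (sport, dport):
            return "ike"
        return f"{'udp' if proto == PROTO_UDP else 'tcp'}/{dport}"
    return f"proto/{proto}"

def build_ipv4(proto: int, payload: bytes, src="192.168.0.1", dst="192.168.1.1") -> bytes:
    """Constructed test packet: minimal 20-byte IPv4 header (checksum left zero) plus payload."""
    total = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return header + payload

def udp(sport: int, dport: int, data: bytes = b"") -> bytes:
    """Constructed UDP header (length filled in, checksum zero) plus data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

# Constructed samples: IKE on UDP/500, ESP (protocol 50), and UDP *port* 50 for contrast.
SAMPLES = {
    "ike": build_ipv4(PROTO_UDP, udp(500, 500, b"\x00" * 8)),
    "esp": build_ipv4(PROTO_ESP, b"\x00\x00\x00\x01\x00\x00\x00\x01"),  # SPI + sequence number
    "udp_port_50": build_ipv4(PROTO_UDP, udp(4000, 50)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:12} -> {classify_ipv4(pkt)}")
```

A port-forwarding rule on a NAT box only ever sees the "ike" and "udp/50" cases; the "esp" packet has nothing a port rule could match, which is why the router must pass protocol 50 itself.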
 
Oh, and as someone mentioned earlier, forget about using the Dial-up Networking VPN.

- M$ DUN uses PPTP or L2TP
- Linksys uses IPSec

If you want to hook up M$ directly to the Linksys, you need to use the IPSec that they built into >Win2k, not the DUN VPN.

-J
 
Hi Wayne,

>1. the entries I add at the "static routing" do not >update the routing table...

If the router is in gateway mode static routing works, you just have to hit <refresh> in your browser after applying the changes. Otherwise you won't see the changes.

>2. When a remote computer accesses the local resource >through the VPN channel (made by 2 BEFVP41), can a "local >IP" be allocated to the remote computer?

Not necessary. The Linksys are only routing IP-packets from LAN to LAN with different IP-scenarios. No other fiddling with machines or SW necessary, just connect \\remoteIP\sharename. Telnet <remoteLANIP> works without any other tweakings.

VPN network acts like large LAN. It makes things simple, not complicated. Just remove any SW-based VPN you might have and enjoy.

Markku
 
I wonder if somebody here can share with me some experience of using SSH Sentinel 1.3 as the VPN host to connect to the BEFVP41 router.

*******************************************************
My setting on BEFVP41

Local Security Group: IP: 128.1.1.0
Mask: 255.255.255.0
Remote Security Group: Any
Remote Security Gateway: Any
Encryption: 3DES
Authentication: MD5
Key Management: Auto IKE
PFS: Enabled
Pre-shared Key: abc123def
Key Lifetime: 3600 sec
************************************************************
My Setting at SSH Sentinel computer:

I use "Administrator Email" as "Primary identity", and provide my email address. Then I created a "self-signed certificate".

I generated a preshared key (named RoadWarrior) the same as what I have at the BEFVP41 router (abc123def). Something I don't understand is that SSH only allows users to create the key using SHA-1. However, people can select to use "SHA" and "MD5" when setting up a VPN tunnel with the BEFVP41 router.

VPN Rule:

Remote endpoint:
Security Gateway: xxx.xxx.xxx.xxx (WAN IP of BEFVP41)
Remote network: 128.1.1.0/24
IPSec and IKE Proposal:
Authentication Key: RoadWarrior
Proposal Template: Legacy
Proposal Parameters (setting):
IKE Proposal:
Encryption algorithm: 3DES
Integrity function: MD5
IKE mode: main mode
IKE group: MODP 1024 (group 2)
IpSec proposal:
Encryption algorithm: 3DES
Integrity function: HMAC-MD5
IPSec mode: tunnel (unchangeable)
IPSec group: MODP 1024 (group 2)
************************************************************

After I finished the above configuration, I try to connect from the SSH Sentinel computer. However, I never pass through even the first stage of the IKE proposal.

The error message lets me check both the authentication key and make sure the remote gateway is available. But they don't seem like my case. Because I can find the incoming traffic from my BEFVP41 router, which is through Port 500.

When I checked the audit log in SSH, I couldn't find any response from the remote side.

DEBUG: 0.0.0.0:500 (Initiator) <-> xxx.xxx.xxx.xxx:500 { 108b9675 63000003 - acb720fa 21e3ac2b [-1] / 0x00000000 } IP; Retransmitting packet, retries = 3

Can anyone kindly let me know what I have done wrong?

Thanks in advance,

SSHFun

 
Hello Markku,

Thank you very much for your suggestion.

The reason that I want to have "internal" IP is I want to simplify the remote computers' access to the LAN. If they have internal IPs (like the Win2K VPN solution), I can save effort on setting up routing entries for them.

Thank you once again and have a nice weekend,


Wayne

 
Just some addition to my previous post about the SSH Sentinel VPN client...

When I check out the SSH log file generated during the VPN connection, I find continuous negotiation is carried out between the SSH VPN client (my remote computer) and our Win2K servers (128.1.1.249 is one of our servers) that are not in the same subnet at all. The log is like the following:

Phase-1 [initiator] between ipv4(udp:500,[0..3]=192.168.0.3) and ipv4(udp:500,[0..3]=128.1.1.250) failed; Timeout.
0.0.0.0:500 (Initiator) <-> 128.1.1.249:500 { 3c92c06a d10000a8 - 00000000 00000000 [-1] / 0x00000000 } IP; Connection timed out or error, calling callback

I can find the IKE negotiation between SSH client and the BEFVP41 router in the router's incoming log, but this is never shown in the SSH log file. Could it be some clue with which you can tell where I've made a mistake?

Many thanks,


SSHFun
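As an added diagnostic example (not from the thread and not SSH's own tooling), here is a small parser for log lines in the format quoted in the two posts above. It flags IKE being sent to an address other than the security gateway, and reads the cookie pair: in ISAKMP the responder cookie stays all-zero until the peer's first reply arrives, so a zero responder cookie means the peer never answered. The gateway address is a placeholder, 128.1.1.0/24 is the remote network from the configuration post, and the sample log is constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample log modelled on the SSH Sentinel lines quoted in the thread.
# GATEWAY is a placeholder for the BEFVP41 WAN address; REMOTE_NET is from the post.
GATEWAY = "203.0.113.10"
REMOTE_NET = ip_network("128.1.1.0/24")
LOG = f"""\
DEBUG: 0.0.0.0:500 (Initiator) <-> {GATEWAY}:500 {{ 108b9675 63000003 - acb720fa 21e3ac2b [-1] / 0x00000000 }} IP; Retransmitting packet, retries = 3
Phase-1 [initiator] between ipv4(udp:500,[0..3]=192.168.0.3) and ipv4(udp:500,[0..3]=128.1.1.250) failed; Timeout.
0.0.0.0:500 (Initiator) <-> 128.1.1.249:500 {{ 3c92c06a d10000a8 - 00000000 00000000 [-1] / 0x00000000 }} IP; Connection timed out or error, calling callback
"""

# "<-> peer:500 { initiator-cookie - responder-cookie [..] / msgid } IP; status" lines
EXCHANGE = re.compile(
    r"<-> (?P<peer>[\d.]+):500 \{ (?P<icookie>[0-9a-f]{8} [0-9a-f]{8}) - "
    r"(?P<rcookie>[0-9a-f]{8} [0-9a-f]{8}) .*?\} IP; (?P<status>.+)$")
# "Phase-1 [initiator] between ipv4(...=local) and ipv4(...=peer) failed; reason" lines
PHASE1 = re.compile(
    r"Phase-1 \[initiator\] between .*?=[\d.]+\) and .*?=(?P<peer>[\d.]+)\) failed; (?P<status>.+)$")

def analyse(log: str, gateway: str, remote_net) -> list:
    """Return one (peer, status, notes) tuple per IKE-related line in the log."""
    findings = []
    for line in log.splitlines():
        m = EXCHANGE.search(line) or PHASE1.search(line)
        if not m:
            continue
        peer, status = m.group("peer"), m.group("status").rstrip(".")
        notes = []
        if peer != gateway:
            where = (f"a host inside the remote network {remote_net}"
                     if ip_address(peer) in remote_net else "an unexpected host")
            notes.append(f"IKE sent to {peer} ({where}), not to the security gateway {gateway}")
        # Responder cookie is zero until the peer replies (ISAKMP), so zero means no answer at all.
        if m.groupdict().get("rcookie") == "00000000 00000000":
            notes.append(f"responder cookie still zero: no reply ever received from {peer}")
        elif status.startswith("Retransmitting"):
            notes.append(f"{peer} replied at least once; negotiation stalled later")
        findings.append((peer, status, notes))
    return findings

if __name__ == "__main__":
    for peer, status, notes in analyse(LOG, GATEWAY, REMOTE_NET):
        print(f"{peer:15} {status}")
        for note in notes:
            print("   -", note)
```

Run against a real Sentinel log, the first kind of note shows the client negotiating directly with LAN hosts instead of routing them through the tunnel to the gateway, which is the pattern the post describes.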
 
Hi Wayne,

By using 2 BEFVPs it is not necessary to add any routes to the boxes. The Linksys do the routing to remote networks automatically, assuming that the tunnel is alive.
 
Can anyone here make some summarization on why computers can be pinged, but are not shown in "My Network Places" and not available for mapping drives?

I've tried Dial-up and access through another subnet, and neither of them worked.

Thank you...
 
Visitor(old problem),

Typically this is because the machines on the other end of the tunnel have no names for your PCs. This info is passed by NetBIOS. If you are using Linksys BEFVP41s try enabling the "send netbios info over tunnel" option in the advanced settings of your tunnel. You can also try connecting by mapping a drive:

search for pc (search ---> for computers in win98 or search --> files and folders in xp), enter: \\xxx.xxx.xxx.xxx\ (of course replacing xxx.xxx... with the ip of the computer you are searching for). This way you are searching by the IP address of the machine, not its name. If you can ping it then your machine can at least see the IP and hopefully be able to connect this way.

That might just fix things up for you. If it does edit the hostfile on all your pcs to add the pc names:

xxx.xxx.xxx.xxx computer1
xxx.xxx.xxx.xxx computer2
etc.


Good to you.
 
Old problem: On each side of the VPNs do you have more than one computer? Can the two computers on side A map drives? And the other two on side B map drives? If you only have one computer on each side of the VPN then you should check that you are logged in as someone. In the start menu if it says logoff... then you are not logged in as someone and you need to give yourself a name in order for the file sharing to work.
 
Hi ShovelhEd,

The most strange thing for me is that I can ping every computer in the domain, however I can never browse (in My Network Places) them or map drives using their IP addresses. This seems to be DIFFERENT from what everybody here says...

In the past couple of weeks, I've been trying to connect my laptop (Win2K Prof) at home with our company's Win2K network through the VPN tunnel. I have to say the only success so far is I've made it possible to "ping" each one in the network.

I can't utilize any Active Directory tool that I usually use while in the company.

I've got totally lost...
 
To Madnessxx:

I have my home computer at one end of the VPN tunnel and our company's LAN at the other end. I don't have any problem to map drives among computers in the company. But neither "network browsing" nor "mapping drive" works when I work through the VPN tunnel at home.

I check the "shares" in our company's LAN. All of them permit access by the "everyone" group.

I don't quite understand when you say I need to log on as someone. If I dial up from home, there's nothing coming up to let me "log on"...

Any further suggestion?

Thanks a lot.
 
Old Problem:
Depending on your OS, if you pull up the start menu and it says log off... then you are not logged in as someone. You need a user name to be part of the "everyone" group, and if it says log off... then you have a <null> username.

If it doesn't say logoff (username) right above the shutdown command in the start menu then select shutdown and operate the pulldown menu. It should give you an option to reset, shutdown, logoff (username or just ...), and maybe an option to go to DOS mode or something. If you have the dots then select that. You will be prompted to login; go ahead and give yourself a username and blank password.

Now you will have a name that will allow you to access the MS shares.

Also you say you can ping the other computers on the network; you're using ping <computername>, not the IP, correct? Win98 won't allow you to UNC to an IP so you will need to verify that will work. If your work is running a WINS server put that server in your TCP/IP setup for your NIC.
That should handle all your name resolution needs.
 