
Linksys BEFVP41 VPN problems

Status
Not open for further replies.

ScottCudmore

Technical User
Jan 24, 2002
3
US
Hi,
I just purchased the new Linksys VPN router. I want to be able to connect to my home network from a remote Windows 2000 machine. There are no steps or docs on how to do this. Only Linksys to Linksys VPN. When I connect from a Windows VPN connection, all I get is an error on the Linksys.

Does anyone have any ideas?

Scott

 
Hi tcompe9139

Glad to hear that all is well. Just wondering what steps you took to resolve all your problems?
 


to nik_420

Our local ISP responded with this e-mail:

The 10.3.xxx.xxx is a private IP and thus cannot be tracerouted because anyone can use it. The 66.16x.xxx.xxx is probably the address you want to use to get to the VPN router. We do not block any VPN traffic. We have several users who have successfully established a VPN connection with our network. I would recommend contacting the VPN provider to work out your connection issue since there are too many factors that we cannot help you with.

 
wmckenney: When you get the TTL expired in transit (caused by a routing loop) what does the trace look like? before the 120 some loops?

When I trace from NetA to NetB it shows up as only one hop.

Also why a 25-bit mask? Surely you don't need the 65 thousand extra networks? Not that it is a problem, just the K.I.S.S. rule always should apply :)

Name Resolution: An easier solution you could try is to point Network A to Network B's WINS. It is a bit more traffic, but if Network A is a remote office or only 2-3 computers you would save the need for a local WINS server. Always test your connection via the Run command and put in the UNC for the computer you wish to connect to. Network Neighborhood is a pile even on a LAN.


 
To nik_420 (Visitor)
What do you mean to force the nic to 10 half duplex??

To madnessxx (MIS)
Thanks for your help, I did as you said, I have connected two VPN routers, and I can even ping the computers on the remote side, but I can not access or see the computers on the other side.
I have enabled the netbios hidden thing.
Any idea anyone what else I need to do??
 
madnessxx: the tracert looks like:

Tracing route to 10.3.141.240 over a maximum of 30 hops

 1 58 ms 33 ms 44 ms 216.3.2.190
 2 40 ms 33 ms 37 ms border-core01.athens.frognet.net [204.192.96.1]
 3 42 ms 44 ms 57 ms core03-fa0.athens.frognet.net [204.192.96.8]
 4 48 ms 57 ms 34 ms border-core01.athens.frognet.net [204.192.96.1]
 5 34 ms 40 ms 56 ms core03-fa0.athens.frognet.net [204.192.96.8]
 6 45 ms 48 ms 51 ms border-core01.athens.frognet.net [204.192.96.1]
 7 34 ms 47 ms 35 ms core03-fa0.athens.frognet.net [204.192.96.8]
 8 35 ms 42 ms 41 ms border-core01.athens.frognet.net [204.192.96.1]
 9 58 ms 38 ms 37 ms core03-fa0.athens.frognet.net [204.192.96.8]
10 47 ms 35 ms 57 ms border-core01.athens.frognet.net [204.192.96.1]
11 40 ms 44 ms 36 ms core03-fa0.athens.frognet.net [204.192.96.8]
12 53 ms 51 ms 49 ms border-core01.athens.frognet.net [204.192.96.1]
13 36 ms 41 ms 52 ms core03-fa0.athens.frognet.net [204.192.96.8]
14 51 ms 34 ms 47 ms border-core01.athens.frognet.net [204.192.96.1]
15 53 ms 60 ms 55 ms core03-fa0.athens.frognet.net [204.192.96.8]
16 35 ms 37 ms 37 ms border-core01.athens.frognet.net [204.192.96.1]
17 44 ms 52 ms 36 ms core03-fa0.athens.frognet.net [204.192.96.8]
18 42 ms 35 ms 36 ms border-core01.athens.frognet.net [204.192.96.1]
19 43 ms 71 ms 37 ms core03-fa0.athens.frognet.net [204.192.96.8]
20 54 ms 37 ms 36 ms border-core01.athens.frognet.net [204.192.96.1]
21 51 ms 69 ms 53 ms core03-fa0.athens.frognet.net [204.192.96.8]
22 153 ms 65 ms 36 ms border-core01.athens.frognet.net [204.192.96.1]
23 41 ms 55 ms 53 ms core03-fa0.athens.frognet.net [204.192.96.8]
24 36 ms 35 ms 36 ms border-core01.athens.frognet.net [204.192.96.1]
25 37 ms 42 ms 41 ms core03-fa0.athens.frognet.net [204.192.96.8]
26 296 ms 290 ms 255 ms border-core01.athens.frognet.net [204.192.96.1]
27 39 ms 37 ms 37 ms core03-fa0.athens.frognet.net [204.192.96.8]
28 36 ms 37 ms 54 ms border-core01.athens.frognet.net [204.192.96.1]
29 38 ms 42 ms 44 ms core03-fa0.athens.frognet.net [204.192.96.8]
30 38 ms 52 ms 37 ms border-core01.athens.frognet.net [204.192.96.1]

Trace complete.

As for the subnet mask of 255.255.255.128... that was set up by an IT person for a specific reason in the past. Unless it is thought to be a problem I would prefer not to change it.


The "run\\IP address of remote WIN98 computer" results in "no network provider accepted the given path"
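Added here as an illustration and not part of the thread: a small parser for Windows tracert output of the kind quoted above that flags the two-router alternating pattern as a routing loop and reports whether the trace ever reached the target. The sample output is constructed and abridged to six hops.

```python
import re
from collections import Counter

# Constructed sample in the format of the tracert output quoted above (first hops only)
SAMPLE_TRACERT = """\
Tracing route to 10.3.141.240 over a maximum of 30 hops

  1    58 ms    33 ms    44 ms  216.3.2.190
  2    40 ms    33 ms    37 ms  border-core01.athens.frognet.net [204.192.96.1]
  3    42 ms    44 ms    57 ms  core03-fa0.athens.frognet.net [204.192.96.8]
  4    48 ms    57 ms    34 ms  border-core01.athens.frognet.net [204.192.96.1]
  5    34 ms    40 ms    56 ms  core03-fa0.athens.frognet.net [204.192.96.8]
  6    45 ms    48 ms    51 ms  border-core01.athens.frognet.net [204.192.96.1]

Trace complete.
"""

TARGET_RE = re.compile(r"^Tracing route to (\S+)")
# hop number, three RTT columns ("58 ms", "<1 ms" or "*"), then the router name/address
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:(?:<?\d+ ms|\*)\s+){3}(.+?)\s*$")


def parse_trace(text):
    """Return (target, [(hop, router_ip), ...]) parsed from tracert output."""
    target, hops = None, []
    for line in text.splitlines():
        t = TARGET_RE.match(line)
        if t:
            target = t.group(1)
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        host = m.group(2)
        bracketed = re.search(r"\[([\d.]+)\]$", host)  # "name [ip]" form
        hops.append((int(m.group(1)), bracketed.group(1) if bracketed else host))
    return target, hops


def routers_repeating(hops, min_repeats=2):
    """Routers seen at least min_repeats times; any repeat is the signature of a loop."""
    counts = Counter(ip for _, ip in hops)
    return sorted(ip for ip, n in counts.items() if n >= min_repeats)


def reached_target(text):
    """True only if the final hop is the traced address itself."""
    target, hops = parse_trace(text)
    return bool(hops) and hops[-1][1] == target


if __name__ == "__main__":
    _, hops = parse_trace(SAMPLE_TRACERT)
    print("looping routers:", routers_repeating(hops))
    print("reached target:", reached_target(SAMPLE_TRACERT))
```

A trace that loops between two ISP routers without ever reaching the private target means the packets are leaving via the default route, not the tunnel, which points at the secure-group configuration rather than at the tunnel itself.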

 
To: sam88

10Mbs half duplex is the speed of your network card. You can change the speed as follows:

win9x: right-mouse click Network neighborhood -> double-click the network card -> advanced tab -> Look under properties, look for key words such as "media" "speed" "connection type" highlight that, look under value and you will see 10mb half.

win2k / winxp: right mouse click My Network Places -> right mouse click Local Area Network -> Properties -> click configure -> advanced -> Look under properties, look for key words such as "media" "speed" "connection type" highlight that, look under value and you will see 10mb half.
 
curious2 (Visitor): And anyone else interested

Not sure how my current configuration will help anyone but I will give the details as a reference.

I have two networks that I have been trying to connect for some time now. A lot of my problems were that Management didn't/wouldn't let me spend very much money for static connections. (What a surprise for those of you in the IT industry :))

Anyway...One location (Will call this Network A) has a Fractional T1.
The second location (Out of state Network B) internet access is provided by a local cable co. (Cable Modem)

My current configuration (that is currently working very well thanks to this board) is as follows:

Network A

All workstations are Win2k SP2
All Servers are WIN2K SP2 with 1 as a DC
Services include DHCP and DNS
1 Linksys VPN Router Firmware version 1.40.02
Tunnel Name: Network A
Local Secure group: Subnet IP: 192.168.1.0
MASK: 255.255.255.0

Remote Secure Group: Subnet IP: 192.168.2.0
MASK: 255.255.255.0

Remote Security Gateway: IP Addr.: IP: xxx.xxx.xxx.xxx (Wan IP address of the Network B. The address is Dynamic but so far has never changed)

Encryption: 3DES
Authentication: SHA

Key Management Auto (IKE)
PFS is checked

Pre-Shared Key = xxxxxxxxxxxxx

Lifetime = 1410065407


Network B

All workstations are Win2k SP2
All Servers are WIN2K SP2 with 1 as a DC
Services include DHCP and DNS
1 Linksys VPN Router Firmware version 1.40.02
Tunnel Name: Network B
Local Secure group: Subnet IP: 192.168.2.0
MASK: 255.255.255.0

Remote Secure Group: Subnet IP: 192.168.1.0
MASK: 255.255.255.0

Remote Security Gateway: IP Addr.: IP: xxx.xxx.xxx.xxx (Wan IP address of the Network A. Static)

Encryption: 3DES
Authentication: SHA

Key Management Auto (IKE)
PFS is checked

Pre-Shared Key = xxxxxxxxxxxxx

Lifetime = 1410065407

Both IPSecAdvance.htm pages are configured as follows:
NetBIOS = Checked
Anti-RePlay = Checked (Not sure what this is....)
Keep Alive = Checked


So there you have it.... Both domains are showing up in the Network Neighborhood and I have been able to successfully run an application from a app server located in Network B from Network A as well as Print and Map across the tunnel. The Tunnels are staying up and seem to be working flawlessly...

Again many thanks to those that helped!!!!

If there is anything I can do to help anyone else please feel free to ask.

tcompe
 
Another success story.
Thanks to all for their contribution.

I got mine to work too and here are my settings. I would be happy to answer any further questions.

I have 5 and 6 PCs all running Win 98 behind each router.

My settings are as follows, very similar to tcomp9139 (thanks, you solved my last puzzle, and that was the lifetime)
the firmware is 1.39.64

Tunnel name: local
Remote Secure Group: Subnet IP: 192.168.2.0
MASK: 255.255.255.0

Remote Security Gateway: IP Address: Any

(the other network does not have static IP)

Encryption: 3DES
Authentication: SHA

Key Management Auto (IKE)
PFS is checked

Pre-Shared Key = testing
Lifetime = 1410065407


tunnel name: remote

Local Secure group: Subnet IP: 192.168.2.0
MASK: 255.255.255.0

Remote Secure Group: Subnet IP: 192.168.1.0
MASK: 255.255.255.0

Remote Security Gateway: IP Addr.: IP: xxx.xxx.xxx.xxx
this is static IP of the remote

Encryption: 3DES
Authentication: SHA

Key Management Auto (IKE)
PFS is checked

Pre-Shared Key = testing

Lifetime = 1410065407

IPSecAdvance.htm pages are configured as follows:
NetBIOS = not checked (on one router it is checked)
Anti-RePlay = Checked


Now I have a few questions: the only way I could access the remote computers was by Run --> \\private IP of the remote PC.
I can not see any one of the PCs in the Network Neighborhood.
Second, it is really slow, slower than I expected. Is this normal??

I would be happy to answer any questions.
Next I am going to make a tunnel at a third location where the PCs are XP and a fourth location with Win 2000 PCs.
I will keep you all updated.
 
Hello All,

First, I want to say thank you - I thought I was the only one who was having trouble, and that it was something I was doing wrong. I do hope someone from Linksys is following this thread, and will incorporate some of this VERY useful information in the online or printed documentation for the unit.

Anyway....

My questions are:

1) How do I upgrade the firmware of the VPN. (From all I have read, it seems this is the way to go) I have downloaded it from the link on dslreports.com, and unzipped it. I read earlier in this thread to use TFTP instead of the web based utility - how do I do that?

2) My network is simply a peer to peer network at each end, with all but a few machines running win2k sp2, but with a twist. In the main branch, we have an IBM running AIX as the server for our inventory management system. To access it in the main branch, we simply set up a telnet session to 192.168.1.1 (the IP of the server, I have moved the VPN to 192.168.1.10). Is there anything special I will need to do at the main or remote location to allow this to happen?

Thanks to all for the help

Spinge
 
spinge (TechnicalUser):
1) How do I upgrade the firmware of the VPN. (From all I have read, it seems this is the way to go) I have downloaded it from the link on dslreports.com, and unzipped it. I read earlier in this thread to use TFTP instead of the web based utility - how do I do that?


Answer:

TFTP.exe can be used to update the firmware to your VPN router. Before launching TFTP.EXE make sure the "BEFVP41_v1.40.2_code.bin" (Or what ever firmware you are updating to) file is located in the same path as the TFTP.EXE.

1. Launch the TFTP.EXE
2. You will see 3 boxes you must fill out
A. Server
B. Password
C. File
3. In the field next to the SERVER type in the address of your VPN router. NOT THE PUBLIC ADDRESS but the LAN address. Example 192.168.1.1

4. In the field next to the PASSWORD type in the password that gives you access to the router's GUI

5. In the field next to the FILE type in the path to the BEFVP41_v1.40.2_code.bin file. Example D:\Temp\BEFVP41_v1.40.2_code.bin

Click upgrade....

It will take a few minutes for it to start (Or at least it does on mine). Once completed your firmware should be updated.


That's it..

Hope this helps

tcompe
 
wmckennedy:
Current config Remote secure group 10.3.141.0
Subnet mask 255.255.255.128

Tracing route to 10.3.141.240 over a maximum of 30 hops

10.3.141.240 does not belong to the 10.3.141.0/23 net, it belongs to the 10.3.141.128/23 network. Your router doesn't have a route to that network, so it passes it down to its default gateway, i.e. your internet connection.

So if all your IP's are in the range of 10.3.141(2).128-256 you should be telling the linksys box that your Configuration is:

Local secure group 10.3.142.128
Subnet mask 255.255.255.128

Remote secure group 10.3.141.128
Subnet mask 255.255.255.128

PS. Smack who ever did that IP scheme... a /23 on a 10-net is <<edited out so not to flame>> :)

98 won't let you do a Run -> \\IP number (BTW it is 2002, hint). If you had two NT or 2k boxes on each side, doing that \\ipnumber would help pinpoint whether the problem you are having is with the connection or if it is just a NetBIOS problem.
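As an added illustration of the point madnessxx makes above (not code from the thread): given the Subnet IP and Mask fields of a BEFVP41 secure group, this checks whether each host falls inside its group, so traffic to it is selected for the tunnel rather than handed to the default gateway, and whether the two groups overlap. The host addresses are constructed samples; the group values are the ones discussed in the thread.

```python
import ipaddress


def secure_group(subnet_ip, mask):
    """Network described by a BEFVP41 'Subnet IP' + 'Mask' pair.
    strict=False accepts a Subnet IP with host bits set, as the router GUI does."""
    return ipaddress.ip_network(f"{subnet_ip}/{mask}", strict=False)


def hosts_outside_group(group, hosts):
    """Hosts the policy would NOT match; their traffic follows the default route instead."""
    return [h for h in hosts if ipaddress.ip_address(h) not in group]


def check_tunnel(local_ip, local_mask, remote_ip, remote_mask, local_hosts, remote_hosts):
    """Summarise whether the configured secure groups actually cover the hosts in use."""
    local = secure_group(local_ip, local_mask)
    remote = secure_group(remote_ip, remote_mask)
    return {
        "local": str(local),
        "remote": str(remote),
        "overlap": local.overlaps(remote),  # overlapping groups make the selector ambiguous
        "local_unprotected": hosts_outside_group(local, local_hosts),
        "remote_unprotected": hosts_outside_group(remote, remote_hosts),
    }


if __name__ == "__main__":
    # Constructed sample hosts in the upper half of each /25, as described in the thread
    local_hosts, remote_hosts = ["10.3.142.200"], ["10.3.141.240"]
    # Groups as originally configured (Subnet IP .0 with a 255.255.255.128 mask)
    print(check_tunnel("10.3.142.0", "255.255.255.128",
                       "10.3.141.0", "255.255.255.128", local_hosts, remote_hosts))
    # Groups moved to the .128 half, which is where the hosts live
    print(check_tunnel("10.3.142.128", "255.255.255.128",
                       "10.3.141.128", "255.255.255.128", local_hosts, remote_hosts))
```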
 
I'm having the "tunnel dropping/reconnecting/can't ping between subnets" blues too.

Slightly different setup here, my BEFVP41 connects to a FreeS/WAN v1.95 gateway. Tried upgrading the firmware to 1.40.1 and 1.40.2 but was unable to connect so I backed off to 1.39.64 again.

In a nutshell, it seems like upgrading the firmware has solved this problem (NFW am I going to back ALL my NICs to 10-half) for most of you...or has it?

Something I've noticed here (with 1.39.64) that once the IP flow has stopped, if I click on "DISCONNECT" and then "APPLY" and finally "CONNECT" the flow starts again -- at least for a while. Longest it's stayed up properly is 4 hours...
 
tcompe9139

Thanks for the help. It upgraded just like you said it would (at least the upgrade part did.)

I do have a question or two about the firmware upgrade itself. I noticed that the look of it is a little bit rougher (not as refined) as 1.39.64 - did anybody else get this same look? I also found that on the setup page, although it gives the option in the dropdown box to set it up for PPPoE, as well as others, that when I select it, it always goes back to DHCP. (I have a DSL at one end currently, and will eventually have DSL at both ends).

Also, when I revert back to 1.39.64 (I tried both 1.40.01 and 1.40.02) that the IPSecAdvance page is not available. Instead, I get a RED screen and a 404. Might this be my browser??

again, thanks to all

Spinge
 
I think I have finally just given up. Linksys Engineering has not responded back to me in over a week, a letter to the CEO of the company got no reply. I have tried every setting posted here and never get beyond the point where the boxes say they are connected. I can see icons for each group in Neighborhood Network but that is all. I can not ping computers on the other side of the connection or access them in any way. Last resort was to copy the identical settings posted by tcompe9139 including the firmware, but that did not make any difference. I am guessing that there is something not working in the address translation but that's just a guess. If I could find someone local to Columbus GA that could make this work, I'd pay for their time. Guaranteed that Linksys will not see another nickel of business from me or my shop. bobcole@servicecpa.com. %-(
 
Question: Win2k to BEFVP41.

Has anyone successfully connected a Win2k computer to the BEFVP41 router using IPSec policy?

I tried setting up the IPSec policy as stated in
I have not been successful.

This posting forum has been excellent. I have been reading this posting diligently. I am getting close, but I am not there yet.
 
well well well...wonders will never cease :eek:)

I finally got the router to connect properly. What did it? I'm not really sure to be honest with you. After upgrading/downgrading the firmware I made sure to reset the router to the factory defaults by pressing and holding the reset button for 30 seconds and then unplugging the router for 5 seconds. I messed around with my ipsec.conf (I connect to a Linux FreeS/WAN gateway) until I hit a combination that worked.

For the benefit of anyone else who gets stuck the way I was, here are my various config files :

BEFVP41 (firmware is 1.39.64) :

Tunnel name: office
Local Secure Group: Subnet IP: 192.168.0.0
MASK: 255.255.255.0
Remote Secure Group: Subnet IP: 192.168.110.0
MASK: 255.255.255.0
Remote Security Gateway: IP Address: 999.999.999.999 (obviously not my real IP)
Encryption: 3DES
Authentication: MD5
Key Management: Auto (IKE)
PFS is checked
Pre-Shared Key = "my PSK key"
Lifetime = 3600

In the IPSecAdvance.htm screen I changed the Phase 1 and Phase 2 proposals to match the above (after all, I know for a fact exactly what format it's set up for on the other end -- why would I need optional methods?). I unchecked the NETBIOS Broadcast packets (I have a WINS server set up at the other end), the anti-replay (anti-relay?) and the "IKE fails more than x times".

My home network (cable modem connection) is setup as a roadwarrior in my FreeS/WAN v1.95 configuration. Here are the contents of the /etc/freeswan/ipsec.conf file on the FreeS/WAN gateway:

# basic configuration
config setup
    interfaces="ipsec0=eth0"
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
    keyingtries=1
    authby=secret

# office VPN connection
conn home-office
    type=tunnel
    left=nnn.nnn.nnn.178
    leftsubnet=192.168.110.0/24
    leftnexthop=nnn.nnn.nnn.177
    right=%any
    rightsubnet=192.168.0.0/24
    keyexchange=ike
    ikelifetime=240m
    keylife=60m
    pfs=yes
    compress=no
    authby=secret
    auto=add

I stopped/started IPSEC, fired up the connection from the BEFVP41 and tried a ping from my home network to the office :

Pinging 192.168.110.3 with 32 bytes of data:

Reply from 192.168.110.3: bytes=32 time=68ms TTL=127
Reply from 192.168.110.3: bytes=32 time=85ms TTL=127
Reply from 192.168.110.3: bytes=32 time=67ms TTL=127
Reply from 192.168.110.3: bytes=32 time=82ms TTL=127

Ping statistics for 192.168.110.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 67ms, Maximum = 85ms, Average = 75ms

I connected with Remote Anything (like PCAnywhere but 10000% better) and latched into my bosses desktop. Perfect. Fired up the web cam from my desktop & connected to the bosses thru the tunnel. Got dizzy watching myself watch myself. EVERYTHING works.

After an hour elapsed (my 3600s lifetime in my BEFVP41 config) the SA expired, the tunnel dropped, a new one negotiated, and the BEFVP41 reported success. Yeah, sure. ..I'd seen this before. Except this time it actually worked. I could ping across the networks, browse the network neighbourhoods, map drives...everything. I've brought the tunnel up/down a couple of dozen times already & it's working perfectly.

Anyways....good luck to those of you trying to get this thing working. All it takes is some patience and common sense.

Jim
 
to rcole:

Have you tested the routers, with a X-over cable or in a different environment.... Also try doing a hard reset on both units... I had a problem where it said connected but couldn't ping... I did a hard reset (45 secs).. problem was fixed. These linksys units are pretty solid, from the ones I've setup.... I have seen the environment play a big role....
 
Does anybody have anything such as a switch or a hub attached to the WAN connector? I'd like to know if this works. Also, can this device establish a VPN tunnel with a computer connected to the LAN side?

I'm hoping that I could use it to secure a Wireless section of my LAN, i.e. connect the wan port to another switch/cable router. Then I'd connect a Wireless AP to the switch and establish VPN tunnels to the computers connected to that AP. This way, the wireless computers would be outside the VPN Router's firewall, and their data transmissions would be encrypted for an extra layer of security...

What do you think?
 
Hey Everyone,
I have really enjoyed this whole process, but my ordeal isn't over yet... I set up my connections from the Win2Kpro workstation to the router the way that the Linksys site says, and I try to ping the connection as follows:

ping -t 10.0.0.99

Negotiating IP security
Negotiating IP security
Negotiating IP security
Negotiating IP security
Negotiating IP security
Negotiating IP security
Negotiating IP security
Negotiating IP security
Negotiating IP security
Negotiating IP security
etc...

And it gives the pings answers at about 350 per minute...THAT IS NOT NORMAL!!!!!!!!

What Now?

Thanks,
Trevor Farren
 