Linksys BEFVP41 VPN problems


ScottCudmore

Technical User
Jan 24, 2002
3
US
Hi,
I just purchased the new Linksys VPN router. I want to be able to connect to my home network from a remote Windows 2000 machine. There are no steps or docs on how to do this. Only Linksys to Linksys VPN. When I connect from a Windows VPN connection, all I get is an error on the Linksys.

Does anyone have any ideas?

Scott

 
Scott,

Linksys uses IPSEC. You must configure your router and Win2k for IPSEC. Enter your Win2k Local Security settings. Go to IP Security policy, right click and create a new policy; remember to create two filters under that policy, one from your PC to your router and one from your router to your PC. If you are using dynamic IPs you must connect to your ISP, find out your IP address and adjust your filter with that address. Then start your VPN connection.

Later,

Blind Justice
 
I see many users confused when trying to set up secpol on their 2k box when they have the BEFVP41, and they think the router is now configured as a stand-alone server.

What you are doing with your 2K box with secpol is setting that PC up as the SERVER and then the BEFVP41 can CONNECT to it as a CLIENT ONLY.

Now you could set up IPSEC policies on a 2k behind the Linky, but then why did you buy this router as opposed to a regular 4 port link?

In truth, this product was designed for a connection between 2 BEFVP41's, to take out the hassle of configuring IPSEC policies on a server and then setting up the clients.

You will not be able to connect to a BEFVP41 unless it is from another BEFVP41, or there is a 2k server with IPSEC installed behind it.
 
Need some help please...
Maybe someone can help me out with a similar situation. Suppose I have two BEFVP41 Routers:

- Server Side
- Client Side

Now I have no problems establishing an IPSEC VPN tunnel if I use the 192.168.1.x on one router and 192.168.2.1 on the other router. However, what I need this to do is get to the 10.1.x.x, sub: 255.255.0.0 on the Server Side.

Here is what I want this to do:
-----------------------------------------------------------
- which is my client that needs a persistent connection. There are two workstations that are set up behind router on 192.168.1.0 network that must have access to the 10.1.x.x - 255.255.0.0 on Router A. To simplify this, this is the way I must set up client side.

192.168.1.1 - Gateway - Set to DHCP
192.168.1.2 - Workstation A
192.168.1.3 - Workstation B

Now BOTH of the Workstations must have access to the 10.1.x.x network behind the .

----------------------------------------------------------
Server Side

I need this one set up on the 10.1.x.x which I don't understand how to do this.

I have machine that has two nics (called VPNSERVER):

10.1.x.x 255.255.0.0 - NIC A
DHCP - NIC B (this is currently what I have)

I have no problem getting a 192.168.2.x - 255.255.0.0 network to get assigned to NIC B but how do I get the clients from 192.168.1.x network to be able to ping the 10.1.x.x network on the Server side.

Is the BEFVP41 able to do this? I would sure hope so. I see a static route tab in the advanced GUI Web Admin App but I have tried several attempts to do this but I am confused on how to set this up.

If someone could help me out, I would appreciate it.

Thanks
Curt
 
Just wondering, am I understanding this correctly? I have the BEFVP41 set up at the office with tunnel configured for remote user. A remote user using xp or 2000 sets up his end to connect to the tunnel. Now, does someone need to manually go into the BEFVP41 setup page on the web and click connect to establish this connection?? Or will the remote user be able to automatically connect on his end?
 
to nik_420

You mentioned above problems with the environment and the x-over cable. I am assuming you mean connect the x-over between the two wan ports of two BEFVP41's, and skip the whole internet. This would sure make things a little easier, as opposed to hauling my cookies all over the place to try and solve problems.

When you mention environment, I am guessing you are speaking of things like fluorescent lights and big electric motors, and things such as this.

Am I correct on these two points?

Thanks
Spinge
 
to spinge:

You're right, X-over between the WAN ports. The IP of router "A" is the gateway of router "B" and vice versa, making them point at each other.

Many times when setting these up, you have Cisco routers in front of the Linksys that don't allow traffic to go through unless you create a rule... Or you have other types of firewalls that create weird situations.... That is why testing out the routers with an x-over cable will let you know if it's the routers or the environment. For example, if you look at RCOLE's problem, it completely looks like there is something environmental that is filtering data from going through.
 
To CurtTech,

I think the only way you are going to get this to work is to install a layer 3 device (some type of router) between the Linksys BEFVP41 and your 10.1.0.0 network. And no, it cannot be another Linksys.

The reason I say this is that these Linksys devices are only capable of class C type operations on the LAN side. What you are trying to do (using your subnet mask) is assign a class B type address to the LAN side. If you look on your Setup Page for the BEFVP41, you will notice that the settings for the LAN IP address subnet masks are as follows:

255.255.255.0
255.255.255.128
255.255.255.192
255.255.255.224
255.255.255.240
255.255.255.248
255.255.255.252

There is no provision for a subnet mask of 255.255.0.0. If you really want this to work, you will have to get another type of layer 3 device (router) that can support a class B address scheme. Something that you may want to try is configuring a multi-homed router on a WinNT machine or try configuring a routing and remote access server for WinNT/W2K server.

Once you have your other layer 3 device installed/configured, then set up your static routes. As it is now, setting up static routes won't work due to the limitations of the Linksys.
 
Does anybody have any experience setting up a BEFVP41 to a 3Com OfficeConnect DMZ (with VPN module)? I have spent several days now trying to get the two routers to talk to each other and create a tunnel so that I can join our UK Office to our US Office. Is there such a thing as a step by step guide or am I just being extremely hopeful :) Any help would be most greatly appreciated.
 
Have tried BEFVP41 with SonicWALL (same as 3COM). The tunnel works with FW 6.x, not with 5.x. 3COM is on the level 5.x, so I doubt it will ever work.

Markku
 
Linksys has officially released firmware 1.40.2 on April 11.
Version History follows...

I have not tried it yet.


BEFVP41 Firmware History
========================

v1.40.2 2002-03-10
1. Fixed a U/I bug in v1.40.1 that "IPSec Advanced Setting" screen failed to apply.

v1.40.1 2002-03-01
1. Fixed a U/I bug in v1.39.66 and v1.40, that causes IP Range setting for Local Secure Group can not be applied.
2. Fixed a U/I bug in v1.39.65c and later, that causes the Domain Name setting on Setup screen can not be displayed.
3. Fixed a bug in v1.39.65c and later, that causes the Manual Keying did not work.
4. The factory default TimeZone value is changed from GMT-12(Kwajalein) to GMT-8(USA Pacific Time)
5. In Manual Keying option, the maximum phrase length of Encryption Key is changed from 23 to 24 characters.
6. In Manual Keying option, the maximum phrase length of Authentication Key is changed from 19 to 20 characters.
7. Do not display connection status if Manual Keying is applied

v1.40 2002-02-19
1. The default Phase 1 Key Lifetime is changed from 1 to 8 hours. (the Phase 2 Key Lifetime is still 1 hour.)
2. Fixed a PPPoE configuration bug in v1.39.65c and v1.39.66, that causes incorrect PPPoE password when Apply PPPoE configuration twice.

v1.39.66 2002-02-01
1. Supports FQDN (Fully Qualified Domain Name) option for Remote Security Gateway setting
2. Improves IKE handling process.
3. Changes the default settings of both Anti-replay and Keep-Alive from Enable to Disable

v1.39.65c 2002-01-10
1. Re-layout the Setup, DHCP and Upgrade-Firmware screens.
2. Supports IPSec Aggressive Mode.
3. Adds an IPSec Advanced configuration screen that provides following advanced settings:
(1) Phase 1 proposal
(2) Phase 2 proposal
(3) NetBIOS broadcast
(4) Anti-replay
(5) Keep-Alive
(6) Block unauthorized request
Note. On VPN setting page, clicks phrase "more..." will link to this Advanced page.
4. Solves an Anti-replay handling problem that causes IPSec tunnel disconnected under heavy loading test
5. Provides PPTP Client functionality
6. Provides NTP(Network Time Protocol) client functionality
7. Adds "Client Lease Time", "DNS" and "WINS" settings on DHCP screen.
8. Besides LAN network, the Local Secure Group can be set as any other network. This also allows user to set Local Secure Group as Class A, B or C network.
 
Hello

I have 1 Linksys router at work and a Windows XP Pro box at home. Set up tunnel as per Linksys instructions. I can connect fine from Linksys side to Windows XP at home but cannot establish a connection from home to Linksys side.

 
Has anyone tried/had any luck connecting Linksys to a Microsoft ISA Server? I have tried a lot of things and can get the tunnel to connect and stay up. Problem is it does not pass any data between the two networks on either side. Any ideas/help would be greatly appreciated.

Scott
 
Has anyone had any luck with 3rd party vpn client software to connect to the BEFVP41? If so, can you list it here?
 
OK
Here are the specifics of what I tried all weekend to get running. Any aid you could give would be greatly appreciated.

Home Network:
192.168.11.0/24 subnet.
BEFVP41 on a cable modem.
XP and 2000 clients behind Linksys.

Office Network:
192.168.10.0/24 subnet
Microsoft ISA server connected to Cable modem with static IP's.
whole slew of clients/servers behind isa server.

I went through the steps outlined in the whitepaper on the Linksys site in order to connect Win2k and BEFVP41. From the BEFVP I can successfully connect an IPSEC session (according to the BEFVP). I cannot, however, pass data between the two subnets.

Checking the routing tables on the BEFVP show that no new routes for the remote network are added to its routing tables after connection. I thought of trying to enter static routes, but there is not an IP or interface to specify in order to have the traffic pass through the VPN.

I can connect through the BEFVP with an XP client to establish a VPN to the ISA server fine. After doing that I can ping and connect to the machine in my office network, so I know that the ISA server will pass the traffic if the connection is correct.

Thanks in advance for any ideas,
Scott
 
ScottH1:

what firmware release are you using? I can't get the latest (v1.4.2) to work with my setup (BEFVP41 to Linux FreeS/WAN) but rolling back to 1.3.64 works perfectly.

With 1.4.2 it connects okay but it appears that there isn't a route through to the office network. Pings, browsing, etc. don't work no matter what I try.

After flashing the firmware at least a dozen times, here's my current foolproof way of making my tunnels work:

1. press & hold the reset key for 45 seconds (resets back to the factory defaults)
2. unplug the router for 5 seconds & plug it back in
3. flash with 1.3.64 firmware with TFTP.exe
4. press & hold the reset key for another 45 seconds (just in case)
5. unplug the router for 5 seconds & plug it back in

6. log into the router via the web interface & do the usual setup procedures
7. Check your ISA server for the configuration it needs (ie MD5 or SHA Authentication, DES or 3DES encryption, IKE Key Management, PFS, etc.).
8. Although common sense dictates that the router would try the variables you specify in the VPN screen, when I check my logs it appears that it tries the alternative proposals first. I log into the page and set the 2 proposals to the following (yours will likely be different):

Main Mode

3DES
MD5
1024-bit
3600 seconds

3DES
MD5
ON
1024-bit
3600 seconds

That does the trick for me, I hope it helps you out.

Jim
 
I'm having some of the same problems that some of the other people here are having, and I think I've stumbled onto the solution.

Here's what I have: A main office with an NT Domain with Win98 workstations and a cable modem connection to the internet (DSL was full), and 2 branch offices each with a Win98 workgroup and an ADSL connection to the internet.

I set up a Linksys BEFVP41 at each location according to the instructions in the box, and it didn't work. I could connect, but I couldn't communicate. I tried a number of things, including some of the suggestions I found here, but nothing helped. Then I thought, the reason I wouldn't be able to ping one device from another would be because there wasn't a route between them. So I enabled Dynamic Routing (RIP1 Tx & Rx) on all three routers, and created static routes between the local secure groups and the remote gateway. It worked!

It seems that the BEFVP41 creates an IPSec tunnel between 2 LANs, but it doesn't create a route that uses it! I don't know if the dynamic route or the static route solved the problem, but my LANs are talking to each other, so I'm not messing with it.
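
The two checks raised in the posts above (whether a LAN mask is one the BEFVP41 setup page offers, and whether the routing table has an entry covering the remote secure group), as an added example that is not part of any poster's reply and not Linksys code. The function names, the sample routing table and the overlap check are assumptions added for illustration; the subnets are the ones from ScottH1's post.

```python
import ipaddress

# LAN-side masks the BEFVP41 setup page offers, as listed earlier in this thread.
SUPPORTED_LAN_MASKS = {
    "255.255.255.0", "255.255.255.128", "255.255.255.192", "255.255.255.224",
    "255.255.255.240", "255.255.255.248", "255.255.255.252",
}

def lan_mask_supported(lan):
    """True if the LAN's netmask is one the setup page can express."""
    return str(ipaddress.ip_network(lan, strict=False).netmask) in SUPPORTED_LAN_MASKS

def best_route(dest_net, table):
    """Longest-prefix match of dest_net against (prefix, interface) rows."""
    dest = ipaddress.ip_network(dest_net, strict=False)
    rows = [(ipaddress.ip_network(prefix), iface) for prefix, iface in table]
    hits = [(net, iface) for net, iface in rows if dest.subnet_of(net)]
    return max(hits, key=lambda row: row[0].prefixlen, default=None)

def check_plan(local_lan, remote_group, table):
    """Return a list of findings for one end of a LAN-to-LAN tunnel."""
    findings = []
    local = ipaddress.ip_network(local_lan, strict=False)
    remote = ipaddress.ip_network(remote_group, strict=False)
    if not lan_mask_supported(local_lan):
        findings.append(f"LAN mask {local.netmask} is not offered on the setup page")
    # Added general sanity check (assumption, not from the thread): both ends
    # using overlapping address space makes "remote" traffic indistinguishable.
    if local.overlaps(remote):
        findings.append(f"{local} overlaps remote group {remote}")
    route = best_route(remote_group, table)
    # Only the default route (prefix length 0) matching means no entry for the
    # remote LAN exists, which is what the posters saw in their routing tables.
    if route is None or route[0].prefixlen == 0:
        findings.append(f"no specific route covers {remote}")
    return findings

# Constructed sample: a home router's table before any static route is added.
SAMPLE_TABLE = [("192.168.11.0/24", "LAN"), ("0.0.0.0/0", "WAN")]

if __name__ == "__main__":
    for finding in check_plan("192.168.11.0/24", "192.168.10.0/24", SAMPLE_TABLE):
        print(finding)
```
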
 
Hello...

I'm having a problem with routing between the networks. What I have is:

Main Location

Windows 2000 Server - 2 network cards
I network Card With Public IP Address
10.0.0.7 255.255.255.0 Internal

Server 2
10.0.0.6 255.255.255.0

---

Location 1
Linksys Router
10.0.1.1 255.255.255.0
Client 1
10.0.1.11 255.255.255.0 DG 10.0.1.1
Client 2
10.0.1.12 255.255.255.0 DG 10.0.1.1

At the main location...
Win2000 can ping Client 1 and 2 and map drive to either.
Server 2 cannot ping Client 1 or 2

At the Location 1...
Client 1 and client 2 can ping and map a drive to Win2000 (10.0.0.7),
But not to server 2 (10.0.0.6)

Is there a way to make this happen, besides replacing the 2000 machine with another linksys router? I was hoping that there was a way to enable the 2000 machine to route into the 10.0.0.0 network.

Thanks in advance for any help
 

I too have tried many times, with a pair of the BEFVP41's. They will just about always connect (I have a DSL at work, and a cable modem at home), except when I am having trouble with my broadband providers (another story). I have tried using all of the possible firmware releases, but to no avail.

Here is my problem:

When I sit on my local LAN at the office, I can ping anything in the network (8 PC's, 2 Print Servers, an HP with a jetdirect, an IBM/AIX telnet server, and my PC at home), but when I sit at home, I can only ping 4 of the 8 computers, and nothing else (all reports connection timed out). The fact that I can ping through the VPN to home from work, and to some of the computers back the other way, leads me to believe that the tunnel is functioning OK (although I did apply TCav's idea of applying dynamic routing and creating a static route - when looking at the routing table, there was previously not an entry to the other LAN). Otherwise, I am pretty stumped. Of the machines at work that do reply, they are running 4 different OS's (w2k-sp2, 98se, me, and xp). I have the NetBios box checked on both VPN's, as well as anti-replay and keep alive.

Any ideas anybody might have would be really helpful

Thanks
 
Hello!

I have read through these posts and have seen some problems similar to mine. I had no luck at all yesterday connecting to a Zywall 100 at our parent company's office. Today, by changing the "local secure group" setting to exclude my BEFVP41 LAN IP, the connection worked!

The issue I am now having is that I can ping a PC and see it when I use search for computer, but I cannot see its contents by double clicking on it. I am using Windows 2000 and I have the proper username and pass for the remote computer. Could the fact we are in different domains cause trouble?

Anybody have an idea?
 
TCAV

Can you please give us your configs that work for you? I am esp. interested in what static routes you set up to communicate between networks.

Thank you

 