Linksys BEFVP41 VPN problems

Status
Not open for further replies.

ScottCudmore

Technical User
Jan 24, 2002
3
US
Hi,
I just purchased the new Linksys VPN router. I want to be able to connect to my home network from a remote Windows 2000 machine. There are no steps or docs on how to do this. Only Linksys to Linksys VPN. When I connect from a Windows VPN connection, all I get is an error on the Linksys.

Does anyone have any ideas?

Scott

 
I've read this entire thread and have to say there is a lot of experience out there. I know this has been discussed, and I know the response will be "buy another BEFVP41 router" but I'd like to try without it if possible. I have one VPN router on a home network running XP, XP Pro, and Win98 on 5 computers. I'd like to connect to a friend in another state (no network - just a standalone), and my laptop when traveling (both running 98SE). I've installed Sentinel v1.3.2 on the laptop and was able to create a tunnel (VPN Log showed - 002-07-28 15:54:12 IKE[3] Set up ESP tunnel with 66.19.81.221 Success !). From there, everything is downhill. I can't ping either way. It times out. I have v1.40.3 on the VPN Router.

I know that my ISP blocks port 80 (Roadrunner). Is it possible this problem is with them? I'm figuring as long as I have created a tunnel then it shouldn't be.

Any other suggestions?

Thanks.
 
I've read this entire thread also, and have the same problem as IATROS56: I'm unable to connect a win2k workstation to this device. Here's my environment/scenario: I need to connect a Win2k PC (behind a NAT device that has a 10.0.0.x LAN, and dynamic IP WAN) to a BEFVP41 device sitting on a static IP (192.168.1.x on the LAN side). I have followed the "Appendix C" directions provided by Linksys, have tried other tips that I've seen in this thread (and elsewhere). Everything appears to be set up correctly, but when I ping a server on the 192.168.1.x network from the Win2k box (with a "-t"), I get repeated "Negotiating IP Security." The one part of this puzzle that I'm still not entirely sure about is this: When configuring the IPSec policy on the Win2k machine, do I refer to my 10.0.0.x address, or do I refer to my NAT device's statically-assigned WAN IP address?

On the router end, I have it configured for "Any" on both the "Remote Secure Group" and "Remote Security Gateway" settings (could somebody please differentiate between these?).

I do not care about name resolution or browsing. I only need to be able to talk IP from the workstation to a server behind this device (wouldn't want to eat up what little bandwidth I have with netBIOS broadcasts).

Any help would be appreciated!

Jim
 
Hi spectral,

On the router end, I have it configured for "Any" on both the "Remote Secure Group" and "Remote Security Gateway" -> this is correct for a remote PC residing on a dynamic IP in an unspecified network. In your case you could specify Remote Secure Group as 10.10.0.x/255.255.255.0, not necessary though.

Forget about Secpol, use SSH Sentinel instead. You can download the software at with full instructions for Linksys BEFVP41. This works even behind your NAT-device, am using similar setup just now.
 
Hello All,
I also have just purchased two Linksys BEFVP41s. One at the office and one at home. I can ping both ends and access the internet thru both units.
From the vpn log it appears that the units are talking and start to negotiate a tunnel but then I get the following lines in the log 3 times.

01:15:13 IKE[1] **Check your ISAKMP Pre-share Key setting !
01:15:13 IKE[1] Tx >> Notify : INVALID-PAYLOAD-TYPE

I have been doing some looking but can not determine exactly what this message is telling me.
The pre-share key on both ends is exactly the same. I have made it shorter and longer with no difference in results.
Anyone have any ideas?

Thanks,
Allen


 
Hello All,

Just purchased a BEFVPN41 and cannot get it to dhcp on the WAN side. I have an SMC Barricade that I've been using and it has no problems getting an address, GW, etc...

I'm on a Sprint Broadband Wireless connection with a Hybrid network (cable) modem.

Any ideas?

Gordon
 
Hi all

I have a problem with two BEFVP41s. I have a fixed IP at one end, dynamic at the other (connecting via a FQDN from dyndns.org) and all works fine. The fixed WAN IP end has a LAN address range of 192.168.253.x and the other end has a LAN range of 192.168.0.x

So, I am able to make a tunnel just fine but the problem is seeing remote computers - I can ping only two addresses at the 192.168.0.x site, one being the router itself and one other PC (Win2K server). The other way round, I can ping all of the addresses at 192.168.253.x

The 192.168.0.x network has at least one other internet connection, a separate DSL line into a Nortel router.

I've heard of similar problems before but haven't found a resolution yet. Any ideas?

Thanks so much.

Mike
 
Hi Mike,

The gateway of the computers in 192.168.0.x network should point to BEFVP41, otherwise the ping-packets have no way back to your tunnel -> your remote network
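The return-path problem described in this reply, modelled as a routing-table lookup (an added example, not part of the original thread). The router addresses 192.168.0.253 and 192.168.0.1 are the ones Mike gives later in the thread; the remote host address, the assumption that LAN hosts use 192.168.0.1 as their default gateway, and the per-host static route (a generalization of the advice above) are constructed for illustration.

```python
import ipaddress

def next_hop(routes, dst):
    """Longest-prefix match. routes: list of (network, gateway); gateway None = on-link."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in routes if dst in net]
    if not matches:
        return None
    _net, gw = max(matches, key=lambda m: m[0].prefixlen)
    return "on-link" if gw is None else gw

def host_table(lan, default_gw, static=()):
    """Routing table of one LAN host: connected subnet, default route, static routes."""
    rows = [(lan, None), ("0.0.0.0/0", default_gw), *static]
    return [(ipaddress.ip_network(net), gw) for net, gw in rows]

def reply_returns_via_tunnel(table, remote_peer, vpn_router):
    """True if the host hands its echo reply for remote_peer to the VPN router."""
    return next_hop(table, remote_peer) == vpn_router

LAN = "192.168.0.0/24"
REMOTE_LAN = "192.168.253.0/24"
VPN_ROUTER = "192.168.0.253"     # BEFVP41 LAN address, from the thread
OTHER_ROUTER = "192.168.0.1"     # second DSL router, from the thread
REMOTE_PEER = "192.168.253.10"   # constructed host on the far side of the tunnel

def survey():
    """Check three host configurations for a working return path."""
    cases = {
        "default gw = other router": host_table(LAN, OTHER_ROUTER),
        "default gw = BEFVP41": host_table(LAN, VPN_ROUTER),
        "other router + static route": host_table(
            LAN, OTHER_ROUTER, [(REMOTE_LAN, VPN_ROUTER)]),
    }
    return {name: reply_returns_via_tunnel(table, REMOTE_PEER, VPN_ROUTER)
            for name, table in cases.items()}

if __name__ == "__main__":
    for name, ok in survey().items():
        print(f"{name:30} reply re-enters tunnel: {ok}")
```

A host whose reply goes to the other router sends it out the second Internet connection unencrypted and with a private destination address, so the remote side only sees a timeout.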
 
Markku,

When I read your answer, a light bulb went on over my head. I've been trying to ping a Unix box on my network, and had been tearing my hair out...I just kept getting "Request timed out". Now I know! The Unix box (HP-UX actually) isn't configured with the Linksys's address as gateway!

I'm off to reconfigure the gateway address of the HP box!

Thanks to everyone who has shared their knowledge.

The biggest "gotcha" I've seen here so far is the advice that you only have to connect from one end. I had been starting both (hey, what did I know?).
 
Hi Markku

Thanks very much for your reply - that explains the situation perfectly, it's been driving me crazy for weeks!

However - what I really want to achieve is as follows. The 192.168.0.x network has a second DSL connection, with some kind of VPN router on it at 192.168.0.1 creating, I assume (it's not mine), a tunnel to a remote server somewhere else providing information to about 20 users in the office who use a software application to access it.

I want to give that same connectivity to remote VPN users, so someone can VPN into the BEFVP41 (192.168.0.253) and get a connection back out on 192.168.0.1

Is this possible at all or should I consider another approach?

Thanks again for your previous reply, and hopefully a reply to this.

Regards

Mike
 
OK, following the advice of the folks on this forum, I have everything I need connected. Many thanks!

The pages of the router are as follows, both identical except as noted above:

--------------------------
Setup:

Host Name: myname
Domain Name: myisp.com
Firmware Version: 1.40.3, Apr 24 2002
Time Zone: Central Time(USA & Canada
LAN IP Address: 192.168.1.1 (Different on other end)
MAC Address: (**-**-**-**-**-**)
WAN Connection Type: DHCP

--------------------------
VPN:

This Tunnel: Enable
Tunnel Name: Network A
Local Secure Group -
[Subnet] IP Addr: 192.168.1.0
Mask: 255.255.255.0

Remote Secure Group-
[Subnet] IP Addr: 192.168.1.0
Mask: 255.255.255.0

Remote Security Gateway-
[FQDNA] Fully-Qualified Domain Name: from-dyndns.org


Encryption: [3DES]
Authentication: [MD5]

Key Management: [Auto. (IKE)]
PFS (Perfect Forward Secrecy) [checked]
Pre-shared Key: **************
Key Lifetime: 3600 Sec.

--------------------------
Password:

Nothing changed from default other than the password.


--------------------------
Status:

Host Name: myname
Firmware Version: 1.40.3, Apr 24 2002
Current Time: Sep. 18 2002 Wed. 16:35:01

Login: Disable

LAN: (MAC Address: **-**-**-**-**-**)
IP Address: 192.168.2.1
Subnet Mask: 255.255.255.0
DHCP server: Disabled

WAN: (MAC Address: **-**-**-**-**-**)
IP Address: ***.***.***.***
Subnet Mask: 255.255.254.0
Default Gateway: ***.***.***.***
DNS: ***.***.***.***
***.***.***.***
***.***.***.***
DHCP Remaining Time: 17:04:23

--------------------------
DHCP:

Disabled

--------------------------
Log:

Nothing changed from default

--------------------------
Filters:

Nothing changed from default. All values at 0.

SPI: Disable
Block WAN Request: Enable
Multicast Pass Through: Enable
IPSec Pass Through: Enable
PPTP Pass Through: Enable
Remote Management: Disable
Remote Upgrade: Disable
MTU: Disable Size: 0

--------------------------
Forwarding:

Nothing changed from default.

--------------------------
Dynamic Routing

Nothing changed from default.

--------------------------
Static Routing

Nothing changed from default.

--------------------------
DMZ Host

Nothing changed from default.

--------------------------
Mac Address Clone

Mac address from ethernet cards inside of their respective LAN segments.

------------------------------------------------

The main thing that messed me up was not being able to ping a unix machine. It turned out that it did not have domain name server addresses in the /etc/hosts file. Also, the gateway address was wrong, as well as the netmask.

Markku's post about not being able to respond to pings was the final piece of the puzzle. Thanks again.

 
Hi Mike,

Your problem has been covered in this thread before, yes I know this is a long thread.

One way is to use a separate router (or machine with routing capability) in your 192.168.0.x network to perform the static routing between different VPN-subnets. This router should be the gateway for all machines in your network.

In BEFVP41 you should create another parallel tunnel (with a different preshared key) for your remote subnet behind another VPN-router. The 70 VPN-tunnels in BEFVP seem to be independent of each other.

Another possibility (easier) is to create a separate tunnel between your remote VPN-boxes. Linky is compatible with many other VPN-boxes.
 
I have two befvp41 routers set up, one at home one at the office. I am able to connect them reliably, but the speed is very slow. I have a 400 kbps adsl connection at the office and a 1.5 mbps cable modem connection at home. Should it be very slow, or is there possibly something I am doing wrong? Thanks for any help.

John
 
Hi John,

Your connections are probably:

ADSL: 400k down/128k up
Cable: 1.5 Mb down /256 up

-> effective bandwidth of VPN is 128/256 = slow
 
markku:

I am not so bright sometimes. The office is a fractional T1. It should be 400k both ways, I think.

Given this, should it still be slow? If so, what can I do to speed it up?
 
Unable to ping or connect to a BEFVP41 firmware 1.40.3 using SSH Sentinel version 1.3.2 (build 2) on an XP SP1 remote client. Both ends have highspeed ADSL connections with dynamic IPs. Both logs from router and SSH show that the tunnel is successful and connected, while I am unable to even ping the private IP address of the Router which is 192.168.100.1.

What I Have tried so far:
Tips and tricks from this thread.
SSH pdf on configuring this router.
Homenethelp.com tutorial on this router.
Linksys support (lol).
SSH email support.
Removed firewall on client side and router (SPI)
Used windows find to search IP of router.
And numerous other combinations of settings.


Still no access to vpn resources and as I write this the tunnel is connected but that is it. Any insight or help is greatly appreciated.

Thanks in Advance

Deano
 
Hi Deano,

Pls follow this document to the point, nothing else. No tweaking.


- Pls recheck that your remote computer is in a different subnet than your network behind Linky and no traces of IP's of network behind Linky are hiding in your network settings in case you are using dial-up, e.g. ADSL-card.

- Pls check that your operator is not blocking #50 ( IPSec )

Should work
 
Thanks for the quick reply Markku, I have entered the settings from the updated tutorial and the comparable SSH pdf and I know them by heart. The remote computer is standalone, so there is no private IP address only the public IP.

Port 500 isakmp is open as I can make a successful tunnel.
I am unable to ping even the private IP of the router; is this normal? I am beginning to think that this router is faulty, as my first router would not even open remote management from a web browser. Is port 50 required or just a typo as it is the Remote Mail Checking Protocol?

I have been troubleshooting this on and off for about a week and have tried a lot of setup attempts with no success. The tunnel negotiation has been working since I first saw the settings for the updated tutorial on homenethelp.com.

Thanks

Deano
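The "#50" in the exchange above is an IP protocol number (ESP, the tunnel type named in the router log earlier in the thread), which lives in a different header field from a TCP/UDP port. This added example, not part of the original thread, parses constructed IPv4 packets to show the difference and what a filter that passes UDP 500 but not protocol 50 does to a tunnel; all addresses and packets are constructed.

```python
import ipaddress
import struct

ESP, TCP, UDP = 50, 6, 17    # IP protocol numbers (byte 9 of the IPv4 header)

def ipv4(proto, payload, src="203.0.113.5", dst="198.51.100.7"):
    """Build a constructed IPv4 packet (checksum left 0; never sent anywhere)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + payload

def classify(packet):
    """Return (ip_protocol, dst_port or None) for an IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4             # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    proto = packet[9]
    if proto in (TCP, UDP):                  # only TCP/UDP carry port numbers
        if len(packet) < ihl + 4:
            raise ValueError("truncated transport header")
        _sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        return proto, dport
    return proto, None                       # ESP carries an SPI, not a port

def passes(packet, allowed):
    """allowed: set of (protocol, port-or-None) pairs a filter lets through."""
    return classify(packet) in allowed

# Constructed samples: IKE negotiation, ESP tunnel data, and a TCP SYN to port 50.
IKE_PKT = ipv4(UDP, struct.pack("!HHHH", 500, 500, 8 + 28, 0) + bytes(28))
ESP_PKT = ipv4(ESP, struct.pack("!II", 0x1000, 1) + bytes(32))
TCP50_PKT = ipv4(TCP, struct.pack("!HHIIBBHHH", 40000, 50, 0, 0, 0x50, 0x02, 1024, 0, 0))

def tunnel_symptoms(allowed):
    """Describe what a given filter policy does to an IKE + ESP tunnel."""
    ike, esp = passes(IKE_PKT, allowed), passes(ESP_PKT, allowed)
    if ike and esp:
        return "negotiation and traffic both pass"
    if ike:
        return "tunnel negotiates, traffic inside it is dropped"
    return "tunnel never negotiates"

if __name__ == "__main__":
    print(tunnel_symptoms({(UDP, 500)}))
    print(tunnel_symptoms({(UDP, 500), (TCP, 50)}))
    print(tunnel_symptoms({(UDP, 500), (ESP, None)}))
```

Opening TCP port 50 changes nothing for the tunnel, because ESP packets have no port field for such a rule to match.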



 
I wonder if anyone has run into this problem? I have the connection working, but it drops occasionally. Is there any way to have the tunnel automatically reconnect after a disconnection?
 