
Linksys BEFVP41 VPN Tunnel to Cisco 3000, Setup Questions

adowen

Programmer
Oct 13, 2001
6
US
I have a Linksys BEFVP41 router with a cable internet connection. My workplace has in place a Cisco Concentrator 3000 series VPN set up & working. I have (in the past) used the Cisco client over a dial-up connection to gain access to the corporate network. Can anyone provide me specific information on where I can get the Cisco 3000 settings so that I can set up my Linksys router for a tunnel (without using the Cisco client)?

TIA,

AO
 
Did you get an answer? I have the same set up and haven't had any success setting it up.
 
kschroeder,

At this time, I have no "answer" to report of. We have found that the IOS version that our Cisco Concentrator is using needs to be updated for the VPN connection to be successful. We hope to have that done in the coming days. Until that happens though, all testing will be moot.

aowen
 
You can only get those settings from your LAN/WAN guy at work. The person who knows the settings. Unless you have access to the concentrator and get telnet/ssh into it. But you can guess at a lot of the settings, since the Linksys is pretty simple in comparison setting wise. You need to know what the IP address that it allows to come in, what IP address it has on its inside interface, and what its IP address is. You can play around with these settings all day though, unless the 3000 is set up to do a device to device VPN, as opposed to client to host, the tunnel will never go. But don't fret, you can use your client through the Linksys in the meantime. What you need to do is tell the LAN/WAN person that this is what you are doing, and ask them to set it up for you. After all there may be a security risk that they do not want to take involved here, or they may not have the ability to set this up without disrupting the current state of balance that is so hard to come by in the world of VPNs and such. Good luck.
 
Does anyone have a document for this setup? I'm about to implement a BEFVP41 in an office with 5 users and connect it to our existing Cisco VPN 3000. Any help will be greatly appreciated.
 
Speaking from the lan/wan guy side I personally would not allow a router to router VPN connection for a home user. This would not only allow one machine at the home site but all machines on that network access through the VPN. With everything on the home end being dynamic it would be near impossible to filter out unwanted addresses as they are constantly changing. This allows too many open holes like if a home user has an unsecure wireless access point...anyone that can access that device would then be able to access HQ through the VPN.
 
If anyone's configured these two devices to connect to each other via point to point please post a simple walk through on what is actually needed in order to see these two devices up. Adowen, if you got this working please give us a walk through.

 
CaMiX (IS/IT--Management)


First off you have a few stipulations to building a VPN between a 3000 and a Linksys box. There are no static NATs, which may or may not be a problem for you.

First you can go through your VPN Wizard in the 3000 box and enter the remote peer (Linksys) and keep paging through. You will have to enter the transform set (encryption, hash, etc.), the local encryption domain (IPs on your end that will initiate a connection with the other end) and remote encry domain (IPs that will initiate from the Linksys side). You have to make sure they match exactly, otherwise the 3000 will keep trying to reach an address in the ACL and if it can not find it it will assume the tunnel is down and tear down all the other SAs. Also on the 3000 box you have to turn off IKE keep alive in order to keep the tunnel from going down (since Linksys does not support this option).

For the Linksys it will depend on the firmware but it is very similar, set up the appropriate rules in the lan-to-lan options and test. The 3000 will be much more helpful in troubleshooting the connection, Linksys logs are very vague.

Hope this helps someone.

Tom Werner
VPN/Network Engineer
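
The matching requirement described in the post above can be checked before the tunnel is brought up. This is an added example, not part of the original thread and not either vendor's tooling; the dictionary keys, the function name and all addresses are constructed for illustration, and comparing domains as networks rather than strings is this example's choice.

```python
import ipaddress

def _nets(cidrs):
    # Compare as networks, not strings, so mask and prefix notation are equal.
    return {ipaddress.ip_network(c, strict=False) for c in cidrs}

def tunnel_mismatches(hq, home):
    """Return a list of settings that differ between two LAN-to-LAN peers."""
    problems = []
    # Each side must name the other's public address as its peer.
    if hq["peer"] != home["wan_ip"]:
        problems.append(f"hq peer {hq['peer']} != home WAN {home['wan_ip']}")
    if home["peer"] != hq["wan_ip"]:
        problems.append(f"home peer {home['peer']} != hq WAN {hq['wan_ip']}")
    # Transform set (encryption, hash) must be the same on both ends.
    for key in ("encryption", "hash"):
        if hq[key].lower() != home[key].lower():
            problems.append(f"{key}: hq={hq[key]} home={home[key]}")
    # Encryption domains must mirror each other exactly.
    pairs = (("hq local / home remote", hq["local_nets"], home["remote_nets"]),
             ("hq remote / home local", hq["remote_nets"], home["local_nets"]))
    for label, a, b in pairs:
        diff = _nets(a) ^ _nets(b)
        if diff:
            problems.append(f"{label}: unmatched {sorted(str(n) for n in diff)}")
    # The post says keepalive must be off on the 3000 side.
    if hq.get("ike_keepalive", True):
        problems.append("hq: IKE keepalive enabled")
    return problems

# Constructed sample settings (documentation and private address ranges).
HOME = {"wan_ip": "198.51.100.77", "peer": "203.0.113.10",
        "encryption": "3des", "hash": "md5",
        "local_nets": ["192.168.1.0/255.255.255.0"],
        "remote_nets": ["10.20.0.0/16"]}
HQ_GOOD = {"wan_ip": "203.0.113.10", "peer": "198.51.100.77",
           "encryption": "3DES", "hash": "MD5",
           "local_nets": ["10.20.0.0/16"],
           "remote_nets": ["192.168.1.0/24"], "ike_keepalive": False}
# Same as HQ_GOOD, but with a different hash, a narrower remote domain
# and keepalive left on.
HQ_BAD = dict(HQ_GOOD, hash="SHA1", remote_nets=["192.168.1.0/25"],
              ike_keepalive=True)

if __name__ == "__main__":
    for name, hq in (("good", HQ_GOOD), ("bad", HQ_BAD)):
        print(name, tunnel_mismatches(hq, HOME) or "no mismatches")
```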
 
JOAMON (IS/IT--Management) 18 Apr 05 13:56
Speaking from the lan/wan guy side I personally would not allow a router to router VPN connection for a home user. This would not only allow one machine at the home site but all machines on that network access through the VPN. With everything on the home end being dynamic it would be near impossible to filter out unwanted addresses as they are constantly changing. This allows too many open holes like if a home user has an unsecure wireless access point...anyone that can access that device would then be able to access HQ through the VPN.


This is where you would set up a static NAT on your end. While the IP is dynamic it will not change during a session. If you have the user set up a static IP on their network, and NAT by source address, you should be fine; no other users on the same network could access it unless they were going through their computer, in which case you will have the same problems with a Client VPN or Citrix, etc.
 