NT VPN and Linksys BEFSR41W...HELP

Status
Not open for further replies.

power2spare

IS-IT--Management
Jun 7, 2002
US
Greetings!

I am trying to set up an NT4 VPN with the Linksys BEFSR41W. I can connect to the NT4 server via VPN over the LAN. But when I try to connect from the WAN it tells me the VPN server doesn’t exist.

I have the following configuration:

DSL modem

Linksys BEFSR41W with the following configuration:
Block WAN Request: Enabled
Multicast Pass Through: Enabled
IPSec Pass Through: Enabled
PPTP Pass Through: Enabled
Under <Forwarding> I have port 1723 enabled for the NT server's IP address (UDP and TCP).

OS= NT4 SP6a

Do I have to DISABLE <Block all WAN Requests> in the Linksys BIOS under Filters? If so, what security does this compromise if any?

Any other thoughts?
 
Did you solve the issue? I have the same problem.

Thanks

 
I am also having a problem.
From the Linksys help people, I keep getting one of two responses: "What is your configuration? Please send me your configuration." or "Thank you for contacting..." etc., with an attachment or two duplicating the Appendix C in the user's guide, and either a PDF document showing how to configure two BEFVP41s to be endpoints of a VPN Tunnel, or how to configure a WIN2K Client with STATIC IP address to access the BEFVP41.

Please understand. I am not angry at anyone, I am very new to this VPN business.

There is really a lot of conflicting information that really doesn't make sense to me, and I'm sure to anyone else.

I'm having trouble keeping my goal in mind, since to troubleshoot this thing, I have to go off on so many tangents.

I'm probably at the stage now where I need a workbook approach to clear out the junk.

This is what I want to do: I have a Win XP Pro laptop, with everything necessary to create a LAN or Dial-up connection.
I have a Linksys VPN Router.
I have a Workgroup (not Domain) Win NT 4.0 SPK 6a File Server.
I have a DSL connection, with Ethernet connection to the WAN port of the VPN Router.
One port of the VPN Router goes to a 3Com Switch (16port) and the other goes to the NT File Server.

At this time, the VPN Router is set as a Gateway. (IS THIS A PROBLEM???)
DHCP is enabled for 50 users, and it is working flawlessly. Everyone on the LAN has connectivity to the File Server and each other's shares.


I have configured the VPN Router for minimum security.
(I'm trying to establish my first tunnel, and I want to make it as easy as possible - firewalls and security can cause a lot of problems at this stage. Yes, full firewall and security after learning curve and before full production. Thanks for being concerned though...)
Tunnel one is enabled.
Local Secure Group is Subnet, and set at 0,0 (IP and MASK)
Remote Secure Group is ANY
Remote Secure Gateway is ANY
Encryption and Authentication are Disabled.
Key Mgt is Auto.
PFS is NOT checked
Pre-Shared key is 1234
key lifetime is 36000
Advanced settings are:
Phase 1 and Phase 2, no change.
NetBIOS broadcast - checked
Anti-replay - checked
the rest is NOT checked.
Filters:
Only changes are,
SPI disabled
Block WAN disabled
the rest are default values.

Several people at the Linksys help desk said that ports need to be forwarded - One said no, the VPN Router handles all ports, as well as some posts in this forum.

So, no ports forwarded.
DHCP is enabled, my DNS Server address entered as well.

To the client side:

Testing from Dial-in, I created a Dial-up connection to my local ISP - (Qwest) - which assigned me an IP address with a Mask of 255.255.255.255 - the last quad of the IP address is different each time I dial in. (IS THIS A PROBLEM???)

I have created a VPN connection (which will invoke my dialer to the internet if not connected) which is SUPPOSED to access the VPN Router (at the IP Address of the VPN Router). I am trying for minimum security here, so I want for minimum on all the passwords and configuration tabs.

I set my Network tab to Automatic for type of VPN.
Security tab is set for no encryption or authentication, preshared key is 1234.

Testing:
So, for testing, I establish the connection to the internet.

The first problem I have is the userid and password for the VPN Connection.

I did not set up a userid nor did I set up a password. So I am not sure what to put in here. I used my LAN userid and password, but I don't see how that could enter into the authentication process before we have a connection via a tunnel.

I try to connect, and eventually get an 800 error on the client. I look at the VPN Log, and see some attempted traffic from my client IP address, those on ports 1701 and 1723, so I feel it a valid assumption that I am attempting to start the handshake dialog with the VPN Router, but it is not responding.

I can see a change if I set my Client VPN Networking tab to either PPTP or L2TP, and try the connection again. Then I get contact attempts on only the 1701 and 1723 ports. 1701 being L2TP and 1723 PPTP. And I get a 678 error on my client.

So, it has to be something to do with AUTHENTICATION, since connectivity has been verified. (I wouldn't log the transaction on the VPN Log if I hadn't knocked on the correct door, so to speak).

Reading further in this (and other) forum, I discovered the information in Appendix C of the Linksys User Guide was significant.

I need to create a Security Policy that would apparently do the hand shake with the Linksys VPN Server to establish the Tunnel.
For all practical purposes, the VPN Tunnel would be between my Client XP and the VPN Router. To put it another way, the Client XP would be one tunnel endpoint, and the VPN Router would be the other.

So far, so good.

I create an IP Security Policy using the secpol.msc snapin,
with minimal security, using the 1234 key for Authentication.

Everything is ready to go, the Policy Server is up and running, the Policy I created has a little green mark, indicating it is active.

And...
Nothing happens.

I know I'm going to look really ridiculous, but what do I do now? Do I want to establish a Dial-in connection? Will my Client XP then try to create the tunnel with the VPN Router?

I seem to be missing a critical piece of the puzzle here.

Especially since postings to this forum have stated NO, you DON'T WANT TO CREATE A VPN CONNECTION. YOU CONNECT VIA A SECPOL.

I'm stuck, what triggers the process now?
Any and all help greatly appreciated.

r0bert
Whitewater Wireless, Inc.
Rochester, Minnesota





 
Hi r0bert,

Some quickies:

VPN Router is set as a Gateway for the LAN computers -> this is absolutely necessary

Local Secure Group is Subnet, and set at 0,0 (IP and MASK) -> this is wrong, should reflect your actual local subnet

Linksys help desk said that ports need to be forwarded -> no port forwarding necessary

I can see a change if I set my Client VPN Networking tab to either PPTP or L2TP -> wrong, BEFVP41 uses IPSEC only. Remove.

You should do following steps:

Upgrade the firmware to the latest version of BEFVP41
Use dial-up networking only for contacting your ISP
Try SSH Sentinel iso SecPol
Follow the instructions in site to the point

It will work!
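
Added example, not part of any post in this thread: a small Python audit of the test tunnel settings r0bert lists, including the Local Secure Group value the reply calls wrong, next to a constructed corrected profile. The dictionary key names, the 192.168.1.0/24 subnet, the placeholder key and the 20-character minimum are assumptions made for illustration, not values from the router or the thread.

```python
import ipaddress

# Tunnel and filter settings as listed in the post above. The key names are
# invented for this example; "0.0.0.0/0" stands for the posted "0,0 (IP and MASK)".
POSTED = {
    "local_secure_group": "0.0.0.0/0",
    "encryption": "Disabled",
    "authentication": "Disabled",
    "pfs": False,
    "pre_shared_key": "1234",
    "spi": False,
    "block_wan": False,
}

# Constructed corrected profile: subnet and key are placeholders, and "Enabled"
# stands for whichever algorithm the router offers.
CORRECTED = {
    "local_secure_group": "192.168.1.0/24",
    "encryption": "Enabled",
    "authentication": "Enabled",
    "pfs": True,
    "pre_shared_key": "PLACEHOLDER-long-random-secret-0000",
    "spi": True,
    "block_wan": True,
}

def audit(cfg, min_key_len=20):
    """Return {setting: reason} for every value to change before production."""
    findings = {}
    net = ipaddress.ip_network(cfg["local_secure_group"], strict=False)
    if net.prefixlen == 0:
        findings["local_secure_group"] = "matches every address, not the LAN subnet"
    for name in ("encryption", "authentication"):
        if cfg[name].lower() == "disabled":
            findings[name] = "tunnel traffic is sent without this protection"
    key = cfg["pre_shared_key"]
    if len(key) < min_key_len or key.isdigit():
        findings["pre_shared_key"] = "short or numeric key is guessable"
    for name, reason in (("pfs", "no perfect forward secrecy"),
                         ("spi", "stateful inspection is off"),
                         ("block_wan", "router answers unsolicited WAN requests")):
        if not cfg[name]:
            findings[name] = reason
    return findings

if __name__ == "__main__":
    for setting, reason in audit(POSTED).items():
        print(f"{setting}: {reason}")
    print("corrected profile findings:", audit(CORRECTED))
```

Running the audit again after each change made during testing shows which of the temporary relaxations are still in place before the tunnel goes into production.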
 