ScottCudmore (TechnicalUser) (OP)
24 Jan 02 18:59
Hi,
I just purchased the new Linksys VPN router. I want to be able to connect to my home network from a remote Windows 2000 machine. There are no steps or docs on how to do this, only Linksys-to-Linksys VPN. When I connect from a Windows VPN connection, all I get is an error on the Linksys.

Does anyone have any ideas?

Scott

elmo1 (Programmer)
12 Feb 02 21:52
Same for me... I think you need XP Pro to access it...
Guest (Visitor)
26 Feb 02 22:12
I am having the same problem. I'm ready to return the F$%#*&G thing.
MattWray (TechnicalUser)
26 Feb 02 22:17
Doubtful that you need XP; 2K should be fine. What kind of address scheme do you have, i.e. static or dynamic? If you have dynamic you may need help from your ISP, or I could be way off...

Matt Wray
CCNA, MCP
mwray77518@yahoo.com

Guest (Visitor)
26 Feb 02 22:36
My IP is dynamic from SWBell. I'm curious as to what type of addressing scheme I should use, and what would be the best way for me to set up a host-to-gateway connection...
MattWray (TechnicalUser)
26 Feb 02 22:39
If you have a static IP you can remotely connect via VPN or RAS. I have not setup RAS but I did just setup a VPN for our network. Very easy once you know how to do it!

Matt Wray
CCNA, MCP
mwray77518@yahoo.com

shemfoo (MIS)
27 Feb 02 6:03
once you have the VPN router configured according to the Linksys manual, you should be able to set the Win2k client up according to the documentation provided by Linksys, or search Microsoft's website. If you still can't find it, I can send my documentation to you.
Bear in mind if you have a dynamic address, you will need to know the IP that you have assigned and make changes to the client accordingly.
MattWray (TechnicalUser)
27 Feb 02 10:22
That also depends on how the ISP is issuing IPs. They may have some sort of NAT running, in which case you will probably have to get some sort of support from them.

Matt Wray
CCNA, MCP
mwray77518@yahoo.com

alopera (MIS)
1 Mar 02 15:24
I currently have two VPN routers connected and I am still testing. I'm trying to get through our company network and connect with my home PC. I have been able to connect and I was able to map the C drive on my home PC. I was wondering if that is all I will be able to do, because I was not able to see my computer in Network Neighborhood? Am I doing something wrong? I called Linksys and they stated that they could not help me because I was already connected and that my problems were just networking between a Windows 98 machine and a Windows 2000 machine. Any help would be great.
MattWray (TechnicalUser)
1 Mar 02 19:39
I don't think you can browse with Network Neighborhood. Try using the command line: \\computername\share.

Matt Wray
CCNA, MCP
mwray77518@yahoo.com

spaceman (TechnicalUser)
15 Mar 02 16:16
OK folks :) Let's start again. Using the BEFVP41, how does one set up the client side (Win2K or WinXP)? Can the Windows VPN client just authenticate with the remote Linksys VPN, or does it have to forward the packets to a single destination? The menus appear to allow connecting a client to a remote subnet or subnet to subnet.

Has anyone found detailed instructions ?
MattWray (TechnicalUser)
15 Mar 02 17:17
I don't know a lot about that Linksys, but you should make sure it allows traffic through on port 1723. With the Win2K VPN connection:
Network and Dial-up Connections -> Make New Connection -> Connect to private network -> follow the wizard through the rest of the steps.
Let us know how it goes!

Matt Wray
CCNA, MCP
mwray77518@yahoo.com

spaceman (TechnicalUser)
15 Mar 02 18:59
Matt,

I did this with no luck already. Typically, the better VPN servers play nice with the Win2K/WinXP built-in client. It's too bad that Linksys didn't include basic instructions to get a mobile user access to their networked computers and printers behind the VPN router.

Spaceman
madnessxx (MIS)
15 Mar 02 19:29
No, the Linksys BEFVP41 IS the VPN endpoint. And you won't use the Create VPN Connection wizard to connect to it (that is PPTP and L2TP). That obviously won't work, since at NO time during the Linksys side of the setup are you asked for a username and password.

I am going to be playing around with the IPSec MMC and try to make this work. At least these wizards are talking about the same things as the Linksys config page (pre-shared keys, etc. vs. username and password).

I have configured two of these boxes to talk to each other, but the documentation does mention its ability to work with MS/Cisco and other IPSec devices.
MattWray (TechnicalUser)
16 Mar 02 6:30
Does it HAVE to be the endpoint? Why not have the VPN pass through and use your server for connecting? Is this not supported by that Linksys?

Matt Wray
CCNA, MCP
mwray77518@yahoo.com

madnessxx (MIS)
16 Mar 02 10:49
Yes, otherwise you would have paid double for exactly the same feature set as the BEFSR41. That is the whole point of the BEFVP41: to be the endpoint of up to 70 tunnels.

I'm not trying to flame here, just point out that a lot of you are missing the point. This is the exact info Linksys gave me when I called tech support:
1) How to set it up so you can checkmark the L2TP/PPTP box, and MS VPN is out.
2) Third-party VPN solutions are not supported. It is stated in the manual that it can do IPSec with Win2K, but they don't have docs on it.

DougTheDawg (TechnicalUser)
16 Mar 02 23:18
I have been able to make a little more progress setting up the security policy, but I had to follow the Microsoft instructions:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q252735

The big difference is specifying an IP subnet instead of using the My IP Address option when setting up the filters in secpol.msc. This is different from the Linksys how-to page.

This change allows me to start a tracert from my outside Win2K box to an IP address inside the VPN box. However, the trace route only goes through about 3 of the steps, then starts to time out, and never gets to the external address on the VPN side.

Does anybody have any ideas on other debug tactics to figure out why the tracert stops?
tfccom (MIS)
17 Mar 02 10:05
Hi Everyone,

Just thought I would add my two cents and ask a question, too.

For ISPs using dynamic IP addresses for clients or DHCP, just use a service like deerfield.com's dns2go service. Just set up the dns2go client on ONE MACHINE on the network, and you will now have a fully usable DNS name to log into your VPN with (yourlan.dns2go.com)!

I posted a question asking if indeed the darn VP41 is a headend router, and I guess it is, but how can it be without a username or password; does the public key function as a username/password??? My remote Win 2K Pro user tries to connect, but it just says "No response, redial in xx seconds"... HOW DO YOU SET THIS THING UPPPPPP?!?!?!?!?!?!?

Thanks,
Trevor Farren,
Lexicomm Communications Canada
DougTheDawg (TechnicalUser)
17 Mar 02 11:48
Hello

Just for clarification, I'm trying to connect from an external Win2K box to the VPN box, not BEFVP41 to BEFVP41.

In my dealings with Linksys tech support, they say that you do not make a "network connection" using the dialer. Everything is handled through the IPSec and security policy configuration, and it is always on. I do not know enough about these two things to know if that is really all that is required.

It seems to me that regardless of whether you have a VPN box on Network B, you should be able to configure the security policy on a machine on Network A, which specifies how to get to an internal ip address on Network B, and then do a tracert "internal ip on Net A", and that should get you all the way to the external ip address of Net A.

Maybe it all has to be working properly before this kind of test will work.

Maybe this box really does not work as advertised. I think that Linksys needs to address this issue soon; their documentation does not seem to be complete.
DougTheDawg (TechnicalUser)
17 Mar 02 13:22
My latest conversation with the tech support line says that the "create network connection" option should work fine.

I still get no answer when I attempt to connect. I am going to attempt to forward ports 1723 and 47 from my DSL modem to the VPN router and see if this helps.

Has anyone else gone down this path already?
MattWray (TechnicalUser)
17 Mar 02 15:36
You do not need to forward port 47. That number is a protocol: IP protocol 47, GRE. Forward port 1723 only. Make sure if you have some sort of firewall you configure it to allow the VPN through.

Matt Wray
CCNA, MCP
mwray77518@yahoo.com
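
The distinction Matt draws above (1723 is a TCP port, 47 is an IP protocol number, so there is no "port 47" to forward) is easiest to see by decoding the headers. The following Python is an added example, not code from this thread or from Linksys: it parses constructed IPv4 packets and reports which firewall or NAT passthrough rule each kind of VPN traffic needs. It also classifies the IPsec traffic (IKE on UDP 500 and 4500, ESP as IP protocol 50, AH as 51) that the later posts turn to, since the same port-versus-protocol point applies when a BEFVP41 sits behind a DSL modem or firewall. All packets, addresses and port numbers below are constructed test data, not captured traffic.

```python
import struct
from ipaddress import IPv4Address

# IANA IP protocol numbers. GRE (47), ESP (50) and AH (51) carry no port field,
# so a "forward port 47" rule can never match: they need a protocol rule instead.
PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP, PROTO_AH = 6, 17, 47, 50, 51

# The rule each kind of VPN traffic needs on a device in front of the endpoint.
RULE_FOR = {
    "pptp-control": "tcp/1723",
    "pptp-data": "ip-proto/47 (GRE)",
    "ike": "udp/500",
    "ike-nat-t": "udp/4500",
    "ipsec-esp": "ip-proto/50 (ESP)",
    "ipsec-ah": "ip-proto/51 (AH)",
}


def classify_vpn_packet(pkt: bytes) -> str:
    """Name the VPN component an IPv4 packet belongs to, or 'other'."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _length, _ident, _frag, _ttl, proto, _csum, _src, _dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    payload = pkt[(ver_ihl & 0x0F) * 4:]      # IHL counts 32-bit words
    if proto == PROTO_GRE:
        return "pptp-data"
    if proto == PROTO_ESP:
        return "ipsec-esp"
    if proto == PROTO_AH:
        return "ipsec-ah"
    if proto in (PROTO_TCP, PROTO_UDP):
        if len(payload) < 4:
            raise ValueError("truncated transport header")
        ports = set(struct.unpack("!HH", payload[:4]))   # ports exist only here
        if proto == PROTO_TCP and 1723 in ports:
            return "pptp-control"
        if proto == PROTO_UDP and 500 in ports:
            return "ike"
        if proto == PROTO_UDP and 4500 in ports:
            return "ike-nat-t"
    return "other"


def rules_needed(pkts) -> set:
    """Collapse a capture into the set of passthrough rules the VPN actually needs."""
    return {RULE_FOR[k] for k in map(classify_vpn_packet, pkts) if k in RULE_FOR}


# --- constructed test packets (TEST-NET addresses, zero checksums) ----------------
def build_ipv4(proto: int, payload: bytes, src="203.0.113.5", dst="198.51.100.9") -> bytes:
    """Minimal 20-byte IPv4 header; the checksum stays zero since nothing verifies it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def tcp_header(sport: int, dport: int) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)  # SYN


def udp_header(sport: int, dport: int) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8, 0)


SAMPLES = {
    "pptp_control": build_ipv4(PROTO_TCP, tcp_header(40000, 1723)),
    # GRE v1 as PPTP uses it: flags/version 0x3001, protocol type 0x880B (PPP)
    "pptp_data": build_ipv4(PROTO_GRE, bytes.fromhex("3001880b") + b"\x00" * 8),
    "ike": build_ipv4(PROTO_UDP, udp_header(500, 500)),
    "esp": build_ipv4(PROTO_ESP, b"\x00\x00\x10\x01" + b"\x00" * 12),  # SPI, seq, data
    "web": build_ipv4(PROTO_TCP, tcp_header(40001, 80)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:13s} -> {classify_vpn_packet(pkt)}")
    print("rules needed:", sorted(rules_needed(SAMPLES.values())))
```

Running it over the five samples reports that PPTP needs two rules (TCP 1723 for the control channel and IP protocol 47 for the GRE data channel) and that the IPsec tunnel needs UDP 500 plus IP protocol 50; a NAT box that only forwards TCP and UDP ports can pass the control channel and still drop every data packet, which is exactly the "connects, then nothing works" symptom.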

AdminBoy (MIS)
17 Mar 02 20:34
You are all missing the mark slightly on this post. It is not a VPN solution such as L2TP or PPTP; that is why there are no usernames or passwords. On 2K or XP you will have to create a new IPSec policy by following the instructions in the manual or online. The problem comes in for those who are not running 2K or XP: you need to get a third-party IPSec client such as SSH's client. This is the only way you will be able to get it to work on a pre-2K machine. The method about adding a PPTP adapter and all that junk is not even close to being right; it's a different world when you go that way. I am not sure if this post has helped or not, but I just wanted to give you a heads up.

Thanks
tfccom (MIS)
18 Mar 02 11:57
Alright Let's Summarize...

(Thanks For the Clarification AdminBoy!)

-The BEFVP41 IS a true headend VPN solution, right?

-It DOES NOT use the standard Windows 2000 "Add Connection Wizard"

-It DOES provide authentication on the router end of things

-It DOES need an IPSec policy to connect to Windows 2000 Pro

SO.....

How do you do this policy ---->

Start>Programs>Administrative Tools>Local Security Policy> then ??????????

I think we're all learning a lot; I know I am!!!!!

Trevor Farren
DougTheDawg (TechnicalUser)
18 Mar 02 21:21
Trevor

Further summary:

The link below is the linksys description of how to set up the policy.

http://www.linksys.com/support/support.asp?spid=86

We should all then be able to ping a computer on the inside of the vpn router.  

However, I get a lines like

Negotiating IP Security.
Negotiating IP Security.
Negotiating IP Security.
Negotiating IP Security.

Ping statistics for 192.168.1.103:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum =  0ms, Average =  0ms

There is still no connection.

So..... is it a problem with the IPSec settings or a setting on the VPN router ???????

I'm running out of ideas.

Newthings (MIS)
20 Mar 02 19:55
Hi everyone

I have two questions
1) Once the VPN is established using 2 Linksys VPN, can the PCs browse the internet at the same time ?

2) Is a pair of Linksys a viable VPN solution ?

3)  Is Linksys VPN a sufficient firewall solution ?


Guest (Visitor)
21 Mar 02 12:00
Question: I am running an extremely small business (3 people in 2 separate offices) on 4 computers: 2 desktops running XP Pro, 1 laptop running Win2K Pro, and 1 laptop running NT Server. Would setting up the BEFVP41 on one of the XP Pro desktops be my best bet to link the other 3 computers through a VPN?
pyx18 (IS/IT--Management)
21 Mar 02 16:31
I am also getting the same results..

Negotiating IP Security.
Negotiating IP Security.
Negotiating IP Security.
Negotiating IP Security.

Ping statistics for 192.168.1.101:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum =  0ms, Average =  0ms

Question: Is the VPN screen on the router supposed to show connected or disconnected?

Has anyone got this thing to work? I have only been successful with tunneling to another vpn router....

Ideas anyone???
madnessxx (MIS)
21 Mar 02 17:10
Still have not had the time to look at this Windows -> Linksys VPN, but I was working with Linksys on a problem where the DHCP address wasn't renewing after so many hours (yeah, I know, what does this have to do with VPN... getting there). Linksys told me that my problem was that I didn't have the MAC cloning option going, and that's how the cable company does the accounting for the IPs... Knowing that he was full of BS (I wouldn't have received an IP in the first place) I tried this out. I was able to go out to the internet, but the VPN (Linksys to Linksys) started to fail once I turned on the MAC cloning. Reset the values to 00-00... etc. and the VPN started to work.

So if you have MAC cloning turned on you might want to try disabling that for testing (if you can).
 
Guest (Visitor)
21 Mar 02 21:08
You have to configure Secpol.msc
The VPN router only uses IPSEC
pyx18 (IS/IT--Management)
22 Mar 02 13:25
OK, just got this baby figured out. I used a set of different directions, but it still works the same; just throw out the part about certificates...

http://www.zyxel.com/support/supportnote/zywall10/app/zw_w2k.htm

Newthings (MIS)
22 Mar 02 18:43
To pyx18
Thanks for reviewing the ZyXEL VPN. What kind of certificates are you talking about?

I studied the ZyXEL site and learned that it seems the ZyXEL VPN can work with other vendors' VPN boxes, unlike Linksys.


DougTheDawg (TechnicalUser)
23 Mar 02 0:37
To pyx18

I looked at, and tried, the directions on the ZyXEL web site. They do not seem to be any different from the directions on the Linksys site.

Is there some specific thing that you noticed was different?

I still get the same "Negotiating IP Security" message when I ping a machine inside the VPN box.

Any debug tips would be helpful.

Thanks

Sam88 (IS/IT--Management)
28 Mar 02 20:27
I want to connect two BEFVP41s together but they still do not make a connection. One network has Win 98 machines behind it and the other has XP running. Has anyone been able to do this successfully? Can someone please tell me what I need to do? I have not installed any software on the Win 98 machines. And for XP I followed the online manual.
Any help is greatly appreciated.
tfccom (MIS)
28 Mar 02 21:21
Here's an interesting side note to the whole scenario... this long weekend, when everyone is off the LAN and WAN, I'm going to be testing the Linksys VPN with a NetScreen, Lucent/Avaya, and a slew of other IPSec, actual full VPN clients, all licensed for other VPN boxes I'm working with... I can post the results if anyone is interested...

Trevor Farren,
t.farren@tfc-com.com
Sam88 (IS/IT--Management)
29 Mar 02 12:19
Has anyone at least been able to make a connection between two Linksys VPN routers? I have tried anything and everything but still cannot make a tunnel.
Guest (Visitor)
29 Mar 02 17:34
Linksys does have a step-by-step setup on their Knowledge Base. Just type in BEFVP41 as the keyword... Give me 60 bucks, and I will charge on a step-by-step setup. It's very easy once you set it up over and over... I do it for a living here in Chicago.
Guest (Visitor)
29 Mar 02 17:35
I can make these connect all the time... they are as solid as a rock!!

Sam88 (IS/IT--Management)
30 Mar 02 20:30
OK, I could connect two BEFVP41s together, but how can I see the network on the other side, assuming I have all Win 98? Do I need to install any software, or should they show up in Network Neighborhood??
thanks
tcompe9139 (Programmer)
31 Mar 02 18:50
I too have successfully connected two BEFVP41 routers over a WAN. I am able to see both domains in Network Neighborhood. Both networks are Win2K workstations configured exactly the same. The only difference is the domain name.

Question:
Why can I not browse the remote network? I am unable to ping/map to either side even though the VPN routers show connected.

Any Help would be greatly appreciated.

tcomp
curious2 (TechnicalUser)
31 Mar 02 19:15
Some Linksys BEFVP41s don't have NetBIOS broadcasts enabled. There is a little-known web interface on the Linksys BEFVP41 router that has not been publicly announced by Linksys at this time. The reason Linksys does not yet acknowledge this feature is because they claim that all features do not work yet. Hence the reason they keep us in the dark.

To get to it, you'll have to type the following URL into your web browser to get to the advanced IPSec page.  Like I said, it is not a widely known configuration page.  

The address is 192.168.1.1/IPSecAdvance.htm

If the IPSec Advanced Configuration page does not come up, close out all your browsers and try it again. When you finally get to the page, you will see a box near the bottom of the page named NetBIOS broadcast passthrough or something to that effect. Select this box and hit OK or Apply. You should now be able to pass NetBIOS broadcasts through to the other network and vice versa.

Test it out and let me know how it goes.  
tcompe9139 (Programmer)
31 Mar 02 19:27
I was able to change the NetBIOS setting under the IPSecAdvance.htm page on both ends. Unfortunately, I am still unable to browse/ping/map to the remote network...

This wouldn't have anything to do with trust relationships between the two domains, would it???

Thanks
Tcompe
curious2 (TechnicalUser)
31 Mar 02 19:58
I just ran into the browse/ping/map issue recently.  I had just set up a lab at home with 2 BEFVP41s and 1 W2K server behind each one to simulate a network VPN connection going across a WAN connection.  

Initially, after setting up the VPN tunnel successfully with netbios broadcasts enabled, I was able to ping and browse and map to shares.  

I then stress tested the VPN connection by transferring large amounts of data (650MB to 1.6GB) from network a to network b.  After the transfer was complete, I let the computers and routers sit for a while.  I had the VPN connection set to 0 for the lifetime of the connection so the connection still should have been active.  

About half an hour later, I tried getting to some of the shares on the other computer through the VPN.  Lo and behold, I could not ping or get any shares.  To try and resolve, I went to the VPN interface page and found that the tunnel was still intact.  

So, I tried disconnecting the link and then reconnecting the link.  The disconnect, reconnect worked no probs, but I still was not able to ping or access any shares.  I went to one of the VP41 routers and rebooted it.   Guess what?  After that it worked.  However, the darn problem still persisted after a little while.  Rebooting the suspect VP41 seems to clear the problem  temporarily.  

To test further, I used ping to see where the ping would stop in relation to the computer I was using.  From one of the computers, I would ping the default gateway, the wan ip address of the closest vp41, then the wan ip address of the remote vp41, and then the ip address of one of the computers on the remote network.  

I found that when I was having this problem, I was able to successfully ping all points except the remote network (this is from both sides mind you).  Pinging the defaultgateway, wan ip of local vp41, wan ip of remote vp41 work great.  Just not able to hit the remote network for some reason.

Further testing has revealed to me that one of the NIC cards that I am using seems to be the culprit. One of the NICs that I am using is based on the Realtek 8139 chipset and this is the one that seems to be causing all my problems. Using the other NIC (the onboard NIC on the motherboard) works great. I don't have any problems at all. I will be doing further testing later on over the next few days.

So far, that's all the info I have.  You might want to try running your ping commands and see how far it goes.  

To summarize, I suspect that the Realtek NIC (8139) is probably incompatible.  I have tried using the latest drivers from the Realtek website.  

Rebooting one or both of the VP41s might help.  

Test to see how far the pings will go from network a to b - try pinging default gateway, wan ip address of local vp41, wan ip address of remote vp41, and a computer on the remote network.  

Another thing, what are the IP address schemes you are using? The IP address schemes you use have to be different, i.e. 192.168.1.0 for net A and 192.168.2.0 for net B.

Make sure that these are reflected in the VPN config page.  

Hope that this helps...
TimothyCox (IS/IT--Management)
1 Apr 02 8:03
Hey all,
Just an FYI.
I am running 2 BEFVP41s on cable modems linking 2 remote networks. I am having no problems (I actually run 2 2000 servers in the same domain via this tunnel; it's flawless).
I am running a newer rev of the firmware (1.40.2; it actually allows the use of FQDNs now!). Works great. I also pass PPTP through it to the 2000 servers; that works fine.

I wish it had a real telnet interface; I hate sloppy GUIs. But I am used to Cisco, and can only afford Linksys personally.

If you need the new rev (You think) Email their tech support.

Guest (Visitor)
1 Apr 02 10:23
If you have both ends of the router with the same IP scheme (e.g. 192.168.1.X), you will run into file sharing problems...

To fix it, just change one side to 192.168.0.X and the other side keep it at 192.168.1.X.  

Sam88 (IS/IT--Management)
1 Apr 02 12:12
OK, as in my previous post, I connected two Linksys VPN routers together and the connection has been established (on both sides). But I do not know what I need to do next to be able to see the computers on the other side. We have XP Pro machines on one side and Win 98 on the other side. For the LAN IP I used 192.198.1.X on both sides; otherwise I cannot make the connection.
But even so, for you guys that have made the connection what else did you guys do. Do you guys see the remote network on network neighborhood and are able to browse it??
What else do I need to do??
Any help is greatly appreciated.
madnessxx (MIS)
1 Apr 02 13:13
TimothyCox: Where did you get this 1.40.2 firmware?
http://www.linksys.com/download/firmware.asp?fwid=158 shows the latest as 1.39.64

I hit their FTP site and found a file befvp41.zip in their beta directory, but the zip has a password. /pub/network has befvp41-fw13964.zip.

Also are there any other "hidden" admin pages?

Sam88: the LAN networks HAVE to be different. That is just IP. Your workstation will send out an ARP looking for a MAC address for a host on its network and will receive no response, unless the Linksys functions as some sort of an Ethernet VPN bridge.
When packets are for a different network than the source, the IP packet will be sent to the default gateway (Linksys VPN router) and the router will know that it needs to encrypt the data and send it out to its peer router.

You should be able to ping; if you can't perform an echo then I wouldn't expect any file transfer. If you can, I would set up an XP/NT or 2000 box in place of the 98 for testing, and see if you can access the remote computer by using \\192.168.2.2 (from 192.168.1.2).
lumpen (Programmer)
1 Apr 02 13:46
Is anyone having success using the BEF for the server side of things and just the Win2K/XP VPN software for the client side? Just got the router and after reading all the posts here am wondering if I should even crack the box...

thx
rcole7245 (TechnicalUser)
1 Apr 02 13:48
I have spent over 60 hours with Linksys Tech Support trying to get two of these routers to work. At one point they provided me with the 1.40.2 firmware but that did not help. The second-level support guy suggested I was better off with 1.39.01 and put me back to that.
We see the same symptoms that others report: I get a connection between the routers and the icons for the network group appear in Network Neighborhood, but you cannot ping a machine on either side and you cannot see the machines within the network group. Since last week, I have been in the hands of Engineering. During the course of all the time spent talking to their support I have heard every BS answer imaginable and they have replaced the boxes three times. I finally got hold of one person who seemed to care and spent over a week working with me to try and resolve the problem before he gave up.
I have one box connected between the cable modem and a switch connected to our office LAN. Address is 192.168.1.1 with machines on the LAN addressed at 192.168.1.2 through 100. DHCP handled by our Novell file server.
The other box is addressed as 191.168.01.1 and has been attached between a BellSouth DSL modem and a single Win XP workstation, as well as between a cable modem (same provider as the office) and my 3-machine peer-to-peer network at home running Win 98 and Win ME. Same results everywhere: I can see the NetWare group icons but cannot ping or access machines within the network group. I am beginning to believe the boxes simply do not work. Any advice would be appreciated. Bobcole@servicecpa.com
tcompe9139 (Programmer)
1 Apr 02 15:32
rcole7245: ( And Others )
I too have had the same problem as you and spent many hours with Linksys Tech Support to no avail. Since then I have successfully resolved the issues by changing Network B to the following address, 192.168.2.0, with Network A as 192.168.1.0. Both VPN routers' firmware is 1.39.01.

I am currently running Windows 2000 workstations on both ends as well as WIN2K Servers. Both Networks are configured as independent domains and both are utilizing DHCP.

My VPN configuration is as follows:
***********************************************************
This Tunnel: Enabled
Tunnel Name: Network B

Local Secure group:  Subnet  IP: 192.168.2.0
                            MASK: 255.255.255.0

Remote Secure Group: Subnet  IP: 192.168.1.0
                            MASK: 255.255.255.0

Remote Security Gateway: IP Addr.:  IP: xxx.xxx.xxx.xxx (Wan IP address of the Network A)

Encryption:    3DES
Authentication:  SHA

Key Management Auto (IKE)
PFS is checked

Pre-Shared Key = xxxxxxxxxxxxx

Lifetime = 0
************************************************************
The other router is configured as follows:
This Tunnel: Enabled
Tunnel Name: Network A

Local Secure group:  Subnet  IP: 192.168.1.0
                            MASK: 255.255.255.0

Remote Secure Group: Subnet  IP: 192.168.2.0
                            MASK: 255.255.255.0

Remote Security Gateway: IP Addr.:  IP: xxx.xxx.xxx.xxx (Wan IP address of the Network B)

Encryption:    3DES
Authentication:  SHA

Key Management Auto (IKE)
PFS is checked

Pre-Shared Key = xxxxxxxxxxxxx

Lifetime = 0
***********************************************************


My current issue is the same as curious2's, which is I am able to access resources on both ends, but after transferring data or just doing a simple print job the tunnel is no longer there. Just as curious2 indicated, the tunnel will show connected but I am unable to ping/map or browse the remote network. If I reboot the routers and make the connection again, all is well.

If anyone has any insight as to what may be causing this it would be greatly appreciated....

One other note: curious2 indicated that he felt this may be a problem with the NIC card (Realtek 8139). Unfortunately, I am seeing the same problem with an integrated NIC card as well.

Thanks
tcompe
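
The two tunnel pages tcompe9139 posted are mirror images of each other, and the failure that keeps coming up in this thread (Sam88, rcole7245) is both LANs numbered 192.168.1.0. The following Python is an added example, not code from the thread or from Linksys: it models each BEFVP41 tunnel page as a dict using the field names quoted above and checks a pair of them for the mistakes discussed here (overlapping LANs, secure groups that are not mirrored, mismatched encryption/authentication/PFS, differing or short pre-shared keys, lifetime 0, a placeholder remote gateway). The WAN addresses and the pre-shared key are constructed placeholders, and the minimum key length is an assumed local policy, not a Linksys requirement.

```python
from ipaddress import IPv4Address, IPv4Network

MIN_PSK_LEN = 20                      # assumed local policy, not a BEFVP41 requirement
WEAK_ENCRYPTION = {"DES", "NONE"}
WEAK_AUTHENTICATION = {"MD5", "NONE"}


def secure_group(ip_mask) -> IPv4Network:
    """Fold the UI's (IP, MASK) pair into a network. strict=True rejects a host
    address typed where the network address belongs (192.168.1.1 / 255.255.255.0)."""
    ip, mask = ip_mask
    return IPv4Network(f"{ip}/{mask}", strict=True)


def check_tunnel_pair(a: dict, b: dict) -> list:
    """Return 'code: detail' findings for two tunnel configs that are meant to
    terminate the same site-to-site tunnel. An empty list means they agree."""
    findings = []
    a_local, a_remote = secure_group(a["local_secure_group"]), secure_group(a["remote_secure_group"])
    b_local, b_remote = secure_group(b["local_secure_group"]), secure_group(b["remote_secure_group"])

    # Identical or overlapping LANs cannot be routed between: a host never sends
    # traffic for what it believes is its own subnet to the gateway.
    if a_local.overlaps(b_local):
        findings.append(f"overlap: {a_local} and {b_local} overlap; renumber one side")

    # Each end's Remote Secure Group must equal the other end's Local Secure Group.
    if a_remote != b_local or b_remote != a_local:
        findings.append(f"mirror: A {a_local}->{a_remote} and B {b_local}->{b_remote} are not mirror images")

    # The IKE/IPsec proposal must be identical on both boxes or negotiation never completes.
    for field in ("encryption", "authentication", "key_management", "pfs"):
        if a[field] != b[field]:
            findings.append(f"mismatch: {field} is {a[field]!r} on A but {b[field]!r} on B")
    if a["encryption"].upper() in WEAK_ENCRYPTION:
        findings.append(f"weak: encryption {a['encryption']} should not be used")
    if a["authentication"].upper() in WEAK_AUTHENTICATION:
        findings.append(f"weak: authentication {a['authentication']} should not be used")

    # The pre-shared key is the only peer authentication these boxes do, so it
    # must match exactly and be long enough to resist offline guessing.
    if a["pre_shared_key"] != b["pre_shared_key"]:
        findings.append("psk: pre-shared keys differ (check for trailing spaces)")
    elif len(a["pre_shared_key"]) < MIN_PSK_LEN:
        findings.append(f"psk: {len(a['pre_shared_key'])} characters is below the {MIN_PSK_LEN} minimum")

    for side, cfg in (("A", a), ("B", b)):
        # Lifetime 0 means the SA is never rekeyed, the setting the posts above moved away from.
        if int(cfg["lifetime"]) == 0:
            findings.append(f"lifetime: side {side} never rekeys (lifetime 0)")
        # The remote gateway must be a real unicast WAN address, not a left-over placeholder.
        gw = IPv4Address(cfg["remote_security_gateway"])
        if gw.is_unspecified or gw.is_loopback or gw.is_multicast:
            findings.append(f"gateway: side {side} points at {gw}, which cannot be a peer")
    return findings


# --- constructed sample configs; field names follow the tunnel pages quoted above ---
PSK = "N7q!v2Lp#Xr9$Kd4mZs8&Hw1"        # constructed placeholder, not a real key

SITE_A = {                               # the router at Network A, tunnel named "Network B"
    "local_secure_group": ("192.168.1.0", "255.255.255.0"),
    "remote_secure_group": ("192.168.2.0", "255.255.255.0"),
    "remote_security_gateway": "203.0.113.10",    # placeholder for Network B's WAN IP
    "encryption": "3DES", "authentication": "SHA",
    "key_management": "Auto (IKE)", "pfs": True,
    "pre_shared_key": PSK, "lifetime": 0,
}
SITE_B = {                               # the router at Network B, tunnel named "Network A"
    "local_secure_group": ("192.168.2.0", "255.255.255.0"),
    "remote_secure_group": ("192.168.1.0", "255.255.255.0"),
    "remote_security_gateway": "198.51.100.20",   # placeholder for Network A's WAN IP
    "encryption": "3DES", "authentication": "SHA",
    "key_management": "Auto (IKE)", "pfs": True,
    "pre_shared_key": PSK, "lifetime": 0,
}
# The failure mode from earlier in the thread: both LANs numbered 192.168.1.0/24.
SAME_LAN_A = {**SITE_A, "remote_secure_group": ("192.168.1.0", "255.255.255.0"), "lifetime": 36000}
SAME_LAN_B = {**SITE_B, "local_secure_group": ("192.168.1.0", "255.255.255.0"), "lifetime": 36000}

if __name__ == "__main__":
    for label, pair in (("posted config", (SITE_A, SITE_B)), ("same LAN both ends", (SAME_LAN_A, SAME_LAN_B))):
        print(f"{label}: {check_tunnel_pair(*pair) or ['ok']}")
```

Against the posted pair the only findings are the two lifetime-0 entries; renumbering neither side but setting lifetime to 36000 (madnessxx's value) clears the list, while the same-LAN pair fails on the overlap check even though the tunnel itself would show "connected", which matches what the affected posters saw.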
madnessxx (MIS)
1 Apr 02 17:00
I had no problem with my 2 VPN box config. The two things I notice that are different between mine and yours are:
1) I didn't set lifetime=0; I increased it x10 to 36000 vs. 3600.
2) I don't have a static IP on the one end, so I have it set up on Network A to accept connections from a network range vs. an IP. So Network B can start the connection because B's WAN address is dynamic.

You may have static IPs, but that might be something to play with to see if it works. This way you can see and verify that the key exchange is happening correctly and your tunnel is always being created from one direction. Also, what does your VPN log say when the tunnel doesn't send data through anymore?
curious2 (TechnicalUser)
1 Apr 02 19:37
To tcompe9139:

I downloaded the 1.40.2 firmware from the following site where a user was kind enough to post.  He says that he was forwarded the firmware from Linksys tech support.  The *.zip file contains firmware for 1.39.64, 1.40.1, and 1.40.2.  I have flashed my VP41s to the 1.40.2 and am testing.  Mind you, this is an unsupported unofficial release, so if anyone is going to be using this, use at your own risk.  Once you get to the site, the user name posting this is mlgm.  The posting is somewhere near the middle of the page.

http://www.dslreports.com/forum/remark,2881005~root=equip,16~mode=flat

So far, at least to me, stability seems to be a lot better than the 1.39.64 release.  I did make a couple of changes in the configuration though to see if this would help with keeping the data passing through the tunnels more consistently.

The changes I have made are as follows:

In the VPN web interface config page, I tried changing Key Lifetime (just like madnessxx) from 0 to another number greater than 3600 seconds.  The number I tried was 99999999999999999.  For some strange reason, when I would hit apply, the number would change to 1410065407.  Did this on both of my VP41s, so I just left it at that.

The other change I did was to go to the 192.168.1.1/IPSecAdvance.htm page and made sure that the Keep-Alive box was selected.  Supposedly, according to the Help file, this Keep-Alive function is supposed to re-connect a tunnel after it has been disconnected.  Yeah, I know that the tunnel in your scenario is intact and the data won't flow from Net A to Net B, but I wanted to see if this would help.  

Anyways, will keep testing to see how this turns out.   

TimothyCox (IS/IT--Management)
1 Apr 02 22:02
Probably the biggest problem I am seeing with everyone's config who is having trouble is (as noted by NIK_420) your addressing scheme.
2 identical subnets cannot route between one another; rule 1 of IP and routing.
I use 10.1.1.0/24 (255.255.255.0) on one end and 10.1.2.0/24 on the other (it suits my needs).

For name resolution, either 2 WINS servers (1 on each end of the pipe) that replicate with each other, or 2 2000 servers replicating via Active Directory/dynamic DNS.

I chose the latter, But then again, I am MSDN and get lots of stuff for free :)

Your only other choice is really UGLY: that would be to manually maintain LMHOSTS files on all the PCs in between. UGH. UGH. UGH.

The router will not pass browser broadcasts from clients. Hey, it's a router, that's really all it is! (packet "A" to interface "B") You need to supply another method of name resolution. You have no choice; it's just a stupid device.

If you have an NT Server lying around, WINS is wicked easy to configure to replicate right across the VPN pipe; DNS and 2000 require a bit more finesse.

I hope all my blabbering has been somewhat useful to you all.

Bye.


And yes, I did say "wicked" oh, how I miss the 80's......
curious2 (TechnicalUser)
1 Apr 02 22:26
(Timothy Cox)

"The router will not pass browser broadcasts from clients, Hey, It's a router, That's really all it is! (packet "A" to interface "B") You need to supply another method of name resolution. You have no choice, It's just a stupid device."

Not trying to flame or anything, but sorry, I have to disagree with that part of your post here. The router IS capable and CAN pass NetBIOS broadcasts. You just have to activate NetBIOS broadcasts in the Advanced VPN config page. Since you are running firmware version 1.40.2, all you have to do is get to the web interface, go to the VPN tab, and at the bottom of this page you will see in itsy-bitsy tiny blue letters: more... (just to the right of the View Log radio button).

Click on that and it will take you to the Advanced VPN config page. Near the bottom, you will see a box marked NetBIOS Broadcast. Check it, click Apply, and it WILL pass NetBIOS broadcasts. I'm telling you, it does work.

Although I do agree with you that if you are going to be running 2 separate networks, you probably should use WINS servers.  


tfccom (MIS)
1 Apr 02 22:54
Did we ever come to any kind of conclusion as to the resolution of the "Negotiating IP Security" problem ???...
I keep getting the following after I activate the Win2K local IPSec Policy, then do a ping to my 2KServer box on the other side... all of this after following Linksys' directions EXACTLY:

Negotiating IP Security.
Negotiating IP Security.
Negotiating IP Security.
Negotiating IP Security.
Ping statistics for 192.168.1.103:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum =  0ms, Average =  0ms

I will be posting results with third party IPSec clients shortly, but I'd really love to connect with the stock Win2K Pro IPSec client.

Any Thoughts???

Trevor Farren,
t.farren@tfc-com.com
curious2 (TechnicalUser)
1 Apr 02 23:52
You know, I did this same thing with a W2K Pro to VP41.

Ran a ping 192.168.1.x command, and I also got

Negotiating IP security
Negotiating IP security
Negotiating IP security
Negotiating IP security

However, when I ran the command:
ping -t 192.168.1.x, I got

Negotiating IP security
Negotiating IP security
Negotiating IP security
Negotiating IP security
Negotiating IP security
Reply from 192.168.1.x: bytes=32 time<10ms TTL=150
Reply from 192.168.1.x: bytes=32 time<10ms TTL=150
Reply from 192.168.1.x: bytes=32 time<10ms TTL=150
Reply from 192.168.1.x: bytes=32 time<10ms TTL=150
Reply from 192.168.1.x: bytes=32 time<10ms TTL=150
Reply from 192.168.1.x: bytes=32 time<10ms TTL=150
Reply from 192.168.1.x: bytes=32 time<10ms TTL=150
Reply from 192.168.1.x: bytes=32 time<10ms TTL=150
Reply from 192.168.1.x: bytes=32 time<10ms TTL=150
etc...

ping -t switch just pings forever until you tell it to stop.  

This tells me that the W2K Machine needs time to negotiate the IPSec connection.  

If the W2K machine is set up correctly and the Linksys tunnel is configured correctly and enabled, you should be able to establish the connection.

Try using the ping -t switch and see what happens.


TimothyCox (IS/IT--Management)
2 Apr 02 5:58
Curious2 just taught me something. I guess not needing NetBios, I never even looked for it. I used to use a PPTP tunnel to link these particular locations and was accustomed to using WINS or ADDNS Name resolution.

It will still be more reliable and faster resolving than trusting NetBIOS will propagate.

I'll shut up now.
Guest (Visitor)
2 Apr 02 9:44
Linksys comes with NetBIOS broadcasting, but that may clog the IPSec tunnel, and it's not so safe... I would definitely use a WINS server, or if it's a small network, set up LMHOSTS files....

To all of you that are having disconnection problems, try this, it worked for me.... Force your NICs on both ends down to 10 half duplex, disable NetBIOS broadcast on both ends (we only want IP traffic going through)... Have DES and MD5 as your security, with the max rekey lifetime of 1410065407.... with either firmware 1.39.66 or 1.40.2... post what the outcome is.  
wmckenney (TechnicalUser)
2 Apr 02 10:09
I also am having problems. Have BEFVP41 on both ends. Tunnel shows as connected but when I ping remote Lan I get "reply from: (IP address within ISP network): TTL expired in transit" Tracert shows packet passing back and forth within ISP's network. When doing ping from other end get same result but reply is from that end's ISP network.

Here is how I currently have configured:
Firmware version at both ends 1.39.66


WIN98 >HUB>BEFVP41>Fujitsu (FC966 RA14)  DSL Modem>internet>Cell Pipe DSL Modem(Cell-20A-GX-CB)>BEFVP41>HUB>WIN98

Tunnel shows as connected but can’t ping or see remote group in network neighborhood.

Configuration:

Local secure group 10.3.142.0
Subnet mask 255.255.255.128

Remote secure group 10.3.141.0
Subnet mask 255.255.255.128

3DES (have tried DES and disabled as well with no change)
SHA  (have tried MD5 and disabled as well with no change)

Auto (IKE)

PFS checked (have tried unchecked as well with no change)

Key lifetime 36000 (have tried 3600 default value as well with no change)


Advanced settings for IPSec Tunnel

Phase 1:
Main Mode
Proposal 1:
DES
SHA
768 bit
36000

Phase 2:
Proposal:
3DES
SHA
PFS:ON
GROUP:768-bit
Key lifetime: 36000

NetBIOS broadcast (checked)(have tried both ways with no change)
Anti-replay (unchecked) (have tried both ways with no change)
Keep-Alive (checked) (have tried both ways with no change)
If IKE failed (unchecked)


Linksys has as yet been unable to resolve it, but I have set up a test tunnel with Linksys and get the same results... tunnel connects but no IP traffic gets through.
Guest (Visitor)
2 Apr 02 10:47
Reply to: wmckenney (TechnicalUser)

It definitely seems to be your ISP.... 9 out of 10 times, when traffic is not going through, especially with the symptoms that you're having... it points to your ISP, they block and set up filters for security reasons (viruses, hackers etc.....)
tcompe9139 (Programmer)
2 Apr 02 11:07
Just wanted to say thanks for everyones help...
All is working well...

Thanks
Again
tcompe
curious2 (TechnicalUser)
2 Apr 02 11:53
Hi tcompe9139

Glad to hear that all is well.  Just wondering what steps you took to resolve all your problems?  
wmckenney (TechnicalUser)
2 Apr 02 13:25


to nik_420

Our local ISP responded with this e-mail:

The 10.3.xxx.xxx is a private IP and thus cannot be tracerouted because anyone can use it.  The 66.16x.xxx.xxx is probably the address you want to use to get to the VPN router.  We do not block any VPN traffic.  We have several users who have successfully established a VPN connection with our network.  I would recommend contacting the VPN provider to work out your connection issue since there are too many factors that we cannot help you with.

madnessxx (MIS)
2 Apr 02 14:50
wmckenney: When you get the TTL expired in transit (caused by a routing loop) what does the trace look like? before the 120 some loops?  

When I trace from NetA to NetB it shows up as only one hop.


Also why a 25-bit mask? Surely you don't need the 65 thousand extra networks? Not that it is a problem, just the K.I.S.S. rule always should apply :)


Name Resolution:  An easier solution you could try is to point Network A to Network B's WINS. It is a bit more traffic, but if Network A is a remote office or only 2-3 computers you would save the need for a local WINS server.  Always test your connection via the Run command and put in the UNC for the computer you wish to connect to.  Network Neighborhood is a pile even on a LAN.


Sam88 (IS/IT--Management)
2 Apr 02 15:08
To nik_420 (Visitor)
What do you mean to force the nic to 10 half duplex??

To madnessxx (MIS)
Thanks for your help, I did as you said, I have connected two VPN routers, and I can even ping the computers on the remote side, but I can not access or see the computers on the other side.
I have enabled the netbios hidden thing.
Any idea anyone what else I need to do??
wmckenney (TechnicalUser)
2 Apr 02 15:20
madnessxx: the tracert looks like:

Tracing route to 10.3.141.240 over a maximum of 30 hops

  1    58 ms    33 ms    44 ms  216.3.2.190
  2    40 ms    33 ms    37 ms  border-core01.athens.frognet.net [204.192.96.1]
  3    42 ms    44 ms    57 ms  core03-fa0.athens.frognet.net [204.192.96.8]
  4    48 ms    57 ms    34 ms  border-core01.athens.frognet.net [204.192.96.1]
  5    34 ms    40 ms    56 ms  core03-fa0.athens.frognet.net [204.192.96.8]
  6    45 ms    48 ms    51 ms  border-core01.athens.frognet.net [204.192.96.1]
  7    34 ms    47 ms    35 ms  core03-fa0.athens.frognet.net [204.192.96.8]
  8    35 ms    42 ms    41 ms  border-core01.athens.frognet.net [204.192.96.1]
  9    58 ms    38 ms    37 ms  core03-fa0.athens.frognet.net [204.192.96.8]
 10    47 ms    35 ms    57 ms  border-core01.athens.frognet.net [204.192.96.1]
 11    40 ms    44 ms    36 ms  core03-fa0.athens.frognet.net [204.192.96.8]
 12    53 ms    51 ms    49 ms  border-core01.athens.frognet.net [204.192.96.1]
 13    36 ms    41 ms    52 ms  core03-fa0.athens.frognet.net [204.192.96.8]
 14    51 ms    34 ms    47 ms  border-core01.athens.frognet.net [204.192.96.1]
 15    53 ms    60 ms    55 ms  core03-fa0.athens.frognet.net [204.192.96.8]
 16    35 ms    37 ms    37 ms  border-core01.athens.frognet.net [204.192.96.1]
 17    44 ms    52 ms    36 ms  core03-fa0.athens.frognet.net [204.192.96.8]
 18    42 ms    35 ms    36 ms  border-core01.athens.frognet.net [204.192.96.1]
 19    43 ms    71 ms    37 ms  core03-fa0.athens.frognet.net [204.192.96.8]
 20    54 ms    37 ms    36 ms  border-core01.athens.frognet.net [204.192.96.1]
 21    51 ms    69 ms    53 ms  core03-fa0.athens.frognet.net [204.192.96.8]
 22   153 ms    65 ms    36 ms  border-core01.athens.frognet.net [204.192.96.1]
 23    41 ms    55 ms    53 ms  core03-fa0.athens.frognet.net [204.192.96.8]
 24    36 ms    35 ms    36 ms  border-core01.athens.frognet.net [204.192.96.1]
 25    37 ms    42 ms    41 ms  core03-fa0.athens.frognet.net [204.192.96.8]
 26   296 ms   290 ms   255 ms  border-core01.athens.frognet.net [204.192.96.1]
 27    39 ms    37 ms    37 ms  core03-fa0.athens.frognet.net [204.192.96.8]
 28    36 ms    37 ms    54 ms  border-core01.athens.frognet.net [204.192.96.1]
 29    38 ms    42 ms    44 ms  core03-fa0.athens.frognet.net [204.192.96.8]
 30    38 ms    52 ms    37 ms  border-core01.athens.frognet.net [204.192.96.1]

Trace complete.

As for the subnet mask of 255.255.255.128... that was set up by an IT person for a specific reason in the past. Unless it is thought to be a problem I would prefer not to change it.


The "run\\IP address of remote WIN98 computer"  results in "no network provider accepted the given path"

Guest (Visitor)
2 Apr 02 16:28
To: sam88

10Mbs half duplex is the speed of your network card. You can change the speed as follows:

win9x: right-mouse click Network neighborhood -> double-click the network card -> advanced tab -> Look under properties, look for key words such as  "media" "speed" "connection type"  highlight that, look under value and you will see 10mb half.

win2k / winxp: right mouse click My Network Places -> right mouse click Local Area Network -> Properties -> click configure -> advanced -> Look under properties, look for key words such as "media" "speed" "connection type"  highlight that, look under value and you will see 10mb half.
tcompe9139 (Programmer)
2 Apr 02 19:20
curious2 (Visitor): And anyone else interested

Not sure how my current configuration will help anyone but I will give the details as a reference.

I have two networks that I have been trying to connect for some time now. A lot of my problems were that Management didn't/wouldn't let me spend very much money for static connections. (What a surprise for those of you in the IT industry.)

Anyway...One location (Will call this Network A) has a Fractional T1.
The second location (Out of state Network B) internet access is provided by a local cable co. (Cable Modem)

My current configuration (that is currently working very well thanks to this board) is as follows:

Network A

All workstations are Win2k SP2
All Servers are WIN2K SP2 with 1 as a DC
Services include DHCP and DNS
1 Linksys VPN Router Firmware version 1.40.02
Tunnel Name: Network A
Local Secure group:  Subnet  IP: 192.168.1.0
                            MASK: 255.255.255.0

Remote Secure Group: Subnet  IP: 192.168.2.0
                            MASK: 255.255.255.0

Remote Security Gateway: IP Addr.:  IP: xxx.xxx.xxx.xxx (Wan IP address of the Network B. The address is Dynamic but so far has never changed)

Encryption:    3DES
Authentication:  SHA

Key Management Auto (IKE)
PFS is checked

Pre-Shared Key = xxxxxxxxxxxxx

Lifetime = 1410065407


Network B

All workstations are Win2k SP2
All Servers are WIN2K SP2 with 1 as a DC
Services include DHCP and DNS
1 Linksys VPN Router Firmware version 1.40.02
Tunnel Name: Network B
Local Secure group:  Subnet  IP: 192.168.2.0
                            MASK: 255.255.255.0

Remote Secure Group: Subnet  IP: 192.168.1.0
                            MASK: 255.255.255.0

Remote Security Gateway: IP Addr.:  IP: xxx.xxx.xxx.xxx (Wan IP address of the Network A. Static)

Encryption:    3DES
Authentication:  SHA

Key Management Auto (IKE)
PFS is checked

Pre-Shared Key = xxxxxxxxxxxxx

Lifetime = 1410065407

Both IPSecAdvance.htm pages are configured as follows:
NetBIOS = Checked
Anti-RePlay = Checked (Not sure what this is....)
Keep Alive = Checked


So there you have it.... Both domains are showing up in the Network Neighborhood and I have been able to successfully run an application from an app server located in Network B from Network A, as well as print and map across the tunnel.  The tunnels are staying up and seem to be working flawlessly...

Again many thanks to those that helped!!!!

If there is anything I can do to help anyone else, please feel free to ask.

tcompe
Sam88 (IS/IT--Management)
3 Apr 02 0:17
Another success story.
Thanks to all for their contribution.

I got mine to work too and here are my settings. I would be happy to answer any further questions.

I have 5 and 6 PCs all running Win 98 behind each router.

My settings are as follows, very similar to tcompe9139's (thanks, you solved my last puzzle, and that was the lifetime).
the firmware is 1.39.64

Tunnel name: local
Remote Secure Group: Subnet  IP: 192.168.2.0
                            MASK: 255.255.255.0

Remote Security Gateway: IP Address: Any

(the other network does not have static IP)

Encryption:    3DES
Authentication:  SHA

Key Management Auto (IKE)
PFS is checked

Pre-Shared Key = testing
Lifetime = 1410065407


tunnel name:  remote

 Local Secure group:  Subnet  IP: 192.168.2.0
                            MASK: 255.255.255.0

Remote Secure Group: Subnet  IP: 192.168.1.0
                            MASK: 255.255.255.0

Remote Security Gateway: IP Addr.:  IP: xxx.xxx.xxx.xxx
this is static IP of the remote

Encryption:    3DES
Authentication:  SHA

Key Management Auto (IKE)
PFS is checked

Pre-Shared Key = testing

Lifetime = 1410065407

IPSecAdvance.htm pages are configured as follows:
NetBIOS = not checked (on one router it is checked)
Anti-RePlay = Checked


Now I have a few questions: the only way I could access the remote computers was by Run --> \\private ip of the remote PC.
I can not see any one of the PCs in the Network Neighborhood.
Second, it is really slow, slower than I expected. Is this normal??

I would be happy to answer any questions.
Next I am going to make a tunnel at a third location where the PCs are XP and the fourth location with Win 2000 PCs.
I will keep you all updated.
spinge (TechnicalUser)
3 Apr 02 0:41
Hello All,

First, I want to say thank you - I thought I was the only one who was having trouble, and that it was something I was doing wrong.  I do hope someone from Linksys is following this thread, and will incorporate some of this VERY useful information in the online or printed documentation for the unit.

Anyway....

My questions are:

1)  How do I upgrade the firmware of the VPN.  (From all I have read, it seems this is the way to go)  I have downloaded it from the link on dslreports.com, and unzipped it.  I read earlier in this thread to use TFTP instead of the web based utility - how do I do that?

2)  My network is simply a peer to peer network at each end, with all but a few machines running win2k sp2, but with a twist.  In the main branch, we have an IBM running AIX as the server for our inventory management system.  To access it in the main branch, we simply set up a telnet session to 192.168.1.1 (the IP of the server, I have moved the VPN to 192.168.1.10).  Is there anything special I will need to do at the main or remote location to allow this to happen?

Thanks to all for the help

Spinge
tcompe9139 (Programmer)
3 Apr 02 8:32
spinge (TechnicalUser):
1)  How do I upgrade the firmware of the VPN.  (From all I have read, it seems this is the way to go)  I have downloaded it from the link on dslreports.com, and unzipped it.  I read earlier in this thread to use TFTP instead of the web based utility - how do I do that?


Answer:

TFTP.exe can be used to update the firmware to your VPN router.  Before launching TFTP.EXE make sure the "BEFVP41_v1.40.2_code.bin" (Or what ever firmware you are updating to) file is located in the same path as the TFTP.EXE.

1. Launch the TFTP.EXE
2. You will see 3 boxes you must fill out
    A. Server
    B. Password
    C. File
3. In the field next to the SERVER type in the address of your VPN router. NOT THE PUBLIC ADDRESS but the LAN address. Example 192.168.1.1

4. In the field next to the PASSWORD type in the password that gives you access to the router's GUI.

5. In the field next to the FILE type in the path to the BEFVP41_v1.40.2_code.bin file.  Example D:\Temp\BEFVP41_v1.40.2_code.bin

Click upgrade....

It will take a few minutes for it to start (Or at least it does on mine). Once completed your firmware should be updated.


That's it..

Hope this helps

tcompe
madnessxx (MIS)
3 Apr 02 13:52
wmckennedy:
Current config  Remote secure group 10.3.141.0
                      Subnet mask 255.255.255.128

Tracing route to 10.3.141.240 over a maximum of 30 hops

10.3.141.240 does not belong to the 10.3.141.0/23 net, it belongs to the 10.3.141.128/23 network.  Your router doesn't have a route to that network so it passes it down to its default gateway, i.e. your internet connection.

So if all your IP's are in the range of 10.3.141(2).128-256 you should be telling the linksys box that your Configuration is:

Local secure group 10.3.142.128
Subnet mask 255.255.255.128

Remote secure group 10.3.141.128
Subnet mask 255.255.255.128

PS. Smack whoever did that IP scheme...  a /23 on a 10-net is <<edited out so not to flame>>  :)

98 won't let you do a Run -> \\IP number (BTW it is 2002, hint). If you had two NT or 2k boxes on each side, doing that \\ipnumber would help pinpoint if the problem you are having is with the connection or if it is just a NetBIOS problem.
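A check for the two addressing mistakes this thread keeps running into (the same subnet on both ends, which TimothyCox warns about, and a host that falls outside the secure group as typed, which is the 10.3.141.0 / 255.255.255.128 case madnessxx works through above), written as an added example in Python. It is not code from any poster or from Linksys; the posters' subnets appear only as constructed test inputs, and the mask list is the one curious2 quotes from the BEFVP41 setup page later in the thread.

```python
"""Secure-group sanity checks for a BEFVP41-style site-to-site IPsec tunnel.

Added example; not code from this thread or from Linksys. It mechanises two
checks the posters make by hand: the local and remote secure groups must not
overlap (two identical subnets cannot route to one another), and every host
you expect to reach must fall inside the remote secure group as configured,
otherwise the router has no tunnel route for it and hands the packet to its
default gateway, i.e. the internet, which is what a looping tracert through
the ISP looks like.
"""
from ipaddress import IPv4Address, IPv4Network

# LAN-side masks offered by the BEFVP41 setup page, as listed in the thread.
BEFVP41_LAN_MASKS = (
    "255.255.255.0", "255.255.255.128", "255.255.255.192", "255.255.255.224",
    "255.255.255.240", "255.255.255.248", "255.255.255.252",
)


def prefix_len(mask: str) -> int:
    """Dotted-quad mask -> prefix length, e.g. 255.255.255.128 -> 25.
    A non-contiguous mask raises ValueError."""
    return IPv4Network(f"0.0.0.0/{mask}").prefixlen


def secure_group(address: str, mask: str) -> IPv4Network:
    """The secure group as the router applies it: address ANDed with mask.
    strict=False so a host-style address like 10.3.141.240 is masked down."""
    return IPv4Network(f"{address}/{mask}", strict=False)


def check_tunnel(local_net: str, local_mask: str,
                 remote_net: str, remote_mask: str,
                 remote_hosts: list[str]) -> list[str]:
    """Return the problems found; an empty list means the groups are consistent."""
    problems = []
    local = secure_group(local_net, local_mask)
    remote = secure_group(remote_net, remote_mask)

    # Rule 1: identical or overlapping subnets on the two ends cannot route.
    if local.overlaps(remote):
        problems.append(f"local group {local} overlaps remote group {remote}; "
                        "the two ends must use different subnets")

    # The router's LAN side only accepts the masks from its setup-page list,
    # so a /16 secure group cannot be expressed on a BEFVP41 LAN.
    for label, mask in (("local", local_mask), ("remote", remote_mask)):
        if mask not in BEFVP41_LAN_MASKS:
            problems.append(f"{label} mask {mask} (/{prefix_len(mask)}) is not "
                            "offered on the BEFVP41 LAN setup page")

    # Every host you intend to reach must be inside the remote group as typed;
    # a host outside it gets no tunnel route and goes to the default gateway.
    for host in remote_hosts:
        if IPv4Address(host) not in remote:
            actual = secure_group(host, remote_mask)
            problems.append(f"{host} is outside remote group {remote}; with mask "
                            f"{remote_mask} it lies in {actual} and would be sent "
                            "to the default gateway instead of the tunnel")
    return problems


if __name__ == "__main__":
    # Constructed test inputs, taken from configurations posted in the thread.
    cases = {
        "wmckenney": ("10.3.142.0", "255.255.255.128",
                      "10.3.141.0", "255.255.255.128", ["10.3.141.240"]),
        "TimothyCox": ("10.1.1.0", "255.255.255.0",
                       "10.1.2.0", "255.255.255.0", ["10.1.2.50"]),
        "same subnet both ends": ("192.168.1.0", "255.255.255.0",
                                  "192.168.1.0", "255.255.255.0", []),
        "CurtTech": ("192.168.1.0", "255.255.255.0",
                     "10.1.0.0", "255.255.0.0", ["10.1.5.7"]),
    }
    for name, args in cases.items():
        found = check_tunnel(*args)
        print(f"{name}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```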
nagolcj (MIS)
3 Apr 02 14:19
I'm having the "tunnel dropping/reconnecting/can't ping between subnets" blues too.

Slightly different setup here, my BEFVP41 connects to a FreeS/WAN v1.95 gateway. Tried upgrading the firmware to 1.40.1 and 1.40.2 but was unable to connect so I backed off to 1.39.64 again.

In a nutshell, it seems like upgrading the firmware has solved this problem (NFW am I going to back ALL my NICs to 10-half) for most of you...or has it?

Something I've noticed here (with 1.39.64) that once the IP flow has stopped, if I click on "DISCONNECT" and then "APPLY" and finally "CONNECT" the flow starts again -- at least for a while. Longest it's stayed up properly is 4 hours...
wmckenney (TechnicalUser)
4 Apr 02 8:08
madnessxx: THANK YOU!!
spinge (TechnicalUser)
4 Apr 02 15:58
tcompe9139

Thanks for the help.  It upgraded just like you said it would (at least the upgrade part did.)

I do have a question or two about the firmware upgrade itself.  I noticed that the look of it is a little bit rougher (not as refined) as 1.39.64 - did anybody else get this same look?  I also found that on the setup page, although it gives the option in the dropdown box to set it up for PPPoE, as well as others, that when I select it, it always goes back to DHCP. (I have a DSL at one end currently, and will eventually have DSL at both ends).

Also, when I revert back to 1.39.64 (I tried both 1.40.01 and 1.40.02) that the IPSecAdvance page is not available.  Instead, I get a RED screen and a 404.  Might this be my browser??

again, thanks to all

Spinge
rcole7245 (TechnicalUser)
5 Apr 02 10:56
I think I have finally just given up. Linksys Engineering has not responded back to me in over a week, a letter to the CEO of the company got no reply. I have tried every setting posted here and never get beyond the point where the boxes say they are connected. I can see icons for each group in Neighborhood Network but that is all. I can not ping computers on the other side of the connection or access them in any way. Last resort was to copy the identical settings posted by tcompe9139 including the firmware, but that did not make any difference. I am guessing that there is something not working in the address translation but that's just a guess. If I could find someone local to Columbus GA that could make this work, I'd pay for their time. Guaranteed that Linksys will not see another nickel of business from me or my shop. bobcole@servicecpa.com.
vpnsymech (Programmer)
5 Apr 02 11:57
Question: Win2k to BEFVP41.

Has anyone successfully connected a Win2k computer to the BEFVP41 router using IPSec policy?

I tried setting up the IPSec policy as stated in http://www.linksys.com/support/support.asp?spid=86 

I have not been successful.  

This posting forum has been excellent. I have been reading this posting diligently.  I am getting close, but I am not there yet.
nagolcj (MIS)
5 Apr 02 16:23
well well well...wonders will never cease

I finally got the router to connect properly. What did it? I'm not really sure to be honest with you. After upgrading/downgrading the firmware I made sure to reset the router to the factory defaults by pressing and holding the reset button for 30 seconds and then unplugging the router for 5 seconds. I messed around with my ipsec.conf (I connect to a Linux FreeS/WAN gateway) until I hit a combination that worked.

For the benefit of anyone else who gets stuck the way I was, here are my various config files :

BEFVP41 (firmware is 1.39.64) :

Tunnel name: office
Local Secure Group: Subnet IP: 192.168.0.0
                                    MASK: 255.255.255.0
Remote Secure Group: Subnet  IP: 192.168.110.0
                                         MASK: 255.255.255.0
Remote Security Gateway: IP Address: 999.999.999.999 (obviously not my real IP)
Encryption:    3DES
Authentication:  MD5
Key Management: Auto (IKE)
PFS is checked
Pre-Shared Key = "my PSK key"
Lifetime = 3600

In the IPSecAdvance.htm screen I changed the Phase I and Phase 2 proposals to match the above (after all, I know for a fact exactly what format it's set up for on the other end -- why would I need optional methods?). I unchecked the NETBIOS Broadcast packets (I have a WINS server set up at the other end), the anti-replay (anti-relay?) and the "IKE fails more than x times".

My home network (cable modem connection) is setup as a roadwarrior in my FreeS/WAN v1.95 configuration. Here are the contents of the /etc/freeswan/ipsec.conf file on the FreeS/WAN gateway:

# basic configuration
config setup
    interfaces="ipsec0=eth0"
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
    keyingtries=1
    authby=secret

# office VPN connection
conn home-office
    type=tunnel
    left=nnn.nnn.nnn.178
    leftsubnet=192.168.110.0/24
    leftnexthop=nnn.nnn.nnn.177
    right=%any
    rightsubnet=192.168.0.0/24
    keyexchange=ike
    ikelifetime=240m
    keylife=60m
    pfs=yes
    compress=no
    authby=secret
    auto=add

I stopped/started IPSEC, fired up the connection from the BEFVP41 and tried a ping from my home network to the office :

Pinging 192.168.110.3 with 32 bytes of data:

Reply from 192.168.110.3: bytes=32 time=68ms TTL=127
Reply from 192.168.110.3: bytes=32 time=85ms TTL=127
Reply from 192.168.110.3: bytes=32 time=67ms TTL=127
Reply from 192.168.110.3: bytes=32 time=82ms TTL=127

Ping statistics for 192.168.110.3:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 67ms, Maximum =  85ms, Average =  75ms

I connected with Remote Anything (like PCAnywhere but 10000% better) and latched into my boss's desktop. Perfect. Fired up the web cam from my desktop & connected to the boss's thru the tunnel. Got dizzy watching myself watch myself. EVERYTHING works.

After an hour elapsed (my 3600s lifetime in my BEFVP41 config) the SA expired, the tunnel dropped, a new one negotiated, and the BEFVP41 reported success. Yeah, sure. ..I'd seen this before. Except this time it actually worked. I could ping across the networks, browse the network neighbourhoods, map drives...everything. I've brought the tunnel up/down a couple of dozen times already & it's working perfectly.

Anyways....good luck to those of you trying to get this thing working. All it takes is some patience and common sense.

Jim
Guest (Visitor)
5 Apr 02 16:55
to rcole:

Have you tested the routers with an X-over cable or in a different environment.... Also try doing a hard reset on both units... I had a problem where it said connected but couldn't ping... I did a hard reset (45 secs).. problem was fixed.  These Linksys units are pretty solid, from the ones I've set up.... I have seen the environment play a big role....
Guest (Visitor)
8 Apr 02 0:39
Does anybody have anything such as a switch or a hub attached to the WAN connector? I'd like to know if this works. Also, can this device establish a VPN tunnel with a computer connected to the LAN side?

I'm hoping that I could use it to secure a Wireless section of my LAN, i.e. connect the wan port to another switch/cable router. Then I'd connect a Wireless AP to the switch and establish VPN tunnels to the computers connected to that AP. This way, the wireless computers would be outside the VPN Router's firewall, and their data transmissions would be encrypted for an extra layer of security...

What do you think?
tfccom (MIS)
8 Apr 02 23:16
Hey Everyone,
I have really enjoyed this whole process, but my ordeal isn't over yet... I set up my connections from the Win2Kpro workstation to the router the way that the Linksys site says, and I try to ping the connection as follows:

ping -t 10.0.0.99

Negotiating IP security
Negotiating IP security
Negotiating IP security
Negotiating IP security
Negotiating IP security
Negotiating IP security
Negotiating IP security
Negotiating IP security
Negotiating IP security
Negotiating IP security
etc...

And it gives the pings answers at about 350 per minute...THAT IS NOT NORMAL!!!!!!!!

What Now?

Thanks,
Trevor Farren
BlindJustice (IS/IT--Management)
9 Apr 02 19:55
Scott,

Linksys uses IPSEC. You must configure your router and Win2k for IPSec. Enter your Win2k Local Security settings. Go to IP Security Policy, right click and create a new policy; remember, under that policy, to create two filters, one from your PC to your router and one from your router to your PC. If you are using dynamic IPs you must connect to your ISP, find out your IP address and adjust your filter with that address. Then start your VPN connection.

Later,

Blind Justice
certman (TechnicalUser)
10 Apr 02 0:48
I see many users confused when trying to set up secpol on their 2k box when they have the BEFVP41, and they think the router is now configured as a stand alone server.

What you are doing with your 2K box with secpol is setting that PC up as the SERVER and then the BEFVP41 can CONNECT to it as a CLIENT ONLY.

Now you could set up IPSEC policies on a 2k behind the Linky, but then why did you buy this router as opposed to a regular 4 port Linksys?

In truth-this product was designed with a situation of connection between 2 BEFVP41's, to take out the hassle of configuring IPSEC policies on a server-and then setting up the clients.

You will not be able to connect to a BEFVP41 unless it is from another BEFVP41, or there is a 2k server with IPSec installed behind it.
CurtTech (IS/IT--Management)
10 Apr 02 4:50
Need some help please...
Maybe someone can help me out with a similar situation. Suppose I have two BEFVP41 routers:

- Server Side
- Client Side

Now I have no problems establishing a IPSEC VPN Tunnel if I use the 192.168.1.x on one router and 192.168.2.1 on the other router. However, what I need this to do is get to the 10.1.x.x , sub: 255.255.0.0 on the Server Side.

Here is what I want this to do:
-----------------------------------------------------------
- which is my client that needs a persistant connection. There are two workstations that are setup behind router on 192.168.1.0 network that must have access to the 10.1.x.x - 255.255.0.0 on Router A. To simplify this, this is the way I must set-up client side.

192.168.1.1 - Gateway - Set to DHCP
192.168.1.2 - Workstation A
192.168.1.3 - Workstation B

Now BOTH of the Workstations must have access to the 10.1.x.x network behind the .

----------------------------------------------------------
Server Side

I need this one set up on the 10.1.x.x which I don't understand how to do this.

I have machine that has two nics (called VPNSERVER):

10.1.x.x 255.255.0.0 - NIC A
DHCP - NIC B (this is currently what I have)

I have no problem getting a 192.168.2.x - 255.255.0.0 network to get assigned to NIC B but how do I get the clients from 192.168.1.x network to be able to ping the 10.1.x.x network on the Server side.

Is the BEFVP41 able to do this? I would sure hope so. I see a static route tab in the advanced GUI Web Admin App but I have tried several attempts to do this but I am confused on how to set this up.

If someone could help me out, I would appreciate it.

Thanks
Curt
Guest (Visitor)
10 Apr 02 8:56
Just wondering, am I understanding this correctly?  I have the BEFVP41 set up at the office with tunnel configured for remote user.  A remote user using xp or 2000 sets up his end to connect to the tunnel.  Now, does someone need to manually go into the BEFVP41 setup page on the web and click connect to establish this connection??  Or will the remote user be able to automatically connect on his end?
spinge (TechnicalUser)
10 Apr 02 10:19
to nik_420

You mentioned above problems with the environment and the x-over cable.  I am assuming you mean connect the x-over between the two wan ports of two BEFVP41's, and skip the whole internet.  This would sure make things a little easier, as opposed to  hauling my cookies all over the place to try and solve problems.

When you mention environment, I am guessing you are speaking of things like fluorescent lights and big electric motors, and things such as this.

Am I correct on these two points?

Thanks
Spinge
Guest (Visitor)
10 Apr 02 10:54
to spinge:

You're right, X-over between the WAN ports.  The IP of router "A" is the gateway of router "B" and vice-versa, making them point at each other.

Many times when setting these up, you have Cisco routers in front of the Linksys that don't allow traffic to go through unless you create a rule... Or you have other types of firewalls that create weird situations.... That is why testing out the routers with an X-over cable will let you know if it's the routers or the environment.. For example if you look at RCOLE's problem, it completely looks like there is something environmental that is filtering the data going through.
curious2 (TechnicalUser)
10 Apr 02 13:48
To CurtTech,

I think the only way you are going to get this to work is to install a layer 3 device (some type of router) between the linksys BEFVP41 and your 10.1.0.0 network.  And no, it cannot be another linksys.  

Reason I say this is that these linksys devices are only capable of class C type operations on the lan side.  What you are trying to do (using your subnet mask) is assign a class b type address to the lan side.  If you look on your Setup Page for the BEFVP41, you will notice that the settings for the lan IP address subnet masks are as follows:

255.255.255.0
255.255.255.128
255.255.255.192
255.255.255.224
255.255.255.240
255.255.255.248
255.255.255.252

There is no provision for a subnet mask of 255.255.0.0.  If you really want this to work, you will have to get another type of layer 3 device (router) that can support a class b address scheme.  Something that you may want to try is configuring a Multi-home router on a WinNT machine or try configuring a routing and remote access server for WinNT/W2K server.

Once you have your other layer three device installed/configured, then set up your static routes.  As it is now, setting up static routes won't work due to the limitations of the Linksys.  
Guest (Visitor)
12 Apr 02 12:06
Does anybody have any experience setting up a BEFVP41 to a 3Com OfficeConnect DMZ (with VPN module)? I have spent several days now trying to get the two routers to talk to each other and create a tunnel so that I can join our UK office to our US office. Is there such a thing as a step by step guide or am I just being extremely hopeful :) Any help would be most greatly appreciated.
markku (ISP)
12 Apr 02 23:32
Have tried BEFVP41 with SonicWALL (same as 3Com). The tunnel works with FW 6.x, not with 5.x. 3Com is on the level 5.x, so I doubt it will ever work.

Markku
Stache (Programmer)
12 Apr 02 23:45
Linksys has officially released firmware 1.40.2 on April 11.
Version History follows...

I have not tried it yet.

http://www.linksys.com/download/firmware.asp?fwid=158

BEFVP41 Firmware History
========================

v1.40.2  2002-03-10
1. Fixed a U/I bug in v1.40.1 that "IPSec Advanced Setting" screen failed to apply.

v1.40.1  2002-03-01
1. Fixed a U/I bug in v1.39.66 and v1.40 that caused the IP Range setting for Local Secure Group to not be applied.
2. Fixed a U/I bug in v1.39.65c and later that caused the Domain Name setting on the Setup screen to not be displayed.
3. Fixed a bug in v1.39.65c and later that caused Manual Keying to not work.
4. The factory default TimeZone value is changed from GMT-12(Kwajalein) to GMT-8(USA Pacific Time)
5. In Manual Keying option, the maximum phrase length of Encryption Key is changed from 23 to 24 characters.
6. In Manual Keying option, the maximum phrase length of Authentication Key is changed from 19 to 20 characters.
7. Do not display connection status if Manual Keying is applied

v1.40  2002-02-19
1. The default Phase 1 Key Lifetime is changed from 1 to 8 hours. (the Phase 2 Key Lifetime is still 1 hour.)
2. Fixed a PPPoE configuration bug in v1.39.65c and v1.39.66, that causes incorrect PPPoE password when Apply PPPoE configuration twice.

v1.39.66  2002-02-01
1. Supports FQDN (Fully Qualified Domain Name) option for Remote Security Gateway setting.
2. Improves IKE handling process.
3. Changes the default settings of both Anti-replay and Keep-Alive from Enable to Disable

v1.39.65c  2002-01-10
1. Re-layout the Setup, DHCP and Upgrade-Firmware screens.
2. Supports IPSec Aggressive Mode.
3. Adds an IPSec Advanced configuration screen that provides
following advanced settings:
  (1) Phase 1 proposal
  (2) Phase 2 proposal
  (3) NetBIOS broadcast
  (4) Anti-replay
  (5) Keep-Alive
  (6) Block unauthorized request  
 Note: On the VPN setting page, clicking the phrase "more..." will link to this Advanced page.
4. Solves an Anti-replay handling problem that causes IPSec
tunnel disconnected under heavy loading test
5. Provides PPTP Client functionality
6. Provides NTP(Network Time Protocol) client functionality
7. Adds "Client Lease Time", "DNS" and "WINS" settings on DHCP screen.
8. Besides the LAN network, the Local Secure Group can be set as any other network. This also allows the user to set the Local Secure Group as a Class A, B or C network.
thomasdp (TechnicalUser)
13 Apr 02 10:23
Hello

I have 1 Linksys router at work and a Windows XP Pro box at home. Setup tunnel as per Linksys instructions. I can connect fine from the Linksys side to Windows XP at home but cannot establish a connection from home to the Linksys side.

ScottH1 (MIS)
13 Apr 02 17:59
Has anyone tried/had any luck connecting Linksys to a Microsoft ISA Server?  I have tried a lot of things and can get the tunnel to connect and stay up.  Problem is it does not pass any data between the two networks on either side.  Any ideas/help would be greatly appreciated.

Scott
Guest (Visitor)
15 Apr 02 8:12
Has anyone had any luck with 3rd party vpn client software to connect to the BEFVP41?  If so, can you list it here?
ScottH1 (MIS)
15 Apr 02 8:42
OK
Here are the specifics of what I tried all weekend to get running.  Any aid you could give would be greatly appreciated.

Home Network:
192.168.11.0/24 subnet.
BEFVP41 on a cable modem.
XP and 2000 clients behind Linksys.

Office Network:
192.168.10.0/24 subnet
Microsoft ISA server connected to Cable modem with static IP's.
whole slew of clients/servers behind isa server.

I went through the steps outlined in the whitepaper on the Linksys site in order to connect Win2k and BEFVP41.  From the BEFVP I can successfully connect an IPSEC session (according to the BEFVP).  I can not however pass data between the two subnets.  

Checking the routing tables on the BEFVP show that no new routes for the remote network are added to its routing tables after connection.  I thought of trying to enter static routes, but there is not an IP or interface to specify in order to have the traffic pass through the VPN.

I can connect through the BEFVP with an XP client to establish a VPN to the ISA server fine.  After doing that I can ping and connect to the machines in my office network, so I know that the ISA server will pass the traffic if the connection is correct.

Thanks in advance for any ideas,
Scott
nagolcj (MIS)
16 Apr 02 17:44
ScottH1:

what firmware release are you using? I can't get the latest (v1.4.2) to work with my setup (BEFVP41 to Linux FreeS/WAN) but rolling back to 1.3.64 works perfectly.

With 1.4.2 it connects okay but it appears that there isn't a route through to the office network. Pings, browsing, etc. don't work no matter what I try.

After flashing the firmware at least a dozen times, here's my current foolproof way of making my tunnels work:

1. press & hold the reset key for 45 seconds (resets back to the factory defaults)
2. unplug the router for 5 seconds & plug it back in
3. flash with 1.3.64 firmware with TFTP.exe
4. press & hold the reset key for another 45 seconds (just in case)
5. unplug the router for 5 seconds & plug it back in

6. log into the router via the web interface & do the usual setup procedures
7. Check your ISA server for the configuration it needs (ie MD5 or SHA Authentication, DES or 3DES encryption, IKE Key Management, PFS, etc.).
8. Although common sense dictates that the router would try the variables you specify in the VPN screen, when I check my logs it appears that it tries the alternative proposals first. I log into the http://192.168.1.1/IPSecAdvance.htm page and set the 2 proposals to the following (yours will likely be different):

Main Mode

3DES
MD5
1024-bit
3600 seconds

3DES
MD5
ON
1024-bit
3600 seconds

That does the trick for me, I hope it helps you out.

Jim
Guest (Visitor)
16 Apr 02 21:12
I'm having some of the same problems that some of the other people here are having, and I think I've stumbled onto the solution.

Here's what I have: A main office with an NT Domain with Win98 workstations and a cable modem connection to the internet (DSL was full), and 2 branch offices each with a Win98 workgroup and an ADSL connection to the internet.

I set up a Linksys BEFVP41 at each location according to the instructions in the box, and it didn't work. I could connect, but I couldn't communicate. I tried a number of things, including some of the suggestions I found here, but nothing helped. Then I thought, the reason I wouldn't be able to ping one device from another would be because there wasn't a route between them. So I enabled Dynamic Routing (RIP1 Tx & Rx) on all three routers, and created static routes between the local secure groups and the remote gateway. It worked!

It seems that the BEFVP41 creates an IPSec tunnel between 2 LANs, but it doesn't create a route that uses it! I don't know if the dynamic route or the static route solved the problem, but my LANs are talking to each other, so I'm not messing with it.
Guest (Visitor)
17 Apr 02 12:05
Hello...

I'm having a problem with routing between the networks.  What I have is:

Main Location

Windows 2000 Server - 2 network cards
1 network card with public IP address
10.0.0.7 255.255.255.0 Internal

Server 2
10.0.0.6 255.255.255.0

---

Location 1
Linksys Router
10.0.1.1 255.255.255.0
Client 1
10.0.1.11 255.255.255.0 DG 10.0.1.1
Client 2
10.0.1.12 255.255.255.0 DG 10.0.1.1

At the main location...
Win2000 can ping Client 1 and 2 and map drive to either.
Server 2 cannot ping Client 1 or 2

At Location 1...
Client 1 and client 2 can ping and map a drive to Win2000 (10.0.0.7),
But not to server 2 (10.0.0.6)

Is there a way to make this happen, besides replacing the 2000 machine with another linksys router?  I was hoping that there was a way to enable the 2000 machine to route into the 10.0.0.0 network.

Thanks in advance for any help
spinge (TechnicalUser)
17 Apr 02 13:11

I too have tried many times, with a pair of the BEFVP41's.  They will just about always connect (I have a DSL at work, and a cable modem at home), except when I am having trouble with my broadband providers (another story).  I have tried using all of the possible firmware releases, but to no avail.

Here is my problem:

When I sit on my local LAN at the office, I can ping anything in the network (8 PC's, 2 print servers, an HP with a JetDirect, an IBM/AIX telnet server, and my PC at home) but when I sit at home, I can only ping 4 of the 8 computers, and nothing else (all report connection timed out).  The fact that I can ping through the VPN to home from work, and to some of the computers back the other way, leads me to believe that the tunnel is functioning OK (although I did apply TCav's idea of applying dynamic routing and creating a static route - when looking at the routing table, there was previously not an entry to the other LAN).  Otherwise, I am pretty stumped.  Of the machines at work that do reply, they are running 4 different OS's (W2K SP2, 98SE, ME, and XP).  I have the NetBIOS box checked on both VPN's, as well as anti-replay and keep alive.

Any ideas anybody might have would be really helpful

Thanks
ShovelhEd (IS/IT--Management)
17 Apr 02 13:41
Hello!

I have read through these posts and have seen some problems similar to mine.  I had no luck at all yesterday connecting to a ZyWALL 100 at our parent company's office.  Today, by changing the "local secure group" setting to exclude my BEFVP41 LAN IP, the connection worked!

The issue I am now having is that I can ping a PC and see it when I use Search for Computer, but I cannot see its contents by double clicking on it.  I am using Windows 2000 and I have the proper username and password for the remote computer.  Could the fact we are in different domains cause trouble?

Anybody have an idea?
CurtTech (IS/IT--Management)
17 Apr 02 18:13
TCAV

Can you please give us your configs that work for you.  I am especially interested in what static routes you set up to communicate between networks.

Thank you

RGN (TechnicalUser)
17 Apr 02 21:06
To all:

I haven't had a chance to read the ENTIRE thread yet but it does seem that the Linksys VPN router is having some successes and some failures.  I have a ticket open with Linksys, but I thought I'd get input into whether what I am trying to do should (already has been proven to?) work.

I put together a diagram

( see http://pages.sbcglobal.net/rgniehuser/Sample_VPN_1.PDF)

I'm trying to connect Office 1 (192.168.1.x) which is BUSINESS DSL with a FIXED IP address from ISP #1.  It has a combination of Windows XP (Home) and Windows ME running a workgroup named WORKGROUP.

I'm trying to keep it simple by only establishing Tunnel 1 first.  It would connect the 192.168.2.x network (a residential DSL connection--with dynamic WAN IP address) provided by ISP #2.  The user(s) on this network are XP (Home).  I plan to put them in a Workgroup named WORKGROUP.

Then when (IF?) I get this working I plan to add the third site.

I have yet to get the tunnel to establish.  Any Ideas?

I assume once I do get them working that:

from the 192.168.2.x network I will be able to PING the 192.168.1.x network and that from the 192.168.1.x network I will be able to PING the 192.168.2.x network. Is that right?

Also will I need to do anything special to see all machines as part of the network neighborhood (turn on netbios, etc.)

Any help would be appreciated.

Thanks
markku (ISP)
18 Apr 02 0:10
RGN

Your setup should work perfectly.

It is directly from the book, no mistakes.

I have a similar setup, 1 office (fixed IP) and 3 remote offices (1 fixed, 2 alternating IPs) and it is working exactly according to your scheme.

Better stick in star-shaped architecture, because routing between remote offices is too much for Linky . I can see all machines ( between remote offices ) in network neighbourhood, but they are not really reachable.

Still fighting to connect to SonicWALL. Have succeeded in establishing the contact, no problem, and the packets flow occasionally but it is not reliable; will try the solution of ShovelhEd today.

Am also interested in the dynamic routing solution, if more details are available.

This box certainly is not SonicWALL, but would love to see it working as client for large SW-box.
spinge (TechnicalUser)
18 Apr 02 1:06
RGN:

Just remember to set up the remote VPN's with the IP of the main VPN as the remote security gateway(fixed), and set up the main to accept any IP (since with a dynamic IP, you never know what it will be).  Keep in mind that if the settings on each end of the tunnel do not match (including local and remote secure groups) they will not connect.

As a side note, now having FQDN as an option for the remote security gateway (in firmware 1.4.2) it is possible to connect two dynamic IP VPN's automatically.  You will need to get a dynamic DNS service from somebody such as TZO (I DON'T work for them) on one end of your tunnel.  Set that end of the tunnel to accept any remote secure gateway, and use your new domain name on the other end.

Hope this helps - that is as far along as I am - now if I could only ping all of my machines.
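An added example, not from any poster in this thread: a small model of how the proposal lists nagolcj posted above (Main Mode, 3DES, MD5, 1024-bit, 3600 seconds, PFS on for Phase 2) get matched between two peers, and of spinge's point that the secure groups and settings must mirror each other or nothing connects. The peer/proposal data model, the 192.168.10.0/24 and 192.168.11.0/24 groups, and the assumption that the responder accepts the first proposal it also supports are simplifications I made, not Linksys behaviour documented on the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    """One Phase 1 (IKE) or Phase 2 (IPsec) proposal, simplified model."""
    encryption: str    # "3DES" or "DES" on this class of router
    hash_alg: str      # "MD5" or "SHA1"
    dh_bits: int       # Diffie-Hellman group size, 768 or 1024
    lifetime_s: int    # SA lifetime in seconds
    pfs: bool = False  # Perfect Forward Secrecy, meaningful for Phase 2 only


@dataclass
class Peer:
    name: str
    local_group: str   # local secure group (CIDR)
    remote_group: str  # remote secure group (CIDR)
    phase1: list       # proposals in the order this peer tries them
    phase2: list


WEAK = {"DES", "MD5"}  # flagged so the operator notices; still negotiable


def select(offered, accepted):
    """Responder takes the first initiator proposal it also supports, so the
    initiator's ordering decides the outcome (the effect nagolcj saw in logs)."""
    for p in offered:
        if p in accepted:
            return p
    return None


def negotiate(initiator, responder):
    """Return a dict with the agreed proposals, or the reason nothing matched."""
    out = {"ok": False, "phase1": None, "phase2": None, "reason": "", "warnings": []}
    # Each side's local group must be the other side's remote group.
    if (initiator.local_group != responder.remote_group
            or initiator.remote_group != responder.local_group):
        out["reason"] = "secure groups do not mirror each other"
        return out
    p1 = select(initiator.phase1, responder.phase1)
    if p1 is None:
        out["reason"] = "no common Phase 1 proposal"
        return out
    p2 = select(initiator.phase2, responder.phase2)
    if p2 is None:
        out["reason"] = "no common Phase 2 proposal"
        return out
    out.update(ok=True, phase1=p1, phase2=p2)
    # Defender's view: the tunnel came up, but on what strength?
    for label, p in (("Phase 1", p1), ("Phase 2", p2)):
        for alg in (p.encryption, p.hash_alg):
            if alg in WEAK:
                out["warnings"].append(f"{label} uses {alg}")
        if p.dh_bits < 1024:
            out["warnings"].append(f"{label} uses a {p.dh_bits}-bit DH group")
    if not p2.pfs:
        out["warnings"].append("Phase 2 without PFS")
    return out


# nagolcj's working values: 3DES, MD5, 1024-bit, 3600 s; PFS on in Phase 2.
P1 = Proposal("3DES", "MD5", 1024, 3600)
P2 = Proposal("3DES", "MD5", 1024, 3600, pfs=True)


def example_pair(office_phase2=None):
    """Constructed home/office pair (assumed addresses); office_phase2 lets a
    caller inject a mismatched Phase 2 list on the office side."""
    home = Peer("home", "192.168.11.0/24", "192.168.10.0/24", [P1], [P2])
    office = Peer("office", "192.168.10.0/24", "192.168.11.0/24",
                  [P1], office_phase2 or [P2])
    return home, office


if __name__ == "__main__":
    r = negotiate(*example_pair())
    print("matching pair:", r["ok"], r["warnings"])
    r = negotiate(*example_pair([Proposal("DES", "SHA1", 768, 3600)]))
    print("mismatched Phase 2:", r["ok"], r["reason"])
```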
Yasmania (MIS)
18 Apr 02 11:20
I have a Linksys BEFVP41 that I am trying to setup in a remote office to connect to a Win2K server running RRAS. The W2K server is behind a Linksys BEFSR41 cable/dsl firewall/router. I have no idea what I'm doing (I was volunteered for this mission). Do I need to buy a second Linksys box or can someone tell me how to initiate a tunnel connection from the one I have to the server. My head feels like it's gonna explode and I'm no closer to an answer. Any help you guys can give me would be greatly appreciated.

Yas
nagolcj (MIS)
18 Apr 02 13:12
spinge:

you don't have a firewall (ie zonealarm) running on the machines that won't answer your pings, do you? I ran into that problem with one of my remote workstations & it drove me nuts until I realized that as a different subnet it wasn't considered one of the trusted networks in zonealarm.
spinge (TechnicalUser)
18 Apr 02 13:23
nagolcj:

Great thought, but unfortunately I don't have any software like that running yet, but thanks!
ShovelhEd (IS/IT--Management)
18 Apr 02 15:38
Yasmania,

What you have will work but will take some doing.  You are in the right place to get answers.  If you want to spend the time to learn and are willing then read away.
An easier way is to get a second befvp41...you will have no problems then at all and won't have to fiddle around with your Win2K server.
Prof3205 (Instructor)
19 Apr 02 0:53
I've been intently reading this thread and I'm pretty sure that I've got the wrong product, but maybe somebody can tell me for sure.

What I'm trying to do is setup the LinkSys box as the VPN/Router in the office and have remote users using Win2K Pro (who will be using combinations of dial-up, DSL and Cable with dynamic IP's) access the network in the office.  I have been able to get the box to work (sort of) as long as I enter, manually, the IP address given by the ISP into the IPSec policy.  If this has to be done every time then it's an unacceptable solution, since typical users could figure out how to do it.  Obviously a different Win2K client might work and I've been hunting for those solutions as well.

Please help!!!   And thanks in advance.
ShovelhEd (IS/IT--Management)
19 Apr 02 11:01
Prof3205,

The newest version of the BEFVP41 firmware has support for domain names.  I would recommend you update your firmware.

Next thing to do would be to have your users register or you register at a name forwarding service like www.dyndns.org ; This service will map any IP you have to a free domain name that they provide.  For example a cable ip like 24.112.xxx.xxx would be mapped to "Prof3205.dyndns.org".  At the dyndns site you can find links to programs that automagically update your IP with the dyndns servers each time a user boots up or his IP changes.

If you have a question post away.  Hope that helps!!

ShovelhEd
RGN (TechnicalUser)
23 Apr 02 9:08
Well I got the configuration of my previous post

( see http://pages.sbcglobal.net/rgniehuser/Sample_VPN_1.PDF)

working (with the help of Linksys) for tunnel #1 in the diagram.

I'll post the configurations (for the Linksys') soon.

But I still have two problems.

a) I can't see the other machines in the Network Neighborhood (even with the NetBIOS box checked on the Linksys).  I work around this by using fixed (not DHCP) addresses on the 192.168.1.x network (bottom left in the diagram).  That way, when I need to get to something from a machine on the I use the UNC of //192.168.1.20/sharename instead of //hpserver/sharename.  It works, but I'd like to be able to see the names.

and

b) it is SLOW!!  Are there any ideas to speed it up?  Opening a QuickBooks file (from the Home location--top of diagram) takes about 1.5 to 2 minutes.  Once opened, I'm able to run it okay.  Then, of course, closing the file back takes time too.
  Would going to DES encryption instead of 3DES improve performance (I'm thinking the Linksys would not have to work as hard)?  Other ideas?

Any help would be appreciated...

Thanks,

...RGN


ShovelhEd (IS/IT--Management)
23 Apr 02 12:19
RGN,

Congrats on your successes.  I still am unable to "browse" a computer on the network, though I am able to see them if I search by \\192.168.xxx.xxx\sharename.  I can even map the drive.  But I get an error that the device is already connected to z:\ etc.  I am getting tired of trying to get this working.  It's enough to cause madness!
markku (ISP)
23 Apr 02 12:23
Hi,

Your configuration is perfect. You should see the network neighbourhood assuming:
- your workgroup name matches
- you have necessary user/password for remote 2000/NT/XP-server
- Netbios is enabled both ends of the tunnel.

Not a very useful feature anyway; NetBIOS can clog your tunnel with unnecessary traffic. Real men use direct IPs...

I tried the 3DES-speed with 512k ADSL to the server in remote network ( 4 Mb/s ) by ftp. Speed was 540 k / 517k bypassing the tunnel/through 3DES-tunnel. Better than old SonicWALLs. I do not know Quickbooks but I know applications which have to be used with Terminal Server locally in order not to exhaust 100 Mb LAN. How about "normal browsing" and copying files?

Guest (Visitor)
24 Apr 02 15:34
RGN,

The VPN speed issue concerned me as soon as I got it going.  Then I remembered that it is only as fast as the fastest upload speed of my connections.  Is your DSL limited to 128K up?  
Guest (Visitor)
25 Apr 02 21:11
HOPE THIS HELPS SOMEONE! I wish I saw this when I gave up on linksys support and was looking for some info on my own..

My goal was to setup 2 routers that would talk to each other.  This would get rid of any client crap and all that crazy IPSEC stuff in the back of the Linksys VPN book. I wanted to browse my office lan from home.

I ventured off to my local computer shop and bought 2 VPN routers.  I set up one at the office and one at my house.  I created my tunnel on each router and hit the connect button (easy enough).. now.. here is where the fun started.. I could not see anything at the office.. so here is what I had to go through to get it running...

Issue #1

UPGRADE THE FIRMWARE!!!  You should have 1.4x something on the router.. if you don't.. upgrade it! check by going to the VPN tab and on the bottom right you should see a "more..." link. If you have this link, you should be ok.

Issue #2

Make sure that your network addresses are different on both ends.  my office ip pool is 10.0.1.x and the ip pool at my home is 10.0.0.x. Apparently the routers will not work correctly if the ip pools are the same.

Issue #3

If you upgraded the firmware, click on the VPN tab and select the "More.. " option and enable the "Netbios Broadcast" option on both routers. This will allow you to browse the network and find machines on the office wan

Issue #4

Disable any firewall programs. In my case I had to uninstall ZoneAlarm, even though I had it disabled. My WAN did not work until there was no trace of ZoneAlarm. If you are using XP make sure you also disable the ICF (XP's built in firewall).

After pulling out most of my hair I finally got my wan setup.. I can browse the network.. print on the printers at work.. Now I can get all kinds of work done at home.. now if anyone knows how I can bill my boss for all this extra work, please let me know..

All in All, the routers are a great deal for the cash.. a bit slow.. but I need to read all the other threads and see if anyone has a fix..

Good luck to everyone who has had the problems I did.. If you were thinking of calling tech support at linksys.. give up now.. and look for other people who had setup the routers correctly...

Regards
Appollo (TechnicalUser)
28 Apr 02 3:57
I am a computer consultant with what I consider a vast knowledge of PC's and local area networks. However I have never attempted to set up a VPN before now. I found this Tek-Tips thread about the BEFVP41 quite enlightening and it also answered a number of questions I had, but also posed a couple of new questions.
 
My client has a home office with a Win 2K Server SP2 server with 8 workstations all with Win 2K SP2 Professional connected to a 3Com 16 port hub, which is connected to the BEFVP41, which is connected to a cable modem with a dynamic IP address. I am attempting to connect 2 remote locations to the home office's server and printer with a Win 2K Pro SP2 workstation in each remote site connected to a Linksys BEFSR41, which is connected to a fractional T1 line. I have been struggling with setting up the IPSEC policy on the home office server. When I enable the policy the 8 workstations no longer see the server but can still browse the internet. I then called Linksys (oh boy!!!) without much success because they do not support their router connected to their VPN router, just VPN router to VPN router.
 
Now having read the threads I realize about setting the (in this case 3) network IP address schemes to different numbers and all that, where I am confused is when I read a post further up the page from a user called Certman who said that if you have 2 BEFVP41's you don't even need to mess with IPSEC on the Win 2K boxes.  Is this true?
 
Also is the method I am/was trying using a mix of router to vpn router more trouble than it's worth? Should I just invest in a couple more BEFVP41's?
markku (ISP)
28 Apr 02 12:35
Hi Appollo,

Just buy some more BEFVP:s and forget about the WIN2000 VPNs. The tunnels will route your separate LANs via IPSEC together.

Just follow the excellent drawing of RGN couple messages back and it will work.
thomasdp (TechnicalUser)
28 Apr 02 16:33
I just bought another BEFVP41 for home so now have one at each location. All problems solved. Connecting was a snap.
TimRaines (IS/IT--Management)
29 Apr 02 11:45
Yes.....that would solve everything.  Unless, of course, you're trying to set this whole thing up for someone on the road.

I've got the router set up at my office (10 pcs with a Win2k domain).  I screwed around with the Windows IPSec policy to create the tunnel, but my ISP gives me a dynamic IP when I'm on the road, so I knew I'd be constantly editing that policy.

I bought a client called SafeNet SoftRemoteLT which is, I guess, "smarter" than Windows and "attaches" itself to whatever my IP address is to create the tunnel.

Everything's fine.....sort of.  The tunnel appears to be created, as I can ping any machine on the network.  But if I try to actually use any of the machines' shares.....well...

Calling Linksys is actually quite scary.  Every time I've talked to anyone there, I'm MORE confused.

When I *am* able to look at the shares (by specifying my WINS server in my original connection's configuration), using those shares is so slow as to be useless.

I'm sure there's some tiny thing I've overlooked, but I'm completely lost as to what it might be.
Guest (Visitor)
1 May 02 8:56
Hello, all,

First time here... some good info, some confusion.  Maybe I can help?

I've been dealing with VPNs in some form for 4 years now, and here's some of what I know.

Windows network BROWSING: is terrible.  In order to browse a remote network, your client needs to contact a browsemaster on the remote network (enabling NetBIOS broadcast *may* allow you to use a local browsemaster).  Problem: browsemaster may change everytime someone reboots.  Solution: WINS (or DDNS), though not 100% reliable, cuz still need to connect to browsemaster; WINS just makes it easier to find that guy.  If you can distribute a list of names for the important computers (file server, print server, email server), then just connect with drive mapping or by directly connecting to the server, and completely avoid browsing (Windows browsing does *NOT* directly correlate with name resolution), then you are much better off.  Still recommend WINS or DDNS (or at the very least, put entries in *everyone's* 'hosts' file (only need 'lmhosts' if you have an NT Domain)).

NetBIOS (aka SMB): very slow and not overly reliable over WAN/VPN.  Would suggest Web/FTP/RemoteControl/TermServ solution if must have speed or working with large quantities of data.  Since we are dealing with sub-T1 speeds, "large" can be as small as 10-20 MB.

Win2k (and I assume XP) IPSec client: is terrible.  I've installed several IPSec products, and none of them are 1/10th as difficult or confusing to configure as M$'s.  I know it can be done, I've seen it done, I've never done it (I have tried), my hat's off to anyone who's done it.  My suggestion is to go with site-to-site (BEFVP41-to-BEFVP41) VPN if you can.  The BEFVP41 is not really designed for client-to-site VPN and will cause headaches if you try to stick that round peg into the square hole.  Go with M$'s PPTP (included with Win2k server for "free" and relatively easy to set up, but known vulnerabilities), or get a dedicated product designed for client-to-site (Cisco, Check Point, Nortel, etc.) (more secure, but also more costly).

Get "connected" (according to router) but have no connectivity: Possible that ISP is allowing UDP 500 (IKE authentication for IPSec Tunnel), so router thinks it successfully connected (my theory, have not verified with Linksys), but ISP does not allow IP Protocol 50 (actual IPSec Tunnel).  Some ISPs claim it's a "Business Service" and so won't allow it on their "residential" packages.  Of course the "business" packages that *will* allow IP 50 do cost more...

Nice that the Linksys allows dynamic IPs for their VPNs in any fashion.  That actually breaks the RFC's for IPSec, as I understand them, but sure makes the VPN routers more useful.

Final note: please don't bash Linksys too hard.  They have the most features out of anyone for their price range ($300+ for another vendor for the same functionality, and it limits you to 8 IPs on your LAN), and I'm shocked that their products are as reliable as they are for the price!  I used to be a Linksys basher (back when every mini-hub had at least one bad port), but they've been reasonably solid the past 2 or 3 years (no, I don't work for them).  For the prices I pay, I am not overly surprised that their tech support is not stellar.

I will be setting up my BEFVP41's tonight.  Based on what I've read here, I expect smooth sailing.  Wish me luck.

And remember... browsing bad!

Hope this helps someone.
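The "connected but no traffic" theory above (IKE on UDP 500 gets through while IP protocol 50, ESP, is filtered upstream) can be checked from the router's own incoming log before blaming the firmware. This is an added example, not code from the thread or from Linksys: the log line format and the addresses are constructed, and the classification rules are mine.

```python
import re

# Constructed log format (assumption): "<timestamp> src=<ip> proto=<name|number> [dport=<port>]".
LINE = re.compile(r"src=(?P<src>[\d.]+)\s+proto=(?P<proto>\w+)(?:\s+dport=(?P<dport>\d+))?")


def parse_flows(lines):
    """Return (src, proto, dport) tuples for every line that matches the format."""
    flows = []
    for line in lines:
        m = LINE.search(line)
        if m:
            dport = int(m["dport"]) if m["dport"] else None
            flows.append((m["src"], m["proto"].lower(), dport))
    return flows


def diagnose(lines, peer_ip):
    """Classify what the remote gateway's traffic looks like from this router.

    Returns (status, detail). IKE is UDP 500; ESP is IP protocol 50 (logged
    either as 'esp' or '50' depending on the box).
    """
    flows = parse_flows(lines)
    ike = sum(1 for s, p, d in flows if s == peer_ip and p == "udp" and d == 500)
    esp = sum(1 for s, p, d in flows if s == peer_ip and p in ("esp", "50"))
    if ike and esp:
        return "ike+esp", f"{ike} IKE and {esp} ESP packets from {peer_ip}: both phases reach this router"
    if ike and not esp:
        return "ike-only", (f"{ike} IKE packets but no ESP from {peer_ip}: the tunnel can negotiate "
                            "but carries no data; suspect IP protocol 50 filtered upstream")
    if esp and not ike:
        return "esp-only", f"ESP without IKE from {peer_ip}: stale SA or log window too short"
    return "none", f"nothing from {peer_ip}: check the remote gateway address and UDP 500"


# Constructed sample log, modelled on heliosphere's description: the office's
# static IP shows up on port 500 and nothing else.
SAMPLE_LOG = [
    "2002-05-05 22:40:01 src=203.0.113.10 proto=udp dport=500",
    "2002-05-05 22:40:02 src=203.0.113.10 proto=udp dport=500",
    "2002-05-05 22:40:05 src=198.51.100.7 proto=tcp dport=80",
]

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, "203.0.113.10"))
```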
TimRaines (IS/IT--Management)
1 May 02 10:13
Thanks for the info, Johnny.

You mention that trying to get the router to do client to router VPN is a square peg in a round hole.  And THAT is my only problem with Linksys.  If it doesn't work that way, then don't put a bunch of marketing / promo copy on your site that says it DOES.

At THIS point, I'd have been happy to spend $1,000 on a solution that would have worked easier.  Now, though, it's almost become a crusade......a crusade to prove that I'm smarter than the tiny $150 box sitting in the next room.   :)
spinge (TechnicalUser)
1 May 02 11:14
Johnny2can:

Thanks for the information.  Do us a favor - you said you were setting up the BEFVP41's tonight - post back and let us know how it worked and what your settings ended up being.  Thanks!!


TimRaines:

I agree with the crusade - Just remember the words of Steve Wozniack - "Never trust a computer (or any piece of IT hardware for that matter) that you can't pick up and throw out a window!!"

Rich
Appollo (TechnicalUser)
1 May 02 18:30
Well I got another BEFVP41 to connect from remote office to main office. Still not there yet though. I followed the superb drawing by RGN and made sure both BEFVP41's are using the same firmware 1.40.2, setup the Key area identical on both ends, made sure both advanced IPSEC pages are identical and still no connection let alone browsing the network neighborhood. I am not sure about the remote security gateway settings. If I set it to (any) would that be the proper setting for dynamic IP's on both ends, even though I have had cable modem service for 1.5 years at home and I am still using the same IP address as when I started using cable for internet. Do I need to worry about DNS settings? Is the remote security gateway the IP address that is displayed on the status page for the BEFVP41 under Default Gateway? Also a user further up this page asked and didn't get answered if you have to click on (Connect) on both ends, that would seem rather silly but is it so?
Guest (Visitor)
1 May 02 21:18
I gave up trying to read every post to this thread, but if you are still struggling to connect a client PC to a remote LAN through a BEFVP41 VPN tunnel, Linksys' instructions at

http://www.linksys.com/support/support.asp?spid=86

*DO* work. They are 16 pages long, and fraught with pitfalls, but I have now set up three (bidirectional) client<->LAN VPN tunnels successfully using them. I can ping, access shared folders, and more, in both directions.

These directions only apply to Win2K and WinXP clients. Earlier Win OSes require a 3rd party IPSec module. And forget the Windoz VPN dialers -- they won't get you anywhere.

Now here is MY question: I cannot seem to establish a pcAnywhere Remote->Host connection over the tunnel. The Remote just stalls. Can anyone give a hint about what's going wrong? Has anyone made it work? (Please do not tell me that I have to open the pcAnywhere ports on the router -- that should not be necessary with a VPN tunnel and would defeat the purpose of this application.)

Thanks in advance....
markku (ISP)
1 May 02 23:45
jmacmann,

I am using PC-DUO remote access over BEFVP 41/BEFVP 41-tunnel successfully. Do you connect with the internal ( not external ) IP of the pcAnywhere server, e.g. 182.168.1.x to the remote network. If the server pings, it should work.
Appollo (TechnicalUser)
2 May 02 0:01
Lo and behold, my problem was that by default the BEFVP41 has a block WAN request filter enabled. Linksys support caught that one; every now and then you end up connecting with someone knowledgeable in Linksys support. Guess I got lucky.
Appollo (TechnicalUser)
2 May 02 0:07
Just a side note: is this WAN filter supposed to be basic knowledge? Also I was told by Linksys support that the BEFVP41 works with DSL, cable & T1 connections but not a fractional T1. Is there another solution, because one of the 2 remote sites is a fractional T1? Oh boy, here we go again.
spinge (TechnicalUser)
2 May 02 23:34
Appollo:

It strikes me as odd that it is necessary to un-block WAN requests to get the VPN to work - mine works with the block enabled (or at least says it is connected).  I thought the theory of the VPN was to establish a private tunnel without opening your network up to "outsiders".

As for not being able to run on a fractal T1 - I also question that.  If the CSU/DSU on the end of the fractal gives you a 10 Mbps ethernet connection, it should hook right up to the BEFVP41 just like a cable modem or DSL modem.
Guest (Visitor)
5 May 02 22:43
i, too, have two befvp41s connected.  one at my office that has a static ip on verizon dsl bronze package.. entry level business dsl service and one at home on dynamic ip also through verizon dsl bronze home package.  at home i have a 'connected', but when i open up incoming access log it shows incoming ip is my static office ip address and the port says "500".  johnny2can said that sometimes you get a connection with port 500 but no connectivity.  verizon swears they don't block anything, in fact that's what sold me on them.  are they full of it or is there a way to redirect 500 to 50?  any other solution to be able to browse or map the office server drive.  office server has just win 98.. do i need to have win2k server on there?  my home computer has win2k pro.  thanks for your help!
spinge (TechnicalUser)
6 May 02 0:20
heliosphere:

I am not sure where you are located (which Verizon you have), but I know for a fact that in the Baltimore area they block port 80.  I am not sure of any of the other ports (I have not checked) but I do know that I can connect, and assign shares, across the VPN with a pair of BEFVP41's.  I guess what I am saying is that although they may not be blocking the ports you need, I would really question the "we don't block anything" statement.

Rich
TimRaines (IS/IT--Management)
6 May 02 10:14
What!?  Verizon blocks port 80?

I highly doubt it.  Port 80 is used for http.  I can't imagine that they're blocking access to web sites.  I gotta think some of their customers (some....heheh) would be upset about that.
Guest (Visitor)
6 May 02 11:39
im on the verizon dsl network in portland oregon.  johnny2can was actually speaking of port "50"... not "80" i believe.  im getting incoming from port "500" from my static ip.  does anyone know of a way to redirect or do i need to change isp.  thanks
Guest (Visitor)
6 May 02 13:04
finally... two hours on the phone with verizon.. kicked me up to top level tech support.. i got a guy to admit they block "some" ports on their home dsl... imagine that... he couldn't tell me which ones.  he also said that i couldn't maintain a constant vpn connection because they change the ip address every 5 or 10 minutes on my home dynamic dsl ip address.   anyone have any suggestions on a good isp that doesn't block ports for home dsl?  they suggested that i upgrade to a business dsl connection for my home.  these guys!
Guest (Visitor)
6 May 02 13:51
Thanks everybody who post their experience here...

I have a question about the subnet mask in my procedure of setting up the VPN channel.  For the VPN router, I can only use subnet masks with the first 3 octets as 255.  However, this is different from what we're using to set up our LAN.  Our LAN computers are all under the subnet of 255.255.0.0.  I got 2 VPN routers connected as the following:

VPN router 1: LAN IP: 128.1.2.201
Mask: 255.255.255.0

Tunnel Name: Test 1

Local Secure group:  Subnet  IP: 128.1.2.0
                            MASK: 255.255.255.0

Remote Secure Group: Subnet  IP: 128.1.1.0
                            MASK: 255.255.255.0

Remote Security Gateway: IP Addr.:  IP: xxx.xxx.xxx.xxx
=======================================================
VPN router 2: 128.1.1.201
Mask: 255.255.255.0

Tunnel Name: Test 2

Local Secure group:  Subnet  IP: 128.1.1.0
                            MASK: 255.255.255.0

Remote Secure Group: Subnet  IP: 128.1.2.0
                            MASK: 255.255.255.0

Remote Security Gateway: IP Addr.:  IP: xxx.xxx.xxx.xxx
=======================================================

After I got them connected, I can ping and browse TESTING computers at each side.  Unfortunately, most of our regular computers with their subnet mask as 255.255.0.0 cannot be reached at all.  Can anybody suggest what I should do to make computers with subnet mask 255.255.0.0 visible through the VPN channel?

Any help is highly appreciated.


Really confused...
spinge (TechnicalUser)
6 May 02 15:49
TimRaines (Visitor):

What I mean by blocking port 80 is that you can't run a web server on your end.  You can still access web pages, you simply can't post any from your own computer unless you have it mapped to a different port.

Rich
Guest (Visitor)
6 May 02 16:08
thanks rich

i see what you are saying.  i just dumped verizon and ordered up another that uses the same verizon backbone but will give me a static ip at home and, before i even said it, they dont block ports.  hopefully be up and running by friday.  the guy at the new place said they have had several new customers just for this reason only.. the customer got a couple of new befvp41s and they dont work on dynamic ip blocked ports.

thanks for your help in pointing me in what i hope will be a direction of resolution.
spinge (TechnicalUser)
6 May 02 22:17
heliosphere (Visitor):

Just for reference (It has been mentioned earlier in this thread), it is possible to connect two of the BEFVP41's when they both have a dynamic connection.  Verizon tech support in my area (Baltimore) tells me that they do not yet have static IP's available on their DSL lines - even the business packages - so I have had a chance to figure this out.  

The procedure requires the services of a DDNS (dynamic domain name server).  Essentially what happens is one of your PC's at one location runs a small program in the background and keeps an eye on the WAN IP address.  When it changes, it contacts the DDNS and they update their system.  They can normally be set to check the IP anywhere from about once a day to as short an interval as once a minute.  You end up with an address something like "www.mycompany.ddnscompany.com";

The next step is to set up the BEFVP41 at the location with the DDNS running to accept any IP address as the remote WAN IP.  On the remote (other) location, set the BEFVP41 up using FQDN (Fully Qualified Domain Name) as the remote WAN address, and enter your DDNS name.  This feature is available in the latest firmware upgrade - 1.40.02

When you fire the BEFVP41's up, they should connect (they did for me) so long as both of the boxes are set up with the same encryption, etc. - standard VPN stuff.  The units can get a little temperamental if the IP at either of the ends changes a lot, but they will reconnect, normally fairly seamlessly, with only slight service interruptions.

Hope this helps

Rich
markku (ISP)
6 May 02 23:26
Hi iwonderhow,

I think you are looking at wrong product. If you have class B network, you should look at Firewall-1 product.

Linky is intended for SOHO-markets, not for corporate markets.
WarDaddy (MIS)
7 May 02 11:13
Since we are talking Linksys to Linksys, I am on the Cox Cable system. I want to connect to home computers (different homes) with a VPN (small business being run from 2 homes) so they can share databases.  I have no servers running, and do not want the trouble or expense of having one running.  

If I have one of these at each house, I should be able to have them create a tunnel to each other so both homes will be sharing the same workgroup, correct?

Both houses have dynamic IPs, but I have had my same IP address for 5 months straight, without a server reboot at Cox. I think I will always have it.

Do you see any problems with the logic of this set up? thank you!~
Guest (Visitor)
7 May 02 18:32
Hi markku,

Thanks for your post.  

I'll change our Windows network into Class C...  There will be enough nodes for us to use here in only 1 branch company.  Another headache is our DG/UX servers.  They are in Class C (128.1.1.0/24) now, but I can't even ping them from the other side (128.1.2.0/24) of the VPN channel.  Do you know if there is any limitation on accessing Unix resource through the VPN?

I truly appreciate your suggestion.


Wayne
markku (ISP)
7 May 02 23:31
Hi Wayne,

See my answer in thread:

BEFVP41 - ping and telnet problem

There are no limits of accessing resources through VPN-tunnel, this is one of the lovely aspects of VPN.

Markku
havanajoe (IS/IT--Management)
8 May 02 8:18
wardaddy -

you "may" run into problems keeping the same ip.  I know that as soon as my ISP sees any traffic originating outside of my network destined for my network, i get a new DHCP address assigned.  I am not sure if this is for security sake or if it is them making sure that we are not running webservers and mailservers.  I have tried to ping the outside of my network and within moments I get a new DHCP address assigned.  So that maybe something to keep an eye on.
Guest (Visitor)
8 May 02 11:58
Hi Markku,

Could you tell me where you post "BEFVP41 - ping and telnet problem"?

Many thanks,


Wayne

Guest (Visitor)
8 May 02 12:50
Hi Markku,

Found your post...

The Ping command starts to work after I asked my colleague to change the gateway on one of our DG/UX servers.  It's so beautiful...  The remaining problem for my colleagues is to explore the possibility to enable 2 gateways on the other DG/UX servers, because there's already one for the frame relay on most of them.

Thank you very much,


Wayne
Guest (Visitor)
8 May 02 17:21
Hi everyone,

I have a couple of new questions now...

1. Can BEFVP41 function as "gateway" and "router" as the same time?  My guess is that BEFVP41 works only in either the "gateway mode" or the "router mode".  When it's working under the gateway mode, the entries I add at the "static routing" do not update the routing table...

2. When a remote computer accesses the local resource through the VPN channel (made by 2 BEFVP41), can a "local IP" be allocated to the remote computer?  As we were using Windows 2000 VPN server before, all the remote computers obtain "local IP address" (the 2nd IP) when they log onto the VPN.  I'm wondering if it's possible to assign local IPs to the remote computers in the scenario of BEFVP41 VPN channel?

Thanks in advance,


Wayne
KnoxC (TechnicalUser)
9 May 02 9:03
Has Anyone got this Linksys box to work with a remote client using Dial up networking to log in ?

If so, How ??

Thanks in advance.
Guest (Visitor)
9 May 02 14:08
we have 2 linksys vpn routers connected. we are using (2) win 2k and (1) windows 98se along with a novell server.
the test setup is 1 win2k as a remote and the rest on the other side. we can ping all machines and map drives from all machines except the novell (4.11) server. The novell we can ping but not map drives. we have downloaded and install the linksys firmware update and installed lmhost on all the win 2k machines. we are using static ip. any help

email larcan@adelphia.net
thanks
joe d
Guest (Visitor)
9 May 02 22:53
I'm back.

Worked the first time (Linksys to Linksys).

Settings were basic.  Same on both sides...

Local: "subnet" 192.168.0.0
Remote: "subnet" 192.168.1.0
   (flipped it for the other Linksys)
mask was 255.255.255.0 for both
IP Addr. (I have statics on both sides)
Des (faster)
SHA (faster)
Auto (IKE)
PFS (stands for Perfect Forward Secrecy)
Key Lifetime: 3600

clicked more...
Phase 1: Main/DES/SHA/768/28800
   chose 28800 to make Phase 1 last "all day" (8 hours)
Phase 2: 768/3600

Anti-replay (not relay, as some have suggested)
   Has to do with an attacker re-using one of the
   encryption keys
Keep-alive

After "Apply" I *did* click "Connect", but only on one side (as it should be).  All worked at this point.

Block WAN was enabled (the default) and had no effect on my VPN.

Other notes:

Verizon?  Verizon is a melding of several smaller (though still large) networks.  Very possible that one part of the country is blocking when another part of the country is not.  They haven't merged completely, yet.

Blocking port 80?  Yes, several ISP's block port 80... *inbound*!  They don't want people from the outside requesting web pages from your machine.  That does *not* block port 80 outbound, thus allowing you to request web pages from the Internet.

50?  That is *IP protocol 50* (aka Encapsulating Security Payload (ESP) which is the encryption), not TCP (IP protocol 6) or UDP (IP protocol 17) port 50.  It's a completely different animal from IKE, which is transported over UDP port 500.  Therefore, you cannot redirect IP protocol 50 to UDP port 500, or vice versa.

Congrats, jmacmann, on getting those clients up and running!  I'm gonna try that using FQDN and DDNS... sounds intriguing!

Good luck, all.
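The post above draws two distinctions that are worth seeing in code: ESP is IP protocol 50 (no ports at all), IKE is UDP port 500, so a filter on "port 50" and a filter on "protocol 50" are different things; and anti-replay is the receiver keeping a per-SA sequence-number window so that a captured ESP packet re-sent later is discarded (RFC 2401/2406, now RFC 4303). The following is an added example, not code from the thread or from Linksys: it classifies constructed IPv4 packets by protocol number and UDP port, pulls the SPI and sequence number out of the ESP header, and runs them through a sliding replay window. Every packet is built in memory; the addresses and SPI are made up.

```python
"""Added example: IKE vs ESP classification and an ESP anti-replay window.
Packets are constructed in memory; nothing here touches the wire."""
import socket
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50   # Encapsulating Security Payload: an IP protocol, it has no ports
IPPROTO_AH = 51    # Authentication Header, likewise portless
IKE_PORT = 500     # ISAKMP/IKE rides on UDP/500
NATT_PORT = 4500   # UDP-encapsulated ESP when a NAT device is in the path (RFC 3948)


def make_ipv4(proto, payload, src="192.168.1.2", dst="203.0.113.9"):
    """Minimal 20-byte IPv4 header (checksum left 0; constructed sample only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def make_udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def make_esp(spi, seq, ciphertext=b"\x00" * 16):
    # The ESP header is just SPI (4 bytes) + sequence number (4 bytes); the rest is encrypted.
    return struct.pack("!II", spi, seq) + ciphertext


def classify(pkt):
    """Return 'ike', 'nat-t', 'esp', 'ah' or 'other' for a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto == IPPROTO_ESP:
        return "esp"
    if proto == IPPROTO_AH:
        return "ah"
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if IKE_PORT in (sport, dport):
            return "ike"
        if NATT_PORT in (sport, dport):
            return "nat-t"
    return "other"          # note: UDP port 50 lands here, it is not protocol 50


def esp_spi_seq(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    return struct.unpack("!II", pkt[ihl:ihl + 8])


class ReplayWindow:
    """Sliding-window anti-replay check for one ESP security association.
    Each sequence number is accepted at most once; anything older than the window is dropped."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence (top - i) already seen

    def accept(self, seq):
        if seq == 0:
            return False                      # sequence numbers start at 1
        if seq > self.top:                    # newer than anything seen: slide the window
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                      # too old, outside the window
        if self.bitmap & (1 << diff):
            return False                      # already seen: replay
        self.bitmap |= 1 << diff
        return True


def triage_capture(packets):
    """Count packet kinds and run ESP sequence numbers through per-SPI replay windows."""
    counts = {"ike": 0, "nat-t": 0, "esp": 0, "ah": 0, "other": 0}
    windows = {}
    verdicts = []
    for pkt in packets:
        kind = classify(pkt)
        counts[kind] += 1
        if kind == "esp":
            spi, seq = esp_spi_seq(pkt)
            ok = windows.setdefault(spi, ReplayWindow()).accept(seq)
            verdicts.append((spi, seq, ok))
    return counts, verdicts


# Constructed sample: one IKE packet, then ESP on SPI 0x1234 with a replayed
# sequence number 2 and a jump to 70 that ages sequence 5 out of the window.
SAMPLE = [make_ipv4(IPPROTO_UDP, make_udp(500, 500, b"\x00" * 28))]
SAMPLE += [make_ipv4(IPPROTO_ESP, make_esp(0x1234, s)) for s in (1, 2, 3, 2, 70, 5, 10, 10)]

if __name__ == "__main__":
    print(triage_capture(SAMPLE))
```

The window is why a replayed ESP packet is harmless even though the keys are unchanged: the receiver rejects it on the sequence number before it ever decrypts. If an ISP "blocks 50", the useful question for them is whether they drop IP protocol 50, not whether they filter a port.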
Guest (Visitor)
9 May 02 22:59
Oh, and as someone mentioned earlier, forget about using the Dial-up Networking VPN.

- M$ DUN uses PPTP or L2TP
- Linksys uses IPSec

If you want to hook up M$ directly to the Linksys, you need to use the IPSec that they built into >Win2k, not the DUN VPN.

-J
markku (ISP)
9 May 02 23:19
Hi Wayne,

>1.  the entries I add at the "static routing" do not >update the routing table...

If the router is in gateway mode static routing works, you just have to hit <refresh> in your browser after applying the changes. Otherwise you won't see the changes.

>2. When a remote computer accesses the local resource >through the VPN channel (made by 2 BEFVP41), can a "local >IP" be allocated to the remote computer?

Not necessary. The Linkys are only routing IP packets from LAN to LAN with different IP scenarios. No other fiddling with machines or SW necessary, just connect \\remoteIP\sharename. Telnet <remoteLANIP> works without any other tweakings.

VPN network acts like large LAN. It makes things simple, not complicated. Just remove any SW-based VPN you might have and enjoy.

Markku
Guest (Visitor)
11 May 02 13:24
I wonder if somebody here can share with me some experience of using SSH Sentinel 1.3 as the VPN host to connect to the BEFVP41 router.

*******************************************************
My setting on BEFVP41

Local Security Group: IP: 128.1.1.0
                      Mask: 255.255.255.0
Remote Security Group: Any
Remote Security Gateway: Any
Encryption: 3DES
Authentication: MD5
Key Management: Auto IKE
PFS: Enabled
Pre-shared Key: abc123def
Key Lifetime: 3600 sec
************************************************************
My Setting at SSH Sentinel computer:

I use "Administrator Email" as "Primary identity", and provide my email address.  Then I created a "self-signed certificate".

I generated a preshared key (named RoadWarrior) the same as what I have at the BEFVP41 router (abc123def).  Something I don't understand is that SSH only allows users to create the key using SHA-1.  However, people can select to use "SHA" and "MD5" when setting up a VPN tunnel with the BEFVP41 router.

VPN Rule:

Remote endpoint:
       Security Gateway: xxx.xxx.xxx.xxx (WAN IP of BEFVP41)
       Remote network: 128.1.1.0/24
IPSec and IKE Proposal:
     Authentication Key: RoadWarrior
     Proposal Template: Legacy
     Proposal Parameters (setting):
     IKE Proposal:
         Encryption algorithm: 3DES
         Integrity function: MD5
         IKE mode: main mode
         IkE group: MODP 1024 (group 2)
     IpSec proposal:
         Encryption algorithm: 3DES
         Integrity function: HMAC-MD5
         IPSec mode: tunnel (unchangeable)
         IPSec group: MODP 1024 (group 2)
************************************************************

After I finished the above configuration, I tried to connect from the SSH Sentinel computer.  However, I never pass through even the first stage of the IKE proposal.

The error message tells me to check both the authentication key and make sure the remote gateway is available.  But they don't seem to be my case, because I can find the incoming traffic from my BEFVP41 router, which is through Port 500.

When I checked the audit log in SSH, I couldn't find any response from the remote side.  

DEBUG: 0.0.0.0:500 (Initiator) <-> xxx.xxx.xxx.xxx:500 { 108b9675 63000003 - acb720fa 21e3ac2b [-1] / 0x00000000 } IP; Retransmitting packet, retries = 3

Can anyone kindly let me know what I have done wrong?

Thanks in advance,

SSHFun

Guest (Visitor)
11 May 02 13:30
Hello Markku,

Thank you very much for your suggestion.  

The reason that I want to have "internal" IP is I want to simplify the remote computers's access to the LAN.  If they have internal IPs (like Win2K VPN solution), I can save efforts on setting up routing entries for them.

Thank you once again and have a nice weekend,


Wayne

Guest (Visitor)
11 May 02 19:37
Just some addition to my previous post about the SSH Sentinel VPN client...

When I check out the SSH log file generated during the VPN connection, I find continuous negotiation is carried out between the SSH VPN client (my remote computer) and our Win2K servers (128.1.1.249 is one of our servers) that are not in the same subnet at all.  The log is like the following:

Phase-1 [initiator] between ipv4(udp:500,[0..3]=192.168.0.3) and ipv4(udp:500,[0..3]=128.1.1.250) failed; Timeout.
0.0.0.0:500 (Initiator) <-> 128.1.1.249:500 { 3c92c06a d10000a8 - 00000000 00000000 [-1] / 0x00000000 } IP; Connection timed out or error, calling callback

I can find the IKE negotiation between SSH client and the BEFVP41 router in the router's incoming log, but this is never shown in the SSH log file.  Could it be some clue with which you can tell where I've made a mistake?

Many thanks,


SSHFun
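The two log fragments quoted above carry more than they look like they do: which address the client is actually negotiating with, how many retransmits went unanswered, and (reading the braces as the ISAKMP initiator and responder cookies, which is an assumption about the SSH Sentinel format) whether the peer ever replied at all, since the responder cookie stays all-zero until the first reply arrives. The following added example, not code from the thread or from SSH, parses lines in that format and reports per peer. The log lines are constructed to match the quoted format; the gateway address 203.0.113.9 and the rule that a peer inside the remote network is suspect are assumptions of the example.

```python
"""Added example: triage of SSH Sentinel style IKE debug lines.
Log lines are constructed in the format quoted in the thread; the gateway address and
the reading of '{ a b - c d }' as initiator/responder cookies are assumptions."""
import ipaddress
import re

SAMPLE_LOG = """\
DEBUG: 0.0.0.0:500 (Initiator) <-> 203.0.113.9:500 { 108b9675 63000003 - acb720fa 21e3ac2b [-1] / 0x00000000 } IP; Retransmitting packet, retries = 3
DEBUG: 0.0.0.0:500 (Initiator) <-> 203.0.113.9:500 { 108b9675 63000003 - acb720fa 21e3ac2b [-1] / 0x00000000 } IP; Retransmitting packet, retries = 4
Phase-1 [initiator] between ipv4(udp:500,[0..3]=192.168.0.3) and ipv4(udp:500,[0..3]=128.1.1.250) failed; Timeout.
0.0.0.0:500 (Initiator) <-> 128.1.1.249:500 { 3c92c06a d10000a8 - 00000000 00000000 [-1] / 0x00000000 } IP; Connection timed out or error, calling callback
"""

# The remote peer is either the address after '<-> ' or the one after 'and ipv4(udp:500,[0..3]='.
PEER_RE = re.compile(r"(?:<-> |and ipv4\(udp:500,\[0\.\.3\]=)(\d{1,3}(?:\.\d{1,3}){3})")
COOKIE_RE = re.compile(r"\{ ([0-9a-f]{8}) ([0-9a-f]{8}) - ([0-9a-f]{8}) ([0-9a-f]{8}) ")
RETRANS_RE = re.compile(r"Retransmitting packet, retries = (\d+)")


def parse_line(line):
    """One log line -> event dict, or None if it names no peer."""
    m = PEER_RE.search(line)
    if not m:
        return None
    ev = {"peer": m.group(1), "kind": "other", "retries": None, "peer_answered": None}
    r = RETRANS_RE.search(line)
    if r:
        ev["kind"], ev["retries"] = "retransmit", int(r.group(1))
    elif "Timeout" in line or "timed out" in line:
        ev["kind"] = "timeout"
    c = COOKIE_RE.search(line)
    if c:
        # Responder cookie is zero in the initiator's first message and set by the first reply.
        ev["peer_answered"] = (c.group(3) + c.group(4)) != "0" * 16
    return ev


def triage_ike_log(log_text, gateway, remote_net):
    """Summarise negotiations per peer and attach plain-language findings."""
    net = ipaddress.ip_network(remote_net)
    report = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        e = report.setdefault(ev["peer"], {"events": 0, "max_retries": 0, "timeouts": 0,
                                           "peer_answered": None, "findings": []})
        e["events"] += 1
        if ev["kind"] == "retransmit":
            e["max_retries"] = max(e["max_retries"], ev["retries"])
        elif ev["kind"] == "timeout":
            e["timeouts"] += 1
        if ev["peer_answered"] is not None:
            e["peer_answered"] = bool(e["peer_answered"]) or ev["peer_answered"]
    for peer, e in report.items():
        f = e["findings"]
        if peer != gateway:
            if ipaddress.ip_address(peer) in net:
                f.append("IKE aimed at a host inside the remote network, not at the gateway: "
                         "the client is treating that host as the IPsec peer")
            else:
                f.append("peer is not the configured security gateway")
        if e["peer_answered"] is False:
            f.append("responder cookie still zero: no ISAKMP reply ever received "
                     "(UDP/500 not reaching the peer, or wrong address)")
        elif e["peer_answered"] and e["max_retries"] >= 3:
            # Heuristic: the peer replied once and then went quiet; typical causes are a
            # pre-shared key or Phase 1 proposal mismatch on the responder side.
            f.append("gateway replied earlier but later messages go unanswered: "
                     "compare pre-shared key and Phase 1 proposal on both ends")
    return report


if __name__ == "__main__":
    for peer, e in triage_ike_log(SAMPLE_LOG, "203.0.113.9", "128.1.1.0/24").items():
        print(peer, e["findings"])
```

Run against the real log, the per-peer view separates "the gateway never answers" from "the client is negotiating with the wrong box" in one pass, which is the first thing to settle before touching keys or proposals.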
markku (ISP)
12 May 02 23:37
Hi Wayne,

By using 2 BEFVP's it is not necessary to add any routes to the boxes. The Linkys do the routing to remote networks automatically assuming that the tunnel is alive.
Guest (Visitor)
13 May 02 19:12
Can anyone here give a summary of why computers can be pinged but are not shown in "My Network Places" and are not available for mapping drives?

I've tried Dial-up and access through another subnet, and neither of them worked.
 
Thank you...
ShovelhEd (IS/IT--Management)
14 May 02 14:59
Visitor(old problem),

Typically this is because the machines on the other end of the tunnel have no names for your PCs.  This info is passed by NetBIOS.  If you are using Linksys BEFVP41s, try enabling the "send NetBIOS info over tunnel" option in the advanced settings of your tunnel. You can also try connecting by mapping a drive:

search for the PC (Search -> For Computers in Win98, or Search -> Files and Folders in XP) and enter: \\xxx.xxx.xxx.xxx\ (of course replacing xxx.xxx... with the IP of the computer you are searching for).  This way you are searching by the IP address of the machine, not its name.  If you can ping it then your machine can at least see the IP and hopefully be able to connect this way.

That might just fix things up for you.  If it does, edit the hosts file on all your PCs to add the PC names:

xxx.xxx.xxx.xxx computer1
xxx.xxx.xxx.xxx computer2
etc.


Good to you.
madnessxx (MIS)
14 May 02 15:15
Old problem: On each side of the VPN do you have more than one computer?  Can the two computers on side A map drives?  And the other two on side B map drives?  If you only have one computer on each side of the VPN then you should check that you are logged in as someone.  In the start menu, if it says logoff... then you are not logged in as someone and you need to give yourself a name in order for the file sharing to work.
Guest (Visitor)
14 May 02 19:17
Hi ShovelhEd,

The strangest thing for me is that I can ping every computer in the domain, however I can never browse (in My Network Places) them or map drives using their IP addresses.  This seems to be DIFFERENT from what everybody here says...

In the past couple of weeks, I've been trying to connect my laptop (Win2K Prof) at home with our company's Win2K network through the VPN tunnel.  I have to say the only success so far is I've made it possible to "ping" each one in the network.

I can't utilize any Active Directory tool that I usually use while in the company.

I've got totally lost...
Guest (Visitor)
14 May 02 19:25
To Madnessxx:

I have my home computer at one end of the VPN tunnel and our company's LAN at the other end.  I don't have any problem to map drives among computers in the company.  But neither "network browsing" nor "mapping drive" works when I work through the VPN tunnel at home.

I check the "shares" in our company's LAN.  All of them permit access by the "everyone" group.

I don't quite understand when you say I need to log on as someone.  If I dial up from home, there's nothing coming up to let me "log on"...

Any further suggestion?

Thanks a lot.
madnessxx (MIS)
14 May 02 20:00
Old Problem:
Depending on your OS, if you pull up the start menu and it says log off... then you are not logged in as someone.  You need a user name to be part of the "everyone" group, and if it says log off... then you have a <null> username.

If it doesn't say logoff (username) right above the shutdown command in the start menu, then select shutdown and operate the pulldown menu.  It should give you an option to reset, shutdown, logoff (username or just ...), and maybe an option to go to DOS mode or something.  If you have the dots then select that.  You will be prompted to login; go ahead and give yourself a username and blank password.

Now you will have a name that will allow you to access the MS shares.

Also you say you can ping the other computers on the network your using ping <computername> not the IP correct?  Win98 wont allow you to UNC to an IP so you will need to verify that will work.  If your work is running a WINS server put that server in your TCP/IP setup for your NIC.
That should handle all your name resolution needs.
Guest (Visitor)
15 May 02 2:03
Hi Madnessxx,

I believe I have logged on using the "cache memory" with Win2K Professional.  While I'm at home, I usually log on as I do in the company.  The only difference is I have to wait longer, because the company network is not available to me at home.

If I have logged on, my user name should be a member of Group Everyone.  But how come the error message always says "this is no logon server...".

I appreciate every suggestion you give to me.

 
Guest (Visitor)
18 May 02 21:45
I have a Linksys EtherFast Cable/DSL Router and am trying to get my webcam to work.  I am using Microsoft Windows Messenger and cannot connect while the router is connected.  I can bypass the router and it will work.  Any suggestions on how to configure this to work?
gwinn7 (Programmer)
21 May 02 8:30
Ok Scott,

Back to your original post, I think I may have a resolution.  I am faced with the same problem as you.   Here is what I found.

Check the Microsoft KB with the following article...

"How to Configure a L2TP/IPSec Connection Using Pre-shared Key Authentication (Q240262)"

Apparently, the Linksys Router uses a non-recommended method to validate VPN clients.  Using the instructions in this article will supposedly allow you to configure a Windows client to use Linksys's method for communicating through the VPN.  

I think this is the solution and will likely post another response to let you know if this worked for me.  

Gary
gwinn7
A+, Network+


SouthsideJohnny (IS/IT--Management)
22 May 02 11:50
I am planning on setting up a Linksys VPN router for the office.  This will be to connect another location (in about 1 month).

But I want to make sure this product will allow users from home VPN into the network here through this.

From everything I have read, this will work as long as I setup a IPSec on their machines they are going to be using at home.

Is this correct?
markku (ISP)
22 May 02 13:41
Hi, SouthsideJohnny,

For the time being Linksys is good for box to box VPN. If you need painless windows-clients you have to look elsewhere, like SonicWALL or CISCO.

KnoxC (TechnicalUser)
22 May 02 14:37
Has anyone out there had any kind of success connecting to the Linksys box from a remote PC using 3rd party software?

If so how ? and what software did you use ??

Any help would greatly be appreciated.

Thanks,
Chris.
Navaldis (TechnicalUser)
23 May 02 11:54
Has anyone had some experience in routing to additional subnets besides the one that the BEFVP41 is connected.

I have two locations which are connected via VPN and it works perfectly.  The remote location is 10.0.100.X and our main location is 10.0.10.X.  The remote location can see everything just fine and vice versa.  Network browsing works like a charm as well.

However, if I try to ping other subnets from 10.0.100.X (say 10.0.25.X) I don't get a response.

Now, I have placed routes on both sides for 10.0.25.0 however it just doesn't work.

It seems to me that the routing would be simple, however, it just doesn't work and I'm stumped.  I must be missing something here.

Anyone have any suggestions?
Any assistance would be greatly appreciated.

Thanks.
Nicholas.
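Two questions in this thread are really the same question: the 6 May post where hosts on a 255.255.0.0 LAN cannot be reached through a tunnel whose secure groups are /24, and the post above where 10.0.25.x is unreachable through a 10.0.100.0/24 <-> 10.0.10.0/24 tunnel. In both, the packet never qualifies for the tunnel: either the sending host's mask makes it believe the destination is on its own segment, so it ARPs instead of using the router, or the router gets the packet but no tunnel's local/remote secure groups cover the source/destination pair, and on a policy-based box a static route cannot push a packet into a tunnel by itself. The following is an added example, not the router's firmware or anyone's posted code: a small model of that decision using the addresses quoted in the thread. It models one direction only; the far side needs the mirror-image selector and a route back.

```python
"""Added example: does a packet reach a subnet-to-subnet tunnel at all?
Addresses are the ones quoted in the thread; the logic models ordinary host forwarding
plus IPsec selector matching, not the BEFVP41's actual implementation."""
import ipaddress


def next_hop(host_ip, host_mask, dst):
    """'on-link' if the host will ARP for dst on its own segment, else 'gateway'."""
    net = ipaddress.ip_network(f"{host_ip}/{host_mask}", strict=False)
    return "on-link" if ipaddress.ip_address(dst) in net else "gateway"


def matching_tunnel(tunnels, src, dst):
    """Name of the first tunnel whose local/remote secure groups cover src->dst, else None.
    A remote group of 'any' matches every destination, like the router's 'Any' setting."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for t in tunnels:
        in_local = s in ipaddress.ip_network(t["local"])
        in_remote = t["remote"] == "any" or d in ipaddress.ip_network(t["remote"])
        if in_local and in_remote:
            return t["name"]
    return None


def path_verdict(host_ip, host_mask, tunnels, dst):
    """(where the host sends the packet, which tunnel carries it or None)."""
    hop = next_hop(host_ip, host_mask, dst)
    if hop == "on-link":
        return hop, None          # the VPN router never sees this packet
    return hop, matching_tunnel(tunnels, host_ip, dst)


# Case 1: the 128.1.x LAN with a /16 host mask but /24 tunnel selectors.
T1 = [{"name": "Test 1", "local": "128.1.2.0/24", "remote": "128.1.1.0/24"}]

# Case 2: the three-subnet site. A static route for 10.0.25.0 on the router changes
# nothing below, because only a selector match decides what enters the tunnel;
# a second tunnel whose remote group covers 10.0.25.0/24 does.
T2 = [{"name": "main", "local": "10.0.100.0/24", "remote": "10.0.10.0/24"}]
T2_EXTRA = T2 + [{"name": "main-25", "local": "10.0.100.0/24", "remote": "10.0.25.0/24"}]

if __name__ == "__main__":
    print(path_verdict("128.1.2.50", "255.255.0.0", T1, "128.1.1.30"))        # ('on-link', None)
    print(path_verdict("128.1.2.50", "255.255.255.0", T1, "128.1.1.30"))      # ('gateway', 'Test 1')
    print(path_verdict("10.0.100.7", "255.255.255.0", T2, "10.0.25.3"))        # ('gateway', None)
    print(path_verdict("10.0.100.7", "255.255.255.0", T2_EXTRA, "10.0.25.3"))  # ('gateway', 'main-25')
```

The first case is the one that looks like a VPN fault but is not: with a /16 mask the host ARPs for 128.1.1.30 on its own wire and gives up, so nothing the router does can help until the host's mask (or a host route) sends the packet to the gateway.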
markku (ISP)
24 May 02 13:51
Hi Navaldis,

The VPN network works in star-shaped form. The routing between remote nodes is too much for Linksys.

The only chance is to create separate tunnels between remote nodes in addition to the tunnel to the main location. Linky supports 70 separate tunnels.

Keep us posted about results.
JNoodle (TechnicalUser)
25 May 02 16:26
Hello,
This is a really long thread, but since people seem to be reading it, might as well post my issues here as well.  I am trying to set up two of the Linksys BEFVP41 routers to create a VPN tunnel between two locations.  One is the main office, and one is the remote office.  Currently I have everything configured pretty close to what everyone describes here, and the tunnel actually comes up and says connected.  However, I can't ping/map across the tunnel and I can't think of any other way to verify that the tunnel is actually being used.  Here is the way I have it configured:

Main Loc. -> BEFVP41 -> 3Com ADSL -> Internet
Internet -> 3Com ADSL -> BEFVP41 -> Remote Location

We were assigned a static IP for the main office, however it's assigned to the 3Com ADSL router.  So I have made the default workstation (where all traffic is forwarded when it's send to the static IP) the BEFVP41 so that it handles all requests from the Internet.
The remote location is a dynamic IP address.
Because of this I have set the BEFVP41 at the main office to accept VPN connections from any remote gateway.  I don't want to use netbios over the tunnel, I just want IP connectivity.
Are there any routing/forwarding issues that I'm overlooking?
Let me also give the ip layout:
Main Office IP: 10.x.x.x
Main Office VPN:
  LAN: 10.x.x.254
  WAN: 192.168.1.2
Main Office DSL:
  LAN: 192.168.1.1
  WAN: ISP Static
Remote Office DSL:
  LAN: 192.168.2.1
  WAN: ISP Dynamic
Remote office VPN:
  LAN: 192.168.200.x
  WAN: 192.168.2.2
Remote Office IP: 192.168.200.x

Also, I believe that NAT is being performed two times on each side, not that it should make much difference.  The DSL routers on both sides are performing NAT.

Does anyone have any ideas why, if the tunnel is connected, I can not send/receive traffic through that tunnel?  Or pretty much, why I can't use the darn thing if it's up?

  -Josh
markku (ISP)
25 May 02 22:21
Hi Josh,

Two possibilities:

You should have machines in your both LANs pointing to the Linky -> Linksys router should be the Gateway in order to have the packets properly routed to the tunnel and back.

Your ISP is blocking protocol #50 ( IPSec ), pls check with your ISP.

NAT should not be a problem, I have similar setup running right here with no problems.

markku (ISP)
26 May 02 0:50
Hi Josh,

There might be still third possibility with 3COM.

Try to configure the ADSL router to bridge instead of route, since you need only one IP.

Check the documents / support of 3COM for IPSec passthrough; it might need some hammering. I use a Zyxel 645 R which does not need any additional setup for this.
Navaldis (TechnicalUser)
27 May 02 12:57
Hey markku.

Thank you for you reply.

I'll review the issue as this thread is rather long.

I have a tunnel between two subnets 10.0.100.X and 10.0.10.X and everything is dandy.  However, I can't see any subnets which are connected to the location at 10.0.10.X (10.0.25.X for example) from the 10.0.100.X and vice versa.

So if I understand you correctly I need to create another tunnel between 10.0.10.X and 10.0.25.X?  Once this is done 10.0.100.X will be able to see 10.0.10.X AND 10.0.25.X?

This is my understanding on what I need to do as I can't create a tunnel between 10.0.100.X and 10.0.25.X because they can't see each other.

I am surprised that the ability to see additional subnets besides the one you are connected to does NOT work on the Linksys?

It is a router and the manual does state that you can set up static routes.  I mean, what is the point of the static routes?

I'm still going to try a test with Dynamic Routing (as soon as I turn off RIP on this silly little SCO box out at the 10.0.100.X location which thinks it knows the routes to everywhere and doesn't).  I want to see what gets dynamically reported to the Linksys, as our Cisco routers also support the RIP protocol.

I'll keep people posted as I'm sure there are people in the same boat as I.

Regards,

N
markku (ISP)
27 May 02 14:27
Hi Navaldis,

The advantage of VPN-boxes is that they do the routing between different VPN-subnets without any other static or dynamic routing automagically = VPN rules are superior to other rules, e.g. static routes. Have tried it with Linky without success.

Therefore the easiest thing is to apply number of tunnels between nodes if _really_ necessary.

The routing between subnets requires ~$1500 upgrade for CISCO PIX, so Linksys cannot be blamed for not having this feature.

Good luck and keep us posted

Markku
Guest (Visitor)
30 May 02 22:41
Has anybody setup a BEFVP41 on a LAN, as the DSL router and VPN endpoint and has remote users with w2k connect to it?
paulbenn (Programmer)
31 May 02 14:33
Well, after many sleepless nights and searching the forums for information I have finally got my VPN working. Hooray!!!

My Set up is as follows:
Office: Netpilot Firewall with VPN
Home: Linksys VP41

I updated the firmware to 1.4.2 and managed to get a tunnel created every time; however I could not ping the other end. I set routes and opened ports and no luck. Finally I downgraded to version 1.39.64 and as if by magic it worked.

I got the Link for the Firmware from this forum thanks curious2

the Link to save you searching:
http://www.dslreports.com/forum/remark,2881005~root=equip,16~mode=flat

I hope that everyone has my success. :)

Paul Benn

Kind Regards, Paul Benn

**** Never Giveup, keep trying, the answer is out there!!! ****

Guest (Visitor)
20 Jun 02 21:28
If you're a novice like me ("I'm a doctor, not a computer programmer" - Leonard McCoy), you made it down this far on the thread, haven't successfully created a VPN and haven't pulled ALL of your hair out yet, I will reiterate one piece of advice: Get two of these routers and put one on each end. Piece of cake for a total of $300 (from Buy.com). I tried connecting a Linksys BEFVP41 VPN to another brand VPN router and tried software connections to no avail. I then ordered another Linksys and put one unit on each end and VOILA!
markku (ISP)
21 Jun 02 0:36
Hi cdoug,

You are quite right, at $150/box there is no need to use any client software when connecting two offices.

However, if you have a portable then you can use SSH Sentinel to connect to the office network.
Navaldis (TechnicalUser)
21 Jun 02 11:29
I too like the Linksys VP41 router.  However, I am disappointed that it is not possible to route between subnets on the unit.  It would be nice if people working from home could see our entire network and not just the subnet in which they have established the VPN link.

Has anyone had any success in routing between subnets other than the one you are connected to?

At markku's suggestion I have established VPN tunnels from my home and from one of our locations.  All can see the subnet they are connected to, but cannot see the other subnets that are tunnelled within the same Linksys device.

I would have thought that this would have worked at least.  Am I missing some static routing magic?

Secondly, has anyone a better solution for doing this if it is totally not possible to do it with the Linksys device.  For most of our locations it is not necessary to connect to any other subnet than the one that they are connected to.  However, I have a couple of locations that need to be able to "see" other subnets within our internal network.  Any suggestions would be appreciated.

Finally, the VPN tunnel seems to go down every now and again and it requires us to power cycle the router.  Anyone experienced this behaviour and has eliminated this condition?  We are on the absolute current version of the firmware.

P.S. Many thanks to all the helpful people who stalk this forum, especially markku for his/her invaluable assistance.

N
markku (ISP)
24 Jun 02 13:18
Thank you Navaldis for your kind words.

I have tried to see the other subnets like you did with no success. Tried with static routing only. The only change is to establish more tunnels, fortunately Linky supports 70 tunnels/box. Other possibility is to install all servers to one location, and use the star-shaped architecture.

Linksys is not Cisco or FW-1.

I have noted tunnel going down with ADSL / dynamic IP. The technology which is used in our country ( Finland ) refreshes IP-info between 15 min to 1 hour. This causes BEFVP to freeze occasionally requiring cold boot.

Strange phenomenon is that BEFSR41/SSH Sentinel combo works flawlessly under same circumstances.

Most probably an issue with firmware, this is a new product.
Guest (Visitor)
25 Jun 02 13:56
Hello Navaldis,

I have tried using the BEFVP as a router besides VPN and I did not succeed either.
I don't know if Markku is still not understanding you, because in my case it is not possible to use 2 tunnels.
I have the problem as follows:


                        10.15.0.0/16
                             |
                             |
                             |
                     ________|_________
                    |                 |
                    |  Router         |
  Main Site         |_________________|
                             |
                             | 192.168.168.0/24
                             |
                     ________|_________
                    |                 |
                    |  BEFVP Main     |
                    |_________________|
                             |
                             | Cable Network (Valid IP)
 - - - - - - - - - - - - - - | - - - - - - - - - - - - - -
                     ________|_________
                    |                 |
                    |  BEFVP Local    |
                    |_________________|
                             |
                             |
                             |
                     192.168.4.0/24

As Navaldis said, my VPN is dandy and I can ping between the networks 192.168.168.0 and 192.168.4.0. I tried to ping hosts in network 10.15.0.0 from 192.168.4.0 and vice versa but I did not succeed. I put static routes in order to advertise the way for packets with source and destination 10.15.0.0/16 but no way.
I have contacted the distributor technical assistance but they didn't contact me yet.

I'd like to thank Markku in advance, for trying to help us.

Rgs

Robson
Guest (Visitor)
25 Jun 02 15:41
I've been trying to connect my home computer (XP running SSH Sentinel) to my office network (peer-to-peer using the LINKSYS BEFVP router).  I can create the VPN tunnel every time, but like most people, cannot browse the network.  Will this even be possible, or do we need a server behind the router?

Rudy
markku (ISP)
25 Jun 02 23:13
Hi cbola2,

Looks bad.

Almost only chance is to replace the units with SonicWALL or similar more advanced VPN-product, since they support multiple trusted subnets through one VPN-tunnel. Linky supports only one subnet/tunnel.

It seems that static routing in Linky has nothing to do with VPN, which means that VPN rules have priority over any other rules.

An educated guess is to try to establish another parallel tunnel for 10.15.0.0/16 -network between Linkys with different parameters. The tunnels seem to be quite independent of each other in Linky.
Guest (Visitor)
26 Jun 02 12:06
Markku,

That sounds interesting.

I'm going to try doing that. The only problem is the network mask that is limited to /24 at the local secure group configuration.

I will let you know about the results.

Thanks

Robson
Navaldis (TechnicalUser)
26 Jun 02 12:10
Looks like I'm going to have to look at the SonicWALL or other such device for certain locations.

The Linksys certainly will do the job for some of our smaller locations in which it is not necessary to "see" the other subnets.

Thanks to all who replied and please keep us informed of any success with the VP41.  It's a nice device, I just believe that it falls short in its inability to route between subnets through the VPN tunnel.  This limitation on the device will certainly keep the device at the entry level of the market.

Cheers!

N
Guest (Visitor)
26 Jun 02 12:57
I found the only way to make it work was to be sure that the PCs on both ends are pointing to their respective Linksys boxes as their default gateways.

Now it works great. Pinging, browsing... sweet.
Guest (Visitor)
27 Jun 02 23:56
I have 2 Linksys VPN routers, one at home and one in the office. The office connection is on a server with a domain name. The home computer is a standalone with a workgroup. I get the Linksys to create the tunnel but I can't see the office in the network neighborhood in W2K. Any thoughts as to why this is and what I can do about it?
Appollo (TechnicalUser)
28 Jun 02 0:52
Harrydemo, you need to find out the IP address of the server you're trying to communicate with and enter it in the "Search for Computers" window (right click on My Network Places) on the home PC. This should find the proper server and then you can set up your shares, making sure the home user has permission on the work server. Good Luck
Helperguy (TechnicalUser)
28 Jun 02 5:19
Install WINS service into target private LAN and configure WINS ip address into TCP/IP settings of that network connection profile (LAN, dial-up, PPPoE, ...) used by your VPN client. That helps for browsing MS networks. WINS service may be NT 4.0 or Win2k server, or a *nix based Samba daemon.
dutchboy22 (MIS)
2 Jul 02 18:43
Hi, I'm hoping that someone has an idea what is going on with my Linksys VPN problems. I have a setup with 2 BEFVP41's. One is connected via an Ameritech PPPoE DSL modem to Remote LAN 1. The other is sitting behind a Cisco router + T1 frame relay on our local LAN. The two Linksys boxes can connect and establish a VPN tunnel. I can ping and even open up folders etc. on the remote computers. However... when I try to copy a large binary file it just doesn't work at all. I tried all the different security settings. No encryption and no authentication seems to work a bit better. I can now copy a file but it arrives corrupted.
Called Tech Support. What a joke. They keep telling me to change the MTU setting. Of course this does not help at all.

So here I am, pulling my hair out. The routers "almost work". Without encryption and authentication I can transfer text files, browse other computers. Everything seems to be fine. Large Binary files still get corrupted.

Does anyone have any idea what the problem could be?

Thanks
markku (ISP)
3 Jul 02 0:12
Greetings,

Linksys has come out with new firmware for befvp41. This should finally solve the famous issue connecting to central SonicWALL from a client Linky in dynamic IP.

See:

http://www.dslreports.com/forum/remark,3727458~root=equip,16~mode=flat

Guest (Visitor)
12 Jul 02 13:25
Great markku!

Your idea was a success!!

Now, the subnets connected by BEFVP41's can see each other. And it's working fine. As you said, the number of subnets is limited according to their 70 tunnels.
The configuration of tunnels is not enough. I had to configure the static routing to have the subnets working.

Navaldis, try doing that. Maybe your problem is finished.

Thank you very much.

Robson
markku (ISP)
15 Jul 02 0:11
Hi Robson,

Nice to hear about your success. Can you pls be more specific about the static routing you performed?
Guest (Visitor)
17 Jul 02 1:03
Try setting your protocol to ANY rather than IPsec. If the problem still occurs in negotiating IPsec at any endpoint, WinXP or Win2k, be sure that you have configured your IPsec configuration correctly at the other end.
Dale123 (MIS)
17 Jul 02 10:17
I have installed (2) BEFVP41 routers; one on the office network and one at home. After configuring the VPN settings the status showed "connected" yet I am unable to ping either router from the opposite end. Any ideas?
TRIPLEA (Instructor)
18 Jul 02 13:36
Dale123:  I have installed 2 routers too.  Once connected I can ping the computers and the BEFVP box.  I hope you are pinging the local LAN address:  192.168.xxx.xxx of the remote machine and not the internet IP address.
I suggest you try 'ping -t 192.168.xxx.xxx' command.
Guest (Visitor)
23 Jul 02 14:21

Markku

I configured static routing in the BEFVP box located at the main site where I have a router with other subnets connected to it. In addition, I configured a tunnel for each subnet behind this router besides configuring static routing.

Regards

Robson

Guest (Visitor)
24 Jul 02 15:49
To all

Just registered another BEFSR41 and the latest firmware update is 1.42.7. Says New enhanced security firmware that recognises and works with ZoneAlarm Pro; has UPnP Support.
Guest (Visitor)
26 Jul 02 17:43
On July 24 Guest Paul says he's found the latest firmware to be 1.42.7.  Today on July 26 at http://www.linksys.com/download/firmware.asp?fwid=158 I only see Version 1.40.3.  Can someone tell me where to find 1.42.7?  Also, has anyone worked with version 1.42.7 and found that it seems to be solid?  Glad to see the UPnP support, if it works.  Does this mean that all features of Windows Messenger will now work automatically?  Let's see...

Thanks in advance.

David
iatros56 (TechnicalUser)
28 Jul 02 18:16
I've read this entire thread and have to say there is a lot of experience out there.  I know this has been discussed, and I know the response will be "buy another BEFVP41 router" but I'd like to try without it if possible.  I have one VPN router on a home network running XP, XP Pro, and Win98 on 5 computers.  I'd like to connect to a friend in another state (no network - just a standalone), and my laptop when traveling (both running 98SE). I've installed Sentinel v1.3.2 on the laptop and was able to create a tunnel (VPN Log showed - 002-07-28 15:54:12 IKE[3] Set up ESP tunnel with 66.19.81.221 Success !).  From there, everything is downhill.  I can't ping either way.  It times out.  I have v1.40.3 on the VPN Router.

I know that my ISP blocks port 80 (Roadrunner). Is it possible this problem is with them?  I'm figuring as long as I have created a tunnel then it shouldn't be.

Any other suggestions?

Thanks.
spectral (IS/IT--Management)
30 Jul 02 16:24
I've read this entire thread also, and have the same problem as IATROS56:  I'm unable to connect a win2k workstation to this device.  Here's my environment/scenario:  I need to connect a Win2k PC (behind a NAT device that has a 10.0.0.x LAN, and dynamic IP WAN) to a BEFVP41 device sitting on a static IP (192.168.1.x on the LAN side).  I have followed the "Appendix C" directions provided by Linksys, have tried other tips that I've seen in this thread (and elsewhere).  Everything appears to be set up correctly, but when I ping a server on the 192.168.1.x network from the Win2k box (with a "-t"), I get repeated "Negotiating IP Security."  The one part of this puzzle that I'm still not entirely sure about is this:  When configuring the IPSec policy on the Win2k machine, do I refer to my 10.0.0.x address, or do I refer to my NAT device's statically-assigned WAN IP address?

On the router end, I have it configured for "Any" on both the "Remote Secure Group" and "Remote Security Gateway" settings (could somebody please differentiate between these?).

I do not care about name resolution or browsing.  I only need to be able to talk IP from the workstation to a server behind this device (wouldn't want to eat up what little bandwidth I have with netBIOS broadcasts).

Any help would be appreciated!

Jim
markku (ISP)
30 Jul 02 23:42
Hi spectral,

"On the router end, I have it configured for "Any" on both the "Remote Secure Group" and "Remote Security Gateway"" -> this is correct for a remote PC residing in dynamic IP in unspecified network. In your case you could specify Remote Secure Group as 10.10.0.x/255.255.255.0, not necessary though.

Forget about Secpol, use SSH Sentinel instead. You can download the software at www.ssh.com with full instructions for Linksys BEFVP41. This works even behind your NAT-device, am using similar setup just now.
Guest (Visitor)
1 Aug 02 17:43
http://www.homenethelp.com/vpn/router-linksys.asp

Excellent step by step on how to connect using a free IPSec client with windows to the linksys router.
markku (ISP)
2 Aug 02 0:46
This one is correct and works, the original one contains erroneous routing instructions.

Enjoy

http://forum.homenethelp.com/tm.asp?m=5590&p=1&tmode=1
AllenKass (TechnicalUser)
4 Aug 02 20:09
Hello All,
I also have just purchased two Linksys BEFVP41s. One at the office and one at home. I can ping both ends and access the internet thru both units.
From the vpn log it appears that the units are talking and start to negotiate a tunnel but then I get the following lines in the log 3 times.

01:15:13 IKE[1] **Check your ISAKMP Pre-share Key setting !
01:15:13 IKE[1] Tx >> Notify : INVALID-PAYLOAD-TYPE

I have been doing some looking but can not determine exactly what this message is telling me.
The pre-share key on both ends is exactly the same. I have made it shorter and longer with no difference in results.
Anyone have any ideas?

Thanks,
Allen


ghemphill (MIS)
17 Aug 02 17:23
Hello All,

Just purchased a BEFVP41 and cannot get it to DHCP on the WAN side.  I have an SMC Barricade that I've been using and it has no problems getting an address, GW, etc...

I'm on a Sprint Broadband Wireless connection with a Hybrid network (cable) modem.

Any ideas?

Gordon
MikeyBabes (IS/IT--Management)
17 Sep 02 14:24
Hi all

I have a problem with two BEFVP41s.  I have a fixed IP at one end, dynamic at the other (connecting via a FQDN from dyndns.org) and all works fine.  The fixed WAN IP end has a LAN address range of 192.168.253.x and the other end has a LAN range of 192.168.0.x

So, I am able to make a tunnel just fine but the problem is seeing remote computers - I can ping only two addresses at the 192.168.0.x site, one being the router itself and one other PC (Win2K server).  The other way round, I can ping all of the addresses at 192.168.253.x

The 192.168.0.x network has at least one other internet connection, a separate DSL line into a Nortel router.

I've heard of similar problems before but haven't found a resolution yet.  Any ideas?

Thanks so much.

Mike
markku (ISP)
17 Sep 02 23:20
Hi Mike,

The gateway of the computers in 192.168.0.x network should point to BEFVP41, otherwise the ping-packets have no way back to your tunnel -> your remote network
ChrisWilliams (Programmer)
18 Sep 02 12:27
Markku,

When I read your answer, a light bulb went on over my head. I've been trying to ping a Unix box on my network, and had been tearing my hair out... I just kept getting "Request timed out". Now I know! The Unix box (HP-UX actually) isn't configured with the Linksys's address as gateway!

I'm off to reconfigure the gateway address of the HP box!

Thanks to everyone who has shared their knowledge.

The biggest "gotcha" I've seen here so far is the advice that you only have to connect from one end. I had been starting both (hey, what did I know?).
MikeyBabes (IS/IT--Management)
18 Sep 02 16:45
Hi Markku

Thanks very much for your reply - that explains the situation perfectly, it's been driving me crazy for weeks!

However - what I really want to achieve is as follows.  The 192.168.0.x network has a second DSL connection, with some kind of VPN router on it at 192.168.0.1 creating, I assume (it's not mine), a tunnel to a remote server somewhere else providing information to about 20 users in the office who use a software application to access it.

I want to give that same connectivity to remote VPN users, so someone can VPN into the BEFVP41 (192.168.0.253) and get a connection back out on 192.168.0.1

Is this possible at all or should I consider another approach?

Thanks again for your previous reply, and hopefully a reply to this.

Regards

Mike
k8fan (TechnicalUser)
18 Sep 02 17:45
OK, following the advice of the folks on this forum, I have everything I need connected. Many thanks!

The pages of the router are as follows, both identical except as noted above:

--------------------------
Setup:

Host Name: myname
Domain Name: myisp.com
Firmware Version: 1.40.3, Apr 24 2002
Time Zone: Central Time (USA & Canada)
LAN IP Address: 192.168.1.1 (Different on other end)
MAC Address: (**-**-**-**-**-**)
WAN Connection Type: DHCP

--------------------------
VPN:

This Tunnel: Enable
Tunnel Name: Network A
Local Secure Group -
  [Subnet] IP Addr: 192.168.1.0
           Mask: 255.255.255.0
 
Remote Secure Group-
  [Subnet] IP Addr: 192.168.1.0
           Mask: 255.255.255.0
 
Remote Security Gateway-
  [FQDNA] Fully-Qualified Domain Name: from-dyndns.org
    
 
Encryption: [3DES]
Authentication: [MD5]

Key Management: [Auto. (IKE)]
PFS (Perfect Forward Secrecy) [checked]
Pre-shared Key: **************
Key Lifetime: 3600 Sec.

--------------------------
Password:

Nothing changed from default other than the password.


--------------------------
Status:

Host Name: myname
Firmware Version: 1.40.3, Apr 24 2002
Current Time: Sep. 18 2002 Wed. 16:35:01

Login: Disable

LAN: (MAC Address: **-**-**-**-**-**)
   IP Address: 192.168.2.1
   Subnet Mask: 255.255.255.0
   DHCP server: Disabled
 
WAN: (MAC Address: **-**-**-**-**-**)   
   IP Address: ***.***.***.***
   Subnet Mask: 255.255.254.0
   Default Gateway: ***.***.***.***
   DNS: ***.***.***.***
        ***.***.***.***
        ***.***.***.***
   DHCP Remaining Time: 17:04:23
 
--------------------------
DHCP:

Disabled

--------------------------
Log:

Nothing changed from default

--------------------------
Filters:

Nothing changed from default. All values at 0.

SPI:                    Disable
Block WAN Request:      Enable
Multicast Pass Through: Enable
IPSec Pass Through:     Enable
PPTP Pass Through:      Enable
Remote Management:      Disable
Remote Upgrade:         Disable
MTU:                    Disable   Size: 0

--------------------------
Forwarding:

Nothing changed from default.

--------------------------
Dynamic Routing

Nothing changed from default.

--------------------------
Static Routing

Nothing changed from default.

--------------------------
DMZ Host

Nothing changed from default.

--------------------------
Mac Address Clone

Mac address from ethernet cards inside of their respective LAN segments.

------------------------------------------------

The main thing that messed me up was not being able to ping a Unix machine. It turned out that it did not have domain name server addresses in the /etc/hosts file. Also, the gateway address was wrong, as well as the netmask.

Markku's post about not being able to respond to pings was the final piece of the puzzle. Thanks again.

markku (ISP)
18 Sep 02 22:50
Hi Mike,

Your problem has been covered in this thread before, yes I know this is a long thread.

One way is to use separate router ( or machine with routing capability ) in your 192.168.0.x network to perform the static routing between different VPN-subnets. This router should be gateway for all machines in your network.

In BEFVP41 you should create another parallel tunnel ( with different preshared key )for your remote subnet behind another VPN-router. The 70 VPN-tunnels in BEFVP seem to be independent of each other.

Another possibility ( easier )is to create separate tunnel between your remote VPN-boxes. Linky is compatible with many other VPN-boxes.
obryan (TechnicalUser)
18 Sep 02 23:42
I have two befvp41 routers set up, one at home one at the office.  I am able to connect them reliably, but the speed is very slow.  I have a 400 kbps adsl connection at the office and a 1.5 mbps cable modem connection at home. Should it be very slow, or is there possibly something I am doing wrong?  Thanks for any help.

John
markku (ISP)
19 Sep 02 0:10
Hi John,

Your connections are probably:

ADSL: 400k down/128k up
Cable: 1.5 Mb down /256 up

-> effective bandwidth of VPN is 128/256 = slow
obryan (TechnicalUser)
19 Sep 02 1:09
markku:

I am not so bright sometimes. The office is a fractional T1.  It should be 400k both ways, I think.

Given this, should it still be slow?  If so, what can I do to speed it up.
KOKOKO (IS/IT--Management)
19 Sep 02 23:32
Unable to ping or connect to a BEFVP41 firmware 1.40.3 using
SSH Sentinel version 1.3.2 (build 2) on an XP SP1 remote client. Both ends have highspeed ADSL connections with dynamic IPs. Both logs from router and SSH show that the tunnel is successful and connected, while I am unable to even ping the private IP address of the Router which is 192.168.100.1.

What I Have tried so far:
Tips and tricks from this thread.
SSH pdf on configuring this router.
Homenethelp.com tutorial on this router.
Linksys support (lol).
SSH email support.
Removed firewall on client side and router (SPI)
Used windows find to search IP of router.
And numerous other combinations of settings.


Still no access to vpn resources and as I write this the tunnel is connected but that is it. Any insight or help is greatly appreciated.

Thanks in Advance

Deano
markku (ISP)
20 Sep 02 0:28
Hi Deano,

Pls follow this document to the point, nothing else. No tweaking.

http://forum.homenethelp.com/tm.asp?m=5590&p=1&tmode=1

- Pls recheck that your remote computer is in a different subnet than your network behind Linky and no traces of IP's of the network behind Linky are hiding in your network settings in case you are using dial-up, e.g. ADSL-card.

- Pls check that your operator is not blocking #50 ( IPSec )

Should work

KOKOKO (IS/IT--Management)
20 Sep 02 7:27
Thanks for the quick reply Markku, I have entered the settings from the updated tutorial and the comparable SSH pdf and I know them by heart. The remote computer is standalone, so there is no private IP address, only the public IP.

Port 500 isakmp is open as I can make a successful tunnel.
I am unable to ping even the private IP of the router. Is this normal? Because I am beginning to think that this router is faulty, as my first router would not even open remote management from a web browser. Is port 50 required or just a typo, as it is the Remote Mail Checking Protocol?

I have been troubleshooting this on and off for about a week
and have tried a lot of setup attempts with no success. The tunnel negotiation has been working since I first saw the settings for the updated tutorial on homenethelp.com.

Thanks

Deano



k8fan (TechnicalUser)
23 Sep 02 2:36
I wonder if anyone has run into this problem? I have the connection working, but it drops occasionally. Is there any way to have the tunnel automatically reconnect after a disconnection?
iatros56 (TechnicalUser)
23 Sep 02 7:16
I have used all the helpful tips in this thread and have a nice working VPN connection.  I have one last question - when traveling I'd like my laptops to be able to access my home computer.  My friend can create a tunnel and map to my computer using her laptop, Win98SE, and Sentinel.  When she disconnects from her cable modem and dials-up using NetZero she can create a tunnel, but cannot ping or map a drive.

Can NetZero be used for VPN?  If so, any ideas why it is working when connected to cable but not dial-up?  If NetZero cannot be used any "inexpensive" solutions?

Thanks.
bongster (TechnicalUser)
23 Sep 02 23:33
Hi Deano,

You need a dynamic DNS (DDNS) service since you don't have a static IP address.

Search Google for DDNS. You will find many of them.
You have to keep your XP box up with a DDNS update agent service.
Personally, I use NO-IP.COM for my DDNS service since it's free and works.
The SSH Sentinel client software supports a name entry.
Also you don't have to open the isakmp(55) port to use Windows XP remote desktop. Just make sure to disable SPI on the Linksys BEFVP41 and reconfigure or disable the firewall on the XP box.
The Linksys SPI feature never works with port forwarding or with the BEFVP41's VPN. I am thinking about switching to PIX for that reason.



jm9475 (TechnicalUser)
26 Sep 02 16:42
Hey Guys,
Don't know whether this is off subject or not, but I figured I'd lay out a solution for you guys and things I've noticed while trying to get this thing to actually do VPNs.

I think I've spent a good month or so trying to get this to work w/ a Netscreen 5XP, and today I finally got it.  Turns out the main problem was that the Linksys sends out its WAN IP address as its ID when the Phase I exchange is going on.  One problem w/ that was it was on an ISDN circuit that was NAT'd, so its WAN address was actually a private IP.  When it came time for the ID exchange, it sent its private IP as its ID, the Netscreen recognized it as an IP and also that it was not the originating IP, so the Phase I exchange would fail.

Ok, so I got around that by jumping on a DSL circuit using PPPoE so that the ID it was sending was the IP address that it was connecting over.  One NOTE:  The Linksys has an irritating habit of resetting after every minute little change, so the IP kept changing.  That makes for a hard time setting up the gateway.

The next problem was that not only does the Linksys send its WAN as the ID, it also only receives IP addresses as an ID from the distant.  The only way I could tell that was in the debug msg. it would say it failed b/c it received xxx decimal notation ID and it was expecting xxx decimal ID.  Sadly since I can read hex I noticed that it was expecting the decimal form of the gateway IP and what was being sent was the Netscreen's ID in ASCII format.  So, in the local ID field of the Netscreen, which oddly enough says optional, put the public IP address that the Netscreen is using.

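The Phase 1 identity problem jm9475 describes, as an added example that is not part of the thread and not Linksys or Netscreen code: it encodes and decodes the IKEv1 Identification payload (RFC 2407) and models the responder's check, so the private-WAN-behind-NAT failure, the FQDN-versus-IPv4 mismatch and the working configuration can be compared side by side. All addresses are constructed from the RFC 5737 documentation ranges and the hostname is hypothetical.

```python
"""IKEv1 Identification payload (RFC 2407, section 4.6.2) encoder/decoder and a
responder-side identity check modelling the Phase 1 failures described in the
post above. Added example, not Linksys or Netscreen code; all addresses and
hostnames are constructed (RFC 5737 documentation ranges)."""
import ipaddress
import struct
from typing import Optional, Tuple

# Identification types from RFC 2407, section 4.6.2.1
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_TYPE_NAMES = {ID_IPV4_ADDR: "ID_IPV4_ADDR", ID_FQDN: "ID_FQDN"}


def encode_id_payload(id_type: int, value: str) -> bytes:
    """Payload body: ID Type(1) | Protocol ID(1) | Port(2) | Identification Data.
    Protocol ID and Port are 0 ("any"), as they are for a gateway identity."""
    if id_type == ID_IPV4_ADDR:
        data = ipaddress.IPv4Address(value).packed      # 4 bytes, network order
    elif id_type == ID_FQDN:
        data = value.encode("ascii")                    # plain ASCII hostname
    else:
        raise ValueError(f"unsupported ID type {id_type}")
    return struct.pack("!BBH", id_type, 0, 0) + data


def decode_id_payload(raw: bytes) -> Tuple[int, str]:
    """Parse a payload body into (id_type, printable value): IPv4 data in dotted
    decimal, FQDN data as ASCII, the two renderings the post compares."""
    if len(raw) < 4:
        raise ValueError("ID payload shorter than its 4-byte header")
    id_type = struct.unpack("!BBH", raw[:4])[0]
    data = raw[4:]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR carries exactly 4 data bytes")
        return id_type, str(ipaddress.IPv4Address(data))
    if id_type == ID_FQDN:
        return id_type, data.decode("ascii")
    raise ValueError(f"unsupported ID type {id_type}")


def check_peer_id(raw: bytes, expected_type: int, expected_value: str,
                  source_ip: Optional[str] = None) -> Tuple[bool, str]:
    """Responder-side check, returning (accepted, reason). The type must be the
    one the local gateway expects, an IPv4 identity must equal the address the
    IKE packet actually came from (the check a NAT'd private WAN address fails),
    and the value must match the configured peer."""
    id_type, value = decode_id_payload(raw)
    if id_type != expected_type:
        return False, (f"type mismatch: got {ID_TYPE_NAMES[id_type]} '{value}', "
                       f"expected {ID_TYPE_NAMES[expected_type]} '{expected_value}'")
    if id_type == ID_IPV4_ADDR and source_ip is not None and value != source_ip:
        return False, f"ID {value} is not the originating address {source_ip} (NAT in path?)"
    if value != expected_value:
        return False, f"value mismatch: got '{value}', expected '{expected_value}'"
    return True, f"accepted {ID_TYPE_NAMES[id_type]} '{value}'"


# Constructed addresses and names for the scenarios in the post.
LINKSYS_PRIVATE_WAN = "10.0.0.2"      # Linksys WAN side behind the NAT'd ISDN circuit
ISDN_NAT_PUBLIC = "198.51.100.7"      # public address the ISDN NAT device presents
NETSCREEN_WAN = "203.0.113.5"         # public address of the Netscreen 5XP
NETSCREEN_HOSTNAME = "ns5xp.example.com"


def scenario_natted_isdn() -> Tuple[bool, str]:
    """Linksys sends its private WAN address as ID; the Netscreen sees the packet
    arrive from the NAT's public address and rejects the identity."""
    payload = encode_id_payload(ID_IPV4_ADDR, LINKSYS_PRIVATE_WAN)
    return check_peer_id(payload, ID_IPV4_ADDR, ISDN_NAT_PUBLIC, source_ip=ISDN_NAT_PUBLIC)


def scenario_fqdn_from_netscreen() -> Tuple[bool, str]:
    """Netscreen identifies itself with an ASCII FQDN; the Linksys accepts only an
    IPv4 identity equal to its configured Remote Security Gateway."""
    payload = encode_id_payload(ID_FQDN, NETSCREEN_HOSTNAME)
    return check_peer_id(payload, ID_IPV4_ADDR, NETSCREEN_WAN, source_ip=NETSCREEN_WAN)


def scenario_fixed() -> Tuple[bool, str]:
    """Netscreen local ID set to its public IP, as the post's final configuration."""
    payload = encode_id_payload(ID_IPV4_ADDR, NETSCREEN_WAN)
    return check_peer_id(payload, ID_IPV4_ADDR, NETSCREEN_WAN, source_ip=NETSCREEN_WAN)


if __name__ == "__main__":
    for scenario in (scenario_natted_isdn, scenario_fqdn_from_netscreen, scenario_fixed):
        ok, reason = scenario()
        print(f"{scenario.__name__}: {'OK' if ok else 'FAIL'} {reason}")
```

Running the block prints the first two scenarios as FAIL with the reason a peer's IKE debug log would give, and the third as OK.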
k8fan (TechnicalUser)
30 Sep 02 2:56
I've received a lot of useful information on this thread, so I thought I'd post here rather than make another thread:

My two BEFVP41s set up a connection and work, but after a couple of hours, the following error message starts appearing in the log:

2002-09-30 00:44:59 IKE[2] ERROR: Remote Security Gateway domain name problem
2002-09-30 00:45:41 IKE[2] is requested by 192.168.2.107
2002-09-30 00:45:41 IKE[2] ERROR: Remote Security Gateway domain name problem
2002-09-30 00:46:02 IKE[2] is requested by 192.168.2.105
2002-09-30 00:46:02 IKE[2] ERROR: Remote Security Gateway domain name problem
2002-09-30 00:48:37 IKE[2] is requested by 192.168.2.105
2002-09-30 00:48:37 IKE[2] ERROR: Remote Security Gateway domain name problem
2002-09-30 00:48:53 IKE[2] is requested by 192.168.2.109
2002-09-30 00:48:53 IKE[2] ERROR: Remote Security Gateway domain name problem
2002-09-30 00:50:43 IKE[2] is requested by 192.168.2.108

The weird part is that I'm not using FQDN for the remote gateway, but an IP address instead. Anyone else run into this problem?
markku (ISP)
30 Sep 02 23:54
hi k8fan,

There was a problem with BEFVP41 in dynamic IP renewal of WAN DHCP info. Should be solved now with latest firmware.

http://www.dslreports.com/forum/remark,4544513~root=equip,16~mode=flat
dtnpsi (Programmer)
1 Oct 02 14:04
Just read a post from last April saying the Linksys BEFVP41 only supports Class C nets on the LAN side. Arrrrrghh!

Is this still true with the latest firmware?

And if so, what's the absolute cheapest "Ethernet only" router that I can use to route between my 10.x.x.x/16 network and Class C. Does Linksys have such a router? What about Netgear? What's Cisco's cheapest one? (I would prefer not to have to setup yet another W2K PC just to run RRAS)
k8fan (TechnicalUser)
2 Oct 02 3:09
markku,

I upgraded to the latest firmware, and all seems to be well. Thanks!

On a different topic...

I have two BEFVP41 units, one at Location "A" (the main office with the HP Unix box), the other at Location "B". I wanted to add two more locations, "C" and "D", but I tried to save money, so I purchased two BEFXP41s instead for "C" and "D".

I am able to get a solid link from "C" to "A" in addition to the existing link from "B" to "A". But while "C" can browse the shares on "A", and ping any machine on the "A" network, I cannot run my principal application...a goofy retail "Point of Purchase" terminal.

This program wants ports 7002, 8000, 8500 and a dynamic range from 1372 to 1400. This app works from any machine on "B", but does not work properly from "C".

Initial connection is made, the username and password is accepted, but communication never starts. It would appear the XP "Endpoint" boxes cannot accept the VP on the other end asking for a dynamic port to be opened.

"A" is 192.168.1.*
"B" is 192.168.2.*
"C" is 192.168.3.*
"D" is 192.168.4.*

Any suggestions?
markku (ISP)
2 Oct 02 13:27
Hi k8fan

Try turning off the Anti-replay on all VPN-routers, should help with BEFSX41/BEFVP41 combo to maintain the data transmission. VPN-tunnel is transparent so ports are no issue.
theSCHICK (MIS)
7 Oct 02 12:47
I have successfully connected two of the BEFVP41 together and a remote computer using SSH Sentinel.  I have set up a remote Win2k machine using the IPsec policy.  According to Linksys' instructions, you have to use the 'connect' button on the BEFVP41 to establish the connection.  Is there a way a remote user can establish the connection without going to the admin page of the BEFVP41?
Azureson (IS/IT--Management)
8 Oct 02 19:02
FUNDAMENTAL DESCRIPTION OF LINKSYS BEFVP41-BASED VPN SETUP/OPERATION WITH NOTES ON THE CONFIGURATION OF A PAIR OF BEFVP41s CONNECTING A WIN_NT WORKGROUP AND AN UNRELATED W2K DOMAIN

Greetings,

Thanks to this forum, I was helped in forming a fundamental insight into the working of the BEFVP41 and VPNs configured with it.  Based on that insight, and some other important tips I found here (like the need to update the flash prom), I was able to setup an impressive VPN capability for very little money and with very little technical skill on my part.

To return the favor, I will document the important and fundamental -- yet simple -- insight here, and provide a few tips of my own.  I'm doing this in part because this thread is way too long, useful as it is.  Why?  The information I'll provide in this post was not (but should have been) presented in the Linksys documentation AT ALL.  Nor have I seen a clear description on any internet thread, including this one.  This has wasted countless manhours by Linksys, their customers, and the helpful experts here on this thread and similar ones elsewhere on the internet.  

One other thing -- a caveat:  I myself am a total novice in Windows networking, forced by the failure of our technical people as well as economic hard times to fend for myself in setting up a VPN.  So if this stuff seems elementary, it is!  

SO WHO SHOULD KEEP READING?

Linksys newbies, people like me, Linksys technical support people, and netizen experts alike, please read the next paragraph carefully.  Understand it (or use similar simple language in communications) before you attempt to set up a VPN or give your customers advice concerning same!  And Linksys, you would be well advised to include something along these lines at the VERY BEGINNING of your user manual in the future, given that the BEFVP41 is meant to be a consumer item and is sold over-the-counter in CompUSA!  

<<A home-BEFVP41 to BEFVP41-office VPN setup, where "home" is a laptop that is configured to be a part of the "office" W2K domain but is now connected to the office remotely via the BEFVP41s, PRODUCES A COMPLETELY TRANSPARENT REMOTE VPN CONNECTION to the office, almost INDISTINGUISHABLE FROM A LOCAL ETHERNET CONNECTION.  THIS SETUP DOES NOT REQUIRE ANY WINDOWS OS CONFIGURATION AT EITHER END, except possibly IP addresses and/or DHCP settings in some cases.  IT specifically DOES NOT REQUIRE ANY IPSec POLICIES or VPN OR RAS SETTINGS of ANY KIND IN WINDOWS, as it is the task of the Linksys box to make the remote workstation appear to be directly connected to the LAN.>>

OKAY!!!???

Of course, you old timers and networking experts will readily see that the setup described above represents only a fraction of the possible setups that will be needed by the people who bought into the BEFVP41 VPN.  What if the user wants to use a BEFVP41 on only the server side? What if BEFVP41s are on both ends, but the connection is between a W2K domain and a remote workstation that's not part of the domain (this is the wrinkle discussed in the balance of this post...)?  We have three very different setups, and within each, many variations.  Yet the Linksys documentation (and many posts on the various technical support threads here and elsewhere on the internet) fail to distinguish among them!  

Well, for those of you interested in a 2-Linksys configuration connecting a WinNT workgroup to an unrelated W2K domain server, read on...

MY LINKSYS SETUP  - OVERVIEW

I was able to configure a passable VPN connection between my office and my home (configuration is from office to home, left to right, as follows:  <w2k server and lan><BEFVP41 (fixed WAN/LAN addresses)><DSL modem><verizon ISP><cloud><cox cable isp><cable modem><BEFVP41 (DHCP WAN/LAN addresses)><WinNT4WS>).  In the process, I discovered a few tips and tricks for setting up a BEFVP41 VPN, and also ran into some currently unsolved problems of my own.  In the account that follows, the TIPS, TRICKS, and UNSOLVED PROBLEMS are all set off by the upper case strings "TIP" or "UNSOLVED".  The assistance of contributors here on the unsolved problems will be much appreciated!

DETAILS OF THIS BEFVP41 -- BEFVP41 Configuration

Per suggestions found here in this thread, both BEFVP41s were upgraded to the latest flash PROM release.  Their configurations included enablement of NetBIOS broadcasts on the advanced configuration page.  All other details of the configuration follow the successful configurations found in this thread.  

The home WinNT is a workstation, not a server, and it is not part of the office W2K domain.  The home workgroup incorporates two WinNT workstations.  The office domain incorporates several W2K and Linux servers with 1 PDC, fixed external IP address (assumed now by the Linksys), and fixed internal IP addresses (several well-known TCP/IP ports are routed to specific internal computers for handling).  

The "passable" presently realized VPN capabilities are as follows:

1. No office computers appeared on the home WinNT explorer initially.  [TIP #1] However, I was able to "explorer>tools>find computer" several office lan computers.   [TIP #2]  Most of those I could not find using the explorer command I was able to connect to using "net use" from the command prompt and my office domain user id.  

2.  [TIP #3]  I was able to map drives from all computers I was able to connect to via the "net use", provided I left the "connect as" blank.   Once the office drives were mapped, my WinNT explorer incorporated them, providing full "virtual drive" capability across the WAN.  I was also able to print documents on the office lan printers with no problems.    

3.  I was unable to connect to the office PDC, which apparently has an IP configuration problem.  Despite that problem, office-based workstations are able to see the PDC.  [UNSOLVED #1]  It is possible I can't see the PDC from home because I'm not logged on to the domain controlled by the PDC. DOES ANYBODY HERE KNOW IF THIS IS TRUE?

4.  The home WinNT workgroup name did appear in the explorers of the office computers (but not the computer name). [UNSOLVED #2]  The home computers that are part of the workgroup  were not visible to the office and could not be browsed.  The alternative  "find computer" and "net use" methods outlined earlier were then used to connect to the home workgroup computers, and these failed as well.  I plan to turn my home workgroup into a W2K server domain to see if this clears up the problem --- ANY SUGGESTIONS ON THIS?

Anyhow, I am deeply indebted to the people here who put so much time into helping others.  I hope that the foregoing will help repay some of that debt, but more, I hope to see a lot more home offices and opportunities to work at home offered by employers.  The BEFVP41 eliminates, for somewhere in between US$0 and $150, broad categories of employer excuses not to implement reasonable telecommuting programs.

Regards,
Patrick (azureson)
canteras (TechnicalUser)
11 Oct 02 9:24
I need to use a dynamic DNS service to setup a VPN between two BEFVP41 units.
I registered "myname.dyndns.info" and made VERY sure that the dyndns database has the correct IP address.

With the host BEFVP41 Remote Security Gateway set to "ANY"
and the client BEFVP41 Remote Security Gateway set to "FQDN" with "myname.dyndns.info" in the box I consistently get a "Remote Security Gateway domain name problem" error and no VPN connection.

If I set the client BEFVP41 Remote Security Gateway to "IP Addr." and plug in the same address as in the dyndns database, the VPN connects instantly.
Firmware is 1.40.3.

Any ideas on what I am doing wrong?
All ideas gratefully received - Canteras
Azureson (IS/IT--Management)
16 Oct 02 1:49
Greetings,

An update to my October 8 post...

The home-BEFVP41 to BEFVP41-office VPN setup I described is now operational and fully transparent to the WinNT4 workstation and the W2K server software.

As of my October 8 post, I had come to believe that the PDC in the office had a configuration problem that was interfering at different levels with the configuration of the VPN.  Indeed this proved to be the case...the PDC had gone down due to a "duplicate network name".  Since the PDC was down, I could not enroll my home pc in the office domain.

After some (admittedly amateur) diagnostic sleuthing, I concluded that my rather narcissistic primary domain controller was "seeing itself" in the domain, creating the duplicate network name.  This was the result of the PDC having two network adapters bound to the same protocols and operating in the same network.  

Like I said, in my office I was left to fend for myself to become a do-it-yourself net admin, but for the life of me, I could not figure out why that PDC was hooked up that way by our tech guys.  In any event, I disabled the driver for the duplicative ethernet adapter, and, lo and behold, the PDC reasserted itself!  

That evening, after I went home, I was able to add my remote client machine to the office domain, and voila!  The entire office domain appears in my NT explorer, all shares and printers accessible, etc.

My guess is that most users of the Linksys VPN Router will not need to deal with office LAN configurations like mine, that appear almost intentionally screwed up.  If that is your good fortune, you should find using a Linksys-Linksys setup (provided you install the latest flash BIOS and exercise all due caution in configuration) a pretty easy path to VPN.  NO OS configuration whatsoever is required, because in the router-router model, not only is such unnecessary, but you would likely sacrifice much of the advantage of offloading the CPU intensive encryption/decryption to the Linksys hardware.

Regards,
Patrick
RESinger (Programmer)
15 Jun 05 19:51
hi -

this has been an informative but difficult thread to follow.  please forgive me if i've missed something.

i have a notebook winxp pro pc that floats around with me to various remote lan locations (all connected to the internet.)  at home i have a linksys befvp41 router with lots of other linksys infrastructure devices, pcs, voip telephones, etc.  i need to connect from the notebook pc to various resources behind the linksys router.

based upon the linksys "Connecting Windows 2000/XP to a Linksys VPN Router" support document and information in this thread i implemented the ipsec stuff and have achieved limited connectivity to my home net.  specifically, from a remote location i can:
- ping a subset of the linksys boxes at home (by address and by host name from the host file)
- access the web admin interfaces on the linksys boxes which i can ping

i cannot:
- ping most non-network infrastructure devices
- tracert any device ("request timed out")

here's my physical configuration (devices which i can ping are marked with a '*'):

room 1 (son's bedroom)
- linksys cable modem
- linksys vpn router *
- linksys print server *
- linksys wap (configured in infrastructure mode) *
- linksys wap (for wireless non-network infrastructure devices like pcs & cameras) *
- toshiba voip telephone
- pc

room 2 (home office)
- linksys wap (configured in infrastructure mode) *
- linksys network switch *
- linksys print server *
- toshiba voip telephone
- toshiba digital phone system board (administrative interface) *
- toshiba digital phone system voip board *
- pc
- pc

room 3 (guest bedroom)
- linksys wap (configured in infrastructure mode)
- linksys print server
- toshiba voip telephone
- pc

room 4 (home theater)
- linksys wap (configured in infrastructure mode)
- linksys network switch
- toshiba voip telephone
- linksys wireless camera *
- pc
- pc
- crestron processor

all devices have static addresses.

why, you ask, use all the waps?  i'm in a rental house and don't want to fish network and phone wires all over the house.  everything does work, and does so reliably.

questions:
- anybody have ideas as to why i can't ping everything at home?
- is it possible to set up the ipsec (rule properties/tunnel setting) on the pc in a way that doesn't require hard ip addresses (i.e. use a fqdn for the tunnel endpoint)?  maybe another ipsec product?

thanks - bob singer
hsenculver (MIS)
20 Jul 05 1:05
Hi all:
Office BEFVP41, static IP, internal 192.168.1.1
Home BEFSX41 Endpoint, DHCP, internal 192.168.2.1
Finally got them connected with Linksys T/S help, but I cannot ping the office 192.168.1.1.
They spent 2 hrs connected to both routers & could not fix it!
Any ideas?
Thank you.
Howard
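The router-to-router setups in this thread (Azureson's 192.168.1.x office / 192.168.2.x home pair, and Howard's BEFVP41/BEFSX41 pair that connects but cannot ping the office gateway) all depend on the two routers declaring mirrored subnets for the tunnel. The checker below is an added example, not code from the thread or from Linksys; the field names "local group" / "remote group" are assumptions standing in for whatever each router's VPN page calls the subnet on its own side and the subnet behind the peer, and the addresses are taken from the thread.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class TunnelEnd:
    """One router's view of the tunnel (field names are assumptions, not Linksys labels)."""
    name: str
    lan: IPv4Network           # subnet actually behind this router
    local_group: IPv4Network   # traffic this router offers into the tunnel
    remote_group: IPv4Network  # traffic it expects to arrive from the peer


def check_tunnel(a: TunnelEnd, b: TunnelEnd) -> list:
    """Return the list of selector problems; an empty list means the two ends agree."""
    problems = []
    if a.lan.overlaps(b.lan):  # the same subnet on both sides cannot be routed over the tunnel
        problems.append(f"LAN subnets overlap: {a.lan} / {b.lan}")
    for near, far in ((a, b), (b, a)):
        if near.local_group != far.remote_group:  # selectors must mirror each other
            problems.append(f"{near.name} local {near.local_group} != {far.name} remote {far.remote_group}")
        if not near.lan.subnet_of(near.local_group):  # hosts outside the group never enter the tunnel
            problems.append(f"{near.name} LAN {near.lan} not covered by local group {near.local_group}")
    return problems


def reachable(src: IPv4Address, dst: IPv4Address, src_end: TunnelEnd, dst_end: TunnelEnd) -> bool:
    """True if src (behind src_end) can reach dst (behind dst_end) through the tunnel.
    Only addresses matter: the tunnel carries whole subnets, so no ports are involved."""
    return (src in src_end.local_group and dst in src_end.remote_group
            and dst in dst_end.local_group and src in dst_end.remote_group)


# Constructed sample: the office/home pair from the thread (192.168.1.x office, 192.168.2.x home).
OFFICE = TunnelEnd("office", IPv4Network("192.168.1.0/24"),
                   IPv4Network("192.168.1.0/24"), IPv4Network("192.168.2.0/24"))
HOME = TunnelEnd("home", IPv4Network("192.168.2.0/24"),
                 IPv4Network("192.168.2.0/24"), IPv4Network("192.168.1.0/24"))
# Constructed misconfiguration: the home end was given the wrong remote subnet.
HOME_TYPO = TunnelEnd("home", IPv4Network("192.168.2.0/24"),
                      IPv4Network("192.168.2.0/24"), IPv4Network("192.168.3.0/24"))

if __name__ == "__main__":
    print(check_tunnel(OFFICE, HOME))                                                      # []
    print(reachable(IPv4Address("192.168.2.10"), IPv4Address("192.168.1.1"), HOME, OFFICE))  # True
    for problem in check_tunnel(OFFICE, HOME_TYPO):
        print("problem:", problem)
```

A tunnel that negotiates but drops pings is exactly the symptom a non-empty problem list predicts: the security association comes up, yet traffic to the gateway address falls outside the selectors and never enters the tunnel.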
