Linksys BEFVP41 VPN problems

[ScottCudmore]

Hi,
I just purchased the new Linksys VPN router. I want to be able to connect to my home network from a remote Windows 2000 machine. There are no stpes or docs on how do do this. Only Linksys to Linksys VPN. When I connect from a Windows VPN conenction, all I get is an error on the Linksys.

Does anyone have any ideas?

Scott

 

[iatros56]

I have used all the helpful tips in this thread and have a nice working VPN connection. I have one last question - when traveling I'd like my laptops to be able to access my home computer. My friend can create a tunnel and map to my computer using her laptop, Win98SE, and Sentinel. When she disconnects from her cable modem and dials-up using NetZero she can create a tunnel, but cannot ping or map a drive.

Can NetZero be used for VPN? If so, any ideas why it is working when connected to cable but not dial-up? If NetZero cannot be used any "inexpensive" solutions?

Thanks.

 

[bongster]

Hi Deano,

You need a dynamic dynamic DNS(DDNS) service since you don't have a static IP address.

Search a google for DDNS. You will find many of them.
You have to keep your XP box up with DDNS updates agent service.
Personaly, I use NO-IP.COM for my DDNS service since it's free and works.
The SSH Sentinel client software supports a name entry.
Also you don't have to open isakmp(55) port, to use windows Xp remote desktop. Just make sure disable SPI on Linksys BEFVP41 and reconfigure or disable firewall on XP box.
The Linksys SPI feature never work with port forwading or with BEFVP41's VPN. I am thinking about switch to PIX for that reason.

 

[jm9475]

Hey Guys,
Don't know whether this is off subject or not, but I figured I'd lay out a solution for you guys and things I've noticed while trying to get this thing to actually do VPNs.
I think I've spent a good month or so trying to get this to work w/ a Netscreen 5XP, and today I finally got it. Turns out the main problem was that the Linksys sends out its WAN IP address as its ID when the Phase I exchange is going on. One problem w/ that was it was on an ISDN circuit that was NAT'd, so its WAN address was actually a private IP. When it came time for the ID exchange, it sent its private IP as its ID, the Netscreen recognized it as an IP and also that it was not the originating IP, so the Phase I exchange would fail. Ok, so I got around that by jumping on a DSL circuit using PPPoE so that the ID it was sending was the IP address that it was connecting over. One NOTE: The Linksys has an irritating habit of resetting after every minute little change, so the IP kept changing. That makes for a hard time setting up the gateway. The next problem was that not only does the Linksys send its WAN as the ID, it also only receives IP addresses as an ID from the distant. The only way I could tell that was in the debug msg. it would say it failed b/c it received xxx decimal notation ID and it was expecting xxx decimal ID. Sadly since I can read hex I noticed that it was expecting the decimal form of the gateway IP and what was being sent was the Netscreen's ID in ASCII format. So, in the local ID field of the Netscreen, which oddly enough says optional, put the public IP address that the Netscreen is using.

 

[k8fan]

I've received a lot of useful information on this thread, so I thought I'd post here rather than make another thread:

My two BEFVP41s set up a connection and work, but after a couple of hours, the following error message starts appearing in the log:

2002-09-30 00:44:59 IKE[2] ERROR: Remote Security Gateway domain name problem
2002-09-30 00:45:41 IKE[2] is requested by 192.168.2.107
2002-09-30 00:45:41 IKE[2] ERROR: Remote Security Gateway domain name problem
2002-09-30 00:46:02 IKE[2] is requested by 192.168.2.105
2002-09-30 00:46:02 IKE[2] ERROR: Remote Security Gateway domain name problem
2002-09-30 00:48:37 IKE[2] is requested by 192.168.2.105
2002-09-30 00:48:37 IKE[2] ERROR: Remote Security Gateway domain name problem
2002-09-30 00:48:53 IKE[2] is requested by 192.168.2.109
2002-09-30 00:48:53 IKE[2] ERROR: Remote Security Gateway domain name problem
2002-09-30 00:50:43 IKE[2] is requested by 192.168.2.108

The weird part is that I'm not using FQDN for the remote gateway, but an IP address instead. Anyone else run into thei problem?

 

[markku]

hi k8fan,

There was a problem with BEFVP41 in dynamic IP renewal of WAN DHCP info. Should be solved now with latest firmware.

http://www.dslreports.com/forum/remark,4544513~root=equip,16~mode=flat

 

[dtnpsi]

Just read a post from last April saying the Linksys BEFVP41 only supports Class C nets on the LAN side. Arrrrrghh!

Is this still true with the latest firmware?

And if so, what's the absolute cheapest "Ethernet only" router that I can use to route between my 10.x.x.x/16 network and Class C. Does Linksys have such a router? What about Netgear? What's Cisco's cheapest one? (I would prefer not to have to setup yet another W2K PC just to run RRAS)

 

[k8fan]

markku,

I upgraded to the latest firmware, and all seems to be well. Thanks!

On a different topic...

I have two BEFVP41 units, one at Location "A" (the main office with the HP Unix box), the other at Location "B". I wanted to add two more locations, "C" and "D", but I tried to save money, so I purchased two BEFXP41s instead for "C" and "D".

I am able to get a solid link from "C" to "A" in addition to the existing link from "B" to "A". But while "C" can browse the shares on "A", and ping any machine on the "A" network, I cannot run my principal application...a goofy retail "Point of Purchase" terminal.

This program wants ports 7002, 8000, 8500 and a dynamic range from 1372 to 1400. This app works from any machine on "B", but does not work properly from "C".

Initial connection is made, the username and password is accepted, but communication never starts. It would appear the XP "Endpoint" boxes cannot accept the VP on the other end asking for a dymanic port to be opened.

"A" is 192.168.1.*
"B" is 192.168.2.*
"C" is 192.168.3.*
"D" is 192.168.4.*

Any suggestions?

 

[markku]

Hi k8fan

Try turning off the Anti-replay on all VPN-routers, should help with BEFSX41/BEFVP41 combo to maintain the data transmission. VPN-tunnel is transparent so ports are no issue.

 

[theSCHICK]

I can successfully connected two of the BEHVP41 together and a remote computer using ssh sentinel. I have setup a remote win2k machine using the ipsec policy. According to linksys' instructions, you have to use the 'connect' button on the behvp41 to establish the connection. Is there a way a remote user can establish the connection without going to the admin page of the behvp41?

 

[Azureson]

FUNDAMENTAL DESCRIPTION OF LINKSYS BEFVP41-BASED VPN SETUP/OPERATION WITH NOTES ON THE CONFIGURATION OF A PAIR OF BEFVP41s CONNECTING A WIN_NT WORKGROUP AND AN UNRELATED W2K DOMAIN

Greetings,

Thanks to this forum, I was helped in forming a fundamental insight into the working of the BEFVP41 and VPNs configured with it. Based on that insight, and some other important tips I found here (like the need to update the flash prom), I was able to setup an impressive VPN capability for very little money and with very little technical skill on my part.

To return the favor, I will document the important and fundamental -- yet simple -- insight here, and provide a few tips of my own. I'm doing this in part because this thread is way too long, useful as it is. Why? The information I'll provide in this post was not (but should have been) presented in the Linksys documentation AT ALL. Nor have I seen a clear description on any internet thread, including this one. This has wasted countless manhours by Linksys, their customers, and the helpful experts here on this thread and similar ones elsewhere on the internet.

One other thing -- a caveat: I myself am a total novice in Windows networking, forced by the failure of our technical people as well as economic hard times to fend for myself in setting up a VPN. So if this stuff seems elementary, it is!

SO WHO SHOULD KEEP READING?

Linksys newbies, people like me, Linksys technical support people, and netizen experts alike, please read the next paragraph carefully. Understand it (or use similar simple language in communications) before you attempt to setup a VPN or give your customers advice concerning same! And Linksys, you would be well advised to include something along these lines at the VERY BEGINNING of your user manual in the future, given that the BEFVP41 is meant to be a consumer item and is sold over-the-counter in Comp USA!

<<A home-BEFVP41 to BEFVP41-office VPN setup, where &quot;home&quot; is a laptop that is configured to be a part of the &quot;office&quot; W2K domain but is now connected to the office remotely via the BEFVP41s, PRODUCES A COMPLETELY TRANSPARENT REMOTE VPN CONNECTION to the office, almost INDISTINGUISHABLE FROM A LOCAL ETHERNET CONNECTION. THIS SETUP DOES NOT REQUIRE ANY WINDOWS OS CONFIGURATION AT EITHER END, except possibly IP addresses and/or DHCP settings in some cases. IT specifically DOES NOT REQUIRE ANY IPSec POLICIES or VPN OR RAS SETTINGS of ANY KIND IN WINDOWS, as it is the task of the Linksys box to make the remote workstation appear to be directly connected to the LAN.>>

OKAY!!!???

Of course, you old timers and networking experts will readily see that the setup described above represents only a fraction of the possible setups that will be needed by the people who bought in to the BEFVP41 VPN. What if if the user wants to use a BEFVP41 on only the server side? What if BEFVP41s are on both ends, but the connection is between a W2K domain and a remote workstation that's not part of the domain (this is the wrinkle discussed in the balance of this post...)? We have three very different setups, and within each, many variations. Yet the Linksys documentation (and many posts on the various technical support threads here and elsewhere on the internet) fail to distinguish among them!

Well, for those of you interested in a 2-Linksys configuration connecting a WinNT workgroup to an unrelated W2K domain server, read on...

MY LINKSYS SETUP - OVERVIEW

I was able to configure a passable VPN connection between my office and my home (configuration is from office to home, left to right, as follows: <w2k server and lan><BEFVP41 (fixed WAN/LAN addresses)><DSL modem><verizon ISP><cloud><cox cable isp><cable modem>><BEFVP41 (DHCP WAN/LAN addresses)><WinNT4WS>. In the process, I discovered a few tips and tricks for setting up a BEFVP41 VPN, and also ran in to some currently unsolved problems of my own. In the account that follows, the TIPS, TRICKS, and UNSOLVED PROBLEMS are all set off by the upper case strings &quot;TIP&quot; or &quot;UNSOLVED&quot;. The assistance of contributors here on the unsolved problems will be much appreciated!

DETAILS OF THIS BEFVP41 -- BEFVP41 Configuration

Per suggestions found here in this thread, both BEFVP41s were upgraded to the latest flash prom release. Their configurations included enablement of NETBIOS broadcasts on the advanced configuration page. All other details of the configuration follow the successful configurations found in this thread.

The home WinNT is a workstation, not a server, and it is not part of the office W2K domain. The home workgroup incorporates two WinNT workstations. The office domain incorporates several W2K and Linux servers with 1 PDC, fixed external IP address (assumed now by the Linksys), and fixed internal IP addresses (several wll-known TCP/IP ports are routed to specific internal computers for handling).

The &quot;passable&quot; presently realized VPN capabilities are as follows:

1. No office computers appeared on the home WinNT explorer initially. [TIP #1] However, I was able to &quot;explorer>tools>find computer&quot; several office lan computers. [TIP #2] Most of those I could not find using the explorer command I was able to connect to using &quot;net use&quot; from the command prompt and my office domain user id.

2. [TIP #3] I was able to map drives from all computers I was able to connect to via the &quot;net use&quot;, provided I left the &quot;connect as&quot; blank. Once the office drives were mapped, my WinNT explorer incorporated them, providing full &quot;virtual drive&quot; capability across the WAN. I was also able to print documents on the office lan printers with no problems.

3. I was unable to connect to the office PDC, which apparently has an IP configuration problem. Despite that problem, office-based workstations are able to see the PDC. [UNSOLVED #1] It is possible I can't see the PDC from home because I'm not logged on to the domain controlled by the PDC. DOES ANYBODY HERE KNOW IF THIS IS TRUE?

4. The home WinNT workgroup name did appear in the explorers of the office computers (but not the computer name). [UNSOLVED #2] The home computers that are part of the workgroup were not visible to the office and could not be browsed. The alternative &quot;find computer&quot; and &quot;net use&quot; methods outlined earlier were then used to connect to the home workgroup computers, and these failed as well. I plan to turn my home workgroup into a W2K server domain to see if this clears up the problem --- ANY SUGGESTIONS ON THIS?

Anyhow, I am deeply indebted to the people here who put so much time in to helping others. I hope that the foregoing will help repay some of that debt, but more, I hope to see alot more home offices and opportunities to work at home offered by employers. The BEFVP41 eliminates, for somewhere in between US$0 and $150, broad categories of employer excuses not to implement reasonable telecommuting programs.

Regards,
Patrick (azureson)

 

[canteras]

I need to use a dynamic DNS service to setup a VPN between two BEFVP41 units.
I registered &quot;myname.dyndns.info&quot; and made VERY sure that the dyndns database has the correct IP address.

With the host BEFVP41 Remote Security Gateway set to &quot;ANY&quot;
and the client BEFVP41 Remote Security Gateway set to &quot;FQDN&quot; with &quot;myname.dyndns.info&quot; in the box I consistently get a &quot;Remote Security Gateway domain name problem&quot; error and no VPN connection.

If I set the client BEFVP41 Remote Security Gateway to &quot;IP Addr.&quot; and plug in the same address as in the dyndns database,the VPN connects instantly.
Firmware is 1.40.3.

Any ideas on what I am doing wrong?
All ideas gratefully received - Canteras

 

[Azureson]

Greetings,

An update to my October 8 post...

The home-BEFVP41 to BEFVP41-office VPN setup I described is now operational and fully transparent to the WinNT4 workstation and the W2K server software.

As of my October 8 post, I had come to believe that the PDC in the office had a configuration problem that was interfering at different levels with the configuration of the VPN. Indeed this proved to be the case...the PDC had gone down due to a &quot;duplicate network name&quot;. Since the PDC was down, I could not enroll my home pc in the office domain.

After some (admittedly amateur) diagnostic sleuthing, I concluded that my rather narcissistic primary domain controller was &quot;seeing itself&quot; in the domain, creating the duplicate network name. This was the result of the PDC having two network adapters bound to the same protocols and operating in the same network.

Like I said, in my office I was left to fend for myself to become a do-it-yourself net admin, but for the life of me, I could not figure out why that PDC was hooked up that way by our tech guys. In any event, I disabled the driver for the duplicative ethernet adapter, and, lo and behold, the PDC reasserted itself!

That evening, after I went hope, I was able to add my remote client machine to the office domain, and voila! The entire office domain appears in my NT explorer, all shares and printers accessible, etc.

My guess is that most users of the Linksys VPN Router will not need to deal with office LAN configurations like mine, that appear almost intentionally screwed up. If that is your good fortune, you should find using a Linksys-Linksys setup (provided you install the latest flash BIOS and exercise all due caution in configuration) a pretty easy path to VPN. NO OS configuration whatsoever is required, because in the router-router model, not only is such unnecessary, but you would likely sacrifice much of the advantage of offloading the CPU intensive encryption/decryption to the Linksys hardware.

Regards,
Patrick

 

[RESinger]

hi -

this has been an informative but difficult thread to follow. please forgive me if ive missed something.

i have a notebook winxp pro pc that floats around with me to various remote lan locations (all connected to the inernet.) at home i have a linksys befvp41 router with lots of other linksys infrastructure devices, pcs, voip telephones, etc. i need to connect from the notebook pc to various resources behind the linksys router.

based upon the linksys "Connecting Windows 2000/XP to a Linksys VPN Router" support document and information in this thread i implemented the ipsec stuff and have achieved limited connectivity to my home net. specifically, from a remote location i can:
- ping a subset of the linksys boxes at home (by address and by host name from the host file)
- access the web admin interfaces on the linksys boxes which i can ping

i cannot:
- ping most non-network infrastructure devices
- tracert any device ("request timed out")

heres my physical configuration (devices which i can ping are marked with a '*'):

room 1 (sons bedroom)
- linksys cable modem
- linksys vpn router *
- linksys print server *
- linksys wap (configured in infrastructure mode) *
- linksys wap (for wireless non-network infrastructure devices like pcs & cameras) *
- toshiba voip telephone
- pc

room 2 (home office)
- linksys wap (configured in infrastructure mode) *
- linksys network switch *
- linksys print server *
- toshiba voip telephone
- toshiba digital phone system board (administrative interface) *
- toshiba digital phone system voip board *
- pc
- pc

room 3 (guest bedroom)
- linksys wap (configured in infrastructure mode)
- linksys print server
- toshiba voip telephone
- pc

room 4 (home theater)
- linksys wap (configured in infrastructure mode)
- linksys network switch
- toshiba voip telephone
- linksys wireless camera *
- pc
- pc
- crestron processor

all devices have static addresses.

why, you ask, use all the waps? im in a rental house and dont want to fish network and phone wires all over the house. everything does work, and does so reliably.

questions:
- anybody have ideas as to why i cant ping everything at home?
- is it possible to setup the ipsec (rule properties/tunnel setting) on the pc in a way that doesnt require hard ip addresses (i.e. use a fqdn for the tunnel endpoint)? maybe another ipsec product?

thanks - bob singer

 

[hsenculver]

Hi all:
Office BEFVP41, static IP, internal 192.168.1.1
Home BEFSX41 Endpoint, DHCP, internal 192.168.2.1
Finally got them connected with Linksys T/S help, but I can not ping the office 912.168.1.1
They spent 2 hrs connected to both routers & could not fix it!
Any ideas?
Thank you.
Howard