Linksys BEFVP41 VPN problems

[ScottCudmore]

Hi,
I just purchased the new Linksys VPN router. I want to be able to connect to my home network from a remote Windows 2000 machine. There are no stpes or docs on how do do this. Only Linksys to Linksys VPN. When I connect from a Windows VPN conenction, all I get is an error on the Linksys.

Does anyone have any ideas?

Scott

 

[RGN]

To all:

I haven't had a chance to read the ENTIRE thread yet but it does seem that the Linksys VPN router is having some sucess and some failures. I have a ticket open with Linksys, but I thought I'd get input into whether what I am try to do should (already has been proven to?) work.

I put together a diagram

( see

http://pages.sbcglobal.net/rgniehuser/Sample_VPN_1.PDF)

I'm trying to connect Office 1 (192.168.1.x) which is BUSINESS DLS with FIXED IP address from IPS #1. It has a combination of Windows XP (Home) and Windows ME running a workgroup named WORKGROUP.

I'm trying to keep it simple by only establishing Tunnel 1 first. It would conect the 192.168.2.x network (a Residential DLS connection--with dynamic WAN IP address) provided by IPS #2. The user(s) on this network are XP (Home) I plan to put them in a Workgroup named WORKGROUP.

Then when (IF?) I get this working I plan to add the third site.

I have yet to get the tunnel to establish. Any Ideas?

I assume once I do get them working that:

from the 192.168.2.x network I will be able to PING the 192.168.1.x network and that from the 192.168.1.x network I will be able to PING the 192.168.2.x network. Is that right?

Also will I need to do anything special to see all machines as part of the network neighborhood (turn on netbios, etc.)

Any help would be appreciated.

Thanks

 

[markku]

RGN

Your setup should work perfectly.

It is directly from the book, no mistakes.

I have similar setup, 1 office ( fixed IP )and 3 remote offices ( 1 fixed, 2 alternate IP:s ) and it is working exactly according to your scheme )

Better stick in star-shaped architecture, because routing between remote offices is too much for Linky . I can see all machines ( between remote offices ) in network neighbourhood, but they are not really reachable.

Still fighting to connect to SonicWALL. Have succeeded in estabilishing the contact, no problem and the packets flow occasionally but it is not reliable, will try the solution of ShovelhEd today.

Am also interested in the dynamic routing solution, if more details are available.

This box certainly is not SonicWALL, but would love to see it working as client for large SW-box.

 

[spinge]

RGN:

Just remember to set up the remote VPN's with the IP of the main VPN as the remote security gateway(fixed), and set up the main to accept any IP (since with a dynamic IP, you never know what it will be). Keep in mind that if the settings on each end of the tunnel do not match (including local and remote secure groups) they will not connect.

As a side note, now having FQND as an option as the remote security gateway (in firmware 1.4.2) it is possible to connect two dynamic IP VPN's automatically. You will need to get a dynamic DNS service from somebody such as TZO (I DON'T work for them) on one end of your tunnel. Set that end of the tunnel to accept any remote secure gateway, and use your new domain name on the other end.

Hope this helps - that is as far along as I am - now if I could only ping all of my machines.

 

[Yasmania]

I have a Linksys BEFVP41 that I am trying to setup in a remote office to connect to a Win2K server running RRAS. The W2K server is behind a Linksys BEFSR41 cable/dsl firewall/router. I have no idea what I'm doing (I was volunteered for this mission). Do I need to buy a second Linksys box or can someone tell me how to initiate a tunnel connection from the one I have to the server. My head feels like it's gonna explode and I'm no closer to an answer. Any help you guys can give me would be greatly appreciated.

Yas

 

[nagolcj]

spinge:

you don't have a firewall (ie zonealarm) running on the machines that won't answer your pings, do you? I ran into that problem with one of my remote workstations & it drove me nuts until I realized that as a different subnet it wasn't considered one of the trusted networks in zonealarm.

 

[spinge]

nagolcj:

Great thought, but unfortunately I don't have any software like that running yet, but thanks!

 

[ShovelhEd]

Yasmania,

What you have will work but will take some doing. You are in the right place to get answers. If you want to spend the time to learn and are willing then read away.
An easier way is to get a second befvp41...you will have no problems then at all and won't have to fiddle around with your Win2K server.

 

[Prof3205]

I've been intently reading this thread and I'm pretty sure that I've got the wrong product, but maybe somebody can tell me for sure.

What I'm trying to do is setup the LinkSys box as the VPN/Router in the office and have remote users using Win2K Pro (who will be using combinations of dial-up, DSL and Cable with dynamic IP's) access the network in the office. I have been able to get the box to work (sort of) as long as I enter, manually, the IP address given by the ISP into the IPSec policy. If this has to be done every time then it's an unacceptable solution, since typical users could figure out how to do it. Obviously a different Win2K client might work and I've been hunting for those solutions as well.

Please help!!! And thanks in advance.

 

[ShovelhEd]

Prof3205,

The newest version of the befvp41 firmware has support for Domain names. I would reccommend you update your firmware.

Next thing to do would be to have your users register or you register at a name forwarding service like

http://www.dyndns.org

This service will map any IP you have to a free domain name that they provide. For example a cable ip like 24.112.xxx.xxx would be mapped to "Prof3205.dyndns.org". At the dyndns site you can find links to programs that automagically update your IP with the dyndns servers each time a user boots up or his IP changes.

If you have a question post away. Hope that helps!!

ShovelhEd

 

[RGN]

Well I got the configuration of my previous post

( see

http://pages.sbcglobal.net/rgniehuser/Sample_VPN_1.PDF)

working (with the help of Linksys) for tunnel #1 in the diagram.

I'll post the configurations (for the Linksys') soon.

But I still have two problems.

a) I can't see the other machine's in the Network Neighborhood (even with netbios box checked on the Linksys) I work around this by using fixed (not DHCP) addreses on the 192.168.1.x network (bottim left in the diagram) That way, when I need to get to something from a machine on the I use the UNC of //192.168.1.20/sharename instead of //hpserver/sharename. It works, but I'd like to be able to see the names.

and

b) it is SLOW!! Are there any ideas to speed it up? Opening a Quickbooks file (from Home location--top of diagram) it takes about 1.5 to 2 minutes. Once opened, I'm able to run it okay. Then, of course closing the file back takes time too.
Would going to DES encryption instead of 3DES improve performance (I'm thinking the Linksys would not have to work as hard)? Other Ideas?

Any help would be appreciated...

Thanks,

...RGN

 

[ShovelhEd]

RGN,

Congrats on your successes. I still am unable to "browse" a computer on the network, though I am able to see then if I search by \\192.168.xxx.xxx\sharename. I can even map the drive. But I get an error that the device is already connected to z:\ etc. I am getting tired of trying to get this working. It's enough to cause madness!

 

[markku]

Hi,

Your configuration is perfect. You should see the network neighbourhood assuming:
- your workgroup name matches
- you have necessary user/password for remote 2000/NT/XP-server
- Netbios is enabled both ends of the tunnel.

Not very useful feature anyway, NETBIOS can clog your tunnel with unnessary traffic. Real men use direct IPs...

I tried the 3DES-speed with 512k ADSL to the server in remote network ( 4 Mb/s ) by ftp. Speed was 540 k / 517k bypassing the tunnel/through 3DES-tunnel. Better than old SonicWALLs. I do not know Quickbooks but I know applications which have to be used with Terminal Server locally in order not to exhaust 100 Mb LAN. How about "normal browsing" and copying files?

 

[Guest_imported]

RGN,

The VPN speed issue concerned me as soon as I got it going. Then I remembered that it is only as fast as the fastest upload speed of my connections. Is your DSL limited to 128K up?

 

[Guest_imported]

HOPE THIS HELPS SOMEONE! I wish I saw this when I gave up on linksys support and was looking for some info on my own..

My goal was to setup 2 routers that would talk to each other. This would get rid of any client crap and all that crazy IPSEC stuff in the back of the Linksys VPN book. I wanted to browse my office lan from home.

I ventured off to my local computer shop bough 2 VPN routers. I setup one at the office and one at my house. I created my tunnel on each router and hit the connect button (easy enough).. now.. here is where the fun started.. I could not see anything at the office.. so here is what I had to go throught to get it running...

Issue #1

UPGRADE THE FIRMWARE!!! You should have 1.4x something on the router.. if you don't.. upgrade it! check by going to the VPN tab and on the bottom right you should see a "more..." link. If you have this link, you should be ok.

Issue #2

Make sure that your network addresses are different on both ends. my office ip pool is 10.0.1.x and the ip pool at my home is 10.0.0.x. Apparently the routers will not work correctly if the ip pools are the same.

Issue #3

If you upgraded the firmware, click on the VPN tab and select the "More.. " option and enable the "Netbios Broadcast" option on both routers. This will allow you to browse the network and find machines on the office wan

Issue #4

Disable any fireware programs. In my case I had to uninstall Zonealarm, even though I had it disabled. My wan did not work until there was no trace of Zone alarm. If you are using XP make sure you also diable the ICF (XP's built in firewall)

After pulling out most of my hair I finally got my wan setup.. I can browse the network.. print on the printers at work.. Now I can get all kinds of work done at home.. now if anyone knows how I can bill my boss for all this extra work, please let me know..

All in All, the routers are a great deal for the cash.. a bit slow.. but I need to read all the other threads and see if anyone has a fix..

Good luck to everyone who has had the problems I did.. If you were thinking of calling tech support at linksys.. give up now.. and look for other people who had setup the routers correctly...

Regards

 

[Appollo]

I am a computer consultant with what I consider a vast knowledge of PC's and local area networks. However I have never attempted to setup a VPN before now. I found this Tek-Tip thread about the BEFVP41 quite enlighting and it also answered a number of questions I had but also posed a couple new questions.

My client has a home office with a Win 2K Server SP2 server with 8 workstations all with Win 2K SP2 Professsional connected to a 3Com 16 Port hub which is connected to the BEFVP41 which is connected to a cable modem with a dynamic IP address. I am attempting to connect 2 remote locations to the home office's server and printer with a Win 2K Pro SP2 workstation in each remote site connected to a Linksys BEFSR41 which is connected to a fractional T1 line. I have been struggling with setting up the IPSEC policy on the home office server. When I enable the policy the 8 workstations no longer see the server but can still browse the internet. I then called Linksys (oh boy!!!) with out much success because they do not support their router connected to their vpn router, just vpn router to vpn router.

Now having read the threads I realize about setting the (in this case 3) network IP address schemes to different numbers and all that, where I am confused is when I read a post further up the page from a user called Certman who said that if you have 2 BEFVP41's you don't even need to mess with IPSEC on the Win 2K boxes. Is this true?

Also is the method I am/was trying using a mix of router to vpn router more trouble than it's worth? Should I just invest in a couple more BEFVP41's?

 

[markku]

Hi Appollo,

Just buy some more BEFVP:s and forget about the WIN2000 VPNs. The tunnels will route your separate LANs via IPSEC together.

Just follow the excellent drawing of RGN couple messages back and it will work.

 

[thomasdp]

I just bought another BEFVP41 for home so now have one at each location.All problems solved.Connecting was a snap.

 

[TimRaines]

Yes.....that would solve everything. Unless, of course, you're trying to set this whole thing up for someone on the road.

I've got the router set up at my office (10 pcs with a Win2k domain). I screwed around with the Windows IPSec policy to create the tunnel, but my ISP gives me a dynamic IP when I'm on the road, so I knew I'd be constantly editing that policy.

I bought a client called SafeNet SoftRemoteLT which is, I guess, "smarter" than Windows and "attaches" itself to whatever my IP address is to create the tunnel.

Everything's fine.....sort of. The tunnel appears to be created, as I can ping any machine on the network. But if I try to actually use any of the machines' shares.....well...

Calling Linksys is actually quite scary. Every time I've talked to anyone there, I'm MORE confused.

When I *am* able look at the shares (by specifying my WINS server in my orignal connection's configuration), using those shares is so slow as to be useless.

I'm sure there's some tiny thing I've overlooked, but I'm completely lost as to what it might be.

 

[Guest_imported]

Hello, all,

First time here... some good info, some confusion. Maybe I can help?

I've been dealing with VPNs in some form for 4 years now, and here's some of what I know.

Windows network BROWSING: is terrible. In order to browse a remote network, your client needs to contact a browsemaster on the remote network (enabling NetBIOS broadcast *may* allow you to use a local browsemaster). Problem: browsemaster may change everytime someone reboots. Solution: WINS (or DDNS), though not 100% reliable, cuz still need to connect to browsemaster; WINS just makes it easier to find that guy. If you can distribute a list of names for the important computers (file server, print server, email server), then just connect with drive mapping or by directly connecting to the server, and completely avoid browsing (Windows browsing does *NOT* directly correlate with name resolution), then you are much better off. Still recommend WINS or DDNS (or at the very least, put entries in *everyone's* 'hosts' file (only need 'lmhosts' if you have an NT Domain)).

NetBIOS (aka SMB): very slow and not overly reliable over WAN/VPN. Would suggest Web/FTP/RemoteControl/TermServ solution if must have speed or working with large quantities of data. Since we are dealing with sub-T1 speeds, "large" can be as small as 10-20 MB.

Win2k (and I assume XP) IPSec client: is terrible. I've installed several IPSec products, and none of them are 1/10th as difficult or confusing to configure as M$'s. I know it can be done, I've seen it done, I've never done it (I have tried), my hat's off to anyone who's done it. My suggestion is to go with site-to-site (BEFVP41-t0-BEFVP41) VPN if you can. The BEFVP41 is not really designed for client-to-site VPN and will cause headaches if you try to stick that round peg into the square hole. Go with M$'s PPTP (included with Win2k server for "free" and relatively easy to set up, but known vulnerabilities), or get a dedicated product designed for client-to-site (Cisco, Check Point, Nortel, etc.) (more secure, but also more costly).

Get "connected" (according to router) but have no connectivity: Possible that ISP is allowing UDP 500 (IKE authentication for IPSec Tunnel), so router thinks it successfully connected (my theory, have not verified with Linksys), but ISP does not allow IP Protocol 50 (actual IPSec Tunnel). Some ISPs claim it's a "Business Service" and so won't allow it on their "residential" packages. Of course the "business" packages that *will* allow IP 50 do cost more...

Nice that the Linksys allows dynamic IPs for their VPNs in any fashion. That actually breaks the RFC's for IPSec, as I understand them, but sure makes the VPN routers more useful.

Final note: please don't bash Linksys too hard. They have the most features out of anyone for their price range ($300+ for another vendor for the same functionality, and it limits you to 8 IPs on your LAN), and I'm shocked that their products are as reliable as they are for the price! I used to be a Linksys basher (back when every mini-hub had at least one bad port), but they've been reasonably solid the past 2 or 3 years (no, I don't work for them). For the prices I pay, I am not overly surprised that their tech support is not stellar.

I will be setting up my BEFVP41's tonight. Based on what I've read here, I expect smooth sailing. Wish me luck.

And remember... browsing bad!

Hope this helps someone.

 

[TimRaines]

Thanks for the info, Johnny.

You mention that trying to get the router to do client to router VPN is a square peg in a round hole. And THAT is my only problem with Linksys. If it doesn't work that way, then don't put a bunch of marketing / promo copy on your site that says it DOES.

At THIS point, I'd have been happy to spend $1,000 on a solution that would have worked easier. Now, though, it's almost become a crusade......a crusade to prove that I'm smarter than the tiny $150 box sitting in the next room.