Equipment Support > Hardware By Brand > Linksys > [VPN] BEFSX41 VPN Requirements

reply to JonAlthoff

Re: [VPN] BEFSX41 VPN Requirements

•Unless you have static IP addresses on both sides of the tunnel, you cannot use the built-in Windows 2000/XP IPSEC.MSC policies to setup your VPN tunnel.
•Although Windows XP has a wizard under Network Connections to setup a VPN tunnel to a fully-qualified domain name (versus IP address), this apparently only works when connecting to some Microsoft-brand VPN endpoint/server.
•Remote Desktop Client, which runs over MS-WBT/RDP protocol, is not a VPN technology. It is a remote-control technology, similar to pcAnywhere or VNC. Also, since it does not isolate the target system from anonymous connection attempts, it does pose a risk if public (Internet) access is permitted (potential username/password attack, man-in-middle).
•I think it is intentionally deceptive, or at least negligent, of LinkSys (and Cisco) to advertise products as "VPN Servers" and provide absolutely NO WORKING INSTRUCTIONS for the target consumer to implement said feature. How many home Internet users have static IP addresses?
•I think that Flogator and everyone else involved on this thread should receive at least a note of gratitude from LinkSys/Cisco for doing more for LinkSys BEFVP41 and BEFSX1 owners on this subject than LinkSys itself has ever attempted.

reply to jjsmd6
I am at exactly this point... I am using (home LAN) Sentinal -> BEFSR81 -> BEFSX41 -> Office LAN. I can connect and can browse office shared folders by specific IP address. They don't list by name, in Network Neighborhood, Explorer, etc. My settings are identical to yours. Have you found a solution?

RVJoh:

I gave up on trying to configure a software client, and I replaced the router at the office with another Befsx41. I set up VPN on both routers and it works flawlessly.

Joe

reply to Flogator
Hi, i need urgent help!! VPN is drivring me crazy...

I need to connect a notebook (roadwarrior) to my internal LAN with a VPN.

My network has the following design

inet -> ISP's cisco575 -> (16ip public inet subnet)->cisco catalyst 1900 switch 12ports-> Linux server/NAT/gateway(wan 200.68.85.xx)*(LAN 192.168.1.2) -> internal switch LAN 192.168.1.0 -> clients 192.168.1.xx

i have a linksys bfevp41, wan port to cisco switch and public ip (200.68.85.xx), lan port to internal switch (192.168.1.1), configured tunnel, from the outside with the notebook using sshsentinel or safenet i can connect ok to the linksys vpn, but i'cant ping to the internal net 192.168.1.0.....

what can i do? i want to use the bfevp41 only for vpn, not lan internet, not dhcp, only incoming vpn roadwarrior.

thanks in advance.

Diego.
dfvlavalle@hotmail.com

reply to Eebbbee
Hi,

first: a lot of thanks to all you guys posting such qualified answers - it helps a lot !!

Though i get a windows xp client connect via l2tp/ipsec to the Linksys vpn server, it is impossible to do the same with a windows 2003 sbs server.

Yet, i dont know why. The first stage is recognized by the linksys, but then the log shows an entry like "No proposal chosen". I entered on both sides the preshared key, and told the win2003 client-vpn-connection to use any kind of authentication / encryption. Still, the linksys says that no proposal was chosen.

Did I miss something here or doesnt it work with win2003? I already wanted to call MS-Support for this incident, but we dont have a supportcontract, and I can tell you the prices are _huge_

Best Regards,
Sascha aka MrZweig

reply to Flogator
Flogator,

I have 2 win2k computers both using cable internet. The vpn server is connected to a BEFSX41 router and the client is connected directly to the cable modem. I followed your instructions and have successfully been able to establish a vpn between the two using ssh sentinel. From the client I can ping the server computer. I can also access the shared drives by using the ip address of the machine (i.e. 192.168.1.100). I cannot however use network neighborhood on either computer to browse the other. Unfortunatly this is a neccesity for some applications I am using. After reading your previous post I ran nbtstat and this is what was returned.

Name Type Status
---------------------------------------------
BO1 UNIQUE Registered
BO1 UNIQUE Registered
WORKGROUP GROUP Registered
WORKGROUP GROUP Registered
BO1 UNIQUE Registered
WORKGROUP UNIQUE Registered
..__MSBROWSE__. GROUP Registered

MAC Address = XX-XX-XX-XX-XX-XX (removed mac)

I am at a loss here, I am sure it is something simple since otherwise the connection seems great. Any information would be greatly appreciated.

Thanks

You have reach a limitation of SSH Sentinel -oops-. SSH Sentinel does not support NetBIOS broadcast which is required to browse computers by name. The BEFSX41 do support NetBIOS broadcast though, so if you find a better VPN software client, perhaps will you be able to implement this.

At the mean time, you've got two alternatives. The first one involve using the IP address. If that is not satisfactory for you, then your other hope is to run some kind of name server (i.e. WINS) but I'm no expert there so can't help you much. There is a solution in between . If you can have all node on static IP, you can manually populate the LMHOST files on all PC to do the name resolution.

i have the same issue, i have setup and configured my VPN and it works fine, but when i try and browse network neighbourhood i can't see my workgroup of the vpn side?

reply to Eebbbee
I managed to find a solution to this. I got the hint at this document: »www.jp.ssh.com/documents/31/ssh_···ksys.pdf

The trick is after getting everything working right "normally" go back into your policy, and check Acquire Virtual IP address, Choose manual IP address, and punch in a BOGUS IP(one that is NOT on your network would be best) then punch in your REAL wins/DNS servers (if you don't have any, then you might be out of luck).

This seemed to do the trick for me! its all in the PDF.

reply to Eebbbee
I'm using a befvp41 at my office, and have managed to connect to it from home using SSH Sentinel 1.3. I can ping my router and the computer I want to connect to, but when I type in the IP address I get nothing. I'm sharing some folders on the computer but not all. Is there something else I need to share in order to get to my files?

reply to Flogator
I think I discovered a couple horrible problems with these routers... at least the particular "ver2" flavored ones.

I first noticed that the configs are buried and unintuitive to navigate, and realized it was different somehow (thinking maybe the new "Cisco" icon on the box meant they made some kewl updates). Wrong! It seems they broke stuff.

In the Phase 1 of the IKE proposal ("advanced settings" in the VPN tunnel tab), you can only save DES. If you select 3DES and return to verify, it says DES no matter what. NETBIOS name queries won't work, either -- no matter if the "NETBIOS Broadcast" is checked on the LINKSYS side of the tunnel and no matter what Post-IPsec filters I set up on the SSHSentinel client to try to force it. I created and attached to a "non-ver2" router at another client's office with the exact same tunnel settings on the Linksys and SSHSentinel config and it worked beautifully. I contacted Linksys and they sent me a downgraded firmware that didn't do anything to fix it. They asked that I send it back to them for a replacement.

If you're having problems with NETBIOS and/or the DES/3DES encryption setting, check for the "ver. 2" label on the bottom by the model number. If you find it, I suggest setting it on fire and buying a new one.

-Zigy

Oops - forgot to mention the model number It's the Linksys BEFVP41.

-Zigy

reply to Eebbbee
I have follow the instruction v2 and the connection between the BEFSX41 and my win2k computer (behind NAT router - BEFSR41) work.
But how do I browse the network? I can't ping IP adresses and I don't see any computer in my network place, but I know the connection was good (both by the log of the router and the SSH Sentinel message)

Thank you

You have reached a limitation of SSH Sentinel 1.3.2. In this version, SSH Sentinel does not support NetBIOS broadcast. Rumors are that more recent version of SSH Sentinel (i.e. 1.4) do support NetBIOS broadcast but these are not free.

Meanwhile, there are two alternative to browse your computer:
1) Use the IP address (i.e. dir \\192.168.1.100\c)
2) Use a WINS server to resolve the PC name instead of NetBIOS

reply to wishnight
It's working now..., i have just make a mistake in the ip address of the vpn, I have take the one of the remote system....

Nice work Flogator, we need more guy like you who make HOW-TO of that quality, and who take time on that forum to help us

One of the greatest AMATEUR post I've read in a long time. I emphasize amateur, beacuse the PROs in (Linksys/CISCO) give me a bitter taste.

THIS POST NEEDS TO BE A STICKY, at least for the duration of 2004.

-bigEz