mbp6
join:2002-10-01
Bellingham, WA

mbp6 to StangKid

Member

Re: [general] Still problems with the BEFSX41

I'm a sys admin who bought a BEFVP41 for the office network and a number of BEFSX41s for people who work at home. I want to connect each home subnet to the office subnet. These routers (on paper) seem to be exactly the right solution.

I have found a number of problems, and found workarounds. But I *still* cannot get a stable VPN between a VP41 and SX41.

I have been testing with an SX41 connected to the same switch as the VP41, which is outside the firewall. I have a laptop connected to the SX41. I run three testing scripts. One pings the laptop from an internal office machine (subnet to subnet) and logs the result. Another collects the log info from the VP41. The third collects log info from the SX41.

The VPN connection randomly dies after an ISAKMP handshake. It stays dead until another ISAKMP handshake. Normally, the key lifetime is large (8 hours), so you could go days until a failure. But, if it fails, the connection is dead for 8 hours, or the next reset.

Now, the log *says* that it correctly created a tunnel, but the tunnel doesn't work. That's why I have the ping test.

So, for testing, I have set very short key lifetimes, to aggravate the error. I've been trying to find some set of encryption options that doesn't fail. I haven't found one yet. In 24 hours, I might get six failures (4% failure). And Linksys techs have never commented to anyone who has mentioned this problem. I suspect it is a known problem, and there is no solution, short of getting a router from another manufacturer.

"Normal" operation, where a Win2000/XP laptop connects to a VPN server (either an SX41 or VP41) would mask this problem. "Normally", people don't leave their laptop connected to the network for days on end. But, having an "always-on" connection does not work.
MrMoke
join:2002-06-06
Austin, TX

MrMoke

Member

BMP-
You aren't the first to mention this VPN problem between the two Linksys products. It seems to be isolated to the SX41 firmware, as others can get the VP41/VP41 links stable. Which version of the SX41 firmware are you using?
mbp6
join:2002-10-01
Bellingham, WA

mbp6

Member

said by MrMoke:
BMP-
Which version of the SX41 firmware are you using?
I am running 1.43.3, the latest release version. I know there is a 1.43.4 beta, but I am unwilling to put beta software on the production routers. I now do have a spare SX41 that I have been using for testing, but nothing in the information released about the 1.43.4 beta implied that VPN would work any better. But I have sent a request for the beta software, and I'll try it, also.
markku
join:2001-11-15
Finland

markku

Member

BEFVP41/BEFSX41 VPN not work

Hi mbp,

Unfortunately I have to agree with you on having an "always-on" connection does not work between BEFSX/BEFVP41-boxes.

Have tried nearly all possible combinations of parameters, but the tunnels are still flaky.

Just (again) studied the VPN logs and saw the following. The lifetime of the tunnel is 28800 seconds, however after 5 seconds the tunnel will time out.

Symptoms vary, but the problem remains.

2002-11-14 14:06:48 IKE[1] Set up ESP tunnel with xxx.101.yy.zzz Success !
2002-11-14 14:06:48
2002-11-14 14:06:53 IKE[1] MM : ISAKMP SA time out
2002-11-14 14:06:53 IKE[1] Tx >> Delete ESP_SA : spi = 99a7aae3
2002-11-14 14:06:53 IKE[1] Tx >> Delete ISAKMP_SA : cookie 7d4d37b3 dd7e3da7 | 9762fc93 50ca868f
2002-11-14 14:06:54 IKE[1] Rx > Delete ESP_SA : spi = 528bae5c
2002-11-14 14:06:56 IKE[8] Rx Delete ESP_SA : spi = 5066f4fa
2002-11-14 14:06:59 IKE[1] Rx Delete ISAKMP_SA : cookie 7d4d37b3 dd7e3da7 | 9762fc93 50ca868f
mbp6
join:2002-10-01
Bellingham, WA

mbp6

Member

said by markku:

Unfortunately I have to agree with you on having an "always-on" connection does not work between BEFSX/BEFVP41-boxes.

Just (again) studied the VPN logs and saw the following. The lifetime of the tunnel is 28800 seconds, however after 5 seconds the tunnel will time out.

[ log data deleted... ]

I have accumulated and studied days and days of logs, and what you see is actually normal behavior. You need to pay attention to the SPI numbers in the DELETE messages. Right after creating a new ESP_SA, the routers delete the previous one. Likewise for ISAKMP exchanges.

That said, I also see cases where a new ISAKMP forces the current (and possibly just created) ESP_SA to be deleted. However, a replacement is created soon afterwards. Since the ESP_SA key is dependent on the ISAKMP value, this makes sense.
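
The thread's test method (a router log that reports a successful tunnel, checked against an independent subnet-to-subnet ping log) can be automated. The following is an added example, not code from any poster: it assumes router log lines in the format quoted above and a hypothetical ping log of `timestamp ok|fail` lines, and all sample data is constructed.

```python
import re
from datetime import datetime

# Constructed sample data. The router lines follow the format quoted in the
# thread; the ping log format ("timestamp ok|fail") is an assumption.
ROUTER_LOG = """\
2002-11-14 14:06:48 IKE[1] Set up ESP tunnel with 192.0.2.10 Success !
2002-11-14 14:06:53 IKE[1] Tx >> Delete ESP_SA : spi = 99a7aae3
2002-11-14 14:16:48 IKE[1] Set up ESP tunnel with 192.0.2.10 Success !
2002-11-14 14:26:48 IKE[1] Set up ESP tunnel with 192.0.2.10 Success !
"""
PING_LOG = """\
2002-11-14 14:07:00 ok
2002-11-14 14:12:00 ok
2002-11-14 14:17:00 fail
2002-11-14 14:22:00 fail
2002-11-14 14:27:00 ok
"""

TS = "%Y-%m-%d %H:%M:%S"
SETUP = re.compile(r"^(\S+ \S+) IKE\[\d+\] Set up ESP tunnel with \S+ Success")
PING = re.compile(r"^(\S+ \S+) (ok|fail)$")

def tunnel_setups(log):
    """Timestamps at which the router claims a tunnel was established."""
    return [datetime.strptime(m.group(1), TS)
            for line in log.splitlines() if (m := SETUP.match(line))]

def ping_results(log):
    """(timestamp, succeeded) pairs from the independent ping probe."""
    return [(datetime.strptime(m.group(1), TS), m.group(2) == "ok")
            for line in log.splitlines() if (m := PING.match(line))]

def dead_tunnels(router_log, ping_log):
    """Return (start, end, probes) for each interval between two reported
    tunnel setups in which every ping probe failed. end is None if open."""
    setups = tunnel_setups(router_log)
    pings = ping_results(ping_log)
    dead = []
    for i, start in enumerate(setups):
        end = setups[i + 1] if i + 1 < len(setups) else None
        window = [ok for ts, ok in pings
                  if ts >= start and (end is None or ts < end)]
        if window and not any(window):  # log said "Success", traffic says no
            dead.append((start, end, len(window)))
    return dead

if __name__ == "__main__":
    for start, end, n in dead_tunnels(ROUTER_LOG, PING_LOG):
        print(f"tunnel reported up at {start}, but {n}/{n} pings failed until {end}")
```

Intervals with no probes at all are skipped rather than reported, so the probe period should be shorter than the key lifetime under test.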