djblack

join:2002-08-19
Troutdale, OR

BEFSX41 VPN to BEFSX41 success...

Well, out of pure curiosity, I went out and bought another BEFSX41... for VPN testing.

With nothing more than a switch between the 2 WAN ports of the 2 BEFSX41s, my first attempt at a VPN came up instantly. NetBIOS broadcast on, and browsing computer names, printers, drive shares, etc. I even printed a couple of documents to a shared printer, across the tunnel.

I've tested 3DES, DES, MD5, SHA, PFS, no authentication, no encryption, etc...all successful. In all honesty, every combination I tried, worked flawlessly. Enabling "ANTI-REPLAY" did however, cause some buggy operation.

As far as IP addressing, I initially used static IPs on both BEFSX41s, and it worked great. Then, I threw in my old BEFSR41 v1 as a DHCP server for the 2 BEFSXs, to simulate them being DHCP clients from an ISP. In other words, the BEFSR41 was acting as the ISP, and the BEFSX41s were DHCP clients. The tunnel came up under that scenario as well. The only odd thing found with a DHCP setup, was a log entry saying "This connection request matches tunnel 1 setting !", but the tunnel came up and worked anyway. Not sure what that meant, but it didn't seem to cause any trouble. I gave both BEFSXs static addresses, and that log message went away.

I tested throughput across the tunnel using 3 different combinations.

1st setup was with phase 1 set to 3DES, SHA, 1024-bit, and standard key lifetime of 3600 secs. Phase 2 set to 3DES, SHA, 1024-bit and 3600 sec key. Throughput of file transfers ended up stabilizing at about 150K/sec. Not bad IMHO.

2nd setup was with phase1 DES, MD5, 768-bit, and same key life. Phase 2 was again set just the same as phase 1. Throughput here was about 350K/sec. Again, not bad.

3rd setup was with encryption and authentication turned off, and that ended up being pretty much a limitation of 100mb ethernet. If there was any slowing due to the routers and the VPN, I couldn't tell.

I've been transferring files across the tunnel for several hours with no problems yet. Not only large files (500mb+), but some smaller ones mixed in too. Also, sustained a healthy connection with multiple file transfers going both directions...3 large files from one side to the next, and vice versa. Again, no troubles.

So, what does this seem to mean? The BEFSX41 is rock solid when connecting to another BEFSX41. I could not get the 2 routers to hiccup...except with Anti-Replay. Establishing a tunnel to other devices, remains to be seen in my testing. I'll leave this tunnel up for several days, and report any findings.

FYI

EDIT: Was using Firmware 1.43.4 on almost all tests, but 1.43.3 also seemed to do quite well...even when mismatched on either side.
[text was edited by author 2002-12-16 01:56:21]

FF6

join:2002-03-11
Laguna Niguel, CA
Thanks for the info.

mbp6

join:2002-10-01
Bellingham, WA
reply to djblack

Re: BEFSX41 VPN to BEFSX41 success... NOT

Your experience exactly matches mine, yet I have been complaining about how it is impossible to establish a reliable tunnel between a BEFSX41 and BEFVP41. I expect that if I set up my test environment with two BEFSX41s, I would continue to have the same problems.

So why am I complaining, when you claim great success?

There is one crucial difference in our tests. I have set the proposal 1 key lifetime to 10 minutes, rather than the default 8 hours. I also set the proposal 2 key lifetime to 5 minutes. So I simulate days and days of real world operation in a few hours.

In my configuration, the tunnels always get set up successfully (according to the logs), but occasionally the tunnels can not pass data. The logs show constant encryption errors. After 10 minutes (i.e., another proposal 1 key exchange), the tunnel starts passing data correctly again.

In the real world (with 8 hour proposal 1 keys), you would not see a failure for several days. My test environment accelerates the error rate, and I see the error within a couple of hours.

I saw the same results as you with all combinations of encryption and authentication settings (except none, I didn't try that). Most of the time the tunnel would work, but it would always eventually fail.

You said that you were able to transfer files for several hours with no problems. Again, that is my experience. If a tunnel works, it works flawlessly. Since you have 8 hour proposal 1 key lifetimes, your current tunnel will work for hours, or maybe even days. My complaint is that, occasionally, Proposal 1 key exchanges break the tunnel.

Do I have a right to complain about an error that occurs every few days? I think I do. That error will persist for eight hours in the real world. The VPN tunnel will be non-functional for a whole work day unless someone manually resets the routers.

I wanted a turnkey solution to provide to my users. That appears to be impossible with Linksys gear.

I'd ask you to try to duplicate my tests with your equipment. Set very short key lifetimes, and see if your VPN tunnel can always pass data. To test the viability of a tunnel, I would constantly ping a computer at the remote end of the tunnel and log the time and the result. Invariably, I would see 10 minute blocks where all the pings failed.
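
The accelerated-rekey torture test mbp6 describes, scripted as an added example (not code from the thread): it assumes a ping log with one '<date> <time> ok|fail' line per probe, and takes the tunnel start time and the phase 1 key lifetime as parameters so outage blocks can be matched against rekey boundaries.

```python
"""Outage detection over a timestamped ping log, the way mbp6's torture test
works: ping the far end every minute, then look for blocks of failures that
start on an IKE phase 1 key lifetime boundary. Added example; format assumed."""
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: one ping per minute from 10:00 with a 10 minute phase 1
# lifetime; the rekey at 10:20 yields a tunnel that passes no data until 10:30.
SAMPLE_LOG = "\n".join(
    f"2002-12-16 10:{m:02d}:00 {'fail' if 20 <= m < 30 else 'ok'}"
    for m in range(40)
)

def parse_ping_log(text):
    """Turn '<date> <time> <ok|fail>' lines into (datetime, succeeded) pairs."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            date, clock, status = line.split()
            rows.append((datetime.strptime(f"{date} {clock}", FMT), status == "ok"))
    return rows

def outage_windows(rows):
    """Collapse runs of failed pings into (first failure, first success after)
    pairs; the end is None when the log ends while the tunnel is still down."""
    windows, start = [], None
    for ts, ok in rows:
        if not ok and start is None:
            start = ts
        elif ok and start is not None:
            windows.append((start, ts))
            start = None
    if start is not None:
        windows.append((start, None))
    return windows

def analyze(text, tunnel_up, lifetime_sec=600, interval_sec=60):
    """Flag each outage that begins on a phase 1 rekey boundary (counted from
    tunnel_up) and lasts about one key lifetime: a rekey that broke the tunnel."""
    up = datetime.strptime(tunnel_up, FMT)
    life, tol = timedelta(seconds=lifetime_sec), timedelta(seconds=interval_sec)
    report = []
    for start, end in outage_windows(parse_ping_log(text)):
        on_boundary = (start - up) % life < tol
        one_lifetime = end is not None and abs((end - start) - life) <= tol
        report.append((start.strftime(FMT), end.strftime(FMT) if end else None,
                       on_boundary and one_lifetime))
    return report
```

Run it against a real log by reading the file into `analyze()`; an outage flagged True is one that started exactly when a phase 1 rekey was due and lasted until the next one, which is the pattern in the post.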

djblack

join:2002-08-19
Troutdale, OR
said by mbp6:
There is one crucial difference in our tests. I have set the proposal 1 key lifetime to 10 minutes, rather than the default 8 hours. I also set the proposal 2 key lifetime to 5 minutes. So I simulate days and days of real world operation in a few hours.
Perhaps my calculator is broke, but 3600 seconds is exactly one hour. Where do you get 8 hours from 3600 seconds?

Also, I did leave the 2 routers with key expiration times of both phase 1 and phase 2 at 30 seconds. This was left in place for at least an hour...without fail. I was actually thinking of your findings about the key expirations that were dropping your tunnels, when I changed the timers to 30 seconds. Why you continue to have trouble, and I don't, I would also like to know.

Believe me, I'm not trying to sound like these Linksys BEFSX41s are excellent boxes...I'm actually a bit disappointed in their quality. You may have seen my rantings about their incompatibility with a Cisco PIX. But, this is merely a post of my experience thus far.

As an update, I've returned home, and looked at the status and logs of the tunnel, and all is still well so far. They've renegotiated new keys successfully all night, and all day long.

I will be going to a friend's house tonight to install a BEFSX41 on his AT&T Broadband connection to test the VPN stability there. Again, I will post my luck here.

If it is of any interest to you, I will be glad to test with you, and your BEFSX41, or BEFVP41 any time. I'm doing all this for nothing more than curiosity of whether these things are what they're made out to be. So, if you'd like to set up a tunnel or two between us, let me know.

mbp6

join:2002-10-01
Bellingham, WA
said by djblack

Perhaps my calculator is broke, but 3600 seconds is exactly one hour. Where do you get 8 hours from 3600 seconds?

Click the Advanced Settings button on the BEFSX41 VPN page. There you will see lots more settings. The top half has the phase 1 settings, and the default there is 28800 seconds, or 8 hours. The phase 1 settings are invisible unless you use the Advanced Setting button. Changing settings on the main VPN page only changes the phase 2 settings.

I used the wrong terminology in my first posting. I meant "phase 1" when I actually wrote "proposal 1".

said by djblack

Also, I did leave the 2 routers with key expiration times of both phase 1 and phase 2 at 30 seconds. This was left in place for at least an hour...without fail.

I was actually thinking of your findings about the key expirations that were dropping your tunnels, when I changed the timers to 30 seconds. Why you continue to have trouble, and I don't, I would also like to know.

Changing the values on the main VPN page only changes the phase 2 settings. So your phase 1 key lifetime is still set to 28800 seconds.
said by djblack

Believe me, I'm not trying to sound like these Linksys BEFSX41s are excellent boxes...I'm actually a bit disappointed in their quality. You may have seen my rantings about their incompatibility with a Cisco PIX. But, this is merely a post of my experience thus far.

As an update, I've returned home, and looked at the status and logs of the tunnel, and all is still well so far. They've renegotiated new keys successfully all night, and all day long.

And I always see the same thing as you. My logs from the Linksys routers (both ends) indicate that the keys are always renegotiated successfully.

But, if you use the tunnel, it doesn't always work. About 5% of the time, after a phase 1 key renegotiation, you cannot pass data through the tunnel. That's why I use pings to determine whether the tunnel is actually working or not, because the logs don't indicate if the tunnel that has been created is actually usable.

In the real world, when this happens, users suddenly can no longer see the office network. So I get a phone call, and I have to warm start one of the routers.
said by djblack

If it is of any interest to you, I will be glad to test with you, and your BEFSX41, or BEFVP41 any time. I'm doing all this for nothing more than curiosity of whether these things are what they're made out to be. So, if you'd like to set up a tunnel or two between us, let me know.

Yes, I'm very interested. I'll IM my email to you and we can continue our testing discussion offline.

Perhaps I can get confirmation of the problems I'm seeing. I feel like a lone voice in the wilderness at the moment. I've sent detailed information to support at Linksys, and don't get any replies.

Or (unlikely, I think) we'll find some solution that makes my problems go away.

djblack

join:2002-08-19
Troutdale, OR
Honestly, I have no idea what you're talking about with the 28800 seconds. Mine says 3600 for both Phase1 and Phase2...and yes I know where the "Advanced Settings" are.

Just for kicks, I defaulted one of the BEFSX41s and looked at the key expiration times, both phases default at 3600 seconds.

Perhaps the BEFVP41 has different default settings...but it's truly a different bird anyway.

mbp6

join:2002-10-01
Bellingham, WA
reply to djblack

Re: BEFSX41 VPN to BEFSX41 success...

Oh, whoops.

Where's the <blush> markup when you need it?

You're right. The default phase 1 lifetime on my BEFSX41 is also 3600 seconds. And the default phase 1 lifetime on the BEFVP41 is 28800 seconds. I've gotten used to setting phase 1 to 28800 seconds for the user's routers and ignoring whatever was the original value.

mbp6

join:2002-10-01
Bellingham, WA
reply to djblack
With the help of djblack, I can confirm his success of a stable BEFSX41 to BEFSX41 VPN tunnel. I have only one BEFSX41 available for testing, so I set up a tunnel to one of his BEFSX41 routers, and then subjected the tunnel to my torture test. See »Re: [general] Still problems with the BEFSX41

The pings to a machine connected to his remote BEFSX41 have not failed the way I have always seen between a BEFSX41 and a BEFVP41. There are occasional failures, 26 out of 2600, but I can attribute these to the almost constant creation and destruction of tunnels.

So, BEFSX41 <-> BEFSX41 tunnels work. Others have reported that BEFVP41 <-> BEFVP41 tunnels work. But, BEFVP41 <-> BEFSX41 tunnels are not reliable, and that is my environment.


Brano
join:2002-06-25
Burlington, ON

reply to djblack
Guys, could you please post exact config for every field in VPN and Advanced VPN options for each router?
I just can't make it to connect (BEFSX41 to BEFSX41 1.44.3).
Thanks,
B.

EDIT:
Just getting this into log and that's it, no connect.
LOG: 00:00:02 IKE[1] Tx >> AG_I1 : 66.23.xx.xx SA, KE, Nonce, ID

[text was edited by author 2003-01-08 23:01:05]

markku

join:2001-11-15
Finland
Hi Beaujolais,

BEFSX/BEFSX combo should work with any VPN-settings assuming they match. Do not select any Other Options in Advanced page during initial setup.

You should see something like this if the tunnel is progressing properly:

2003-01-09 06:48:08 IKE[2] Tx >> AG_I1 : 212.xxx.11.yyy SA, KE, Nonce, ID
2003-01-09 06:48:09 IKE[2] Rx __ AG_R1 : 212.xxx.11.yyy SA, KE, NONCE, ID, HASH
2003-01-09 06:48:09 IKE[2] ISAKMP SA CKI=[19e8af1f faf332d4] CKR=[1967a578 90ffbfd8]
2003-01-09 06:48:09 IKE[2] ISAKMP SA DES / MD5 / PreShared / MODP_768
2003-01-09 06:48:09 IKE[2] Tx >> AG_I2 : 212.xxx.11.yyy HASH
2003-01-09 06:48:09 IKE[2] Tx >> QM_I1 : 212.xxx.11.yyy HASH, SA, NONCE, ID, ID
2003-01-09 06:48:10 IKE[2] Rx __ QM_R1 : 212.xxx.11.yyy HASH, SA, NONCE, ID, ID, NOTIFY
2003-01-09 06:48:10 IKE[2] Tx >> QM_I2 : 212.xxx.11.yyy HASH
2003-01-09 06:48:10 IKE[2] ESP_SA DES / MD5 / 28800 sec / SPI=[d711f20b:4159ce4b]
2003-01-09 06:48:10 IKE[2] Set up ESP tunnel with 212.xxx.11.yyy Success !

[ text edited for visibility ]

BTW, this capture is actually BEFSX41/SonicWALL-combo, Linky being in Dynamic IP.

If you do not receive any response from your remote Linky please check that remote tunnel is enabled and you are shooting the correct Remote Security Gateway IP (= WAN IP of Linky, not operator's gateway ). There should be _some_ response in your local/remote VPN-logs when firing up the tunnel.
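
A small parser for the BEFSX41 VPN log format shown in markku's capture, added here and not code from the thread or from Linksys. It assumes the line layout is exactly as posted (optional date, time, IKE[n], message) and uses the two captures from this thread as its sample input, so it can tell a stalled negotiation (only AG_I1 sent, as in Brano's log) from one that reached an ESP tunnel.

```python
"""Parse BEFSX41 VPN log lines like the excerpt above and report how far each
IKE[n] negotiation got. Added example, not from the thread or from Linksys."""
import re

STAGES = ["AG_I1", "AG_R1", "AG_I2", "QM_I1", "QM_R1", "QM_I2"]  # initiator order
LINE = re.compile(r"^(?:\S+ )?\d\d:\d\d:\d\d IKE\[(\d+)\] (.*)$")  # date optional
EXCHANGE = re.compile(r"^(?:Tx >>|Rx __) ([AQ][GM]_[IR]\d) :")
SA = re.compile(r"^(ISAKMP SA|ESP_SA) (\S+ / .+)$")

# Sample input copied from this thread: Brano's stalled attempt (IKE[1]) and
# markku's working capture (IKE[2]), with the IPs masked as the posters did.
SAMPLE = """\
00:00:02 IKE[1] Tx >> AG_I1 : 66.23.xx.xx SA, KE, Nonce, ID
2003-01-09 06:48:08 IKE[2] Tx >> AG_I1 : 212.xxx.11.yyy SA, KE, Nonce, ID
2003-01-09 06:48:09 IKE[2] Rx __ AG_R1 : 212.xxx.11.yyy SA, KE, NONCE, ID, HASH
2003-01-09 06:48:09 IKE[2] ISAKMP SA DES / MD5 / PreShared / MODP_768
2003-01-09 06:48:09 IKE[2] Tx >> AG_I2 : 212.xxx.11.yyy HASH
2003-01-09 06:48:09 IKE[2] Tx >> QM_I1 : 212.xxx.11.yyy HASH, SA, NONCE, ID, ID
2003-01-09 06:48:10 IKE[2] Rx __ QM_R1 : 212.xxx.11.yyy HASH, SA, NONCE, ID, ID, NOTIFY
2003-01-09 06:48:10 IKE[2] Tx >> QM_I2 : 212.xxx.11.yyy HASH
2003-01-09 06:48:10 IKE[2] ESP_SA DES / MD5 / 28800 sec / SPI=[d711f20b:4159ce4b]
2003-01-09 06:48:10 IKE[2] Set up ESP tunnel with 212.xxx.11.yyy Success !
"""

def parse_ike_log(text):
    """Group lines by IKE[n]: exchanges seen, negotiated SA parameters, ESP up."""
    tunnels = {}
    for line in text.splitlines():
        if not (m := LINE.match(line.strip())):
            continue  # not an IKE line
        rec = tunnels.setdefault(m[1], {"seen": [], "phase1": None, "phase2": None, "up": False})
        body = m[2]
        if x := EXCHANGE.match(body):
            rec["seen"].append(x[1])
        elif sa := SA.match(body):  # "ISAKMP SA ..." is phase 1, "ESP_SA ..." is phase 2
            params = [p for p in sa[2].split(" / ") if not p.startswith("SPI=")]
            rec["phase1" if sa[1] == "ISAKMP SA" else "phase2"] = params
        elif body.startswith("Set up ESP tunnel") and body.endswith("Success !"):
            rec["up"] = True
    return tunnels

def diagnose(rec):
    """Say how far the negotiation got, using markku's checklist for a stall."""
    if rec["up"]:
        return "ESP tunnel established"
    reached = max((STAGES.index(s) for s in rec["seen"] if s in STAGES), default=-1)
    if reached <= 0:
        return ("nothing past AG_I1, no reply from the remote gateway: check the "
                "remote tunnel is enabled and Remote Security Gateway is its WAN IP")
    return "phase 1 answered but quick mode incomplete: check the settings match"
```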

etherpeeker

join:2003-02-22
Oswego, IL
reply to djblack
I've read your notes on testing the VPN tunnel. Great Work!! You mentioned that you used an old BEFSR41 V1 acting as a DHCP server.
My objective is to set up a VPN using two BERSR41's. However on each side of the tunnel are two different ISP's that provide dynamic IP's.
In the configuration screen of the router if you set the Remote Security Gateway to "any" then I'm assuming that you also need to set the Host to "any" as well. According to Linksys this will allow any IP address to connect. Is the security of the connection (tunnel) controlled by Encryption and Authentication? Can you explain?
Also I've been told by Linksys that a service by dydns.com will monitor changes to dynamic IP addresses. For example when your service provider leases you an address it's only for a specific time. Once the router receives a new IP address the dydns service updates the FQDN.

Thanks for your assistance...

djblack

join:2002-08-19
Troutdale, OR
said by etherpeeker:
...My objective is to set up a VPN using two BERSR41's...
What routers are you planning on using?