
mbp6
join:2002-10-01 Bellingham, WA
reply to djblack, Re: BEFSX41 VPN to BEFSX41 success... NOT
Your experience exactly matches mine, yet I have been complaining about how it is impossible to establish a reliable tunnel between a BEFSX41 and BEFVP41. I expect that if I set up my test environment with two BEFSX41s, I would continue to have the same problems.
So why am I complaining, when you claim great success?
There is one crucial difference in our tests. I have set the proposal 1 key lifetime to 10 minutes, rather than the default 8 hours. I also set the proposal 2 key lifetime to 5 minutes. So I simulate days and days of real world operation in a few hours.
In my configuration, the tunnels always get set up successfully (according to the logs), but occasionally the tunnels cannot pass data. The logs show constant encryption errors. After 10 minutes (i.e., another proposal 1 key exchange), the tunnel starts passing data correctly again.
In the real world (with 8 hour proposal 1 keys), you would not see a failure for several days. My test environment accelerates the error rate, and I see the error within a couple of hours.
I saw the same results as you with all combinations of encryption and authentication settings (except none, I didn't try that). Most of the time the tunnel would work, but it would always eventually fail.
You said that you were able to transfer files for several hours with no problems. Again, that is my experience. If a tunnel works, it works flawlessly. Since you have 8 hour proposal 1 key lifetimes, your current tunnel will work for hours, or maybe even days. My complaint is that, occasionally, Proposal 1 key exchanges break the tunnel.
Do I have a right to complain about an error that occurs every few days? I think I do. That error will persist for eight hours in the real world. The VPN tunnel will be non-functional for a whole work day unless someone manually resets the routers.
I wanted a turnkey solution to provide to my users. That appears to be impossible with Linksys gear.
I'd ask you to try to duplicate my tests with your equipment. Set very short key lifetimes, and see if your VPN tunnel can always pass data. To test the viability of a tunnel, I would constantly ping a computer at the remote end of the tunnel and log the time and the result. Invariably, I would see 10 minute blocks where all the pings failed.

djblack
join:2002-08-19 Troutdale, OR
said by mbp6: There is one crucial difference in our tests. I have set the proposal 1 key lifetime to 10 minutes, rather than the default 8 hours. I also set the proposal 2 key lifetime to 5 minutes. So I simulate days and days of real world operation in a few hours.
Perhaps my calculator is broken, but 3600 seconds is exactly one hour. Where do you get 8 hours from 3600 seconds?
Also, I did leave the 2 routers with key expiration times of both phase 1 and phase 2 at 30 seconds. This was left in place for at least an hour...without fail. I was actually thinking of your findings about the key expirations that were dropping your tunnels, when I changed the timers to 30 seconds. Why you continue to have trouble, and I don't, I would also like to know.
Believe me, I'm not trying to sound like these Linksys BEFSX41s are excellent boxes...I'm actually a bit disappointed in their quality. You may have seen my rantings about their incompatibility with a Cisco PIX. But, this is merely a post of my experience thus far.
As an update, I've returned home, and looked at the status and logs of the tunnel, and all is still well so far. They've renegotiated new keys successfully all night, and all day long.
I will be going to a friend's house tonight to install a BEFSX41 on his AT&T Broadband connection to test the VPN stability there. Again, I will post my luck here.
If it is of any interest to you, I will be glad to test with you, and your BEFSX41, or BEFVP41 any time. I'm doing all this for nothing more than curiosity of whether these things are what they're made out to be. So, if you'd like to set up a tunnel or two between us, let me know.

mbp6
join:2002-10-01 Bellingham, WA
said by djblack:
Perhaps my calculator is broken, but 3600 seconds is exactly one hour. Where do you get 8 hours from 3600 seconds?
Click the Advanced Settings button on the BEFSX41 VPN page. There you will see lots more settings. The top half has the phase 1 settings, and the default there is 28800 seconds, or 8 hours. The phase 1 settings are invisible unless you use the Advanced Setting button. Changing settings on the main VPN page only changes the phase 2 settings.
I used the wrong terminology in my first posting. I meant "phase 1" when I actually wrote "proposal 1".
said by djblack:
Also, I did leave the 2 routers with key expiration times of both phase 1 and phase 2 at 30 seconds. This was left in place for at least an hour...without fail.
I was actually thinking of your findings about the key expirations that were dropping your tunnels, when I changed the timers to 30 seconds. Why you continue to have trouble, and I don't, I would also like to know.
Changing the values on the main VPN page only changes the phase 2 settings. So your phase 1 key lifetime is still set to 28800 seconds.
said by djblack:
Believe me, I'm not trying to sound like these Linksys BEFSX41s are excellent boxes...I'm actually a bit disappointed in their quality. You may have seen my rantings about their incompatibility with a Cisco PIX. But, this is merely a post of my experience thus far.
As an update, I've returned home, and looked at the status and logs of the tunnel, and all is still well so far. They've renegotiated new keys successfully all night, and all day long.
And I always see the same thing as you. My logs from the Linksys routers (both ends) indicate that the keys are always renegotiated successfully.
But, if you use the tunnel, it doesn't always work. About 5% of the time, after a phase 1 key renegotiation, you cannot pass data through the tunnel. That's why I use pings to determine whether the tunnel is actually working or not, because the logs don't indicate if the tunnel that has been created is actually usable.
In the real world, when this happens, users suddenly can no longer see the office network. So I get a phone call, and I have to warm start one of the routers.
said by djblack:
If it is of any interest to you, I will be glad to test with you, and your BEFSX41, or BEFVP41 any time. I'm doing all this for nothing more than curiosity of whether these things are what they're made out to be. So, if you'd like to set up a tunnel or two between us, let me know.
Yes, I'm very interested. I'll IM my email to you and we can continue our testing discussion offline.
Perhaps I can get confirmation of the problems I'm seeing. I feel like a lone voice in the wilderness at the moment. I've sent detailed information to support at Linksys, and don't get any replies.
Or (unlikely, I think) we'll find some solution that makes my problems go away.

djblack
join:2002-08-19 Troutdale, OR
Honestly, I have no idea what you're talking about with the 28800 seconds. Mine says 3600 for both Phase1 and Phase2...and yes I know where the "Advanced Settings" are.
Just for kicks, I defaulted one of the BEFSX41s and looked at the key expiration times, both phases default at 3600 seconds.
Perhaps the BEFVP41 has different default settings...but it's truly a different bird anyway.
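The ping-based tunnel check mbp6 describes above (constant pings to a host behind the tunnel, each logged with time and result), as an added example that is not code from either poster: it parses a ping log, finds runs of failed pings, and flags any block whose length matches the 600 second phase 1 key lifetime used in mbp6's test, which is the "tunnel up in the logs but passing no data until the next rekey" symptom the thread is about. The log line format, the 09:20 outage and all sample data are constructed for this example.

```python
# Added example (not code from either poster): find tunnel outage windows in a ping
# log, the check mbp6 describes. Log format and all sample data are constructed.
from datetime import datetime, timedelta

REKEY_INTERVAL_S = 600  # phase 1 key lifetime mbp6 used for testing (10 minutes)

def parse_ping_log(lines):
    """Parse 'YYYY-MM-DD HH:MM:SS ok|fail' lines into (timestamp, ok) tuples."""
    events = []
    for line in lines:
        if line.strip():
            stamp, result = line.strip().rsplit(" ", 1)
            events.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), result == "ok"))
    return events

def find_outages(events, min_failures=3):
    """Return (start, end, failed_count) per run of consecutive failed pings;
    runs shorter than min_failures are treated as ordinary packet loss."""
    outages, run = [], []
    for stamp, ok in events + [(None, True)]:  # sentinel flushes the last run
        if not ok:
            run.append(stamp)
            continue
        if len(run) >= min_failures:
            outages.append((run[0], run[-1], len(run)))
        run = []
    return outages

def rekey_shaped(outage, interval_s=REKEY_INTERVAL_S, slack_s=60):
    """True if the outage lasted about one phase 1 lifetime, i.e. the tunnel only
    recovered at the next key exchange, which is the symptom described in the thread."""
    start, end, _ = outage
    return abs((end - start).total_seconds() - interval_s) <= slack_s

def build_sample_log():
    """Constructed log: one ping per 10 s for 40 minutes, one lost packet at
    09:05:00, and every ping failing from 09:20:00 until the 09:30 rekey."""
    t0 = datetime(2002, 10, 15, 9, 0, 0)
    lines = []
    for i in range(240):
        off = timedelta(seconds=10 * i)
        bad = off == timedelta(minutes=5) or timedelta(minutes=20) <= off < timedelta(minutes=30)
        lines.append(f"{t0 + off:%Y-%m-%d %H:%M:%S} {'fail' if bad else 'ok'}")
    return lines

SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for start, end, lost in find_outages(parse_ping_log(SAMPLE_LOG)):
        print(f"{start:%H:%M:%S}-{end:%H:%M:%S} {lost} lost, rekey-shaped: {rekey_shaped((start, end, lost))}")
```

Run against a real log, a block that starts right at a rekey boundary and ends at the next one is the signal to look for; isolated failed pings are just packet loss and are filtered by min_failures.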