 | [VPN] BEFSX41 VPN Requirements
Hello,
Can anyone help with this? I spent hundreds of $ listening to Linksys people and still cannot get VPN to work. They told me I needed to change my router (BEFSR41) for one with VPN passthrough, which I did.
I have firmware 1.45.3 on the BEFSX41 and wanted to access 2 XP Pro PCs behind the router from changing locations with an XP Pro portable. I followed Linksys White Papers to the letter to no avail.
Can anyone list the software or setting requirements? Do I need a 3rd-party server client, or has anyone been able to work with the stuff built into XP Pro? What are the XP networking services required for VPN?
Thanks for any help. |
|
 | V1.45.7 will work... |
|
 FlogatorPremium,MVM join:2003-01-19 Cantley, QC kudos:1 | reply to Eebbbee If I understand your requirement properly, then you want the BEFSX41 to act as a VPN server and want to run a VPN client on the portable PC. So you got to solve this issue in two steps: The server and the client.
For the server side, as Jan has kindly suggested, you got to upgrade your router to BEFSX41 firmware 1.45.7 which you can find here. Basically, a bug was introduced by 1.45.3 which makes the BEFSX41 acting as a VPN server useless. Fortunately for you, this is fixed in 1.45.7. The BEFSX41 must be configured as a VPN server. To do this, access the "VPN" tab of your BEFSX41 configuration web page and enable one VPN tunnel. Then insert the following information:
- Tunnel Name: Mobile Access
- Local Secure Group: Subnet (using same subnet as the BEFSX41's LAN)
- Remote Secure Group: Any
- Remote Security Gateway: Any
- Encryption: 3DES
- Authentication: MD5
- Key Management: Auto. IKE (check PFS box and enter your favorite secret and life time)
Hit the "Apply" button, the "Continue" button and the "Advanced Setting" button. Then enter the following:
Phase1:
- Operation mode: select the "Main mode" radio button
- Proposal1: 3DES/MD5/1024-bit/28800
Phase2:
- 1024-bit/28800
Other options:
- Check the NetBIOS broadcast, Anti-Replay and Keep-Alive box
Hit the apply button.
For the client side, you might need 3rd-party software. Windows XP Pro comes with a built-in VPN client but I think you need an application wrapper to make it work. I am no expert there. I can only recommend you to post a similar thread in the Networking forum titled something like "How to use the Windows XP Pro built-in VPN client". |
|
 | Thank you Flogator!
You would not believe how many times I asked this question to Linksys support...to a point where I did not know how to ask anymore.
You say you are no expert...! I guess it's all relative...compared to Linksys support you are a Master!
I AM NO expert so kindly forgive my ignorance. Is it the Router that's acting as server or a PC behind it? The Linksys white paper had a whole thing about security policies, which I followed. Do I still need those policies? Can you point me to a GOOD whitepaper on the topic?
I have not tried your tips yet -I am confident- but just to let you know: your answer has just convinced me to subscribe to dslreports.
Thanks again.
EB |
|
 MrMoke join:2002-06-06 Austin, TX 2 edits | It's the router. The documentation for Windows 2000/XP in the Linksys manual makes several assumptions, such as static IP addresses for the server site, which is not the case for most home applications, although your situation may be different. As you have seen, the setup for VPN is quite confusing. For the mobile laptop, you might look around for the free version of the SSH Sentinel VPN client, which is still available, mostly at university sites. An option that works for me is the Safenet client that comes with Sonicwall products. The setup for these clients is very easy, and works well with the SX41 configuration that Flogator describes.
I admit that I am still locked in to version 1.44.11t of the firmware, rather than 1.45.7. |
|
|
|
 FlogatorPremium,MVM join:2003-01-19 Cantley, QC kudos:1 | reply to Eebbbee In the description I posted earlier, indeed, the BEFSX41 will be the one acting as a server. The computers behind the BEFSX41 are totally unaware of the VPN tunnel (and that's the beauty of it). That is because you bought a router with built-in VPN. |
|
 FlogatorPremium,MVM join:2003-01-19 Cantley, QC kudos:1 | reply to MrMoke MrMoke, I think I understand your scepticism about BEFSX41 firmware in general. As many of us know, firmware 1.45.3 is a fiasco which introduced more bugs than it fixed. However, there are reasons why I asked Linksys to be able to release the 1.45.7 firmware on this forum. That's because I consider it one notch better than 1.44.11t. Everything is a matter of opinion and choice. I, for my part, am running firmware 1.45.7 and am happy with it. |
|
 Eebbbee7Premium join:2004-02-18 Saint-Roch-De-L'Achigan, QC | reply to MrMoke Thank you for your reply MrMoke,
Confusing is a nice way to put it! So the Router is the Server...then it has nothing to do with security policies on an XP machine behind it? Why does Linksys tell us to set security policies? Trying to understand here. I did manage to create one connection, months ago, or at least I saw a connection in the log but I could never do anything with it and I could never reproduce it. I was using the WIN2000/XP how-to after I corrected a few errors in the security policies part of that paper. My need is to be able to access my LAN while travelling. I try to choose hotels with high-speed connections but often have to work with dialup. I can access fine with gotomypc but it ends up being expensive. I need to access 2 PCs behind the router.
Maybe my comprehension of server is wrong? Are the PCs I am accessing on the LAN clients? Up to now I was working with the assumption they had to be servers. Probably the source of my confusion. Do you know if using something like Windows Server or Small Business Server makes it easier? I think you need a dedicated machine for those. I stumbled across RealVNC yesterday. Do you know it?
There has to be a whitepaper somewhere that explains the VPN requirements...
thanks for any help
EB |
|
 MrMoke join:2002-06-06 Austin, TX 1 edit | reply to Flogator The main reason I stay away from versions 1.45.3 and 1.45.7 is that they cause the browser on my main XP box to malfunction. It can find the web sites, and then locks waiting for a response. An interesting quirk in this scenario is that if I get an e-mail notification from MSN messenger, and click on the notification pop-up, it will login and load the e-mail screen. No other sites will open. This only affects my XP box, not W2K nor RedHat 9.
Moving back to 1.44.11t makes the problem go away immediately.
I haven't had the time or inclination to test other applications, but standard stuff like ping and tracert seem to work, just not the browser. It's hard to complain here if you can't use a browser  |
|
 MrMoke join:2002-06-06 Austin, TX | They don't have to be anything special, nor do they have to be windows boxes. All VPN is handled by the SX41 and VPN software on the laptop. You merely have two interconnected networks, using different subnets, running through a VPN tunnel. |
|
 | reply to MrMoke You speak of firmware revision 1.44.11t. I have several BEFSX41 routers at remote locations utilizing the VPN connectivity. The most stable of all of them is one with the 1.44, Nov 22 2002 firmware. Would that be the same as 1.44.11t? If so, could you direct me to where I could get the bin?
Thanks |
|
 FlogatorPremium,MVM join:2003-01-19 Cantley, QC kudos:1 | You can get the latest BEFSX41 firmware here. If firmware 1.44 is the most stable one, then your other routers must be running older firmware. The only thing you lose by upgrading to 1.44.11t or later is the inbound filters. If you are not using those, I would recommend you 1.45.7. If you need those, then you must stay at 1.44.8 or earlier. |
|
 | We are using a Linux server (freeswan) for connectivity to all the BEFSX41. Currently, we are running 1.44, 1.45.3, and 1.45.7 on the Linksys routers. As I said before, the most stable of them is the firmware 1.44. Is it possible to still get that bin file? Do you know of any posts of anyone else using freeswan to connect to these Linksys routers?
Thanks again. |
|
 FlogatorPremium,MVM join:2003-01-19 Cantley, QC kudos:1 | I hate to go too far in the past but here goes. You can get to BEFSX41 firmware 1.44 at the link below:
»ftp://ftp.linksys.com/pub/befsr41/befsx-144.zip
May I suggest you start a new thread and explain your problems. Perhaps there are solutions for you. This thread is covering up the usage of Windows XP mobile acting as a VPN client and a BEFSX41 acting as a VPN server. |
|
 FlogatorPremium,MVM join:2003-01-19 Cantley, QC kudos:1 | reply to Eebbbee7 Eebbee, I was doing a bit of reading about Windows XP VPN client. You might be able to get it working without too much trouble. I'll try out something tonight and post my findings.
BTW, welcome to the forum mon ami. |
|
 FlogatorPremium,MVM join:2003-01-19 Cantley, QC kudos:1 | reply to Eebbbee Just noticed the thread below was started in the VPN forum. Just doing the cross reference.
»Simple VPN Solution with BEFSX41
I intend to report my findings to this thread since we have already covered up half the setup. |
|
 Eebbbee7Premium join:2004-02-18 Saint-Roch-De-L'Achigan, QC | Hello Flogator!
I did upgrade the firmware to 1.45.7 and configured the tunnel as you said but could not even create a (VPN) log event while using an XP VPN connection that I created (Network places|Create A New Connection|VPN|through Internet). I then dialed my IP as it shows on the WAN side of the SX41 status. On the client side (portable) I played around with the security settings and I could not choose the MD5 challenge option, probably because I don't have any security policies defined on it. So I managed to get errors 800 and 769. I think I am starting to get a better grasp of the concept-some would say it's about time!- and I think you might be right about using XP client fairly easily. All I have to do (I think) is set the right IPsec policies on the client.
It's a lot easier when you can get some answers to your questions...
A note on firmware 1.45.7: It's been running 'bout 12 hours now and seems to have resolved a problem I had with ghost IPs. Don't know what else to call them. LAN access would periodically get denied and when I checked the DHCP table it was always one PC or MAC address showing 2 IP addresses, usually one with the LAN name and one without a name. Up to now I thought it was a problem with the PCs' XP (2 out of 5 PCs) but since I had none in the past 12 hours I am now thinking firmware. My workaround was to delete both IPs from DHCP and disable/enable the NIC to refresh the IP without affecting other users; router reset (power off) also worked.
Thanks again
EB |
|
 FlogatorPremium,MVM join:2003-01-19 Cantley, QC kudos:1 | reply to Eebbbee Ironically, I have tried a similar thing last night just to get a better understanding on how to get an XP machine to connect to the BEFSX41 VPN end-point.
I tried many settings and was even getting some of the handshake to get to the BEFSX41. However, I was getting messages in my BEFSX41 logs such as "INVALID-COOKIE", or "PAYLOAD-MISMATCH" or simply "Check your authentication and encryption parameters". After doing a bit of reading, I think the Windows XP built-in VPN client is too much Microsoft-ish. My next step was to look around for other software VPN clients.
Meanwhile, if you find anything, please post it in this thread, and so will I. Tonight or tomorrow night, I will try the "GreenBow VPN client" and see if it makes a difference. |
|
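The router-side Phase 1 and Phase 2 values listed earlier in the thread only help if the VPN client offers the same ones. As an added example (not from any poster or from Linksys), this Python code parses the thread's `3DES/MD5/1024-bit/28800` notation and reports which fields of each client offer disagree with the router. The client offers are constructed, and the acceptance rule (lifetime differences tolerated) is an assumption, not documented BEFSX41 behaviour.

```python
import re
from typing import NamedTuple, Optional

# MODP prime size -> IKEv1 Diffie-Hellman group number (RFC 2409, RFC 3526)
DH_GROUP = {768: 1, 1024: 2, 1536: 5}

class Proposal(NamedTuple):
    enc: str
    auth: str
    dh_bits: int
    lifetime: int

def parse_proposal(text: str) -> Proposal:
    """Parse the 'ENC/AUTH/NNNN-bit/SECONDS' notation used in the thread."""
    m = re.fullmatch(r"\s*(\w+)/(\w+)/(\d+)-bit/(\d+)\s*", text)
    if m is None:
        raise ValueError(f"unrecognised proposal: {text!r}")
    return Proposal(m[1].upper(), m[2].upper(), int(m[3]), int(m[4]))

def diff(router: Proposal, offer: Proposal) -> list:
    """Names of the fields on which an offer disagrees with the router."""
    return [f for f in Proposal._fields if getattr(router, f) != getattr(offer, f)]

def negotiate(router_text: str, offers: list):
    """Return (index of first acceptable offer or None, per-offer mismatches).

    Assumption: an offer is acceptable only if cipher, hash and DH size all
    match; a lifetime difference is reported but not treated as fatal.
    """
    router = parse_proposal(router_text)
    report, chosen = [], None
    for i, text in enumerate(offers):
        fields = diff(router, parse_proposal(text))
        report.append(fields)
        if chosen is None and not set(fields) - {"lifetime"}:
            chosen = i
    return chosen, report

def pfs_ok(router_bits: Optional[int], client_bits: Optional[int]) -> bool:
    """Phase 2: both ends must agree on PFS (None = off) and on its DH size."""
    return router_bits == client_bits

ROUTER_PHASE1 = "3DES/MD5/1024-bit/28800"   # Proposal1 from the thread
ROUTER_PFS_BITS = 1024                       # Phase2 value, PFS box checked
# Constructed client offers, in the order a client might send them.
CLIENT_OFFERS = ["3DES/SHA1/1024-bit/28800", "DES/MD5/768-bit/3600",
                 "3des/md5/1024-bit/3600"]

if __name__ == "__main__":
    chosen, report = negotiate(ROUTER_PHASE1, CLIENT_OFFERS)
    for text, fields in zip(CLIENT_OFFERS, report):
        print(f"{text:28} mismatched: {', '.join(fields) or 'none'}")
    print("accepted offer:", chosen, "| DH group", DH_GROUP[ROUTER_PFS_BITS])
    print("PFS agrees with a PFS-off client:", pfs_ok(ROUTER_PFS_BITS, None))
```
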
 morboComplete Your Transaction join:2002-01-22 00000 Reviews:
·Charter
| reply to Flogator said by Flogator: The only thing you lose by upgrading to 1.44.11t or later is the inbound filters. If you are not using those, I would recommend you 1.45.7. If you need those, then you must stay at 1.44.8 or earlier.
Err... by inbound filters you mean:
Block WAN request, multicast pass through, IPsec pass through, etc.
? |
|
 FlogatorPremium,MVM join:2003-01-19 Cantley, QC kudos:1 | Morbo, that's not what I meant. By inbound filter I was referring to the "Filter" tab from the router's configuration web page. Features such as "Block WAN Request", "Multicast passthrough" and "IPSec passthrough" are still functional.
Really, what I should have said is the "Filter" tab got a major change from 1.44.8 to 1.44.11t such that you can no longer set up inbound filters. Only outbound filters can be set using 1.44.11t and beyond.
Hope this clarifies any ambiguities from the previous post. |
|