Can't get BEFSX41 VPN to work

[martin]

Archived from groups: comp.dcom.vpn (More info?)

I replaced my Linksys BEFSR41 router with a BEFSX41 router. The router
is on the inside of my cable modem and I have a small network branched
off the router. I have the new one installed and everything seems to
work as expected - except the VPN.

I think I have the VPN stuff configured correctly but I can't connect
to it (from the WAN side). For testing/learning purposes, I'm trying
to connect using a Windows 2000 laptop, dialing out through a
separate phone connection (with the laptop disconnected from the LAN).

I'm getting error: "L2TP connection failed ... security layer
processing error..."

Question: do I have to use IPSec? The Linksys literature seems to
imply that this is required. They have a whole appendix on how to
create an IP Security policy but I'm not clear as to whether this
applies to the remote computer or to something else. And, when I
create the policy and apply it per their instructions, it screws up
the connection to my own LAN.

Another question: should I have "IPSec Passthrough", "PPTP
Passthrough" and "PPPOE Passthrough" enabled or disabled?

Help?

 

[Guest]

Archived from groups: comp.dcom.vpn (More info?)

Martin wrote:
> I replaced my Linksys BEFSR41 router with a BEFSX41 router. The router
> is on the inside of my cable modem and I have a small network branched
> off the router. I have the new one installed and everything seems to
> work as expected - except the VPN.
>
> I think I have the VPN stuff configured correctly but I can't connect
> to it (from the WAN side). For testing/learning purposes, I'm trying
> to connect using a Windows 2000 laptop, dialing out through a
> separate phone connection (with the laptop disconnected from the LAN).
>
> I'm getting error: "L2TP connection failed ... security layer
> processing error..."
>
> Question: do I have to use IPSec? The Linksys literature seems to
> imply that this is required. They have a whole appendix on how to
> create an IP Security policy but I'm not clear as to whether this
> applies to the remote computer or to something else. And, when I
> create the policy and apply it per their instructions, it screws up
> the connection to my own LAN.
>
> Another question: should I have "IPSec Passthrough", "PPTP
> Passthrough" and "PPPOE Passthrough" enabled or disabled?
>
> Help?
>


Well this is simple.

BEFSX41 does not support L2TP.

You imply that you read the instructions but it seems you did not
comprehend them. Yes, with only Windows 2000 you need to create an
IPSEC security policy to connect to this router remotely. You can also
use a VPN client software product, there are a few different ones on the
market and you will likely need to figure out the settings on your own
since Linksys does not support that. Or you can get a second router and
create a permanent connection between the two from one site to another.

IPSec and PPTP passthrough are for using a client inside the router to
make a connection to another separate router outside of your network.
These options have nothing to do with connecting to your VPN router as a
VPN endpoint, it only affects connections passing through the router
where the router is not an endpoint in the VPN connection.

--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)

 

[martin]

Archived from groups: comp.dcom.vpn (More info?)

Mike - Thanks for the response.
>
>BEFSX41 does not support L2TP.
OK...

>You imply that you read the instructions but it seems you did not
>comprehend them.
That is true.

>Yes, with only Windows 2000 you need to create an
>IPSEC security policy to connect to this router remotely.
If I were to connect from an XP machine or one running NT would it be
any different? Does the router "require" IPSec to be used? Could PPTP
be used instead?

> Or you can get a second router and
>create a permanent connection between the two from one site to another.
That is actually what I'm going to end up with. There are two small
networks that I want to link together. But, right now, I'm just trying
to get a connection established to test and learn from.

>IPSec and PPTP passthrough are for using a client inside the router to
>make a connection to another separate router outside of your network.
>These options have nothing to do with connecting to your VPN router as a
>VPN endpoint, it only affects connections passing through the router
>where the router is not an endpoint in the VPN connection.
Ok, I'm clear on that.

FWIW, since I posted my original questions, I updated the firmware in
the router. I didn't make a note of the old version number but now
it's running version 1.50.18. The userinterface changed completely.
After setting things up again (the update set everything back to
factory defaults), the L2TP error went away only to be replaced by one
telling me that the "domain couldn't accept a dial-up connection".
Since there is no domain involved here, that has me kind of stumped.

I guess I'll try activate the IPSec policy on the Win2K box and try
things again.

Any further advice you might be able to offer will be greatly
appreciated.

 

[Guest]

Archived from groups: comp.dcom.vpn (More info?)

When you say you want to connect two networks, do you mean through two
separate routers? Although I have not done it, I understand that connecting
two BEFSX41s together is not too difficult. What I have done is to connect
a remote computer to a network through a VPN using client software: SSH
Sentinel v. 1.3.

This website has instructions for configuring the client for the BEFVP41
(which is pretty much the same as for the BEFSX41--I've done both):
http://www.homenethelp.com/vpn/router-client-v13.asp. Here is a link to get
a free, personal use version of the client:
http://nts.wustl.edu/wireless/SSHSentinel1.3.2.2.exe. SSH no longer makes
the software, so it is pretty much an orphan product.

The only problem I had with the SSH Sentinel client was that it interfered
with the wireless driver on one of my notebooks (a Sony with a Lan-Express
internal wireless card). I have since disguarded the Linksys box in favor
of a more expensive, heavier-duty Netgear one (the Linksys routers seemed to
each give out after a year). At the same time, I have switched to the
Netgear client, which is fairly cheap (it came with my router, or can be
bought for about $40 for one license or $120 or so for 5).

My understanding is that the built-in VPN capability of Windows 2000 and
Windows XP is annoyingly difficult to set up, and only works with a static
IP address--not too useful if you travel or have a dynamic IP.

Paul




"Martin" <martinvalley@comcast.net> wrote in message
news:58n8t05v7m6jf94t5pjg8ut4egfe5l9sul@4ax.com...
> Mike - Thanks for the response.
>>
>>BEFSX41 does not support L2TP.
> OK...
>
>>You imply that you read the instructions but it seems you did not
>>comprehend them.
> That is true.
>
>>Yes, with only Windows 2000 you need to create an
>>IPSEC security policy to connect to this router remotely.
> If I were to connect from an XP machine or one running NT would it be
> any different? Does the router "require" IPSec to be used? Could PPTP
> be used instead?
>
>> Or you can get a second router and
>>create a permanent connection between the two from one site to another.
> That is actually what I'm going to end up with. There are two small
> networks that I want to link together. But, right now, I'm just trying
> to get a connection established to test and learn from.
>
>>IPSec and PPTP passthrough are for using a client inside the router to
>>make a connection to another separate router outside of your network.
>>These options have nothing to do with connecting to your VPN router as a
>>VPN endpoint, it only affects connections passing through the router
>>where the router is not an endpoint in the VPN connection.
> Ok, I'm clear on that.
>
> FWIW, since I posted my original questions, I updated the firmware in
> the router. I didn't make a note of the old version number but now
> it's running version 1.50.18. The userinterface changed completely.
> After setting things up again (the update set everything back to
> factory defaults), the L2TP error went away only to be replaced by one
> telling me that the "domain couldn't accept a dial-up connection".
> Since there is no domain involved here, that has me kind of stumped.
>
> I guess I'll try activate the IPSec policy on the Win2K box and try
> things again.
>
> Any further advice you might be able to offer will be greatly
> appreciated.

 

[Guest]

Archived from groups: comp.dcom.vpn (More info?)

Hi Paul,

>When you say you want to connect two networks, do you mean through two
>separate routers? Although I have not done it, I understand that connecting
>two BEFSX41s together is not too difficult. What I have done is to connect
>a remote computer to a network through a VPN using client software: SSH
>Sentinel v. 1.3.

Do you need any special RAS server on LAN Windows computer? Or it is
enough to open a bidirectional tunnel between BEFSX41 and a dedicated
Windows XP? I have only one static address (the router's), all my
local computers are DHCP-ed on 192.168.0.x. I'm aware I need at least
to fix IP address on the dedicated server (unfortunately, BEF doesn't
allow for it. Earlier I used IAS 690 for HIS and it allowed to assign
IP addresses to MAC addresses centrally).


>
>This website has instructions for configuring the client for the BEFVP41
>(which is pretty much the same as for the BEFSX41--I've done both):
>http://www.homenethelp.com/vpn/router-client-v13.asp. Here is a link to get
>a free, personal use version of the client:
>http://nts.wustl.edu/wireless/SSHSentinel1.3.2.2.exe. SSH no longer makes
>the software, so it is pretty much an orphan product.
>
How it is working? Is that something analogous to Dial-Up server in
Windows 95 (would be perfect)? How many simultanous VPN connections
can be established?

Is it enough to pass-through only PPPoE via BEFSX and to disable IPSec
and PPTP (I don't need to configure router-to-router networking)?

Thanks a lot. If you are so pleased, just answer privately to
leksem@leksem.com.pl (double "l" in my visible address is for
anti-spaming).

Cheers
Tomek