
BEFSX41 to BEVP41 VPN

Discussion in 'Cisco/Linksys Wireless Routers' started by Bicycles, Jul 24, 2005.

  1. Bicycles

    Bicycles Network Guru Member

    I have a BEFSX41 on an XP machine at one location and BEVP41 at another location that has Win 2000 machines on its network. I managed to get the two connected according to each router's web utility. What I don't understand is what the next steps are. I thought I would be able to see shared network drives on the remote networks by going to My Network Places and browsing, and seeing the remote network, but I don't. What else might I be missing? Do I need to assign IpSec policies on either or both networks?

    Thank You,
    Ben
     
  2. DocLarge

    DocLarge Super Moderator Staff Member Member

    Once you’ve made the connection and you want to connect to a shared resource that you have rights to, open up windows explorer and click on “map a network drive.” After clicking on that, choose a drive letter and type the ip address of a computer you have rights to on that network. You would type the following: \\192.168.1.10\sharename
    Where you see sharename would be where you would substitute the name of a folder you have share permissions to access (i.e., \\192.168.1.10\vpn).

    Before you click finish, click on “connect as different user” because in order to connect, that local computer needs to have a username and password created on it so it recognizes who you are. When you click this link, you’ll be asked to type in a username and password that has rights to the machine. Click O.K., then click finish. The shared resource you’ve been given access to should pop up! If the account you’re connecting to has the permissions set properly, you’re all good now!

    Here’s one last tidbit: if someone has connected to a shared resource on your computer via quickvpn, you won’t be able to connect out using Quickvpn to “the same connection” that’s coming in, namely, the remote end client that is currently connecting to you. However, you can traverse the incoming connection and connect “in a reverse fashion” if the connected user has a username and password, to include a shared folder on its end available for you. If so, just click "map a drive" and type the ip address and share name of the vpn client that's connecting to you, click "connect as different user", type in a username and password that's recognized, then click "okay" and "okay." You should be able to see your shared folder on the computer that originally connected to you for remote access!

    Be sure that you have DNS and active directory running on your network, otherwise, you'll have to add a username/password of each remote user to every computer if they need access to all of your network resources.

    Doc
     
  3. Bicycles

    Bicycles Network Guru Member

    THANK YOU!!!! I mixed up \\ and //, etc, but finally found the right way.

    Now, should I be able to connect 3 different BEFSX41 to the same BEVP41 at the same time? That's my goal.

    Have a great day!
    Ben :D
     
  4. DocLarge

    DocLarge Super Moderator Staff Member Member

    Greenbow VPN Made Easy (Courtesy of the Good Doctor...)

    If you are referring to having these routers at three different locations while 3 different users connect (via each router) using a third party vpn client such as the greenbow vpn client, yes. You'll just have to make sure that you program a route for "each" router to connect by ensuring you have a suitable vpn client (again, greenbow vpn).

    Here are some instructions I put together for connecting with the greenbow vpn client:

    --------------------------------------------------------------------------------------
    GREENBOW VPN SETUP GUIDE!!!!!

    Use version 2.50 (or latest version) of the greenbow client by the way. Also, third party vpn clients "will not" connect to a WRV54G if you are connecting from behind another WRV54G; you will have to make a "direct connection" (computer to modem) to connect. Linksys devices that do not have this NAT-T problem when "hosting" VPN tunnels are the WAG54G ADSL Gateway (sold over here in England and Europe) which supports 5 IPSEC tunnels, the BEFVP41, which supports 50 IPSEC tunnels, and the BEFSX41, which supports 2 IPSEC tunnels. If you want to make a secure vpn connection to a WRV54G, you'll need to use the Linksys Quickvpn client, or configure a WRV54G to WRV54G dedicated tunnel.

    Below is a "step-by-step" baseline example to get started.

    Phase I (Greenbow VPN Client):
    1) Tunnel: The name you use should be the same on the router you're connecting to
    2) Interface: leave it as an asterisk.
    3) Remote gateway: This is the WAN address (ISP provided ip address) of the router you're trying to connect to obviously.
    4) Pre-shared key: Use a hexadecimal string beginning with 0x (i.e. 0x123456789 with most other routers); if you are connecting to a WRV54G, upper or lowercase words seem to work better (meagainstwhomever).
    5) Certificate: N/A
    6) Encryption: Use 3DES
    7) Authentication: SHA (the equivalent on the WRV54G is SHA1)
    8) Key Group: Set this to DH1024
    9) Save and apply settings.

    Phase II (Greenbow VPN Client):
    1) Tunnel Name: Same as Phase I
    2) Vpn client address: This is "your" WAN ip address (provided to you by your ISP) if you are connecting directly to a modem; use the local LAN IP if you are behind a router that supports NAT-T (again, the WRV54G, right now, does not support this feature; use quickvpn instead).
    3) Address Type: Use "Subnet" address. Input the Remote LAN's local IP settings
    (i.e.) Local IP: 192.168.1.5
    Subnet: 255.255.255.0
    4) Encryption: 3DES
    5) Authentication: SHA
    6) Mode: Tunnel
    7) PFS: Ensure this box is checked
    8) Group: The group should be dh1024
    9) Save and apply settings

    Additionally, make sure you set the "maximal lifetime settings" for encryption and authentication to "3600." You can do this by clicking on the "parameters" link.


    ON THE ROUTER

    IPSEC: Enabled
    PPTP: Enabled
    L2TP: Disabled

    Tunnel Name: Same as Greenbow
    VPN Tunnel: Enabled
    VPN Gateway: Disabled

    Local Secure Group: Your local router settings. Either host or subnet work (I prefer subnet)

    Remote Secure Group: This is the router/client at the distant end. Either input the local LAN settings of the “remote” router/client by choosing the “Subnet” option or use “Any” to make your initial connection; I’d recommend using “Any” first (handles all incoming connections). Try using “Subnet” to specify connections (Local LAN IP and Subnet) after you get the hang of it. “Any” isn’t too secure but allows you to see the connection for the first time without breaking a sweat. Once you understand the configuration better, vary your configuration.

    Remote Secure Gateway: This is the WAN IP “or” the FQDN of the router/client that is going to be connecting to your router. My personal success comes from using “Any” and “FQDN.” Use FQDN if you have registered a dynamic dns name (you can do this at www.dyndns.org).

    Encryption and Authentication is 3DES and SHA1.

    Key Management: Auto(IKE) [Enabled]
    PFS: Enabled
    Pre Shared Key: Same as Greenbow
    Key Lifetime: Same as Greenbow

    Click “Advanced VPN Tunnel Setup”:

    Phase I:

    Mode: Main
    Encryption: 3DES
    Authentication: SHA1
    Group: Same as Greenbow
    Key Lifetime: Same as Greenbow

    Phase II:

    Encryption: 3DES
    Authentication: SHA1
    PFS: Enabled
    Group: Same as Greenbow
    Key Lifetime: Same as Greenbow

    Under “Other Options,” check the “Netbios” option and leave all others blank, unless required.

    ONCE YOU GET CONNECTED:

    Once you’ve made the connection and you want to connect to a shared resource that you have rights to from a remote location, on the "client" computer, open up windows explorer and click on "tools," then “map a network drive.” After clicking on that, choose a drive letter and type the ip address of a computer you have rights to on that network. You would type the following: \\192.168.1.10\sharename

    Where you see sharename would be where you would substitute the name of a folder you have share permissions to access (i.e., \\192.168.1.10\vpn).

    Before you click finish, click on “connect as different user” because in order to connect, that local machine needs to have a "username and password" created on it so it recognizes who you are. If you are part of a domain, make sure that your "domain user account" has been added to each computer you want to access remotely.

    When you click this link, you’ll be asked to type in a username and password that has access rights. Click O.K., then click finish. The shared resource you have been given access to should pop up! If the account you’re connecting to has the permissions set properly, you’re all good now!

    VERY IMPORTANT: Make sure all of your greenbow settings match your router settings and that the remote ip settings are different from your own!

    Just in case anyone new to this forum doesn't understand the difference between PPTP server settings and Linksys Quickvpn, the settings listed above for greenbow connectivity are "specifically" intended for use with the built-in pptp server that comes with the WRV54G/RV0XX/BEFVP41 (50 available tunnels) and BEFSX41 (2 tunnels) routers. The difference is that with the WRV54G/RV0XX routers, the quickvpn client sets all of this up when it loads on the client computer. Additionally, quickvpn uses MD5 for authentication whereas greenbow gives you the option for SHA and MD5.

    Here are some brief examples to connect greenbow to your router:

    Config #1

    Local Secure Group: Subnet
    Remote Secure Group: Any
    Remote Secure Gateway: Any

    Config #2

    Local Secure Group: Host
    Remote Secure Group: Host
    Remote Secure Gateway: FQDN

    I'm not sure how successful you might be with dialup; these settings have been verified successfully over broadband, but try anyway and see what happens...

    DocLarge
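
The guide above ends on two checks: every Greenbow setting must match the router, and the remote LAN must differ from your own. The following is an added example, not part of the original post and not Linksys or Greenbow code, that runs those checks over two settings dictionaries; the key names are hypothetical and all sample values are constructed.

```python
import ipaddress

# Settings the guide says must be the same on the client and on the router.
MUST_MATCH = ("tunnel_name", "p1_enc", "p1_auth", "p1_group",
              "p2_enc", "p2_auth", "p2_group", "pfs", "lifetime")

def norm(value):
    """Compare case-insensitively; the router labels the client's 'SHA' as 'SHA1'."""
    v = str(value).strip().upper()
    return "SHA1" if v == "SHA" else v

def check_tunnel(client, router):
    """Return a list of problems; an empty list means the two sides agree."""
    problems = []
    for key in MUST_MATCH:
        if norm(client.get(key)) != norm(router.get(key)):
            problems.append(f"mismatch {key}: client={client.get(key)!r} "
                            f"router={router.get(key)!r}")
    # Pre-shared keys are compared exactly and never echoed into the report.
    if client.get("psk") != router.get("psk"):
        problems.append("mismatch psk")
    # "Remote ip settings are different from your own": the LANs must not overlap.
    own = ipaddress.ip_network(client["own_lan"], strict=False)
    remote = ipaddress.ip_network(router["lan"], strict=False)
    if own.overlaps(remote):
        problems.append(f"overlap: client LAN {own} and router LAN {remote}")
    # The post itself calls "Any" not too secure once the first connection works.
    if norm(router.get("remote_secure_group")) == "ANY":
        problems.append("note: Remote Secure Group is Any; narrow it to a subnet")
    return problems

# Constructed sample values, not taken from any real device.
BASE = {"tunnel_name": "office", "psk": "constructed-example-key",
        "p1_enc": "3DES", "p1_group": "DH1024", "p2_enc": "3DES",
        "p2_group": "DH1024", "pfs": True}
CLIENT = dict(BASE, p1_auth="SHA", p2_auth="SHA", lifetime=3600,
              own_lan="192.168.1.20/255.255.255.0")
ROUTER = dict(BASE, p1_auth="SHA1", p2_auth="SHA1", lifetime=28800,
              lan="192.168.1.5/255.255.255.0", remote_secure_group="Any")
FIXED_CLIENT = dict(CLIENT, own_lan="192.168.10.20/255.255.255.0")
FIXED_ROUTER = dict(ROUTER, lifetime=3600, remote_secure_group="Subnet")

if __name__ == "__main__":
    for line in check_tunnel(CLIENT, ROUTER):
        print(line)
```

The first pair reports the lifetime mismatch, the overlapping 192.168.1.0/24 LANs and the "Any" group; the fixed pair reports nothing.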
     
  5. Bicycles

    Bicycles Network Guru Member

    As I understand it (or at least what I would like), if I use 3 different BEFSX41 routers at 3 different locations, they will all be able to be connected to the one BEFVP41 at another location, all at the same time.

    If a software method would work better, I'll consider it too.
    Thank you,
    Ben

    > If you are referring to having these routers at three different locations while 3 different users connect (via each router) using a third party vpn client such as the greenbow vpn client, yes. You'll just have to make sure that you program a route for "each" router to connect by ensuring you have a suitable vpn client (again, greenbow vpn).
     
  6. DocLarge

    DocLarge Super Moderator Staff Member Member

    Oooops, if you are also talking about establishing a router "gateway-to-gateway" configuration, you can do that also...

    Let me know if you need to see some examples of a router-to-router configuration.

    Doc
     
