1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

BEFVP41 Multiple Connections from Dyn IPs

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by UptimeJeff, Mar 9, 2006.

  1. UptimeJeff

    UptimeJeff Network Guru Member

    I have a BEFVP41 in the main office. This is connected directly to the T1 with a static IP.

    We'll have 5 home users with dynamic IPs who will need to make simultaneous VPN connections. Some will use software and others will have BEFSX41 routers.

    I've setup my home and am connecting to the VPN just fine.. I have no issues with this.

    My question is about the setup of the BEFVP41:
    I'm not sure how I should setup the BEFFVP41 to receive connections from these different locations simultaneously.

    Do I setup a tunnel for each user <from any>, giving them unique shared secrets?


    Should I setup 5 tunnels all with the exact same setup <from any> and with same shared secret?

    I don't understand how, when the connection is negotiating, the BEFVP41 decides what tunnel to try and authorize the client to. If you have multiple <from any> tunnels, does it just try each tunnel until auth info matches?

    Any direction appreciated.

  2. TazUk

    TazUk Network Guru Member

    You'd setup 5 tunnels but specify a different remote secure group for each ie. person 1 would have a local address of 192.168.1.x, person 2 192.168.2.x, etc.
  3. UptimeJeff

    UptimeJeff Network Guru Member

    For the desktop home users, this will work because their LAN IP won't change. If the user has a laptop, their LAN IP will change depending on how/where they are connected.

    Your post did help, but I'm still confused about how the the router knows which tunnel to authenticate the user to.

    So suppose I have 20 laptop users who will be connecting from any address and their LAN addresses will change depending on where they are. How do I set that up?
    - 20 tunnels identical except different secrets?
    - 20 tunnels with the same secret?

    When the client connects, how does the server know which tunnel to attempt authenticating with?

    Thanks for your patience...
    I feel like I'm just missing one piece of the puzzle and things will fall into place.

  4. TazUk

    TazUk Network Guru Member

    I would say 20 tunnels with the same secret, the router should then use the first one that's available.
  5. UptimeJeff

    UptimeJeff Network Guru Member

    Resurfacing this topic

    I still haven't figured out how to set this up....

    My current testing is with a BEFSX41 which needs to have both tunnels available to accept a connection from anywhere.
    I need for multiple IPSec Clients (using client software) to connect to my BEFVP41 simultaneously.

    I setup both tunnels, each with:
    Remote Secure Group <any>
    Remote Secure Gateway <any>

    All settings for the tunnels are identical, including the secret, and this has been very carefully verified.

    If I test with two clients which are at different locations, either can connect to tunnel 1, but they are not able to connect simultaneously.
    The second client never connects to tunnel 2.

    My guess is that there's some way the server determines which tunnel the client should connect to. Since they're both set to any/any it tries to connect to the first tunnel.

    I know I could narrow things down with a dynamic IP client on the client side, or a range of IPs... But I can't really do that, I need each tunnel to accept any connection attempt (with correct secret of course). I can't really specific IP ranges or dynamic IPs because their are two tunnels which need to accept connections from more than two clients (only two simultaneous).

    So what am I missing?

    Should the two tunnels be configured identically?
    If so, then that's a config which isn't working for me.

    Any direction appreciated.

  6. HercNav

    HercNav LI Guru Member

    I hate to insult your intelligence (you've probably already thought of this), but what are the Local Addresses of the clients' laptops? Perhaps you should consider giving your clients a range within the same IP family. Let them all use the exact same secrets.

    IP address for client's Local Area Connection:
    You get the picture....

    Okay, now setup your VPN to establish multiple tunnels--as many as, if not more than, the number of users you expect will connect at any given time.

    Remote Secure Group: Subnet

    Remote Secure Gateway: Any

    Now hope that the previous advice is correct, and the client will connect to the first free tunnel....

    [Edit] Nevermind, I see that the Local Area Connection will change, as you suggested above, by the DHCP which gives the laptop user internet access....
  7. DocLarge

    DocLarge Super Moderator Staff Member Member


    I hate to put this out here seeing as we're jumping in linksys's azz about poor support, but you might consider a WRV54G or one of the RV0XX series routers because quickvpn will solve your problem. Now before anyone "cuss's me out," I'm only saying this because your road warriors are going to be your biggest pain to deal with because of them being all over the place.

    A WRV54G with 2.37.13 works great! Taz uses 2.38.6, I believe, and he has no problems either. I run vpn tunnels with my WRV54G all of the time when I'm not hosting endpoint connections for clients.

    The two biggest factors that determine functionality for your WRV54G is your ISP's network configuration and the firmware, from my experience.

    So, other than getting one of the two aforementioned routers, you'll just have to have your folks change their ip addresses each location they go to.

  8. TazUk

    TazUk Network Guru Member

    2.39 now ;)
  9. turtle2472

    turtle2472 Network Guru Member

    Rather than starting a new thread I thought I would add onto this one.

    DocLarge, TazUk or other knowledgeable person,
    I'm looking to set up a VPN on my SOHO network for when I'm out and about to connect into it from say a hotstop or family members house, etc. I would like access to all networks shared resources and also to connect to the net through the VPN top ensure encryption of data submitted at the open WiFi connections.

    I have a BEFSX41 but figured out it isn't what I need. Since I'm going to be getting a new VPN router I'm looking to get the best one for me.

    My home IP is dynamic though I have an account with Dyndns that I forward my web server through. So I can get to my router via myweb.dyndns.org. Of course my laptop will be on ever changing IP addresses. I would like something that is open for Mac OS X as well, though this isn't as crucial.

    My Topo is: HSI -> BEFCMU10 -> BEFSX41 -> EZXS16W -> WRT54G

    All computers are connected to the EZXS16W, this will be upgraded to a 10/100/1000 switch in the near future. I have a PAP2 connected directly to the BEFSX41 also. WRT54G is only used as an AP.

    I will only need about 4 tunnels max at one time. Thanks for your help.
  10. DocLarge

    DocLarge Super Moderator Staff Member Member

    Are you saying you want all of you vpn traffic to go through your vpn tunnel? Off hand, I know the wrv54g does not send traffic through the tunnel if you're using quickvpn. Also, with the wrv54g, I believe the "gateway" option was removed from the 2.39 firmware, but you'll have to confirm that through the forum of someone else in this thread. That option would also let you push vpn traffic through the router "if" you were using a third party IPSEC client with the builtin IPSEC server.

    However, if you're just concerned about making the most secure connection you can from a WIFI spot, then you'll most likely need to connect with an IPSEC VPN client. Should that be all you need, then you should go with a wrv54g, rv042/rv082 series router, or possibly the new wrv200 using either quickvpn or a third party vpn client. Here are some specs on the new WRV200 router:


    As you'll see in the post, I've already put one on backorder. I'm skeptical about it being able to do NAT-T and pass GRE, but if it doesn't, I'll just put it behind my SMCBR18VPN because it can pass those protocols, and all will be well :thumbup:

  11. turtle2472

    turtle2472 Network Guru Member

    Yeah, my plan is to put all my e-mail, web and FTP traffic through the VPN when I log in. Not hat I would do this all the time, but just the extra measures of security. I could edit my web site while mobile with little concern for security.

    Since I'm not in the market for another wireless option, it looks like the RV042 will fit my needs. I have 15MG/2MG DL/UL here at the house so I'm not too concerned about being able to support the speeds while remote.

    So with the RV042, is QuickVPN the only software to work? What about when I'm on my Mac, how do I connect then? Linksys is known for not supporting Mac so what option would I have here?

    Thanks for your input again!
  12. DocLarge

    DocLarge Super Moderator Staff Member Member

    Take a look at the simulator for the RV042 router and see if this helps:


    It appears that in this particular version, the RV042 doesn't support quickvpn. They've been talking about updated firmware that will do it, but with this particular older simulator version, it doesn't. However, this will give you better insight nonetheless...

  13. turtle2472

    turtle2472 Network Guru Member

    Thanks for that link.

    Looks like it will be able to do what I need. Does it support standard WinXP IPSec configuration or will I have to get a third party software?
  14. DocLarge

    DocLarge Super Moderator Staff Member Member

    I have "NEVER" been able to get that friggin' microsoft IPSEC policy to work, "EVER!" Obviously, it must be me because about 2 people on the entire net have spoken about they were able to make it work. If you can, good luck. If not, just use greenbow vpn or SSH Sentinel if you can still find a free copy on the net somewhere.

    There's also secure point services:


  15. turtle2472

    turtle2472 Network Guru Member

    Thanks again Doc. It looks like I'm gonna go with the RV042 and I'll have to plan out the software. I've heard a lot about greenbow, so I might go that route. What about Cisco VPN software? I have a copy of that for my job VPN, would it work for this router? Any idea?
  16. turtle2472

    turtle2472 Network Guru Member

    Hey DocLarge,
    I got the RV042 and it is working great for me. I have been able to VPN connect using QuickVPN as well as WinXP Connection Wizard VPN. I enable PPTP on the router and set up user account on the router. It worked well for me. I guess I'll have to RDC connect to one of my PC's once I VPN in, this seems like it would be the most secure. I'm not sure I want to run QuickVPN, while it is really simple, it's yet another program to be running in the background.

    I wasn't able to configure out the Cisco VPN software yet, but I only played with the connection for about 15 minutes at a local hotspot. I have the router configured so I can access it using the web through a specific port number allowing me to modify it on the run. I don't think I have it the best I can, but I was able to at least get into my network and open IP addresses for my other Linksys stuff.

    Any pointers for me to get the most out of this router? I configured most of my devices and PC's to have static IP addresses controlled by the routers web based software. Pretty cool to, very easy to understand and configure. Is there a way to access files on my NLSUS without having to use the web interface? Also, I saw something about modifying it and making it fast, any ideas on it? I'll search to forum a little later today for that if you don't have a recommendation for me.

    Also, I upgraded the firmware to be running from the Linksys site.

Share This Page