BEFVP41 Stable? Issues?

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by sbnt, Oct 8, 2005.

  1. sbnt

    sbnt Network Guru Member

    Just bought a BEFVP41, configured it for my home and shortly after have experienced some issues. First, I set the gateway to 192.168.2.1 (default from 1.1). Rebooted the router and adjusted my IP address from 1.1 to 2.1 etc. Went back to the config page fine, then when I went to another page I could no longer access the config page at all. Eventually had to reset the device and start all over.

    Next I encountered a more serious issue after getting it set up (while the WAN was disconnected). Whenever I would try to go out to the internet the router would reboot. Network connection would go on and off each time I refreshed a page or tried to open up a page.

    I also found that the VPN would not connect to a PIX firewall.

    Is this router known to be a problematic one? The reason I ask is this is only the second BEFVP41 I have ever worked with. The first belonged to a friend who I found out later purchased another router.
     
  2. TazUk

    TazUk Network Guru Member

    Never had any problems with the ones I've set up :?

    When you say you changed the IP address of the gateway I assume you mean the router's LAN address?
     
  3. sbnt

    sbnt Network Guru Member

    Correct, it is the internal LAN address. I have now had to 'reset' the device about 5 times, this device just does not seem to like being on a 2.1 network.

    I think I have already decided come Monday morning to return this. The only reason I bought this was to make a VPN tunnel to my office. But with the price of 1700 series routers about the same now, I can just get a Cisco router and at least be assured I will have no issues making a VPN.

    But, in the meantime I did try to get this Linksys to work all weekend with no success. Either the #*$@ would reboot every time I tried to access something across the internet, or I just would not be able to access the device at all. Overall considering this is the 2nd attempt at one of these units I am less pleased with Linksys than ever before. I think it will be a cold day in hell before I ever purchase a Linksys product again.

    This takes into account of course how many clients I have that have issues using Linksys Wifi routers with non-Linksys adapters. Sad because years back their products were top of the line in their price range.
     
  4. DocLarge

    DocLarge Super Moderator Staff Member Member

    Is this a more recent version of the befvp41 you've bought? Just as Taz was saying, this particular model has been the "bedrock" of vpn connectivity for linksys prior to the WRV and RV0XX series. It has never "not" been recommended.

    Off the cuff, did you try upgrading the firmware?

    Doc
     
  5. sbnt

    sbnt Network Guru Member

    This is a ver. 2 model. The firmware ver. is also the only one available (1.01.04 - 3/08/2005).
     
  6. sbnt

    sbnt Network Guru Member

    Well, I gave it another try today and it has interestingly been stable. So far everything has been working ok, except for VPN tunnel.

    I don't know if I should start a new thread on this in another folder or not. Here is the config on my Cisco PIX:
    ip address outside 6x.xxx.xxx.xx 255.255.255.248
    ip address inside 192.168.1.1 255.255.255.0

    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set Cisco esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map cisco 1 set peer 2x.xxx.xxx.xx
    crypto dynamic-map cisco 1 set transform-set Cisco ESP-DES-SHA ESP-DES-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5
    crypto map dyn-map 20 ipsec-isakmp dynamic cisco
    crypto map dyn-map interface outside
    isakmp enable outside
    isakmp key ******** address 2x.xxx.xxx.xx netmask 255.255.255.255
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 1
    isakmp policy 20 lifetime 86400

    vpdn group PPTP-VPDN-GROUP accept dialin pptp
    vpdn group PPTP-VPDN-GROUP ppp authentication mschap
    vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required
    vpdn group PPTP-VPDN-GROUP client configuration address local VPN
    vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.1.2 192.168.1.4
    vpdn group PPTP-VPDN-GROUP client configuration wins 192.168.1.2 192.168.1.4
    vpdn group PPTP-VPDN-GROUP pptp echo 60
    vpdn group PPTP-VPDN-GROUP client authentication local
    vpdn username adminvpn password *********
    vpdn enable outside
    vpdn enable inside

    Here is the log output on the Linksys BEFVP41:
    2005-10-10 22:01:07
    2005-10-10 22:01:07 IKE[1] Tx >> AG_I1 : 6x.xxx.xxx.xx SA, KE, Nonce, ID
    2005-10-10 22:01:07 IKE[1] Rx << AG_R1 : 6x.xxx.xxx.xx SA, VID, VID, VID, VID, KE, ID, NONCE, HASH
    2005-10-10 22:01:07 IKE[1] ISAKMP SA CKI=[861417a7 8c843633] CKR=[b0b3d1ec 9f7df067]
    2005-10-10 22:01:07 IKE[1] ISAKMP SA DES / MD5 / PreShared / MODP_768
    2005-10-10 22:01:07 IKE[1] Tx >> AG_I2 : 6x.xxx.xxx.xx HASH
    2005-10-10 22:01:07 IKE[1] Tx >> QM_I1 : 6x.xxx.xxx.xx HASH, SA, NONCE, ID, ID

    One problem is I have changed the config on both so many times I believe somewhere I might have screwed up. I have re-read the Cisco config over and over and cannot seem to see what I might have done wrong. Any ideas?
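
Added example, not part of the original post: a small Python parser for the Linksys IKE log lines quoted above, reporting how far the negotiation got and which negotiated parameters are weak. It assumes the AG_* and QM_* labels are the router's names for IKEv1 aggressive-mode and quick-mode messages; the function names are illustrative.

```python
import re

# Log lines copied from the post above (peer address redacted by the poster).
SAMPLE_LOG = """\
2005-10-10 22:01:07 IKE[1] Tx >> AG_I1 : 6x.xxx.xxx.xx SA, KE, Nonce, ID
2005-10-10 22:01:07 IKE[1] Rx << AG_R1 : 6x.xxx.xxx.xx SA, VID, VID, VID, VID, KE, ID, NONCE, HASH
2005-10-10 22:01:07 IKE[1] ISAKMP SA CKI=[861417a7 8c843633] CKR=[b0b3d1ec 9f7df067]
2005-10-10 22:01:07 IKE[1] ISAKMP SA DES / MD5 / PreShared / MODP_768
2005-10-10 22:01:07 IKE[1] Tx >> AG_I2 : 6x.xxx.xxx.xx HASH
2005-10-10 22:01:07 IKE[1] Tx >> QM_I1 : 6x.xxx.xxx.xx HASH, SA, NONCE, ID, ID
"""

MSG_RE = re.compile(r"IKE\[\d+\] (Tx >>|Rx <<) (\w+) : (\S+) (.*)$")
SA_RE = re.compile(r"ISAKMP SA (\w+) / (\w+) / (\w+) / (\w+)$")
WEAK = {"DES", "MD5", "MODP_768"}  # single DES, MD5 hash, DH group 1 (768-bit)

def parse(log):
    """Return (messages, negotiated_sa) from the router's IKE log text."""
    msgs, sa = [], None
    for line in log.splitlines():
        line = line.strip()
        m = MSG_RE.search(line)
        if m:
            msgs.append({"dir": "tx" if m.group(1).startswith("Tx") else "rx",
                         "msg": m.group(2),
                         "payloads": [p.strip() for p in m.group(4).split(",")]})
            continue
        s = SA_RE.search(line)
        if s:  # the CKI/CKR cookie line does not match this pattern
            sa = dict(zip(("cipher", "hash", "auth", "dh"), s.groups()))
    return msgs, sa

def diagnose(log):
    """Summarise where the exchange stopped and which parameters are weak."""
    msgs, sa = parse(log)
    seen = {(m["dir"], m["msg"]) for m in msgs}
    return {
        "aggressive_mode": any(m["msg"].startswith("AG_") for m in msgs),
        "phase1_sa_negotiated": sa is not None,
        # Quick mode request went out but no QM_R1 reply was logged.
        "phase2_unanswered": ("tx", "QM_I1") in seen and ("rx", "QM_R1") not in seen,
        "weak_params": sorted(v for v in (sa or {}).values() if v in WEAK),
    }
```

On the posted log this reports a negotiated phase 1 SA using DES, MD5 and MODP_768 (the same parameters as the PIX's `isakmp policy 20`) and a QM_I1 with no QM_R1 reply, which points at phase 2 (the quick mode proposal and ID payloads) as the place to look.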
     
  7. DocLarge

    DocLarge Super Moderator Staff Member Member

    I've read in other forums that NAT has to be implemented before IPSEC in order for an IPSEC VPN tunnel to work.

    Doc
     
  8. sbnt

    sbnt Network Guru Member

    I added the following:

    isakmp nat-traversal 20

    But this did not seem to change anything. In the PIX, I do not know if or how you change the order to specify that NAT is implemented before IPSEC.


    isakmp enable outside
    isakmp key ******** address 2x.xxx.xxx.xx netmask 255.255.255.255
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 1
    isakmp policy 20 lifetime 86400
     
  9. owenmpk

    owenmpk Guest

    BEFVP41

    I have 2 BEFVP41 and have never been able to get a VPN client to attach, I gave up and purchased a PIX 501 and use the Cisco VPN 3000 client which works great! I would like to get my BEFVP41 working just for knowledge but for my clients I will stick with the PIX 501.
     
  10. sbnt

    sbnt Network Guru Member

    You know I think I have about given up on Linksys altogether. The only reason I got this one is because supposedly this is the one Linksys VPN device that CAN work with Cisco PIX VPNs. I followed a discussion thread at Cisco's site titled "Linksys BEFSX41 VPN to Pix 515E". The end result was the BEFSX41 did not work but a BEFVP41 does. I even tried the suggested config without success. Reading through more threads I think the conclusion is that Linksys VPN solutions just do not work with Cisco VPNs. Kind of sad when you consider Cisco has owned Linksys for some time now, and they brand their logo on Linksys devices now. I would think that something as basic as an IPSec tunnel should be compatible.

    At this point I think I am just going to look at a Cisco 1700 series modular router with an ethernet interface that I could just put behind my firewall and create a site to site tunnel. At least then I am assured no compatibility issues, which should not exist in the first place anyways with Linksys.

    Linksys has really gotten in my dog house of late. Besides this I have had to encounter numerous issues with their Wifi solutions, yet I have never once had an issue with a D-Link AP or Router.
     
  11. sbnt

    sbnt Network Guru Member

    Just wanted to add. I went and set up a Linux based firewall called m0n0wall (http://m0n0.ch/wall). Site to site vpn to a Cisco PIX took about half a minute and it was up without any issues. Another firewall that looks promising is Endian (http://www.efw.it/wiki) based off IPCop. So if anyone is looking for a more robust firewall with more features for no cost here they are. Nice thing about the m0n0wall is you can save the config to an XML file. Installation takes just a couple of minutes. The Linksys router on the other hand will be returned ASAP. Sorry Linksys, I am just one who prefers things to actually work.
     
  12. DocLarge

    DocLarge Super Moderator Staff Member Member

    SBNT,

    At this point, I'd be willing to place my money on version and firmware. As both Taz and I have stated, the befvp41 has been the "only" working vpn router for linksys prior to the WRV and RV0XX series routers.

    Unfortunate that it wouldn't work for you though :(

    Try it again once you set up your PIX :)

    Doc
     
  13. sbnt

    sbnt Network Guru Member

    The PIX has already been set up and worked fine for a long time using PPTP and the Cisco client. There is only one version available on Linksys's support site of the firmware, and that is what is on the device. At this point I think the m0n0wall will work much better anyways, since first it is free, second the site to site VPN works flawlessly. I already have set up my SIP phone at home and it works just as if I was at the office.

    The BEFVP41 may be good in some circumstance for VPNs, but it is in my opinion kind of pathetic that it cannot work with a Cisco PIX. The more I have scoured the internet the more people I see now say the same thing. They tried and had to learn the hard way that the two are just not compatible.
     
