1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

BEFVP41 - VPN Connections to XP clients - I gave up

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by GSimpson, Feb 26, 2006.

  1. GSimpson

    GSimpson Network Guru Member

    Greetings:

    I recently bought a BEFVP41 so I could "dial into" my home LAN with my laptop while on the road.

    Like many (so I see) on this website, I first tried and gave up on configuring the "VPN client" that comes with Windows XP and tried a few "free" vpn clients.

    Greenbow: Sorry if I missed something here. 30Day EVAL license is not free in my book. De-installed 5 minutes after installing. I dident even bother configuring it.

    SSH Sentinel v1.3.2.2: While this client is actually free for non-comercial use, (if you can find it) AND can connect with the BEFVP41, HOWEVER, I was never able to connect with any network shares (or even ping any LAN devices) and while this client was installed it INSISTED on taking over my network connection EVEN IF I dident want to open a VPN tunnel. It also insisted on loading @ computer startup requesting a LAN connection. I removed it.

    Draytek_v3.2.5_VPN_Client: While this is intended for buyers/users of Draytek VPN routers, the client is freely available on the Draytek website and the license does not excude NON-Draytek owners from using it. This client installs as a virtual device driver, showing another network connection in the system tray. When the Client is not operating, your network connections remain UNTOUCHED. The client can reconfigure Windows VPN/permit settings on the fly.

    I found this client the easyest to install and use, HOWEVER I was still unable to ping/use any of my network shares on my home LAN.


    In the end, in one of the Forums I was reading another user gave up and installed a SMC VPN router which has a PPTP server. While I couldent find a SMC dealer in my area, I did find (at Frys) the DLINK DI804HV which has IPSEC, L2TP AND PPTP servers built in.

    I was up and using a WindowsXP "Network Wizard" created PPTP VPN connection (and pinging/using LAN shares) within 1/2 hour after getting home with the DI804HV.

    The BEFVP41 does have features that the DI804HV does NOT have:

    1. NAT on/OFF
    2. Firewall on/OFF
    3. Ability to use 255.255.0.0 LAN segment mask

    While I've found the multitude of "VPN help" configuring IPSec tunnels informative, there is little to NO published information on being able to actually USE or even ACCESS LAN resources on ether end of the VPN tunnel. While I'm sure its possible (its being done everyday) and quite possible with the BEFVP41, I found that for my "once in a blue moon" needs for a VPN tunnel to my home LAN resources is better served (and almost automaticly configured) by using a router with a built in PPTP SERVER and WindowsXP's "network connection wizard.


    Mark.
     
  2. TazUk

    TazUk Network Guru Member

    IIRC it's only v1.4.0.x or above of SSH Sentinel that's compatible with XP ;) I've successfully used it to connect to BEFVP41's :)
     
  3. DocLarge

    DocLarge Super Moderator Staff Member Member

    I think you might have missed this one due to being blinded by a 30 day evaluation client not being free :):

    http://www.linksysinfo.org/modules.php?name=Forums&file=viewtopic&t=6853

    I put it in bold where it illustrates how to access resources once connected to your tunnel. I personally use greenbow vpn client occasionally, but normally I use the builtin microsoft PPTP tunnels on my SMCBR18VPN router...

    Doc
     
  4. GSimpson

    GSimpson Network Guru Member

    Ahh, mapping windows shares.... never occured to me :D .

    (I did read the greensbow setup information in case it added extra insight to getting a connection functional)

    Actually, I never got that far as I was unable to ping the other side of the BEF, my Di624 or Buffalow (NAS) attached to the LAN side of it.

    The Buffalow (NAS) and Di624 have WEB servers that should be accessable from the BEF (heck the LAN side of the BEF's web/setup page should be!) besides the NAS does not need/require windows login/permits.

    The Di804Hv (like the SMC unit) has a builtin PPTP server, I'm able to ping attached LAN devices and even (almost) get the Di624/Di804hv's web pages to display.

    Much further along then where I was with the BEF, but still not quite there yet.
     
  5. DocLarge

    DocLarge Super Moderator Staff Member Member

  6. GSimpson

    GSimpson Network Guru Member

    Funny you should mention the SMCBR14/18VPN, after giving up on the BEFVP41 I went a-looking for one, (actually almost all over town) Saturday.

    When I found that I couldent find one locally I moved my search online, most places are out-of-stock on these units. Then I decided to re-research ALL models available and found the Di804HV to use ALMOST identical Firmware (different display colors, appears to be the same Tawian OEM?) was in the same price range ($69. at Frys) AND could be had locally I picked one up.

    I bought the BEFVP41/Di804hv to replace a old failing Multitek RF500 that needed to be swapped out. All this is still cheaper (I think) then getting a DSA3100 to segment my LAN into public/private sections. After doing some features hunting, I found that the cheaper consumer units don't have RIP support or Static Route support or Static DHCP options.

    DSL=>Di804hv=>
    Di804hv=>Linkstation
    Di804hv=>Wrt54gs/DDwrtfirmware (on roof)
    Di804hv=>Di624
    Di624=>2 printers, 4 desktops, 3 laptops, 1 handheld

    While this may be a bit off topic for a "linksys" centric forum, the Dlink folks are complaining about the PPTP/VPN link having to be on a different subnet then the Routers on ether end.

    The general thought being that each end of the tunnel SHOULD be within the local LAN's subnet so packets could be automaticly routed to/from it on ether end.

    The general "fix" from the Dlink forums is to 10.x.x.x address space for both LANS and PPTP/VPN tunnels instead of 192.168.x.x space.

    Oddly, on the Windows client end, if the 10.x.x.x space is used a "255.255.0.0" MASK is automaticly generated and applied to the VPN route while if 192.168.x.x space is used a "255.255.255.0" or "255.255.255.255" mask is generated.

    The former netmask would route all (well almost all) private subnet traffic through the tunnel while the latter would only route the tunnels subnet or address through the tunnel, requiring the user to add/create manual entrys into their local route table. (and possibly requiring manual entrys on the VPN-Router end)

    Now here's a question that I've yet to see answered fully: Where does the vpn-router place its end of the tunnel?

    A. Internet<>PublicIP<>Firewall<>LocalLANSegment

    B. Internet<>PublicIP<>Firewall<>LocalLANSegment
    ..................................Firewall<>VPN/PPTPSegment

    C. Internet<>PublicIP<>Firewall<>LocalLANSegment
    ..................PublicIP<>VPN/PPTPSegment<>Firewall<>LocalLANS

    Given that:
    Public IP is 71.111.x.x
    Local Lan segment is 192.168.0.x
    Local end vpn tunnel is 10.0.0.1
    Remote end vpn tunnel is 10.0.1.1
    Remote IP address is 192.168.1.x

    Do you:
    (local)
    A. Route 10.0.0.1 MASK 255.255.0.0 192.168.0.1
    B. Route 192.168.1.x MASK 255.255.255.0 192.168.0.1
    C. Route 192.168.1.x MASK 255.255.255.0 10.0.0.1
    D. Route 192.168.1.x MASK 255.255.255.0 10.0.1.1
    E. Route 10.0.1.1 MASK 255.255.0.0 192.168.0.1
    (remote)
    F. Route 192.168.0.x MASK 255.255.255.0 10.0.0.1
    G. Route 192.168.0.x MASK 255.255.255.0 10.0.1.1

    I remember our IT person having to setup "fake routes" on both ends of a IPSec tunnel to get the packets across:

    Route 192.168.0.x MASK 255.255.255.0 10.0.0.3<fake address
    Route 10.0.0.3 MASK 255.255.255.255 10.0.0.1<tunnel

    10.0.0.3 does not exist, however the two routes creates a packet that appears to be from a 10.0.0.x node on the 10.0.0 segment.


    GS.
     

Share This Page