BEFVP41 + SSH - arrrrgh!

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by Razor, Aug 18, 2004.

  Razor

    Razor Network Guru Member

    OK I had to bin the WRV54 and swapped it out for the BEFVP + WAP54g and I'm VERY happy with the WAP. It works extremely well, with such reliability.

    But, now on to the VPN setup. I've configured Sentinel and can establish a connection. Checked BEF log and SSH all ok. BUT several questions:

    1. I see no IP address allocated to the Sentinel 'Virtual' network card when I call Ipconfig - so what IP has my client been assigned?

    2. I guess because of the low level nature of Sentinel that it manages the routing as I can ping my local LAN fine - but there's nothing in the route table.

    3. Why does the VPN connection drop regularly?

    4. Why does the Sentinel 'Diagnostics' report everything's ok but I cannot establish a tunnel (occasionally).

    5. From the client why can't I 'Run' \\Local.LAN.IPAddress.of machine and bring up the LAN machine's shares? - do I need to enable Netbios over TCP/IP - how? Or do I need to link Client for MS Networks + File/Printer sharing idea how to bond them...there's no Network icon for my VPN connection!!!

    Blimey...this isn't easy....

    So, I can ping the local lan but that's it so far, oh and of course the connection regularly drops.

    One more thing - my BEF is a V1 hardware machine, looking through the firmware detail it appears that only V2 units are ICSA approved. The V2 has completely different updates and are more recent. Should I have been sent a V2 - only bought the unit last week....???

  Razor

    Razor Network Guru Member

    Solved question 5.

    I'm running ZoneAlarms on the machine I'm trying to see its shares. ZA sees an incoming WAN address trying to establish a port 445 connection and naturally blocks it.

    Uhm, why does my VPN connection show up as a WAN address? Why can't the VPN software dedicate a private LAN address to the client then fool the private LAN into thinking the client is really connected to the same LAN and not via a WAN IP...

  JonAlthoff

    JonAlthoff Network Guru Member

    I'll try to make it to the shop and test out again my configuration for SSH to a BEFVP41. I will try to help answer from memory.

    1. Your IP should be configured using the IP address of your network card or dial-up connection. Maybe SSH allows you to pre-set an IP address. I'll double check.

    2. Not too knowledgeable on routing tables.

    3. Without knowing more about your connection for your remote I'd say it would be impossible to answer this.

    4. How is your BEFVP41 configured and what is your remote setup like?

    5. As far as I remember you should be able to run \\\ and bring up the shares of the machine. I don't think netbios needs to be enabled unless you want to actually see the machine names and the workgroups while browsing the network.

    6. Linksys swapped the WRV54G out with a BEFVP41 version 1 and not a 2? No then you say you bought a new BEFVP41. Did you attempt to contact Linksys about exchanging the WRV54G for a BEFVP41 and a WAP54G? I know they have done this for others. I started to consider it myself. I may even pick up a BEFVP41 and use it as my router and use the WRV54G as an access point. I'd say the version 1 BEFVP41 should work. I'd guess that the version 2 BEFVP41 would be a better choice. I think the internet runs faster on the ver 2 vs. the ver 1.

    #5 part 2. I'd guess that any incoming connection would be treated as a LAN connection if it is not on the same subnet or a private subnet. 192.168.X.X or 10.X.X.X. Need more info on remote connection.

  JonAlthoff

    JonAlthoff Network Guru Member

    I cannot make DHCP work over the VPN. Maybe the BEFVP41 does not support this. I have a Win2K server running DHCP maybe that's why. I also tried another BEFVP41 and could not receive DHCP information over VPN.

    I am able to run \\\shared folder\executable.exe

  Razor

    Razor Network Guru Member

    Hi Jon

    Thanks very much for the replies, much appreciated. Yes, I have swapped the WRV54g for the BEFVP and WAP54g and am now quite happy. Both work very well.

    1. The BEFVP is a V1, which I was surprised about until I visited the Linksys site where they ONLY offer the V1 firmware upgrade i.e. destined for V1 hardware. On the other hand, the site offers either V1 or V2 but primarily the V2 - so I conclude that all UK units are V1 ;-( ??

    Not sure if this is a bad thing but I’m curious.

    2. Browsing my LAN (\\myip\myshare) works fine over the VPN only when I disable ZA on the LAN machine, however that now makes sense as ZoneAlarms (ZA) 'sees' the incoming port 445 requests as emanating from a WAN IP (the ip of the VPN client's ISP). BUT, this is a real problem as ZA can never distinguish data coming through the BEF VPN connection and any other WAN connection. Of course, if my client held a static IP then I could create a rule for ZA but my client will always be DHCP.

    So now I'm stuck with having to disable ZA until I find a solution.

    3. But another question - assume the client running Sentinel is behind a corporate firewall it will try and establish a tunnel to the VPN router through UDP port 500. That's a problem too if the firewall doesn't allow data out of port 500! I wonder how I can redirect port 500 data out through one of the firewall’s open ports? Uhm, there is an app called Htthost/Httport which may help here???

    4. My connection seems much more reliable lately, so I wonder if it was more of an ISP thing rather than my actual set-up??

    Cheers Jon - BTW, can you recommend a couple of other VPN help forums?

  JonAlthoff

    JonAlthoff Network Guru Member

    I liked the version 1 because it has 70 tunnels instead of only 50 with the version 2. The Version 1 has some problems. FQDN/DNS gives me troubles all the time. I'm not sure yet why. Since the DDNS for DYNDNS doesn't work in the router I started using No-IP Dynamic services. I'm now thinking I need to change my ipcheck time from 30 minutes to something far lower. The version 1 has problems with running a traceroute. It sounds like it should be fine for what you are doing. I have many of them in locations I need access to and they sometimes access each other. Maybe the version 2 is not available in UK. Some cryptography laws could possibly prevent this but I'm not sure. The version 2 router could have a faster processor or more memory.

    I think in Zone Alarm you should be able to add a LAN or ip address subnet that is allowed to pass through the firewall.

    I don't know if you can select a port in Sentinel. I'd guess you could try to port forward a port in the BEFVP41 to port 500 and the ip address of the router. I've tried forwarding a port to the router for remote administration and it works.

  Razor

    Razor Network Guru Member

    Yes you can add a LAN subnet to ZA, that's no problem but it doesn't help. The problem is ZA sees the Sentinel client as a WAN IP and not a LAN IP and so blocks it as it should. Of course had the client actually been connected to the LAN then ZA would allow it through due to the local LAN subnet rule.

    Tricky eh?

    sorry not sure what you mean here. The client VPN connection sits behind a firewall and tries to establish a VPN connection with the outside BEFVP on port 500. There is no need to port forward 500 in the BEFVP as this traffic doesn't find its way onto the LAN behind the BEFVP.

    The problem is trying to get Sentinel to use a port other than 500. I'm sure there must be an app out there somewhere which does exactly this :) just needs a little more Googling I'd guess.

  TazUk

    TazUk Network Guru Member

    The way I got around it was to setup a DynDNS account for the client and then specified this domain name rather than the public IP in ZAP :)
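The two posts above describe the same host-firewall problem from both sides: a subnet-only rule on the LAN machine blocks the VPN client because its packets carry the ISP-assigned WAN address, while a rule keyed on a DynDNS hostname works because the firewall resolves that name at connection time. The following is an added example written for this thread, not code from the original posts or from ZoneAlarm or Linksys; it models both rules over a constructed set of incoming TCP 445 attempts. The LAN range, the client's addresses and the hostname are assumptions, and DNS resolution is replaced by an in-memory table so it runs offline.

```python
import ipaddress
from typing import Callable, Iterable, List, Tuple

# Constructed sample of incoming SMB (TCP 445) connection attempts as the host
# firewall on the LAN machine would see them. Not taken from the thread.
SAMPLE_CONNECTIONS: List[Tuple[str, int]] = [
    ("192.168.1.20", 445),  # another machine on the LAN behind the BEFVP41
    ("81.2.3.4", 445),      # the Sentinel VPN client: arrives with its ISP-assigned WAN address
    ("203.0.113.9", 445),   # an unrelated internet host probing SMB
]

# Private LAN behind the BEFVP41 (assumed address range for this example).
LAN_SUBNETS = [ipaddress.ip_network("192.168.1.0/24")]

# Hypothetical DynDNS hostname the roaming client keeps updated.
CLIENT_HOSTNAME = "vpn-client.example.invalid"


def fake_resolver(hostname: str) -> str:
    """Stand-in for a DNS lookup so the example runs offline.
    Returns the address the hypothetical DynDNS record currently holds."""
    records = {CLIENT_HOSTNAME: "81.2.3.4"}
    return records[hostname]


def is_trusted_source(src_ip: str, lan_subnets, trusted_hostnames: Iterable[str],
                      resolve: Callable[[str], str]) -> bool:
    """Allow if the source lies inside a LAN subnet, or if it equals the address a
    trusted hostname resolves to at connection time (the hostname-based rule)."""
    ip = ipaddress.ip_address(src_ip)
    if any(ip in net for net in lan_subnets):
        return True
    for name in trusted_hostnames:
        try:
            if ipaddress.ip_address(resolve(name)) == ip:
                return True
        except (KeyError, ValueError):
            # Unresolvable or malformed record: fail closed for this name.
            continue
    return False


def classify(connections, lan_subnets, trusted_hostnames,
             resolve) -> List[Tuple[str, int, str]]:
    """Return (src_ip, dst_port, 'allow' | 'block') for each attempt."""
    return [
        (src, port,
         "allow" if is_trusted_source(src, lan_subnets, trusted_hostnames, resolve) else "block")
        for src, port in connections
    ]


def subnet_rule_only():
    """The rule Razor tried: only the local LAN subnet is trusted."""
    return classify(SAMPLE_CONNECTIONS, LAN_SUBNETS, [], fake_resolver)


def subnet_plus_hostname_rule():
    """TazUk's workaround: LAN subnet plus the client's DynDNS hostname."""
    return classify(SAMPLE_CONNECTIONS, LAN_SUBNETS, [CLIENT_HOSTNAME], fake_resolver)


if __name__ == "__main__":
    for label, result in (("LAN subnet rule only", subnet_rule_only()),
                          ("LAN subnet + DynDNS hostname rule", subnet_plus_hostname_rule())):
        print(label)
        for src, port, verdict in result:
            print(f"  {src}:{port} -> {verdict}")
```

The subnet-only rule blocks the client along with the stranger; the hostname rule admits only the address the name currently resolves to, so the stranger stays blocked. The weak point of the hostname approach is visible in the code: the decision is only as good as the DNS answer, so a stale record after the client reconnects means a block, and anyone who can answer that lookup controls the rule.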

  Razor

    Razor Network Guru Member

    Nice Taz....hadn't crossed my mind. I've never used DYNdns or any similar service before so off to find out a bit more...cheers matey

    so, do you set up a free account then use an app on the client to detect the new IP upon a dial up connection. Then somehow ZA detects that the incoming has a * domain and allows it to pass - have I got the gist??

    How does dynDNS update all the DNS servers so quickly - normally this takes 24 hours!?

  TazUk

    TazUk Network Guru Member

    Yep, there are a number of free utilities which can update a DynDNS account when a new IP is detected.

    Well in ZA you just enter the domain name, i.e., and of course a lookup of that domain will give your laptop's IP address.

    It takes 24 hours for a change to replicate around the net, these domains are setup a bit different so replication doesn't happen. All DNS requests go to DynDNS's DNS servers, which they can update as quickly and as often as they like :)
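The reason a DynDNS name is picked up within minutes while an ordinary record change can take a day is the TTL on the record: caching resolvers keep an answer only for its TTL, and dynamic DNS providers publish very short TTLs (typically a minute or so) so every resolver is forced back to their authoritative servers almost immediately. The following is an added example, not code from the thread or from any DNS provider; it models a TTL-honouring cache with a fake clock and two constructed records, one with a one-day TTL and one with a 60-second TTL, and shows what each lookup returns after both addresses change at the authority. The names, addresses and TTL values are assumptions.

```python
import time
from typing import Callable, Dict, Tuple

# Constructed authoritative data: name -> (address, TTL in seconds). Not real records.
ZONE: Dict[str, Tuple[str, int]] = {
    "www.example.invalid": ("198.51.100.10", 86400),  # ordinary record, one-day TTL
    "laptop.example.invalid": ("81.2.3.4", 60),       # DynDNS-style record, 60-second TTL
}


class CachingResolver:
    """Minimal model of a recursive resolver that honours record TTLs."""

    def __init__(self, upstream: Callable[[str], Tuple[str, int]],
                 clock: Callable[[], float] = time.monotonic):
        self.upstream = upstream   # authoritative lookup: name -> (address, ttl)
        self.clock = clock         # injectable so the example can jump forward in time
        self.cache: Dict[str, Tuple[str, float]] = {}  # name -> (address, expires_at)
        self.upstream_queries = 0

    def resolve(self, name: str) -> str:
        now = self.clock()
        hit = self.cache.get(name)
        if hit is not None and hit[1] > now:
            return hit[0]                      # still fresh: answer from cache
        address, ttl = self.upstream(name)     # expired or unknown: ask the authority
        self.upstream_queries += 1
        self.cache[name] = (address, now + ttl)
        return address


def simulate() -> Dict[str, object]:
    """Resolve both names at t=0, change both addresses at the authority, then
    re-query at +30 s, +90 s and +3600 s. Returns what the cache handed out."""
    zone = dict(ZONE)                          # private copy so repeated runs start clean
    clock = {"t": 0.0}
    resolver = CachingResolver(lambda name: zone[name], clock=lambda: clock["t"])
    seen: Dict[str, object] = {}
    seen["laptop@0"] = resolver.resolve("laptop.example.invalid")
    seen["www@0"] = resolver.resolve("www.example.invalid")
    # The laptop reconnects and its DynDNS updater publishes the new address;
    # the static record is changed at its authority at the same moment.
    zone["laptop.example.invalid"] = ("81.2.3.99", 60)
    zone["www.example.invalid"] = ("198.51.100.20", 86400)
    for t in (30, 90, 3600):
        clock["t"] = float(t)
        seen[f"laptop@{t}"] = resolver.resolve("laptop.example.invalid")
        seen[f"www@{t}"] = resolver.resolve("www.example.invalid")
    seen["upstream_queries"] = resolver.upstream_queries
    return seen


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

At +30 s both names still come from the cache. At +90 s the 60-second record has expired, so the resolver goes back upstream and returns the laptop's new address, while the one-day record is still served stale at +3600 s (and would be until 86400 s). That is the whole mechanism behind "as quickly and as often as they like": nothing is replicated anywhere, the short TTL just stops anyone from remembering the old answer for long.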

  Razor

    Razor Network Guru Member

    cheers Taz....

    so now all I got to resolve is how to bypass my company firewall.... I think the only option is to use an HTTPforward proxy app...don't you just hate company firewalls....??

    What I need is to access my private LAN over VPN then use my own HTTP proxy so I can surf on MY account...but guess this requirement isn't unique!...

    any tips??
