The dreaded "How do I VPN to my home network?" que

Discussion in 'Networking Issues' started by NCBryan01, Jul 31, 2005.

  1. NCBryan01

    NCBryan01 Network Guru Member

    Hello everyone..

    I'm sorta a newbie to VPN and after spending countless hours reading and researching I'm finally going to ask for some help.. I realize this is probably the most reported issue on here but I've not been able to find an answer. Everything I see seems to imply that this should be an easy setup using the create a new network connection wizard in XP.

    I would like to connect to the network at the office using VPN from a computer on my home network.

    At work: Linksys VPN Router BEFVP41 with a tunnel setup. (details below)

    At home: Windows XP Pro behind a Linksys BEFSX41 with VPN Passthrough enabled.

    I've read many "How To" articles on setting up a VPN Network Connection in Windows XP going through that wizard to create a new network connection. I've done that at least 20 times now.

    I've read in the BEFSX41 user guide that I need to create an IPSec policy but nowhere else I've looked mentions this so I'm confused as to EXACTLY what is required.

    The Tunnel on the router at work is configured as:
    Local Secure Group - Subnet (with internal network address)
    Remote Secure Group - Any
    Remote Security Gateway - Any
    Encryption - Disable
    Authentication - SHA
    Key Management - Auto
    PFS - is selected
    Pre-shared Key - is configured
    lifetime - 3600

    I've tried all combinations of settings in the Network connections settings on my Windows XP computer at home.

    I can remote admin the work VPN Router and view the VPN log as I try to connect.. I get the following: (IP address changed to protect the innocent)

    2005-07-31 14:55:02 IKE[71] Rx << MM_I1 : SA, VID, VID, VID, VID
    2005-07-31 14:55:02 IKE[71] Tx >> MM_R1 : SA
    2005-07-31 14:55:02 IKE[71] ISAKMP SA CKI=[cd56d3a ecd52f22] CKR=[52e417f0 b8cb78d2]
    2005-07-31 14:55:02 IKE[71] ISAKMP SA 3DES / SHA / PreShared / MODP_1024 / 28800 sec (*0 sec)
    2005-07-31 14:55:03 IKE[71] Rx << MM_I2 : KE, NONCE
    2005-07-31 14:55:03 IKE[71] Tx >> MM_R2 : KE, NONCE
    2005-07-31 14:55:03 This connection request matches tunnel 2 setting !
    2005-07-31 14:55:03 IKE[2] Rx << MM_I3 : ID, HASH
    2005-07-31 14:55:03 IKE[2] Tx >> MM_R3 : ID, HASH
    2005-07-31 14:55:03 IKE[2] **Check your PFS setting !
    2005-07-31 14:55:03 IKE[2] Tx >> Notify : PAYLOAD-MALFORMED
    2005-07-31 14:56:06 IKE[2] Rx << Delete ISAKMP_SA : cookie cd56d3a ecd52f22 | 52e417f0 b8cb78d2

    Check the PFS setting huh? Payload Malformed???

    I've changed everything to all possible combinations and get the same result.

    What am I missing ?
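Added example (not part of the original thread): a small Python parser that walks the IKE log quoted in the post above and reports how far the negotiation got before the router sent its error. The function name `analyze` and the result keys are this example's own, and the log format is assumed to be exactly what the post shows.

```python
import re

# The router log quoted in the post above, copied verbatim as sample input.
SAMPLE_LOG = """\
2005-07-31 14:55:02 IKE[71] Rx << MM_I1 : SA, VID, VID, VID, VID
2005-07-31 14:55:02 IKE[71] Tx >> MM_R1 : SA
2005-07-31 14:55:02 IKE[71] ISAKMP SA CKI=[cd56d3a ecd52f22] CKR=[52e417f0 b8cb78d2]
2005-07-31 14:55:02 IKE[71] ISAKMP SA 3DES / SHA / PreShared / MODP_1024 / 28800 sec (*0 sec)
2005-07-31 14:55:03 IKE[71] Rx << MM_I2 : KE, NONCE
2005-07-31 14:55:03 IKE[71] Tx >> MM_R2 : KE, NONCE
2005-07-31 14:55:03 This connection request matches tunnel 2 setting !
2005-07-31 14:55:03 IKE[2] Rx << MM_I3 : ID, HASH
2005-07-31 14:55:03 IKE[2] Tx >> MM_R3 : ID, HASH
2005-07-31 14:55:03 IKE[2] **Check your PFS setting !
2005-07-31 14:55:03 IKE[2] Tx >> Notify : PAYLOAD-MALFORMED
2005-07-31 14:56:06 IKE[2] Rx << Delete ISAKMP_SA : cookie cd56d3a ecd52f22 | 52e417f0 b8cb78d2
"""

# IKEv1 Main Mode is six messages; once MM_R3 is sent, phase 1 is complete.
MAIN_MODE = ["MM_I1", "MM_R1", "MM_I2", "MM_R2", "MM_I3", "MM_R3"]
MSG = re.compile(r"IKE\[\d+\] (Rx <<|Tx >>) (.+?) : (.*)")
PROPOSAL = re.compile(r"ISAKMP SA (\S+) / (\S+) / (\S+) / (\S+) / (\d+) sec")
HINT = re.compile(r"\*\*\s*(.*\S)")
TUNNEL = re.compile(r"matches tunnel (\d+)")

def analyze(log):
    """Summarise one IKE negotiation from log text in the format shown above."""
    seen, errors, r = [], [], {"proposal": None, "tunnel": None}
    for line in log.splitlines():
        msg, prop, hint, tun = (p.search(line) for p in (MSG, PROPOSAL, HINT, TUNNEL))
        if msg and msg.group(2) in MAIN_MODE:
            seen.append(msg.group(2))
        elif msg and msg.group(2) == "Notify":
            errors.append((len(seen), "notify " + msg.group(3).strip()))
        elif prop:
            r["proposal"] = dict(zip(("enc", "hash", "auth", "group", "life_s"), prop.groups()))
        elif hint:
            errors.append((len(seen), "hint " + hint.group(1)))
        elif tun:
            r["tunnel"] = int(tun.group(1))
    r["phase1_complete"] = seen == MAIN_MODE
    r["errors"] = [text for _, text in errors]
    # PFS is a Quick Mode (phase 2) option: errors only after MM_R3 implicate phase 2.
    early = any(n < len(MAIN_MODE) for n, _ in errors)
    r["failed_in"] = None if not errors else "phase1" if early else "phase2"
    return r

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the quoted log it reports phase 1 complete with a 3DES / SHA / MODP_1024 proposal and the failure in phase 2, which is where the PFS option is negotiated.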

  2. littlewhoo

    littlewhoo Network Guru Member

    I have no experience with the BEFSX41 router. Just a few general remarks regarding this error.

    A PAYLOAD-MALFORMED error message usually indicates that a different encryption algorithm is used on the other side of the connection.

    Usually you can select which encryption algorithm to use for IKE. I think default is 3DES.

  3. DocLarge

    DocLarge Super Moderator Staff Member Member

    Free SSH Sentinel VPN Client Download

    Do a search on the "The Greenbow VPN Client" and download the 30 Day free trial version. Make sure whatever version you download is 2.50 or higher, then go to this link:

    If you follow these instructions, you'll have a "basic" understanding on configuring a vpn client to work with a hosting vpn server.

    If you don't want to use a 30-Day trial, I found a link to download a free version of SSH Sentinel VPN Client:

    Should you need detailed instructions to load it, send a PM to TazUK because he's a big SSH Sentinel user :)

  4. NCBryan01

    NCBryan01 Network Guru Member

    Thanks for the replies..

    Is it absolutely necessary to use separate VPN Client software? I was under the impression that it would work without any additional client software. I'll certainly go through the setup if the experience will educate me but I'd prefer not to use any special client software if possible.

    Using such a client OR configuring an IPSec policy (as linksys directs users to do) doesn't really make accessing your home network from "anywhere in the world" very easy.. You'd have to install the client software on any computer you wanted to use to access your home net.

  5. littlewhoo

    littlewhoo Network Guru Member

    So far I have only seen PPTP VPN connections using the internal VPN features of XP. Usually the Cisco VPN client is being used for IPSEC connections. So *maybe* there are some issues with XP & IPSEC?

    If you want to access your computer from "anywhere in the world", VPN isn't the way to go, no matter if you are using the native VPN features of XP or third party software. Most companies/networks and even some ISPs are blocking VPN traffic completely.
    And another problem is that VPN connections have a huge overhead.

    If you don't need to access shared network resources over the remote connection, I'd suggest that you use SSH tunneled connections instead.
    - It's easy to set up
    - Most systems already have an SSH client installed, or you can use a client like PuTTY, that doesn't even need installation
    - You can tunnel about any TCP connection through SSH (VNC, HTTP, FTP...)

  6. DocLarge

    DocLarge Super Moderator Staff Member Member

    I'll split the difference with littlewhoo...

    I've used mostly greenbow vpn (via pptp vpn) with the WAG54G and the WRV54G without issues. Other Linksys users use SSH Sentinel via pptp vpn exclusively, along with the quickvpn IPSEC client (which I use more of these days). VPNs aren't that difficult or costly depending upon how smart one goes about setting up his/her operation. Still, it's wise to have good bandwidth when utilizing a vpn solution.

    Given your setup, expense, and what you have available, both technologies serve their needs resulting in one "not" being better than the other, only in one of them being better suited for a particular situation:

    I'll never claim to be a proponent for strictly VPN or SSH, I'll say that depending upon what's going on, one of them will come in handy.

  7. Guyfromhe

    Guyfromhe Network Guru Member

    Have you tried turning PFS off?
    Also you have encryption disabled in that setting list.
    I just set up 4 befsx41's to connect to our ipsec vpn and they work fine...

  8. mastagerber

    mastagerber Guest

    Is it possible to connect to my VPN router (wrv54g) that has lan ip , and at my home has lan ip of 192.168.2.X using QUICK VPN modem on bridge (westel) and my router is wrt54g?