I’ve spent a fair number of hours getting Win2k working with the Linksys BEFVP41, but after all that I’ve found it isn’t a workable solution.
There’s a good Microsoft page on setting up IPSec on Win2k, but the problem comes about a third of the way down in the page where you have to ping the destination LAN, wait to see it fail with Negotiating IP Security messages, and then keep trying until the negotiation completes. This just doesn’t work, and I didn’t realize it until I had this whole thing working and saw how disruptive it was to my work flow and train of thought. If, for whatever reason, my connection goes away and comes back, the two ends don’t automatically come back up and establish the VPN tunnel, so I have to go ping it to bring it back up.
There has also been some flakiness that hasn’t been reported by my co-worker who has been using a second BEFVP41 unit at home to talk to the one at the office, so I’ve moved to that kind of setup (possible, because the Linksys boxes are so cheap) and that configuration will be the subject of another entry.
It looks like Linksys has a support page on Win2k IPSec configuration now:
http://www.linksys.com/support/support.asp?spid=86
Comment by Jim Moy — 2/27/2002 @ 8:38 pm
Jim,
I have a net with a Unix box and several Win2K workstations and I need to connect it with a remote small net which has Win2K workstations for terminal emulation and running a Unix app.
I am thinking of using 2 Linksys and a VPN connection. I was playing around with a VPN router against a Win2K and it seemed to be too complex a solution. So I decided to use a Linksys VPN router at each end.
So, question: once I have established the tunnel between the Linksys routers, do I have to set up any route (or even configure an additional protocol) in order to be able to see the PCs and network printers at the remote end and configure my Unix services?
Thanks in advance for your answer
Comment by Willy — 6/30/2002 @ 11:55 am
The “other” side of the VPN box is a different subnet, so there are other issues with the Windows Network Neighborhood that you’d have to deal with before file sharing and printing worked seamlessly. However, I’ve been using the Remote Desktop on XP (essentially the same as Terminal Services, I believe) with no hitch just by hard coding some IPs in my Win2k hosts file. You might experiment with the new “Advanced” VPN features in the latest Linksys firmware update. It has a “NetBIOS broadcast” feature.
Comment by Jim Moy — 6/30/2002 @ 1:59 pm
Jim,
I did it. I updated the firmware on both routers and then got the tunnel between the routers.
I checked the NetBIOS broadcast feature and I can see computers from the “other” network but I can’t see (using ping) the Unix box nor the print servers that I have on both nets.
I can get telnet sessions against Win2K machines and then another telnet session to the Unix box but not to the Unix box directly. Seems like Microsoft packets go well but TCP/IP packets can’t go through the tunnel. Do you have any suggestion?
Comment by Willy Vidable — 7/2/2002 @ 2:00 pm
It’s hard to tell without knowing the exact network configuration. If you’ve got the connection going with the Windows boxes, and have not turned on the filtering features of the Linksys, then I’d look at how the Unix boxes differ in their network config.
Comment by Jim Moy — 7/13/2002 @ 4:15 pm
Hey Jim, I am having the same problem that you’re having with the VPN router and a standard Linksys router through Win2k. I set up the shared keys through the secpol.msc command and when I activate it I get the
Negotiating IP Security. I have tried everything, I even tried to forward a few ports like 1723 and 500, 47. I spoke to Linksys about it (maybe this might help you too as well) but I am fresh out of ideas. Any ideas yourself?
Comment by dan — 11/11/2002 @ 5:47 am
Jim, another question for ya: on both Linksys routers (VPN router and the standard Linksys router) do I have to disable “block WAN request” so that the two boxes can see each other? Thanks again.
Comment by dan — 11/11/2002 @ 6:02 am
Dan, no, actually you’ve probably noticed from subsequent articles that I gave up on the Win2K IPSec.
Comment by Jim Moy — 11/15/2002 @ 11:14 pm
I have a simple question:
WHY DOES THIS SH*T HAVE TO BE SO COMPLICATED?
I sometimes wonder if techs keep it complicated just to stay in biz…. (kinda like the IRS) I would rather do my own taxes and succeed. And…. they are not exactly a simple return!!!! BUT at least I would succeed at it!!!!
I know this does not help anyone.
Sorry, just frustrated with it all…
Comment by Ron Dycks — 6/21/2003 @ 11:54 am
I have a user with a similar VPN issue. The tunnel gets created and I can see the home computer connected to the remote VPN Linksys router, but I can not ping or see the remote server. I have NetBIOS broadcasts enabled.
Comment by net admin — 7/25/2003 @ 2:17 pm
Hello fellow linksys customers. I’ve got it halfway working—home office can ping and connect to shares over netbios, but the central office can’t ping back or establish shares. Anyone else seen this happening? Yes, both sides have NETBIOS broadcast turned on. Please email me at linksysvpn -at- robbyslaughter.com
Comment by Robby — 7/31/2003 @ 10:54 am
Solved my own problem! The trick is to use the hosts file, and associate computer names with ip addresses. A little cumbersome for networks of any size, but it works like a charm.
Comment by Robby — 7/31/2003 @ 11:17 am
Jim,
Is there a third party ipsec client that works w/ the BEFVP41? I have dialup clients needing access through the BEFVP41 to our office stuff.
Comment by johnny — 9/8/2003 @ 2:14 pm
Jim, good day! I would like to know, if I set up two (2) branches (A & B) using a Linksys VPN Router on each side, can a remote computer with an operating system such as Mac or Windows connect to either branch A or branch B using its built-in VPN software? This should apply to our current situation because we have a plant (branch A), an office (branch B) and mobile and home users (remote, without a Linksys VPN router) that need to get connected to either branch. Is this possible?
Please advise. More power!
Comment by razel dazel — 11/6/2003 @ 7:57 pm
This might help some people… concerning NetBIOS over your tunnels. You must turn on NetBIOS broadcasting in order to allow the routers to send NetBIOS data over the tunnel. NetBIOS is a Microsoft Windows protocol. To resolve name to IP, you need a WINS server (or DNS server) on your network. Otherwise, you’ll have to have a host file (HOSTS or LMHOSTS) on each of your machines… on both sides of the tunnel. A host file contains hostnames and corresponding IPs. Each machine does its own name resolution with a host file. For those of you looking for a good, easy to use, Win32 IPSec client, check out the Greenbow VPN client made by SISTech. This is a French company, but they make an English version, about $69 U.S. This client supports 3DES, SHA/MD5, and DH IPSec tunnels. You can do the same thing with IPSec tunneling in SECPOL.MSC on a Win2k or WinXP box free of charge! For those of you trying to establish a tunnel through a Linksys router to an IPSec endpoint inside, the Linksys box supports IPSec pass through, but you have to forward port 500 to your host that’s the VPN endpoint. You might also have to forward ports 1723 and 47. Check the Linksys website (FAQs). Good Luck Tunneling!!
Comment by SECPOL Admin — 12/9/2003 @ 9:07 pm
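Robby’s fix above and the SECPOL Admin comment both come down to the same thing: with no WINS or DNS spanning the tunnel, each machine resolves names from its own hosts file. The script below is an added example, not from the post or any commenter: it parses hosts-file text in the Windows format (IP, then one or more names, `#` comments), resolves a name case-insensitively, and checks whether each entry falls inside the local or the remote LAN the tunnel joins, since an entry outside both resolves fine but its traffic is never sent through the tunnel. The sample hosts text and the 192.168.1.0/24 and 192.168.2.0/24 LANs are constructed for the example.

```python
import ipaddress
from typing import Dict, Optional

# Constructed sample in Windows hosts-file format (IP, one or more names, '#' comments).
SAMPLE_HOSTS = """\
# Office LAN (local side of the tunnel)
192.168.1.10    fileserv  fileserv.office.local
# Home LAN (remote side of the tunnel)
192.168.2.5     homepc            # Win2k workstation
192.168.2.20    unixbox
10.0.0.7        stray   # not in either LAN, so the tunnel policy never matches it
not-an-ip       broken  # malformed line, must not poison the table
"""

def parse_hosts(text: str) -> Dict[str, str]:
    """Parse hosts-file text into a lower-cased name -> IP map.
    This parser keeps the first entry seen for a name and skips malformed lines."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no name is useless
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # skip garbage rather than hand out a bogus address
        for name in names:
            table.setdefault(name.lower(), ip)
    return table

def resolve(table: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, the way hostnames are matched on Windows."""
    return table.get(name.lower())

def check_tunnel_coverage(table: Dict[str, str], local_lan: str, remote_lan: str) -> Dict[str, str]:
    """Classify each entry as 'local', 'remote' or 'outside' relative to the two LANs.
    'outside' names resolve, but their packets will not be carried by the tunnel."""
    local, remote = ipaddress.ip_network(local_lan), ipaddress.ip_network(remote_lan)
    verdict: Dict[str, str] = {}
    for name, ip in table.items():
        addr = ipaddress.ip_address(ip)
        verdict[name] = "local" if addr in local else "remote" if addr in remote else "outside"
    return verdict

if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print(resolve(hosts, "UnixBox"))
    print(check_tunnel_coverage(hosts, "192.168.1.0/24", "192.168.2.0/24"))
```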
Jim,
I just read your article about your Linux firewall and two Linksys routers. Good work!
You might want to check out the IPCOP firewall/VPN client. This is a hardened, stateful packet inspection firewall that runs in its own kernel on a standard old PC. It supports IPSec tunnels using 3DES, SHA/MD5, PFS and more. It also has several other built in features like IDS (Snort), SSH, traffic graphing through MRTG, etc… IT’S ALL FREE and can be located at http://www.ipcop.org My partner and I have built several (using 3 interfaces: red, yellow (DMZ), and green) and tested them. We’ve run all kinds of port scanners and hacks against them and the boxes seem pretty hardened.
Comment by SECPOL Admin — 12/9/2003 @ 9:17 pm
SECPOL, I’ve looked longingly at ipcop, especially for some of the monitoring capabilities. I’m somewhat invested in my LEAF firewall though, a lot of custom config stuff just for my site, so it would be somewhat of an investment to switch over. I’ll keep it in mind though, thanks for the pointer.
Comment by Jim Moy — 12/16/2003 @ 5:54 pm
The Netgear VPN01L client loaded on an XP Pro box works with the Linksys BEFVP41 as of 1/9/2005. I bought it through DELL (cheapest) for around $40.00.
Comment by Greg — 1/9/2005 @ 7:19 pm
I was trying to use it with Windows 7 but no luck. Anyone using this for Windows 7?
Comment by George — 7/18/2010 @ 8:29 pm
Some of the newer Linksys routers can be flashed with DD-WRT and then you can run OpenVPN on them. I find OpenVPN very stable on Win2k and super simple to set up and configure.
Comment by Roger Lawfield — 9/13/2010 @ 7:10 am