On 11/22/2012 09:41 PM, Robert Hough wrote:
> I am having trouble connecting to my VPN on a Linksys BEFSX41 which was flashed
> to the latest firmware version. I keep getting a "negotiation timeout occurred"
> when trying to bring up the tunnel. Logs on the BEFSX41 indicate the VPN
> client is trying to connect. Logs on the VPN client indicate that the resend
> limit was exceeded for phase1.
> Not sure what I have configured wrong, so all details are below.
> Settings on router:
> IPSEC Passthrough > Enabled
> PPPoE Passthrough > Enabled
> PPTP Passthrough > Enabled
> Local Secure Group > Subnet x.x.x.x.
> Remote Secure Group > Any
> Remote Security Gateway > Any
> Encryption > DES
> Authentication > MD5
> Key Management > Auto (IKE)
> ADVANCED SETTINGS >
> Phase 1: > Mode: Main mode
> Encryption: DES
> Authentication: MD5
> Group 768 Bit
> Key Lifetime: 3600 seconds
> Phase 2: > Encryption: DES
> Authentication: MD5
> PFS: On
> Group: 768 Bit
> Key Lifetime: 3600 seconds
> Other Setting
> Netbios broadcast box checked
> Shrew Soft Client
> NAT Traversal: enable
> NAT Traversal: port 4500
> IKE Fragmentation: enable
> Maximum packet size: 540 bytes
> Other Options
> Enable Dead Peer Detection
> Enable ISAKMP Failure Notifications
> Enable Client Login Banner
> Name Resolution
> All boxes checked
> Authentication Method: MutualPSK
> Identification Type: IP Address
> Remote Identity: IP Address
> Credentials: Pre shared key
> Phase 1
> Exchange Type: main
> DH Exchange: group1
> Cipher Algorithm: des
> Hash Algorithm: md5
> key life time limit: 3600 secs
> key life data limit 0 kb
> Phase 2
> Transform Algorithm: esp-des
> HMAC Algorithm: md5
> PFS Exchange: group 1
> key life time limit: 3600 secs
> key life data limit 0 kb
> Policy
> policy generation level: unique
> obtain topology automatically or tunnel all checked

Hi Rob,
Was the VPN working before the firmware was upgraded?
Based on your description that the Linksys sees the client connection
(and presumably does not give an error) but that the VPN client does not
see the Linksys' responses (resend limit exceeded), I would suggest
using a packet sniffer (like Wireshark) on your VPN client machine to
see if the machine itself is receiving any packets back from the Linksys.
I do note that you're using Main Mode, IP Addresses and PSK to identify
the VPN connection. I would check to make sure that the PSK did not
somehow get changed during the firmware update. Re-enter the PSK just
to be sure.
Most of the VPNs we see here are configured in Aggressive Mode. I could
be wrong on this too, but I think using Aggressive Mode instead of Main
Mode works better in situations where the connecting clients have
dynamic IP addresses, so you could try that too.
_______________________________________________
vpn-help mailing list
http://lists.shrew.net/mailman/listinfo/vpn-help
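
As an added example (not part of the original thread, and not code from Linksys or Shrew Soft), this Python script normalizes the router and client settings posted above and checks that the phase 1 and phase 2 proposals agree, since the two interfaces label the same values differently (`768 Bit` vs. `group1`, `DES` vs. `esp-des`). The dictionary layout, the function names and the `WEAK` list are assumptions made for illustration.

```python
import re

# Values transcribed from the settings posted in the thread.
ROUTER = {  # Linksys BEFSX41 advanced settings
    "phase1": {"mode": "Main mode", "encryption": "DES", "hash": "MD5",
               "dh_group": "768 Bit", "lifetime": "3600 seconds"},
    "phase2": {"encryption": "DES", "hash": "MD5",
               "pfs_group": "768 Bit", "lifetime": "3600 seconds"},
}
CLIENT = {  # Shrew Soft client
    "phase1": {"mode": "main", "encryption": "des", "hash": "md5",
               "dh_group": "group1", "lifetime": "3600 secs"},
    "phase2": {"encryption": "esp-des", "hash": "md5",
               "pfs_group": "group 1", "lifetime": "3600 secs"},
}
# MODP modulus size in bits -> IKE Diffie-Hellman group number.
BITS_TO_GROUP = {768: 1, 1024: 2, 1536: 5, 2048: 14}
# Editor's assumption: values treated here as too weak for new deployments.
WEAK = {"encryption": {"des"}, "hash": {"md5"}, "dh_group": {1}, "pfs_group": {1}}

def normalize(key, value):
    """Reduce each vendor's label to a comparable canonical value."""
    v = value.strip().lower()
    if key in ("dh_group", "pfs_group"):
        n = int(re.search(r"\d+", v).group())
        return BITS_TO_GROUP.get(n, n) if "bit" in v else n
    if key == "lifetime":
        return int(re.search(r"\d+", v).group())
    if key == "encryption" and v.startswith("esp-"):
        return v[4:]
    if key == "mode":
        return v.split()[0]
    return v

def mismatches(a, b):
    """Return (phase, key, a_value, b_value) for every setting that differs."""
    out = []
    for phase in sorted(set(a) | set(b)):
        pa, pb = a.get(phase, {}), b.get(phase, {})
        for key in sorted(set(pa) | set(pb)):
            va, vb = pa.get(key), pb.get(key)
            if va is None or vb is None or normalize(key, va) != normalize(key, vb):
                out.append((phase, key, va, vb))
    return out

def weak_settings(cfg):
    """Return (phase, key, value) for every setting listed in WEAK."""
    return [(p, k, v) for p in sorted(cfg) for k, v in sorted(cfg[p].items())
            if normalize(k, v) in WEAK.get(k, ())]
```

For the posted settings `mismatches(ROUTER, CLIENT)` returns an empty list, while `weak_settings` lists the DES, MD5 and group 1 choices in both phases.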