On 11/25/2012 09:53 AM, Robert Hough wrote:
No it wasn't working before the firmware upgrade.
I did fire up wireshark and see the traffic going to the router but did not see
any return traffic from the router. I flipped it to aggressive mode and retyped
the PSK in. Kinda mystified me but maybe I need to upgrade it.
Rob
-------- Original Message --------
Subject: Re: [vpn-help] Linksys BEFSX41 Tunnel not coming up
From: Kevin VPN <[email protected]>
Date: Sat, November 24, 2012 1:19 pm
To: [email protected]
On 11/22/2012 09:41 PM, Robert Hough wrote:
> I am having trouble connecting to my VPN on a Linksys BEFSX41 which was
> flashed to the latest firmware version. I keep getting a "negotiation timeout
> occurred" when trying to bring up the tunnel. Logs on the BEFSX41 indicate the VPN
> client is trying to connect. Logs on the VPN client indicate that the resend
> limit was exceeded for phase 1.
> Not sure what I have configured wrong, so all details are below.
> Settings on router:
> IPSEC Passthrough > Enabled
> PPPoE Passthrough > Enabled
> PPTP Passthrough > Enabled
> Local Secure Group > Subnet x.x.x.x
> Remote Secure Group > Any
> Remote Security Gateway > Any
> Encryption > DES
> Authentication > MD5
> Key Management > Auto (IKE)
> ADVANCED SETTINGS >
> Phase 1:
> Mode: Main mode
> Encryption: DES
> Authentication: MD5
> Group: 768 Bit
> Key Lifetime: 3600 seconds
> Phase 2:
> Encryption: DES
> Authentication: MD5
> PFS: On
> Group: 768 Bit
> Key Lifetime: 3600 seconds
> Other Setting
> NetBIOS broadcast box checked
> Shrew Soft Client
> NAT Traversal: enable
> NAT Traversal: port 4500
> IKE Fragmentation: enable
> Maximum packet size: 540 bytes
> Other Options
> Enable Dead Peer Detection
> Enable ISAKMP Failure Notifications
> Enable Client Login Banner
> Name Resolution
> All boxes checked
> Authentication Method: Mutual PSK
> Identification Type: IP Address
> Remote Identity: IP Address
> Credentials: Pre-shared key
> Phase 1
> Exchange Type: main
> DH Exchange: group1
> Cipher Algorithm: des
> Hash Algorithm: md5
> Key life time limit: 3600 secs
> Key life data limit: 0 kb
> Phase 2
> Transform Algorithm: esp-des
> HMAC Algorithm: md5
> PFS Exchange: group 1
> Key life time limit: 3600 secs
> Key life data limit: 0 kb
> Policy
> Policy generation level: unique
> Obtain topology automatically or tunnel all: checked
Hi Rob,
Was the VPN working before the firmware was upgraded?
Based on your description that the Linksys sees the client connection
(and presumably does not give an error) but that the VPN client does not
see the Linksys' responses (resend limit exceeded), I would suggest
using a packet sniffer (like Wireshark) on your VPN client machine to
see if the machine itself is receiving any packets back from the Linksys.
I do note that you're using Main Mode, IP Addresses and PSK to identify
the VPN connection. I would check to make sure that the PSK did not
somehow get changed during the firmware update. Re-enter the PSK just
to be sure.
Most of the VPNs we see here are configured in Aggressive Mode. I could
be wrong on this too, but I think using Aggressive Mode instead of Main
Mode works better in situations where the connecting clients have
dynamic IP addresses, so you could try that too.
_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
Hi Rob,
If you're not seeing return packets from the router on the client, my
guess would be that the Linksys is rejecting the connection for some
reason and is not responding back to the client. On the Linksys, check
the VPN logs carefully to see what it is telling you.
Did you check the PSK on the Shrew client side? The safest way to
ensure that the PSK is the same on both sides (especially if it's
complicated) is to type it out then copy and paste it into the Linksys
and Shrew configs.
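The check Kevin suggests (sniff on the client and see whether anything at all comes back from the Linksys) can be made more concrete by decoding the ISAKMP headers in the capture. The script below is an added example and is not code from the thread, from Linksys or from Shrew Soft: it decodes the fixed IKEv1/ISAKMP header (RFC 2408) of each UDP/500 or UDP/4500 payload and reports whether the gateway ever answered phase 1, distinguishing the "retransmit until resend limit exceeded" pattern from a working exchange. The client and router addresses (192.0.2.10 and 203.0.113.1), the cookie values and the two sample captures are constructed for the demo.

```python
# Added example, not from the mailing-list thread or from Shrew Soft: decode
# IKEv1 (ISAKMP, RFC 2408) headers from a client-side capture and report
# whether the gateway ever replied to phase 1. Addresses, cookies and the
# sample captures below are constructed/assumed for illustration.
import struct
from collections import Counter

# Fixed ISAKMP header: initiator cookie, responder cookie, next payload,
# version, exchange type, flags, message ID, length (28 bytes, network order).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ZERO_COOKIE = b"\x00" * 8

# Exchange type codes from RFC 2408 section 3.1.
EXCHANGE_TYPES = {
    1: "base",
    2: "identity protection (main mode)",
    3: "authentication only",
    4: "aggressive",
    5: "informational",
}


def parse_isakmp_header(data):
    """Decode the fixed ISAKMP header of one UDP/500 (or UDP/4500) payload."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP packet (%d bytes)" % len(data))
    (icookie, rcookie, next_payload, version,
     exch, flags, msg_id, length) = ISAKMP_HDR.unpack_from(data)
    return {
        "initiator_cookie": icookie,
        "responder_cookie": rcookie,
        "next_payload": next_payload,
        "major_version": version >> 4,      # 1 for IKEv1
        "minor_version": version & 0x0F,
        "exchange_type": EXCHANGE_TYPES.get(exch, "unknown(%d)" % exch),
        "encrypted": bool(flags & 0x01),     # E bit: payloads after header are encrypted
        "message_id": msg_id,
        "length": length,
    }


def build_isakmp(icookie, rcookie, exch, body=b"", next_payload=1):
    """Build a constructed ISAKMP datagram (header plus opaque body) for the demo.
    next_payload=1 is the SA payload that opens phase 1; version byte 0x10 = IKEv1."""
    length = ISAKMP_HDR.size + len(body)
    return ISAKMP_HDR.pack(icookie, rcookie, next_payload, 0x10, exch, 0, 0, length) + body


def diagnose_phase1(packets, client_ip, gateway_ip):
    """Summarise ISAKMP traffic from a capture taken on the client.

    packets: iterable of (src_ip, dst_ip, udp_payload) tuples, e.g. exported
    from Wireshark with the filter 'udp.port == 500 || udp.port == 4500'.
    """
    sent = received = 0
    exchanges = Counter()
    responder_cookie_seen = False
    for src, dst, payload in packets:
        try:
            hdr = parse_isakmp_header(payload)
        except ValueError:
            continue  # not ISAKMP (or truncated); ignore
        exchanges[hdr["exchange_type"]] += 1
        if src == client_ip and dst == gateway_ip:
            sent += 1
        elif src == gateway_ip and dst == client_ip:
            received += 1
            if hdr["responder_cookie"] != ZERO_COOKIE:
                responder_cookie_seen = True
    if sent and not received:
        verdict = ("no ISAKMP reply from gateway; client retransmits phase 1 "
                   "until its resend limit is exceeded")
    elif responder_cookie_seen:
        verdict = "gateway answered with a responder cookie; phase 1 is being negotiated"
    elif received:
        verdict = "gateway replied without a responder cookie; inspect it for a notification payload"
    else:
        verdict = "no ISAKMP traffic seen in either direction"
    return {"sent": sent, "received": received,
            "exchanges": dict(exchanges), "verdict": verdict}


# Constructed sample captures (assumed addresses: client 192.0.2.10, router 203.0.113.1).
CLIENT_IP, ROUTER_IP = "192.0.2.10", "203.0.113.1"
ICOOKIE = bytes.fromhex("0123456789abcdef")
RCOOKIE = bytes.fromhex("fedcba9876543210")
MAIN_MODE = 2

# What the thread describes: three main mode message 1 retransmissions, no answer.
FAILING_CAPTURE = [
    (CLIENT_IP, ROUTER_IP, build_isakmp(ICOOKIE, ZERO_COOKIE, MAIN_MODE, b"\x00" * 48))
    for _ in range(3)
]

# A healthy start: the router answers message 1 and picks its own cookie.
WORKING_CAPTURE = [
    (CLIENT_IP, ROUTER_IP, build_isakmp(ICOOKIE, ZERO_COOKIE, MAIN_MODE, b"\x00" * 48)),
    (ROUTER_IP, CLIENT_IP, build_isakmp(ICOOKIE, RCOOKIE, MAIN_MODE, b"\x00" * 48)),
]

if __name__ == "__main__":
    for name, cap in (("failing", FAILING_CAPTURE), ("working", WORKING_CAPTURE)):
        print(name, diagnose_phase1(cap, CLIENT_IP, ROUTER_IP))
```

To use it on a real trace, export the UDP payloads of the ISAKMP packets from Wireshark and feed them in as (src, dst, payload) tuples. A "failing" verdict means the client's first main mode message reached the router (the BEFSX41 log entries show that) and was dropped or rejected silently, which is consistent with a PSK mismatch: in IKEv1 main mode with pre-shared keys the identity payload is only sent encrypted in messages 5 and 6, so the gateway has to pick the key by the initiator's source IP address before it can reply, and that lookup fails when the client's address does not match the configured one. That is the mechanism behind the advice in the thread to prefer aggressive mode for clients on dynamic addresses.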