NETWORK PRESENCE

ABOUT

SERVICES

PRODUCTS

TRAINING

CONTACT US

SUPPORT

Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FW-1] Linksys BEFVP41 VPN Router

To: [email protected]
Subject: [FW-1] Linksys BEFVP41 VPN Router
From: "McDuff, Malcolm" <[email protected]>
Date: Mon, 25 Mar 2002 10:09:51 -0800
Comments: cc: [email protected]
Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
Sender: Mailing list for discussion of Firewall-1 <[email protected]>

Title: Linksys BEFVP41 VPN Router

To anyone still trying to get a BEFVP41 vpn router to set up a tunnel to a remote site.

After weeks of trying, receiving help from others on the lists, especially Robert Rondeau, who had successfully set up a DES tunnel using the product, I have managed to successfully create a 3des/SHA VPN tunnel. The key to getting it working was accessing a hidden web-page on the Linksys box. By default that address is:

192.168.1.1/IPSecAdvance.htm

If you change the LAN address on the linksys obviously the ip address above should be different. Its my understanding that the address is case sensitive. In my particular case I had to change the default DH groups during the two phases of key negotiation, as well as unchecking the "anti replay" parameter.

I have detailed in note form the setup that I created below for anyone who might benefit.

Malcolm McDuff

Names used for Objects

LS=linksys router
LSE=encryp domain of LS
FW=firewall object
FWE=fw encryp domain.

LSE- Linksys Encryption Domain

Define nw object that matches subnet on LAN side of linksys
Location=External
Broadcasts=allowed

LS Object

Use LS WAN address for object
type=gateway (on General tab)
use LSE as encryption domain
Ike 3des/sha1
Check Support key exchange for subnets
enter pre-shared secret with fw object
Leave aggresive mode off (or alternately modify linksys config below).

FW Encryption Domain

Flatten to a single network such as 10.0.0.0/8, as the linksys setup only allows one subnet to be defined for the remote subnet.

Properties/Encryption Tab

Ike timeout to 3600
Ipsec timeout matched (might not be necessary)

CP Rules
Source Dest. service action

LS FW ike,ipsec accept
LSE FWE any encrypt
FWE LSE any encrypt
Edit encryption properties to match desired setting

Transform= Encryption+Data Integrity (ESP)
Encryption Algorithm=3DES
Data Integrity=SHA1
Allowed Peer Gateway=Any
check Use Perfect Forward Secrecy

NAT Rules

LSE FWE any orig orig orig
FWE LSE any orig orig orig

Linksys Settings

Local Secure Group = Subnet on LAN side of Linksys
Remote Secur Group = subnet that matches FW encryption domain
Remote Security Gateway = FW external address
Encryption=3DES
Authentication=SHA
Key Management= Auto. (IKE)
Check Perfect Forwarding Secrecy
Preshared Key= match preshared secret defined on the firewall
Key Lifetime=3600 seconds

Linksys IPSec Advanced config

192.168.1.1/IPSecAdvance.htm (substitute device's actual address...case matters)
Set the following
Phase 1

Operation Mode=main (unless you want to try aggressive mode)
Enc=3des
Auth=SHA
Group=1024
Key Lifetime=3600 sec.

Phase 2

Group=1024
Key Lifetime=3600 sec

Other Settings

checked Netbios broadcast
Unchecked Anti-replay
Unchecked "if ike failed..."

Prev by Date: [FW-1] Scheduled tasks in exporting and purging logs
Next by Date: Re: [FW-1] Add a remote module
Previous by thread: Re: [FW-1] Scheduled tasks in exporting and purging logs
Next by thread: [FW-1] Silent Installation of SecuRemote 4.1 SP4 for Windows 2000
Index(es):
- Date
- Thread

ABOUT

SERVICES

PRODUCTS

TRAINING

CONTACT US

SUPPORT

SITE MAP

LEGAL

All contents © 2004 Network Presence, LLC. All rights reserved.