[FW-1] Linksys BEFVP41 VPN Router
To anyone still trying to get a BEFVP41 vpn router to set up a tunnel to a remote site.
After weeks of trying, receiving help from others on the lists, especially Robert Rondeau, who had successfully set up a DES tunnel using the product, I have managed to successfully create a 3DES/SHA VPN tunnel. The key to getting it working was accessing a hidden web page on the Linksys box. By default that address is:
192.168.1.1/IPSecAdvance.htm
If you change the LAN address on the Linksys, obviously the IP address above will be different. It's my understanding that the address is case sensitive. In my particular case I had to change the default DH groups during the two phases of key negotiation, as well as unchecking the "anti-replay" parameter.
I have detailed in note form the setup that I created below for anyone who might benefit.
Malcolm McDuff
Names used for Objects
- LS = Linksys router
- LSE = encryption domain of LS
- FW = firewall object
- FWE = FW encryption domain
LSE - Linksys Encryption Domain
- Define network object that matches subnet on LAN side of Linksys
- Location=External
- Broadcasts=allowed
LS Object
- Use LS WAN address for object
- type=gateway (on General tab)
- use LSE as encryption domain
- IKE 3DES/SHA1
- Check "Support key exchange for subnets"
- Enter pre-shared secret with FW object
- Leave aggressive mode off (or alternatively modify Linksys config below).
FW Encryption Domain
- Flatten to a single network such as 10.0.0.0/8, as the Linksys setup only allows one subnet to be defined for the remote subnet.
Properties/Encryption Tab
- IKE timeout to 3600
- IPsec timeout matched (might not be necessary)
CP Rules
Source   Dest.   Service      Action
- LS     FW      ike, ipsec   accept
- LSE    FWE     any          encrypt
- FWE    LSE     any          encrypt
- Edit encryption properties to match desired setting
- Transform= Encryption+Data Integrity (ESP)
- Encryption Algorithm=3DES
- Data Integrity=SHA1
- Allowed Peer Gateway=Any
- check Use Perfect Forward Secrecy
NAT Rules
Source   Dest.   Service   Translated Source   Translated Dest.   Translated Service
- LSE    FWE     any       orig                orig               orig
- FWE    LSE     any       orig                orig               orig
Linksys Settings
- Local Secure Group = subnet on LAN side of Linksys
- Remote Secure Group = subnet that matches FW encryption domain
- Remote Security Gateway = FW external address
- Encryption=3DES
- Authentication=SHA
- Key Management= Auto. (IKE)
- Check Perfect Forward Secrecy
- Preshared Key= match preshared secret defined on the firewall
- Key Lifetime=3600 seconds
Linksys IPSec Advanced config
- 192.168.1.1/IPSecAdvance.htm (substitute device's actual address...case matters)
- Set the following
- Phase 1
- Phase 2
- Other Settings
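As an added example that is not part of the original post: a small Python pre-flight check that compares the FW-1 and Linksys settings listed above, reports every phase 1 / phase 2 parameter that differs between the two peers (the DH groups and the anti-replay flag are the ones the post had to change), and computes the single block the Linksys Remote Secure Group has to be set to when the FW-1 encryption domain is made of more than one subnet. The field names, the DH group numbers, the pre-shared key and the sample addresses are constructed assumptions, not values from the post or from either product.

```python
"""Pre-flight consistency check for the FW-1 <-> BEFVP41 tunnel described above.

Added example; not code from the original post.  The field names, the DH
group numbers and the sample addresses below are constructed assumptions
chosen to mirror the post's settings (3DES/SHA1, PFS, 3600 s lifetimes,
matching DH groups, anti-replay off).
"""
import ipaddress

# Parameters that must agree on both peers for the IKE SA (phase 1) and the
# IPsec SA (phase 2).  Which DH group the BEFVP41 defaults to is not stated
# in the post, so the group numbers used below are illustrative only.
PHASE1_KEYS = ("ike_encryption", "ike_hash", "dh_group", "ike_lifetime",
               "aggressive_mode", "preshared_key")
PHASE2_KEYS = ("esp_encryption", "esp_integrity", "pfs", "pfs_dh_group",
               "ipsec_lifetime", "anti_replay")


def compare_phase(local, remote, keys):
    """Return (key, local_value, remote_value) for every key that differs."""
    return [(k, local.get(k), remote.get(k))
            for k in keys if local.get(k) != remote.get(k)]


def single_remote_subnet(subnets):
    """Smallest single CIDR block covering all of `subnets`.

    The BEFVP41 accepts only one Remote Secure Group, so a multi-subnet FW-1
    encryption domain has to be flattened to one block (the post used 10.0.0.0/8).
    """
    nets = [ipaddress.ip_network(s) for s in subnets]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()      # widen by one prefix bit until everything fits
    return cover


def check_tunnel(fw, linksys):
    """Return human-readable mismatches; an empty list means the sides agree."""
    problems = []
    for phase, keys in (("phase 1", PHASE1_KEYS), ("phase 2", PHASE2_KEYS)):
        for key, fw_val, ls_val in compare_phase(fw, linksys, keys):
            problems.append(f"{phase}: {key} is {fw_val!r} on FW-1 "
                            f"but {ls_val!r} on the Linksys")
    # Local Secure Group on the Linksys must be exactly LSE on the firewall.
    if (ipaddress.ip_network(linksys["local_secure_group"])
            != ipaddress.ip_network(fw["linksys_encryption_domain"])):
        problems.append("Linksys Local Secure Group does not match LSE")
    # The single Remote Secure Group must cover every subnet of FWE.
    remote = ipaddress.ip_network(linksys["remote_secure_group"])
    for s in fw["encryption_domain"]:
        if not ipaddress.ip_network(s).subnet_of(remote):
            problems.append(f"FWE subnet {s} is not covered by Remote Secure Group {remote}")
    if linksys["remote_security_gateway"] != fw["external_address"]:
        problems.append("Remote Security Gateway is not the FW-1 external address")
    return problems


# Constructed sample configurations (public addresses from RFC 5737 ranges).
FW_SIDE = {
    "ike_encryption": "3DES", "ike_hash": "SHA1", "dh_group": 2,
    "ike_lifetime": 3600, "aggressive_mode": False, "preshared_key": "example-psk",
    "esp_encryption": "3DES", "esp_integrity": "SHA1", "pfs": True, "pfs_dh_group": 2,
    "ipsec_lifetime": 3600, "anti_replay": False,
    "encryption_domain": ["10.1.0.0/16", "10.2.0.0/16"],   # FWE before flattening
    "linksys_encryption_domain": "192.168.1.0/24",         # LSE
    "external_address": "198.51.100.1",
}
# Linksys before the IPSecAdvance.htm changes: different DH groups, anti-replay
# still on, and only one FWE subnet entered as the Remote Secure Group.
LINKSYS_BEFORE = {
    "ike_encryption": "3DES", "ike_hash": "SHA1", "dh_group": 1,
    "ike_lifetime": 3600, "aggressive_mode": False, "preshared_key": "example-psk",
    "esp_encryption": "3DES", "esp_integrity": "SHA1", "pfs": True, "pfs_dh_group": 1,
    "ipsec_lifetime": 3600, "anti_replay": True,
    "local_secure_group": "192.168.1.0/24",
    "remote_secure_group": "10.1.0.0/16",
    "remote_security_gateway": "198.51.100.1",
}
# Same box after matching the DH groups, unchecking anti-replay and flattening FWE.
LINKSYS_AFTER = dict(LINKSYS_BEFORE, dh_group=2, pfs_dh_group=2, anti_replay=False,
                     remote_secure_group=str(single_remote_subnet(FW_SIDE["encryption_domain"])))

if __name__ == "__main__":
    for label, cfg in (("before", LINKSYS_BEFORE), ("after", LINKSYS_AFTER)):
        print(f"--- {label} ---")
        for line in check_tunnel(FW_SIDE, cfg) or ["OK: both sides agree"]:
            print(line)
```

The flattening helper returns the tightest covering block (10.0.0.0/14 for the two sample /16s) rather than the /8 the post used; either works as long as the FW-1 encryption domain object is defined as the same block, since the check only requires that the Linksys Remote Secure Group contain every FWE subnet.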