[vpn-help] Linksys BEFSX41 Tunnel not coming up

Sat Nov 24 12:19:41 CST 2012

On 11/22/2012 09:41 PM, Robert Hough wrote:
> I am having trouble connecting to my VPN on a Linksys BEFSX41 which was flashed
> to latest firmware version.  I keep getting a "negotiation timeout occurred"
> when trying to bring up the tunnel.   Logs on the BEFSX41 indicate the VPN
> client is trying to connect.  Logs on the vpn client indicate that resend limit
> exceeded for phase1.
> Not sure what I have configed wrong so all details are below.
> Settings on router:
> IPSEC Passthrough > Enabled
> PPOE Passthough > Enabled
> PPTP Passthrough > Enabled
> Local Secure Group > Subnet x.x.x.x.
> Remote Secure Group > Any
> Remote Security Gateway >  Any
> Encryption > DES
> Authentication > MD5
> Key Management > Auto (IKE)
> ADVANCED SETTINGS >
>
> Phase 1: > Mode: Main mode
>
> Encryption: DES
>
> Authentication: MD5
>
> Group 768 Bit
>
> Key Lifetime: 3600 seconds
>
>
>
> Phase 2: > Encryption: DES
>
> Authentication: MD5
>
> PFS: On
>
> Group: 768 Bit
>
> Key Lifetime: 3600 seconds
>
> Other Setting
>
> Netbios broadcast box checked
> Shrew Soft Client
> NAT Transversal: enable
> NAT Transversal: port 4500
> IKE Fragmentation: enable
> Maximum packet size: 540 bytes
> Other Options
> Enable Dead Peer Detection
> Enable ISAKMP Failure Notifications
> Enable Client Login Banner
> Name Resolution
> All boxes checked
> Authentication Method: MutualPSK
> Identification Type: IP Address
> Remote Identity: IP Address
> Credentials: Pre shared key
> Phase 1
> Exchange Type: main
> DH Exchange: group1
> Cipher Algorithm: des
> Hash Algorithm: md5
> key life time limit: 3600 secs
> key life data limit 0 kb
> Phase 2
> Transform Algorithm: esp-des
> HMAC Algorith: md5
> PFS Exchange: group 1
> key life time limit: 3600 secs
> key life data limit 0 kb
> Policy
> policy generation level: unique
> obtain topology automatically or tunnel all checked

Hi Rob,

Was the VPN was working before the firmware was upgraded?

Based on your description that the Linksys sees the client connection 
(and presumably does not give an error) but that the VPN client does not 
see the Linksys' responses (resend limit exceeded), I would suggest 
using a packet sniffer (like Wireshark) on your VPN client machine to 
see if the machine itself is receiving any packets back from the Linksys.

I do note that you're using Main Mode, IP Addresses and PSK to identify 
the VPN connection.  I would check to make sure that the PSK did not 
somehow get changed during the firmware update.  Re-enter the PSK just 
to be sure.

Most of the VPNs we see here are configured in Aggressive Mode. I could 
be wrong on this too, but I think using Aggressive Mode instead of Main 
Mode works better in situations where the connecting clients have 
dynamic IP addresses, so you could try that too.