[vpn-help] Linksys BEFSX41 Tunnel not coming up

Kevin VPN kvpn at live.com
Sun Nov 25 16:13:51 CST 2012 

On 11/25/2012 09:53 AM, Robert Hough wrote:
> No it wasn't working before the firmware upgrade.
> I did fire up wireshark and see the traffic going to the router but did not see
> any return traffic from the router.  I flipped it to aggressive mode and retyped
> the PSK in.    Kinda mystified me but maybe I need to upgrade it.
>
> Rob
>
>      -------- Original Message --------
>      Subject: Re: [vpn-help] Linksys BEFSX41 Tunnel not coming up
>      From: Kevin VPN <kvpn at live.com <mailto:kvpn at live.com>>
>      Date: Sat, November 24, 2012 1:19 pm
>      To: vpn-help at lists.shrew.net <mailto:vpn-help at lists.shrew.net>
>
>      On 11/22/2012 09:41 PM, Robert Hough wrote:
>      > I am having trouble connecting to my VPN on a Linksys BEFSX41 which was flashed
>      > to latest firmware version. I keep getting a "negotiation timeout occurred"
>      > when trying to bring up the tunnel. Logs on the BEFSX41 indicate the VPN
>      > client is trying to connect. Logs on the vpn client indicate that resend limit
>      > exceeded for phase1.
>      > Not sure what I have configed wrong so all details are below.
>      > Settings on router:
>      > IPSEC Passthrough > Enabled
>      > PPOE Passthough > Enabled
>      > PPTP Passthrough > Enabled
>      > Local Secure Group > Subnet x.x.x.x.
>      > Remote Secure Group > Any
>      > Remote Security Gateway > Any
>      > Encryption > DES
>      > Authentication > MD5
>      > Key Management > Auto (IKE)
>      > ADVANCED SETTINGS >
>      >
>      > Phase 1: > Mode: Main mode
>      >
>      > Encryption: DES
>      >
>      > Authentication: MD5
>      >
>      > Group 768 Bit
>      >
>      > Key Lifetime: 3600 seconds
>      >
>      >
>      >
>      > Phase 2: > Encryption: DES
>      >
>      > Authentication: MD5
>      >
>      > PFS: On
>      >
>      > Group: 768 Bit
>      >
>      > Key Lifetime: 3600 seconds
>      >
>      > Other Setting
>      >
>      > Netbios broadcast box checked
>      > Shrew Soft Client
>      > NAT Transversal: enable
>      > NAT Transversal: port 4500
>      > IKE Fragmentation: enable
>      > Maximum packet size: 540 bytes
>      > Other Options
>      > Enable Dead Peer Detection
>      > Enable ISAKMP Failure Notifications
>      > Enable Client Login Banner
>      > Name Resolution
>      > All boxes checked
>      > Authentication Method: MutualPSK
>      > Identification Type: IP Address
>      > Remote Identity: IP Address
>      > Credentials: Pre shared key
>      > Phase 1
>      > Exchange Type: main
>      > DH Exchange: group1
>      > Cipher Algorithm: des
>      > Hash Algorithm: md5
>      > key life time limit: 3600 secs
>      > key life data limit 0 kb
>      > Phase 2
>      > Transform Algorithm: esp-des
>      > HMAC Algorith: md5
>      > PFS Exchange: group 1
>      > key life time limit: 3600 secs
>      > key life data limit 0 kb
>      > Policy
>      > policy generation level: unique
>      > obtain topology automatically or tunnel all checked
>
>      Hi Rob,
>
>      Was the VPN was working before the firmware was upgraded?
>
>      Based on your description that the Linksys sees the client connection
>      (and presumably does not give an error) but that the VPN client does not
>      see the Linksys' responses (resend limit exceeded), I would suggest
>      using a packet sniffer (like Wireshark) on your VPN client machine to
>      see if the machine itself is receiving any packets back from the Linksys.
>
>      I do note that you're using Main Mode, IP Addresses and PSK to identify
>      the VPN connection. I would check to make sure that the PSK did not
>      somehow get changed during the firmware update. Re-enter the PSK just
>      to be sure.
>
>      Most of the VPNs we see here are configured in Aggressive Mode. I could
>      be wrong on this too, but I think using Aggressive Mode instead of Main
>      Mode works better in situations where the connecting clients have
>      dynamic IP addresses, so you could try that too.
>      _______________________________________________
>      vpn-help mailing list
>      vpn-help at lists.shrew.net <mailto:vpn-help at lists.shrew.net>
>      http://lists.shrew.net/mailman/listinfo/vpn-help
>

Hi Rob,

If you're not seeing return packets from the router on the client, my 
guess would be that the Linksys is rejecting the connection for some 
reason and is not responding back to the client.  On the Linksys, check 
the VPN logs carefully to see what it is telling you.

Did you check the PSK on the Shrew client side?  The safest way to 
ensure that the PSK is the same on both sides (especially if it's 
complicated) is to type it out then copy and paste it into the Linksys 
and Shrew configs.

More information about the vpn-help mailing list