Cisco VPN Behind Linksys Router (NAT Issues)

Jun 27th, 2007

Hi. I am having some problems with my setup and was looking for some help. The only thing I know about Cisco I have taught myself, as nothing really practical was taught to me in undergrad, just theory. I thank you guys in advance!

I have a unique setup that involves a Cisco 2611XM and a Linksys BEFSR41.

I am trying to set up a Cisco VPN that accepts Cisco VPN Clients (Windows 2000) that sits behind a BEFSR41 (NAT router). Before I go any further, let me give you the product specifics:

Cisco VPN Client Version

IP Address MASK

Linksys BEFSR41 Firmware Version 1.04.09



Cisco 2611XM IOS C2600-A3JK9S-M Version 12.3(22)

BEFSR41 Link IP Address MASK

Backend Server IP Address MASK

I have attached running-config.txt as the running configuration of this router.

Backend Server

Windows XP Professional

My test setup is as follows:

Cisco VPN Client <-> BEFSR41 <-> 2611XM <-> Backend Server

My problem is that the VPN client times out with Reason 412: Remote peer is no longer responding.

I have forwarded UDP port 500 and TCP port 10000 from the BEFSR41 to the 2611XM and have verified that the VPN client is using UDP to do VPN. Also, when I turn on debug crypto ipsec error and debug crypto isakmp error I see errors flash by on the console. I have attached isakmp_errors_with_linksys.txt as a log of these.

I have also placed Ethereal before and after the BEFSR41 and have verified that the ISAKMP packets are indeed UDP encapsulated and the only difference I see between the packets is the source and destination values and the time to live field, all three of which I consider to be part of normal routing.

While Ethereal was there, I never saw any return packets from the 2611XM back towards the BEFSR41.

When I take the BEFSR41 out of the picture, and instead connect the VPN client directly to the 2611XM (naturally the IP address is changed to that of the BEFSR41), I have no problems with connecting the VPN client. What is interesting is that I see even more errors with the debug crypto ipsec error and debug crypto isakmp error commands but the VPN seems to set up correctly. I have attached isakmp_errors_no_linksys.txt as a log of this.

Ethereal also shows the 2611XM sending connection packets back to the VPN client.

Once again, any help you guys can provide would be really appreciated!

iconick Mon, 07/02/2007 - 05:46


Thanks for the response. That is what I was guessing but don't fully understand why it matters if the packets are UDP encapsulated. In any event, I am working on getting rid of the Linksys from the equation completely.
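The before-and-after capture comparison described in the original post can be scripted. The following is an added example, not part of the thread or of any Cisco tooling: it parses two raw IPv4/UDP packets, reports every field that changed other than those a NAT hop normally rewrites, and validates the IP header checksum. The packets, documentation-range addresses and ISAKMP bytes are constructed, and the set of "expected" rewrites (addresses, source port, TTL, checksums) is an assumption of this example.

```python
import struct

IP_FMT, UDP_FMT = "!BBHHHBBH4s4s", "!HHHH"
IP_KEYS = ("ver_ihl", "tos", "total_len", "ident", "frag", "ttl", "proto", "ip_csum", "src", "dst")
UDP_KEYS = ("sport", "dport", "udp_len", "udp_csum")
# Assumption: fields a NAT hop may legitimately rewrite; any other change is suspect.
NAT_REWRITES = {"src", "dst", "sport", "ttl", "ip_csum", "udp_csum"}

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 over a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse(pkt: bytes) -> dict:
    """Split a raw IPv4/UDP packet (no link-layer header) into named fields."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or pkt[9] != 17 or len(pkt) < ihl + 8:
        raise ValueError("not an IPv4/UDP packet")
    fields = dict(zip(IP_KEYS, struct.unpack(IP_FMT, pkt[:20])))
    fields.update(zip(UDP_KEYS, struct.unpack(UDP_FMT, pkt[ihl:ihl + 8])))
    fields["payload"] = pkt[ihl + 8:]
    fields["ip_csum_ok"] = ip_checksum(pkt[:ihl]) == 0
    return fields

def unexpected_changes(before: bytes, after: bytes) -> set:
    """Names of fields that differ across the NAT hop but should not."""
    a, b = parse(before), parse(after)
    return {k for k in a if a[k] != b[k]} - NAT_REWRITES

def build(src, dst, ttl, payload, sport=500):
    """Build a constructed IPv4/UDP packet to port 500 (UDP checksum left at 0)."""
    udp = struct.pack(UDP_FMT, sport, 500, 8 + len(payload), 0) + payload
    hdr = struct.pack(IP_FMT, 0x45, 0, 20 + len(udp), 0x1234, 0, ttl, 17, 0, bytes(src), bytes(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + udp

# Constructed 28-byte ISAKMP header (cookies, version 1.0, length); not from the attached captures.
ISAKMP = bytes(range(1, 9)) + bytes(8) + bytes([1, 0x10, 2, 0]) + bytes(4) + struct.pack("!I", 28)
CLIENT, NAT_WAN, HEADEND = (198, 51, 100, 7), (203, 0, 113, 1), (192, 0, 2, 2)  # documentation ranges
outside = build(CLIENT, NAT_WAN, 128, ISAKMP)                  # as seen before the NAT router
inside = build(CLIENT, HEADEND, 127, ISAKMP)                   # same packet after port forwarding
mangled = build(CLIENT, HEADEND, 127, ISAKMP[:-1] + b"\x00")   # payload altered in transit

if __name__ == "__main__":
    print("clean NAT hop  :", unexpected_changes(outside, inside) or "only expected rewrites")
    print("mangled payload:", unexpected_changes(outside, mangled))
```

To use it on real traffic, export the two packets from the capture tool as raw bytes starting at the IP header and pass them to `unexpected_changes`.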

