Is it possible for a home user to maintain two simultaneous VPN tunnels from behind a Linksys Cable Modem Router?
Basically, both machines use Cisco VPN Client v3.0.2 software connected to a Cisco 3524 switch connected to the uplink of a Linksys Cable Modem Router. The WAN interface of the Linksys is connected to a cable modem. The other end of the tunnel is a Cisco 3005 VPN Concentrator.
The first VPN tunnel establishes without a problem. The second VPN tunnel, however, fails to connect. The client reports "Failed to establish a secure connection to the security gateway." and the Session Logs of the concentrator report "Group [xxx] received an unencrypted packet when crypto active!!" followed by "Group [xxx] received non-routine Notify message: Invalid hash info (23)".
Any assistance from the VPN experts would be greatly appreciated.
For those searching the archives and anyone else who wants to know, the latest firmware for the BEFSR41 1.42.3 claims "support for multi-IPSec pass-through". This, however, is not true, but the latest BEFVP41 does support up to 70 simultaneous IPSec connections.
"support for multi-IPSec pass-through" can -supposedly- be achieved by enabling SPI (stateful packet inspection) in the new firmware. I'll be testing this in a few days ...
Yes, please let us know as the TAC specialist that I spoke with indicated that they were not able to get it working in a lab environment. In my situation, the router was refusing to update its firmware when we found the new Linksys product. I'll confirm the usability of the new Linksys this week.
I was wondering if you were able to successfully implement Linksys' multi-IPSec pass-through feature? Did enabling SPI resolve your issue?
I was sold on the "up to 70 simultaneous IPSec connections" until I had the VPN router in-house and tested it. I cannot get 2 simultaneous connections, let alone 70.
I was using the Cisco VPN client 3.5 to the other end - being a 3005 concentrator. My thought was I should be able to use the Linksys "new" VPN router to establish the tunnel allowing clients to connect to our xchg server.
Am I on the right path? I'm curious to know if you were successful with the Linksys VPN router.
If your concentrator or PIX can handle it, use the 3.5.2 client with TCP tunneling, not UDP. Set it to port 80. We have had the same problem and now we have 20 users all going through the Linksys router at the same time.
I have a remote office that just installed the Linksys BEFVR41 today. We did the following:
Click Configuration - System - Tunneling Protocols - IPSec - NAT Transparency
Check IPSec over TCP
TCP Port(s): 10000 - I left this as the default
VPN Client (v3.62b):
Check Enable Transparent Tunneling
Select Use IPSec over TCP (NAT/PAT/Firewall)
Leave 10000 for TCP port
Using these settings I was able to get two machines up and running. They are upgrading the 3rd to the same client version and will be configuring it the same way.
The Linksys BEFSR41 supports pass-through for multiple IPSec tunnels ONLY if the VPN 3000 and clients are using NAT-T (UDP-4500) or TCP over TCP transparency. The latest Linksys v 1.43 supports this.
If you don't use Transparency (use standard IPsec over UDP=500) then this Linksys model only supports 1 IPSec tunnel. The reason is that the Linksys sources the 1st tunnel on say UDP=500. Then the 2nd and subsequent tunnels should be sourced on a different port (i.e. UDP-501, UDP=502, etc).
However, they source the 2nd tunnel on the same port UDP=500 and bump off the 1st tunnel.
I've reported this to Linksys in the past but they have not responded.
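The port collision described in the post above can be modelled with a toy translation table. This is an added example, not code from the thread or from any Linksys firmware; the class name, the addresses, and the port-allocation policy are assumptions made for illustration.

```python
"""Toy model of a NAT router's UDP translation table (constructed example)."""

IKE_PORT = 500
CONCENTRATOR = ("203.0.113.10", IKE_PORT)  # constructed address (TEST-NET-3)


class NatTable:
    """Hypothetical NAT model; not taken from any real router firmware."""

    def __init__(self, preserve_source_port):
        # True models the behaviour reported in the thread: every tunnel
        # leaves the WAN side sourced from the same port (UDP 500).
        self.preserve_source_port = preserve_source_port
        self.next_port = IKE_PORT + 1
        self.flows = {}    # (lan_ip, lan_port, remote) -> wan_port
        self.replies = {}  # (wan_port, remote) -> (lan_ip, lan_port)

    def outbound(self, lan_ip, lan_port, remote):
        """Translate an outgoing packet and return the WAN source port."""
        flow = (lan_ip, lan_port, remote)
        if flow not in self.flows:
            if self.preserve_source_port:
                self.flows[flow] = lan_port
            else:
                self.flows[flow] = self.next_port
                self.next_port += 1
        wan_port = self.flows[flow]
        # With a shared WAN port this overwrites the earlier tunnel's entry.
        self.replies[(wan_port, remote)] = (lan_ip, lan_port)
        return wan_port

    def inbound(self, wan_port, remote):
        """Return the (lan_ip, lan_port) a reply is delivered to, or None."""
        return self.replies.get((wan_port, remote))


def reply_destinations(preserve_source_port):
    """Two LAN clients start IKE to the same concentrator; return the LAN
    host that receives the concentrator's reply to each of them."""
    nat = NatTable(preserve_source_port)
    clients = ["192.168.1.100", "192.168.1.101"]  # constructed LAN hosts
    wan_ports = [nat.outbound(ip, IKE_PORT, CONCENTRATOR) for ip in clients]
    return [nat.inbound(port, CONCENTRATOR)[0] for port in wan_ports]


if __name__ == "__main__":
    print("shared UDP 500 :", reply_destinations(True))
    print("unique WAN port:", reply_destinations(False))
```

With the shared port, both replies are delivered to the second client, so the first tunnel loses its return path; with one WAN port per tunnel each client gets its own replies.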
It's interesting how this issue has progressed over the months. With the release of v1.43, it appears that a work-around was reached. I, however, could not wait for Linksys. So we bought a Cisco PIX 501 and built a LAN-to-LAN instead.
Thank you to everyone who replied.
Update the firmware on the Linksys to the very latest version. We are using VPN client 3.6.3 and have several IPSec connections happening at once. The box says it only supports one but I have several working without problems.