Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Concurrent VPN tunnels from behind Linksys Router

Is it possible for a home user to maintain two simultaneous VPN tunnels from behind a Linksys Cable Modem Router?

Basically, both machines use Cisco VPN Client v3.0.2 software connected to a Cisco 3524 switch connected to the uplink of a Linksys Cable Modem Router. The WAN interface of the Linksys is connected to a cable modem. The other end of the tunnel is a Cisco 3005 VPN Concentrator.

The first VPN tunnel establishes without a problem. The second VPN tunnel however fails to connect. The client reports "Failed to establish a secure connection to the security gateway." And the Session Logs of the concentrator report "Group [xxx] received an unencrypted packet when crypto active!!" followed by "Group [xxx] received non-routine Notify message: Invalid hash info (23)".

Any assistance from the VPN experts would be greatly appreciated.

Thanks.

12 REPLIES
New Member

Re: Concurrent VPN tunnels from behind Linksys Router

Sorry.. the BEFR series of Linksys routers will only support one IPSEC tunnel outbound at a time...

New Member

Re: Concurrent VPN tunnels from behind Linksys Router

For those searching the archives and anyone else who wants to know, the latest firmware for the BEFSR41 1.42.3 claims "support for multi-IPSec pass-through". This, however, is not true but the latest BEFVP41 does support up to 70 simultaneous IPSec connections.

Silver

Re: Concurrent VPN tunnels from behind Linksys Router

"support for multi-IPSec pass-through" can -supposedly- be achieved by enabling SPI (stateful packet inspection) in the new firmware. I'll be testing this in a few days ...

Regards,

Mustafa Hussein

Comark, Inc.

New Member

Re: Concurrent VPN tunnels from behind Linksys Router

Yes, please let us know as the TAC specialist that I spoke with indicated that they were not able to get it working in a lab environment. In my situation, the router was refusing to update its firmware when we found the new Linksys product. I'll confirm the usability of the new Linksys this week.

New Member

Re: Concurrent VPN tunnels from behind Linksys Router

I was wondering if you were able to successfully implement Linksys' multi-IPSec pass-through feature? Did enabling SPI resolve your issue?

New Member

Re: Concurrent VPN tunnels from behind Linksys Router

I was sold on the "up to 70 simultaneous IPSec connections" until I had the VPN router inhouse and tested it. I can not get 2 simultaneous connections let alone 70.

I was using the Cisco VPN client 3.5 to the other end - being a 3005 concentrator. My thought was I should be able to use the linksys "new" vpn router to establish the tunnel allowing clients to connect to our xchg server.

Am I on the right path? I'm curious to know if you were successful with the linksys vpn router.

New Member

Re: Concurrent VPN tunnels from behind Linksys Router

If your concentrator or PIX can handle it use the 3.5.2 client with TCP tunneling not UDP. Set it to port 80. We have had the same problem and now we have 20 users all going through the Linksys router at the same time.

New Member

Re: Concurrent VPN tunnels from behind Linksys Router

Where can I find the 3.5.2 client?

New Member

Re: Concurrent VPN tunnels from behind Linksys Router

I have a remote office that just installed the Linksys BEFVR41 today. We did the following:

3005:

----------

Click Configuration - System - Tunneling Protocols - IPSec - NAT Transparency

Check IPSec over TCP

TCP Port(s): 10000 - I left this as the default

Click Apply

VPN Client (v3.62b):

----------------------------

Click Options

Click Properties

Check Enable Transparent Tunneling

Select Use IPSec over TCP (NAT/PAT/Firewall)

Leave 10000 for TCP port

Using these settings I was able to get two machines up and running. They are upgrading the 3rd to the same client version and will be configuring it the same way.

Cisco Employee

Re: Concurrent VPN tunnels from behind Linksys Router

The LINKsys BEFSR41 supports pass-through for multiple IPSec tunnels

ONLY if the VPN 3000 and clients are using NAT-T (UDP-4500) or TCP over TCP transparency. The latest Linksys v 1.43 supports this.

If you don't use Transparency (use standard IPsec over UDP=500) then this Linksys model only supports 1IPSec tunnel. The reason is that the Linksys sources the 1st tunnel on say UDP=500. Then the 2nd and subsequent tunnelsshould be sourced on a different port (ie. UDP-501, UDP=502,etc).

However, they source the 2nd tunnel on the same port UDP=500 and bump off the 1st tunnel.

I've reported this to Linksys in the past but they have not responded.

Nelson

New Member

Re: Concurrent VPN tunnels from behind Linksys Router

It's interesting how this issue has progressed over the months. With the release of v1.43, it appears that a work-around was reached. I, however, could not wait for Linksys. So we bought a Cisco PIX 501 and built a LAN-to-LAN instead.

Thank you to everyone who replied.

New Member

Re: Concurrent VPN tunnels from behind Linksys Router

Update the firmware on the linksys to the very latest version. We are using VPN client 3.6.3 and have serveral ipsec connections happening at once. The box says it only supports one but I have several working without problems.

180
Views
5
Helpful
12
Replies