Linksys BEFVP41 with concurrent tunnels
    Linksys BEFVP41 with concurrent tunnels  
Claeton
06-07-06 06:12 PM

I am using three BEFVP41 routers for site-to-site LAN connections over
VPN.  Two routers connect remote sites with dynamic IP addresses to a
main site with a static IP address.  The connections are initiated by
traffic originating at the remote sites.  With one site connected, the
tunnel comes up (and stays up) automatically.  But the second site does
not connect.  The main router's tunnels are configured to accept
connections from ANY Remote Security Gateway.  When main router's
tunnels are changed to only accept connections from a specific
domainname or a specific IP address, the VPN connections come right up.
But since these remote sites are on dynamic IP addresses, that is not
a permanent solution.  My guess is that since the only difference
between the two tunnels is the subnet, that once a connection is made,
the main router does not know how to match the second connection request
to a tunnel definition.  Any ideas on how to change this configuration
to solve this problem?  Details are below.  Thanks in advance, Claeton

Name, IP Address, Location
--------------------------------------------------
R1, static, main site
R2, dynamic, remote site
R3, dynamic, remote site

R1 SETTINGS
-----------
VPN Tunnel: Enabled
Tunnel Name: VP1
Local Secure Group: (Subnet)
IP: 192.168.200.0
Mask: 255.255.255.0
Remote Secure Group: Subnet
IP: 192.168.100.0
Mask: 255.255.255.0
Remote Security Gateway: Any
Encryption: 3DES
Authentication: MD5
Key Management: Auto. (IKE)
PFS: Enabled
Pre-shared Key: abcdef
Key Lifetime: 30000000 seconds
ADVANCED SETTINGS:
Phase 1:
Operation mode : Main mode
Username: <blank>
Proposal:
Encryption: 3DES
Authentication :MD5
Group: 768-bit
Key Lifetime: 30000000 seconds
Phase 2:
Proposal :
Encryption: 3DES
Authentication: MD5
PFS: ON
Group: 768-bit
Key Lifetime: 30000000 seconds
The second tunnel is the same as the first except for the remote
subnet:
Tunnel Name: VP2
Remote Secure Group: Subnet
IP: 192.168.101.0
Mask: 255.255.255.0

R2's and R3's VPN settings are *exactly* the same, except that they have
different Local Secure Group subnets.

R2 SETTINGS
-----------
VPN Tunnel: Enabled
Tunnel Name: VP1
Local Secure Group: (Subnet)
IP: 192.168.100.0
Mask: 255.255.255.0
Remote Secure Group: IP Addr
IP: 192.168.200.0
Mask: 255.255.255.0
Remote Security Gateway: FQDN
mydomain.net
Encryption: 3DES
Authentication: MD5
Key Management: Auto. (IKE)
PFS: Enabled
Pre-shared Key: abcdef
Key Lifetime: 30000000 seconds
ADVANCED SETTINGS:
Phase 1:
Operation mode : Main mode
Username: <blank>
Proposal:
Encryption: 3DES
Authentication :MD5
Group: 768-bit
Key Lifetime: 30000000 seconds
Phase 2:
Proposal :
Encryption: 3DES
Authentication: MD5
PFS: ON
Group: 768-bit
Key Lifetime: 30000000 seconds
Other Settings:
Keep-Alive: <checked>

R3 SETTINGS are the same as R2 EXCEPT for the subnet:
---------------------
Tunnel Name: VP2
Local Secure Group: (Subnet)
IP: 192.168.101.0
Mask: 255.255.255.0

    Re: Linksys BEFVP41 with concurrent tunnels  
Claeton
06-08-06 12:12 PM


Claeton wrote:
> I am using three BEFVP41 routers for site-to-site LAN connections over
> VPN.  Two routers connect remote sites with dynamic IP addresses to a
> main site with a static IP address.  The connections are initiated by ....

Though the tunnels have different subnets, all the other parameters are
the same.  Making the Pre-Shared Keys different for each tunnel, caused
the router to match the incoming connection request to the tunnel on
the correct subnet.  This solved the problem and I am now able to get
several VPN tunnels connected concurrently.

Claeton
    Re: Linksys BEFVP41 with concurrent tunnels  
Simon
06-10-06 12:13 AM

Claeton wrote:
> I am using three BEFVP41 routers for site-to-site LAN connections over
> VPN.  Two routers connect remote sites with dynamic IP addresses to a
> main site with a static IP address.  The connections are initiated by ....
>
Hi,
As a horrid bodge, how about dynamic DNS names?
simon
    Re: Linksys BEFVP41 with concurrent tunnels  
Claeton
06-14-06 06:13 AM


Good thought.  The configuration already uses dynamic DNS names.  The
router can't distinguish between tunnels solely by subnet in this case
when trying to decide which tunnel matches the incoming request.  So,
by making the pre-shared keys different, that rules out all but the one
(the correct one) that has the same key.
> Hi,
> As a horrid bodge how about dynamic dns names ?
> simon
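The matching behaviour the thread settles on can be shown at the protocol level. The following is an added example, not code from the original posts and not the BEFVP41's firmware: a simplified model of IKEv1 main-mode pre-shared-key authentication (RFC 2409) on the responder. It takes R1's two tunnel definitions from the first post (VP1 and VP2, both with Remote Security Gateway "Any" and the same key) and shows that, because the initiator's identity and HASH_I only become readable once a key has been chosen, a responder that accepts any peer address can only try each candidate tunnel's key against HASH_I. With one shared key every candidate verifies and the choice is undetermined; with one key per tunnel exactly one verifies, which is what the follow-up post reports. The per-site keys, the peer address 203.0.113.7, the peer ID "R3" and the random stand-ins for the Diffie-Hellman values are all assumed for the illustration.

```python
"""Simplified model of IKEv1 main-mode PSK authentication on the responder.

Constructed for illustration only: the g^x values are random bytes, the
proposal bytes are a placeholder, and only the fields that matter for
choosing a tunnel are modelled. This is not the BEFVP41's implementation.
"""
import hashlib
import hmac
import ipaddress
import secrets


def prf(key: bytes, data: bytes) -> bytes:
    """The IKEv1 prf for the HMAC-MD5 proposal used in the post (RFC 2409 s.4)."""
    return hmac.new(key, data, hashlib.md5).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """SKEYID for pre-shared-key authentication: prf(PSK, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


def hash_i(skeyid: bytes, ex: dict) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, ex["gxi"] + ex["gxr"] + ex["cki"] + ex["ckr"]
               + ex["sai_b"] + ex["idii_b"])


def initiator_exchange(psk: bytes, idii_b: bytes) -> dict:
    """Values of one main-mode exchange plus the initiator's HASH_I.

    In real main mode IDii and HASH_I arrive in message 5 encrypted under keys
    derived from SKEYID, so the responder has to pick a PSK before it can read
    them. The model keeps them in the clear; the matching logic is the same.
    The responder's own contributions (CKY-R, Nr, g^xr) are generated here too
    so that both sides see one consistent exchange.
    """
    ex = {
        "cki": secrets.token_bytes(8), "ckr": secrets.token_bytes(8),
        "ni": secrets.token_bytes(16), "nr": secrets.token_bytes(16),
        "gxi": secrets.token_bytes(96), "gxr": secrets.token_bytes(96),  # stand-ins for 768-bit g^x
        "sai_b": b"3DES-MD5-GROUP1",  # placeholder for the SA proposal bytes
        "idii_b": idii_b,
    }
    ex["hash_i"] = hash_i(skeyid_psk(psk, ex["ni"], ex["nr"]), ex)
    return ex


def candidate_tunnels(tunnels: dict, peer_ip: str) -> list:
    """Phase 1 begins with only the peer's source address known, so the
    responder can narrow by Remote Security Gateway and nothing else."""
    return [name for name, t in tunnels.items()
            if t["remote_gateway"] == "any" or t["remote_gateway"] == peer_ip]


def select_tunnel(tunnels: dict, peer_ip: str, ex: dict) -> list:
    """Try every candidate's PSK against the received HASH_I and return the
    names that verify. One hit is a match; several means Phase 1 alone cannot
    tell the tunnels apart; none means the peer holds no configured key."""
    hits = []
    for name in candidate_tunnels(tunnels, peer_ip):
        skeyid = skeyid_psk(tunnels[name]["psk"], ex["ni"], ex["nr"])
        if hmac.compare_digest(hash_i(skeyid, ex), ex["hash_i"]):
            hits.append(name)
    return hits


def phase2_selector_ok(tunnel: dict, proposed_remote: str) -> bool:
    """The remote subnet, the one field that differs between VP1 and VP2, is
    only carried in quick mode (IDci/IDcr), after Phase 1 has finished."""
    return ipaddress.ip_network(proposed_remote) == ipaddress.ip_network(tunnel["remote_subnet"])


# Modelled on R1's two tunnel definitions from the post: same PSK, any gateway.
R1_SHARED_PSK = {
    "VP1": {"remote_subnet": "192.168.100.0/24", "remote_gateway": "any", "psk": b"abcdef"},
    "VP2": {"remote_subnet": "192.168.101.0/24", "remote_gateway": "any", "psk": b"abcdef"},
}
# The fix from the follow-up post: one PSK per tunnel (key values are assumed).
R1_DISTINCT_PSK = {
    "VP1": {"remote_subnet": "192.168.100.0/24", "remote_gateway": "any", "psk": b"site100-key"},
    "VP2": {"remote_subnet": "192.168.101.0/24", "remote_gateway": "any", "psk": b"site101-key"},
}


def demo(tunnels: dict, peer_psk: bytes, peer_id: bytes = b"R3") -> list:
    """A remote router at an assumed dynamic address authenticates to R1."""
    return select_tunnel(tunnels, "203.0.113.7", initiator_exchange(peer_psk, peer_id))


if __name__ == "__main__":
    print("shared key, R3 connects  ->", demo(R1_SHARED_PSK, b"abcdef"))       # ['VP1', 'VP2']
    print("per-site key, R3 connects->", demo(R1_DISTINCT_PSK, b"site101-key"))  # ['VP2']
    print("per-site key, wrong key  ->", demo(R1_DISTINCT_PSK, b"abcdef"))       # []
```

Besides matching, the per-tunnel key narrows who can bring up which tunnel: with one key shared across every "Any" definition, any holder of that key can negotiate either tunnel, whereas a per-site key limits each remote router to its own definition. The model uses HMAC-MD5 only because that is the proposal in the post; the selection argument does not depend on the hash, and `hmac.compare_digest` is used so that the trial verifications run in constant time.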