In article , Leythos wrote:
:Get a router that does IPSec tunnels, the Linksys BEFVP41 and the BEFSX41
:does site-to-site VPN, even with dynamic addresses on one end.

Data points:
I recently started testing both BEFVP41 and BEFSX41. The BEFSX41 user interface has more layers and makes it harder to find important settings than the BEFVP41; the BEFSX41 also has the option to view the IPSec negotiation log greyed out, so it's not a good choice until the connection is already debugged.
The BEFSX41 is aggressive about making the IPSec connections -- it connects as soon as you save the settings, and it automatically reconnects if power is lost. And under the PPPoE setting, there is a timeout available, implying that it will do "demand connections" upon seeing traffic. This is good for unattended lan-to-lan use.
The BEFVP41 has explicit 'Connect' buttons; I haven't tested it enough yet to see if it will automatically reconnect; I think I observed that it did not in some cases, but that night was a pretty late night and I should retest with possibilities such as telling it to save the settings -while- the link is connected.
With the BEFSX41, I observed a few times that my active TCP connection (i.e., one I was typing into at the time) would hang and not come back, but existing connections in my other windows were entirely unaffected. I had a look at my PIX logs and noticed that at the time of the freeze, the relevant Security Associations were deleted; I haven't checked into this in detail. It is something that I -never- observed in a few years of using a PIX in the same position. And I can't think of any good reason why an individual TCP connection would be affected.
With the BEFVP41 I have not observed the same freezing behaviour, but I have not tested the BEFVP41 for the same length of time.
Whether the BEFSX41 freeze is a minor annoyance or something unacceptable would depend on individual preference and on the application.
Both the BEFVP41 and BEFSX41 had no difficulties in connecting to a remote PIX configured with an appropriate "isakmp key" and "crypto dynamic map" -- i.e., a standard fully-specified pre-shared-key IPSec connection. I have not made any attempt to connect to a PIX set up to expect Cisco's EzVPN negotiations, and I did not happen to look at the connection logs to see whether either device would be recognized by the PIX as a "Unity client".