Linksys BEFVP41 with concurrent tunnels

I am using three BEFVP41 routers for site-to-site LAN connections over VPN. Two routers connect remote sites with dynamic IP addresses to a main site with a static IP address. The connections are initiated by traffic originating at the remote sites. With one site connected, the tunnel comes up (and stays up) automatically. But the second site does not connect. The main router's tunnels are configured to accept connections from ANY Remote Security Gateway. When the main router's tunnels are changed to only accept connections from a specific domain name or a specific IP address, the VPN connections come right up. But since these remote sites are on dynamic IP addresses, that is not a permanent solution. My guess is that, since the only difference between the two tunnels is the subnet, once a connection is made, the main router does not know how to match the second connection request to a tunnel definition. Any ideas on how to change this configuration to solve this problem? Details are below. Thanks in advance, Claeton

Name, IP Address, Location
--------------------------
R1, static, main site
R2, dynamic, remote site
R3, dynamic, remote site

R1 SETTINGS

-----------
VPN Tunnel: Enabled
Tunnel Name: VP1
Local Secure Group: (Subnet) IP: 192.168.200.0 Mask: 255.255.255.0
Remote Secure Group: Subnet IP: 192.168.100.0 Mask: 255.255.255.0
Remote Security Gateway: Any
Encryption: 3DES
Authentication: MD5
Key Management: Auto. (IKE)
PFS: Enabled
Pre-shared Key: abcdef
Key Lifetime: 30000000 seconds

ADVANCED SETTINGS:
Phase 1:
  Operation mode: Main mode
  Username:
  Proposal: Encryption: 3DES, Authentication: MD5, Group: 768-bit, Key Lifetime: 30000000 seconds
Phase 2:
  Proposal: Encryption: 3DES, Authentication: MD5, PFS: ON, Group: 768-bit, Key Lifetime: 30000000 seconds

The second tunnel is the same as the first except for the remote subnet:
Tunnel Name: VP2
Remote Secure Group: Subnet IP: 192.168.101.0 Mask: 255.255.255.0

R2's and R3's VPN settings are *exactly* the same, except that they have different Local Secure Group subnets.

R2 SETTINGS

-----------
VPN Tunnel: Enabled
Tunnel Name: VP1
Local Secure Group: (Subnet) IP: 192.168.100.0 Mask: 255.255.255.0
Remote Secure Group: IP Addr IP: 192.168.200.0 Mask: 255.255.255.0
Remote Security Gateway: FQDN mydomain.net
Encryption: 3DES
Authentication: MD5
Key Management: Auto. (IKE)
PFS: Enabled
Pre-shared Key: abcdef
Key Lifetime: 30000000 seconds

ADVANCED SETTINGS:
Phase 1:
  Operation mode: Main mode
  Username:
  Proposal: Encryption: 3DES, Authentication: MD5, Group: 768-bit, Key Lifetime: 30000000 seconds
Phase 2:
  Proposal: Encryption: 3DES, Authentication: MD5, PFS: ON, Group: 768-bit, Key Lifetime: 30000000 seconds

Other Settings:
  Keep-Alive:

R3 SETTINGS are the same as R2 EXCEPT for the subnet:

---------------------
Tunnel Name: VP2
Local Secure Group: (Subnet) IP: 192.168.101.0 Mask: 255.255.255.0


Though the tunnels have different subnets, all the other parameters are the same. Making the Pre-Shared Keys different for each tunnel caused the router to match the incoming connection request to the tunnel on the correct subnet. This solved the problem and I am now able to get several VPN tunnels connected concurrently.

Claeton


Hi, As a horrid bodge, how about dynamic DNS names? simon


Good thought. The configuration already uses dynamic DNS names. The router can't distinguish between tunnels solely by subnet in this case when trying to decide which tunnel matches the incoming request. So, by making the pre-shared keys different, that rules out all but the one (the correct one) that has the same key.

Claeton
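The mechanism Claeton describes in the two replies above (a responder with "Any" as the Remote Security Gateway cannot tell two otherwise identical tunnel definitions apart until the pre-shared keys differ) can be modelled as an IKEv1 main-mode responder that has to pick a tunnel definition before it has seen the peer's identity. The simulation below is an added example and is not code from the thread or from Linksys firmware. The key derivation follows RFC 2409 (SKEYID = prf(PSK, Ni | Nr); HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)) with HMAC-MD5 as the prf because the posted proposals use MD5; Diffie-Hellman values, nonces and cookies are random placeholders; the peer addresses are constructed from documentation ranges; and the rule "filter by gateway, keep the definitions whose PSK verifies HASH_I, take the first survivor" is an assumption that reproduces the symptom in the thread, not documented vendor behaviour. In a real exchange message 5 is encrypted under keys derived from SKEYID, so a wrong PSK shows up as undecryptable garbage rather than a clean HASH_I mismatch; the selection logic is the same. Note also that 3DES, MD5 and the 768-bit DH group in the posted settings are obsolete by current standards and would not be chosen for a new deployment.

```python
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Tunnel:
    name: str
    local_subnet: str     # Local Secure Group
    remote_subnet: str    # Remote Secure Group
    remote_gateway: str   # Remote Security Gateway: "any" or one address
    psk: bytes            # Pre-shared Key


@dataclass(frozen=True)
class Msg5:
    """State the responder holds when main-mode message 5 (ID + HASH_I) arrives."""
    peer_addr: str
    ni: bytes
    nr: bytes
    gxi: bytes
    gxr: bytes
    cky_i: bytes
    cky_r: bytes
    sa_b: bytes
    id_i: bytes
    hash_i: bytes


def prf(key: bytes, data: bytes) -> bytes:
    # HMAC-MD5: the IKEv1 prf for a proposal authenticated with MD5 (RFC 2409).
    return hmac.new(key, data, hashlib.md5).digest()


def compute_hash_i(psk: bytes, m: Msg5) -> bytes:
    skeyid = prf(psk, m.ni + m.nr)   # PSK authentication: SKEYID depends on the key
    return prf(skeyid, m.gxi + m.gxr + m.cky_i + m.cky_r + m.sa_b + m.id_i)


def initiator_msg5(psk: bytes, peer_addr: str, id_i: bytes) -> Msg5:
    """Simulate messages 1-5 from a remote router. DH values, nonces and
    cookies are random placeholders (constructed, not a real exchange)."""
    parts = dict(ni=os.urandom(16), nr=os.urandom(16), gxi=os.urandom(96),
                 gxr=os.urandom(96), cky_i=os.urandom(8), cky_r=os.urandom(8),
                 sa_b=b"3DES-MD5-PSK-GROUP1")
    probe = Msg5(peer_addr=peer_addr, id_i=id_i, hash_i=b"", **parts)
    return Msg5(peer_addr=peer_addr, id_i=id_i,
                hash_i=compute_hash_i(psk, probe), **parts)


def phase1_candidates(tunnels: List[Tunnel], m: Msg5) -> List[Tunnel]:
    """Definitions whose gateway setting admits this peer AND whose PSK verifies."""
    admitted = [t for t in tunnels if t.remote_gateway in ("any", m.peer_addr)]
    admitted.sort(key=lambda t: t.remote_gateway == "any")  # specific before wildcard
    return [t for t in admitted
            if hmac.compare_digest(compute_hash_i(t.psk, m), m.hash_i)]


def quick_mode_ok(t: Tunnel, proposed_local: str, proposed_remote: str) -> bool:
    """Phase 2: the initiator's selectors must mirror the chosen definition."""
    return (ipaddress.ip_network(proposed_remote) == ipaddress.ip_network(t.local_subnet)
            and ipaddress.ip_network(proposed_local) == ipaddress.ip_network(t.remote_subnet))


def negotiate(tunnels: List[Tunnel], psk: bytes, peer_addr: str,
              local_subnet: str, remote_subnet: str) -> Optional[str]:
    """Run one remote site's handshake against the main router's definitions.
    Returns the tunnel name that ends up carrying the SA, or None on failure."""
    m = initiator_msg5(psk, peer_addr, id_i=peer_addr.encode())
    cands = phase1_candidates(tunnels, m)
    if not cands:
        return None
    chosen = cands[0]   # assumption: first verified definition wins
    return chosen.name if quick_mode_ok(chosen, local_subnet, remote_subnet) else None


def demo(shared_psk: bool):
    """R2 and R3 (constructed addresses) connect to R1's VP1/VP2 definitions."""
    k1 = b"abcdef"
    k2 = b"abcdef" if shared_psk else b"uvwxyz"
    r1 = [Tunnel("VP1", "192.168.200.0/24", "192.168.100.0/24", "any", k1),
          Tunnel("VP2", "192.168.200.0/24", "192.168.101.0/24", "any", k2)]
    r2 = negotiate(r1, k1, "203.0.113.10", "192.168.100.0/24", "192.168.200.0/24")
    r3 = negotiate(r1, k2, "198.51.100.20", "192.168.101.0/24", "192.168.200.0/24")
    return r2, r3


if __name__ == "__main__":
    print("same PSK on both tunnels:", demo(shared_psk=True))
    print("distinct PSKs:           ", demo(shared_psk=False))
```

With the same key on both definitions R3's connection verifies against VP1 as well as VP2, the responder settles on VP1, and quick mode then fails because R3 proposes 192.168.101.0/24 where VP1 expects 192.168.100.0/24; with distinct keys only VP2 verifies, which is the behaviour the thread reports.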

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.