VPN Setup - LinkSys BEFSX41 Configuration

The following steps have worked reliably for me to configure both a host-to-network and a network-to-network VPN connection between a laptop running Mac OS X 10.3.3 and a LinkSys BEFSX41 running firmware version 1.44.7 dated Jan 09, 2003. The following screenshots detail the LinkSys side. There is another page that details the corresponding Mac OS X setup using IPSecuritas.

Where applicable, clicking on the graphics below will traverse to the corresponding IPSecuritas configuration section.

If you have additional information or comments let me know and I'll update this information, as appropriate. FYI, the IP and MAC addresses in the following graphics have been altered, for security reasons.

In our case the LinkSys is attached to a broadband connection device and receives its address via DHCP, though the Main Office connection is always delivered a static address.

Setup

The following graphic details the firmware version we are using. In writing this material, I see that version 1.50.18, dated 30-Apr-2004, is now available. I have not had time to try this version. After the complete failure of VPN when I attempted to use version 1.45.3, I'm not too anxious to try any new versions until I hear of some other successes.

Status

The following two graphics detail the setup that supports a dial-in connection. This setting is both the most flexible and the least secure because it allows a VPN connection to be established from any IP address and to connect to a subnet of any address. However, this flexibility allows connections from varied dial-up addresses.

Obviously it is important that the "Pre-shared Key:" entry be the same as the one entered for the "Preshared Secret" via the IPSecuritas Id/Auth panel.

Note that there are performance implications for different "Encryption:" and "Authentication:" settings. Prior to putting our first pair of LinkSys units into service, I ran some LinkSys VPN performance measurements to determine which settings I would use.

VPN

The following settings are accessed via the "Advanced Setting" button (see above graphic). If you don't require NetBIOS across the VPN connection, you might want to turn off the "NetBIOS broadcast" option.

Also, if the LinkSys is the unit that's responsible for initiating the connection and you want the connection to be constantly available, you should turn on the "Keep-Alive" option. We use this feature to keep a branch office connected to the main office (using 2 LinkSys units). In addition to the "Keep-Alive" setting, we have a cron entry that regularly pings a system on the main office's network. We find that without this prodding, the keep-alive doesn't always do the job.

VPN Advanced
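
The cron-driven ping described above, sketched as an added example that is not part of the original page or the author's own script. The peer address, state-file path, threshold and script path are assumptions; besides generating the traffic that prods the tunnel, it logs to syslog when the tunnel stops answering so that a dropped connection is noticed.

```shell
#!/bin/sh
# Added example: keep-alive probe run from cron on a machine behind the
# branch-office LinkSys. All values below are placeholders, not the author's.
PEER="${PEER:-192.168.1.10}"          # hypothetical host on the main office LAN
STATE="${STATE:-${HOME:-/var/run}/.vpn-keepalive.fails}"  # consecutive misses
THRESHOLD="${THRESHOLD:-3}"           # misses before an alert is logged

# Send a few echo requests through the tunnel; this traffic is the "prodding".
probe() {
    ping -c 3 -q "$PEER" >/dev/null 2>&1
}

# Update the miss counter from a probe exit status and print the new state:
# "up", "recovered", "down N" or "alert N" (alert is printed once, at THRESHOLD).
record() {
    fails=0
    [ -f "$STATE" ] && fails=$(cat "$STATE")
    if [ "$1" -eq 0 ]; then
        echo 0 > "$STATE"
        if [ "$fails" -ge "$THRESHOLD" ]; then echo "recovered"; else echo "up"; fi
        return 0
    fi
    fails=$((fails + 1))
    echo "$fails" > "$STATE"
    if [ "$fails" -eq "$THRESHOLD" ]; then echo "alert $fails"; else echo "down $fails"; fi
}

# One cron run: probe, record, and send only state changes to syslog.
keepalive() {
    if probe; then rc=0; else rc=1; fi
    state=$(record "$rc")
    case "$state" in
        alert*|recovered) logger -t vpn-keepalive "tunnel to $PEER: $state" ;;
    esac
    echo "$state"
}

# Run only when invoked as the cron script, e.g. every 5 minutes:
#   */5 * * * * /usr/local/bin/vpn-keepalive.sh run
if [ "${1:-}" = "run" ]; then keepalive >/dev/null; fi
```

Keeping the state file outside a world-writable directory such as /tmp avoids another local user pre-creating it when the job runs as root.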

The following graphic just shows the other tunnel's settings that we use for our purposes ... i.e., we have one tunnel [Tunnel 2 (From Dial-Up)] used for dial-in connections from "anywhere" and one tunnel [Tunnel 1(From Dev Office)] used constantly to connect a branch office to the main office. Since the main office has a fixed IP address and the branch office has a varying IP address, the branch office is the side to initiate the connection and comes in as a specific fixed (private) subnet address. This works relatively reliably, as long as you don't invoke any of the multiple LinkSys problems/bugs.

VPN From Dev Office

For completeness, the following screen details the VPN setup of the branch office's unit.

VPN To Main Office

When both tunnels are active, this is how the connections are reported via the LinkSys.

VPN Summary

Proceed to the VPN Overview

Proceed to the instructions for setting up the Mac side using IPSecuritas

Review some LinkSys performance measurements

Review some comments on LinkSys issues and suggestions

©2003-2008 Derman Enterprises Inc., All Rights Reserved