Welcome to Mike McArthur's Tome of Ultimate Wisdom
Friday, September 03 2010 @ 01:10 PM MST

The VPN Follies (Part 1) -- Terminating VPN Connections with Linux and other Stuff -- Introduction

It all started when Zoot (who asked to be identified by his nickname, in order to avoid further embarrassment) got his hands on a LinkSys BEFVP41 router that claimed to support "up to 70 IPSEC VPN tunnels." Not mere "VPN pass-through," mind you (even the el-cheapo Belkin routers do that), but terminating actual VPN connections.

Of course, any geek who has a toy like that is going to be like a little kid dragging a tin can on a string through the neighborhood, looking for someone to hold the can on the other end. Naturally, I volunteered.

Follow the "read more" link to read about bringing up IPSEC VPN tunnels between LinkSys routers, Linux, hacked-up LinkSys routers, and Cisco routers.

Zoot's New Toy -- The LinkSys BEFVP41

The BEFVP41 is LinkSys's top-of-the-line VPN router. It has a crypto coprocessor that lets it handle 50 simultaneous VPN tunnels (apparently 70 tunnels can be configured, with 50 of them in use at any one time). This is the kind of router one would install at a main office or data center to terminate VPN traffic from remote sites and/or a mobile sales force.

LinkSys also makes the BEFSX41 Wired router and the WRV54G Wireless router which are each capable of terminating 2 VPN tunnels, and are a good choice for branch offices and home offices that need to connect to a VPN hosted by a central site.

From the screenshots he sent me, it looks like the LinkSys router has a very straightforward GUI configuration interface, one of the easiest-to-use VPN configuration tools I have ever seen.

The router also has some very forgiving default settings. If the user selects 3DES encryption and MD5 authentication, the router will also accept 3DES/SHA1 and DES/MD5. This reduces the chance that a tunnel fails to come up because of a mismatch in the proposals on each end. The flip side is that the router will happily settle on single DES (a 56-bit key, far weaker than 3DES) if the peer proposes it, so a mismatch you would rather have noticed can quietly succeed with the weaker cipher instead of failing.

Setting up a VPN connection between a pair of these routers should be a simple matter of configuring the routers on each end with identical settings and pointing them at each other. The real beauty of IPSEC, though, is that it is a widely supported standard, so a wide variety of devices are (at least in theory) able to talk to each other.


Road Warrior Configuration

Since I didn't (and still don't) have an identical VPN-supported-from-the-factory Linksys router like Zoot had, I decided to put this interoperability to the test. Zoot graciously configured a "road-warrior" tunnel (that allows connections from any IP address) with Pre-Shared-Key authentication for me to use. He also put a simple webserver running muLinux behind his router for me to use to test connectivity.

For future reference, here is the configuration we used on the LinkSys BEFVP41:



WAN IP address:  64.144.47.23 (Public IP address of the LinkSys*)
*names and IP addresses changed to protect the guilty.

Tunnel 1 (test_tunnel)
  Tunnel Name: test_tunnel
  Local Secure Group: 192.168.50.50   (this is the IP address of Zoot's server) 
  Remote Secure Group: Any
  Remote Security Gateway: Any
  Encryption: 3DES
  Authentication: MD5
  Key Management: Auto (IKE)
  PFS (Perfect Forward Secrecy): Enabled
  Pre-Shared-Key: "testVPN"
  Key Lifetime: 3600 seconds
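The page does not show the other end of this tunnel, so here, as an added example (not Zoot's or the author's own configuration), is what the matching road-warrior end looks like with the ipsec-tools racoon daemon that the Linux 2.6 distributions mentioned in this series shipped with. Everything not in the LinkSys table above is an assumption: the Linux box's own public address (10.0.0.5), the file names, and the Diffie-Hellman group, which the LinkSys screen does not display and is guessed here as group 2 (modp1024). This side offers the LinkSys exactly one proposal in each phase, so the router's tolerance for DES or SHA1 described earlier never comes into play from this end. Two things to keep in mind before copying any of it: "testVPN" is a dictionary word, and with Remote Security Gateway set to Any, every Internet host that can reach UDP port 500 on the router is allowed to attempt IKE against that key, so anything beyond an experiment wants a long random pre-shared key.

```conf
# /etc/racoon/racoon.conf on the Linux 2.6 (ipsec-tools/racoon) road-warrior side.
# Assumed: 10.0.0.5 is the Linux box's public address, modp1024 is the DH group.
path pre_shared_key "/etc/racoon/psk.txt";   # one line: "64.144.47.23 testVPN", mode 0600

# Phase 1 (IKE) towards the LinkSys WAN address.
remote 64.144.47.23 {
        exchange_mode main;              # PSK road warrior identified by its address
        my_identifier address;
        proposal_check obey;             # accept the responder's lifetime if it differs
        proposal {
                encryption_algorithm 3des;           # Encryption: 3DES
                hash_algorithm md5;                  # Authentication: MD5
                authentication_method pre_shared_key;
                dh_group modp1024;                   # assumed; not shown on the LinkSys
        }
}

# Phase 2 (IPsec SA): match the LinkSys tunnel settings exactly.
# Only one transform is offered, so DES/SHA1 fallback is never negotiated.
sainfo anonymous {
        pfs_group modp1024;              # PFS: Enabled
        lifetime time 3600 sec;          # Key Lifetime: 3600 seconds
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

# /etc/racoon/setkey.conf: SPD entries telling the kernel which traffic must
# use the tunnel. Local Secure Group on the LinkSys is the single host 192.168.50.50.
flush;
spdflush;
spdadd 10.0.0.5 192.168.50.50 any -P out ipsec esp/tunnel/10.0.0.5-64.144.47.23/require;
spdadd 192.168.50.50 10.0.0.5 any -P in  ipsec esp/tunnel/64.144.47.23-10.0.0.5/require;
```

Load the SPD with `setkey -f /etc/racoon/setkey.conf`, start racoon, and the first packet from 10.0.0.5 to 192.168.50.50 triggers the IKE exchange; racoon's log (or `setkey -D`) shows whether the resulting SA is actually 3DES/HMAC-MD5, which is the check worth making on any gateway that is willing to negotiate down.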

Let the Fun Begin!

Over the next few months, I attempted to connect to his router with various VPN clients, including:

  • Linux 2.6.x -- such as Mandrake 10 and Fedora Core 3
  • Linux 2.4.x -- in my case I used a LinkSys WRT54G running OpenWRT
  • And a Cisco router, just for the heck of it

It is about darn time I wrote down the results of our experiments and shared them with the world. Watch for more articles in the VPN Follies series for all the gory details.

P.S. I also made a half-hearted attempt to connect to the VPN using Windows XP. LinkSys has a Windows 2000/XP VPN HowTo on their support site. So far, I have been unsuccessful, either because Windows hates me, or because there is a work-related VPN client already installed on my XP machine that I am reluctant to remove.
