centralcity

Need help establishing VPN Tunnel with Linksys, can't ping nor see remote computers

I'm trying to establish a VPN tunnel with 2 Linksys VPN DSL routers to connect two workgroups. I followed Linksys' directions, setting up each workgroup with a different IP setup, one at 192.168.1.0 and the other at 192.168.2.0. Once I make the settings in the Linksys control panels, and click the "connect" button, I get a connection. But then I cannot see the computers on the other end of the connection and I cannot successfully ping either the other computers or the other router. I've disabled the firewall in Linksys and have no software firewalls on any of the computers. Both workgroups are named "workgroup", all computers are running Windows XP Pro and have all the latest updates. Both groups are connected to the internet with DSL.
infotrader

Have you tried establishing a two-way VPN tunnel?  Basically establish a VPN tunnel from RouterA to RouterB, and another one from RouterB to RouterA?

I am thinking that perhaps your request did go through, but it cannot find the proper route to come back to you.  If you cannot create a two-way VPN tunnel, perhaps you should try to find out what virtual IP address RouterB is assigning to RouterA, and add a static route to route all traffic going to the 192.168.1.0 subnet to the virtual IP address of RouterA.

- Info
ASKER

I set up a two way tunnel just as described in the following Linksys KB article:

http://www.linksys.com/support/top10faqs/BEFSX41/Setting%20up%20a%20VPN%20tunnel%20between%20two%20BEFSX41%20routers.asp

Once I did that, I clicked on the connect button and got indication that both were connected.
As I understand it, that's all I should have to do. At that point, I should be able to see the computers on the remote network, but I can't. And I can't ping the opposite router or computers connected to it.

As an aside, I'm remotely controlling one of the remote computers with pcAnywhere so I can view and control both networks from one location, so I know I'm getting through the internet on the pcAnywhere.

Don't understand the question about the virtual ip address.
So connected appears on both routers? Can you do an ipconfig from the computer and post the results here?
Here are the results of my ipconfig:

C:\>ipconfig

Windows IP Configuration
Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : dsl-verizon.net
        IP Address. . . . . . . . . . . . : 192.168.2.100
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.2.1

C:\>

Can you still get to the internet? I.E. ping www.cisco.com ? If you followed the directions on the link to the letter then only 192.168.2.7 will be able to use the tunnel. I do not know if you changed it to the whole subnet or just followed the directions. You might want to check that or post the config from router2
I'm on the internet without problem. I've tried configuring the routers in both configurations: (1) set 192.168.x.0 so all computers on the workgroup should be able to use the tunnel and (2) 192.168.x.xx, where xx is a specific computer, so that only one computer on each end could access the tunnel. Cannot connect in either configuration.

Am I correct in my assumption that I should not have to configure anything on the individual computers?

BTW, Linksys has given me no help on this one, even though I've talked to four different techs.
Not surprising with them. No, this should be a simple router-to-router tunnel. The routers will handle all the authentication, routing, etc. It should be set 192.168.2.x so that all the subnet can enter, not 192.168.x.0; was this a typo?
Here's what I was trying to say:

Local group:  Linksys IP 192.168.2.1

VPN Settings:  Local Secure Group:  192.168.2.0
Remote Secure Group:   192.168.1.0


Remote group:  Linksys IP:  192.168.1.1

VPN Settings:  Local Secure Group: 192.168.1.0
Remote secure group: 192.168.2.0

I show connected on the Linksys VPN page.
Do me a favor and do a router print from the workstation and post the results.
Trying to figure out how to do that. If I do an Alt-PrintScrn, I can't paste the result here. If I highlight and paste, it does not paste the data contained within the boxes. I have jpgs of both router pages, but don't know how to get them to you.

Thanks for bearing with me.
No problem. For the route print you can run route print >file.txt; this will pipe it to the text file, and from there you can use Notepad to copy and paste.
Hope this is ok, didn't set it up too nice, though. It doesn't show status of radio buttons, but they're all Enabled.
Firmware Versi

Broadband Firewall Router, Security > VPN page

VPN Passthrough
  IPSec Pass-Through:      Enabled
  PPPoE Pass-Through:      Enabled
  PPTP Pass-Through:       Enabled

VPN Tunnel
  Select Tunnel Entry:     Tunnel 1 (Ruffoni)
  VPN Tunnel:              Enabled
  Tunnel Name:             Ruffoni

Local Secure Group:        Subnet
  IP:                      192.168.2.0
  Mask:                    255.255.255.0

Remote Secure Group:       Subnet
  IP:                      192.168.1.0
  Mask:                    255.255.255.0

Remote Security Gateway:   FQDN
  Fully-Qualified Domain:  ruffmaytag.dyndns.or

Encryption:                Disable
Authentication:            Disable

Key Management:            Auto. (IKE)
  PFS:                     Enabled
  Pre-shared Key:          1235
  Key Lifetime:            3600 Sec.

Status:                    Connected
firmware needs to be 1.45.3 or later, I could not make out which version you are running. This setup all looks good.
What is the actual error message on the ping does it just time out or do you get an error message?
The BEFSX41 (here) has firmware 1.50.9
The BEFVP41 V2 (remote) has firmware 1.00.12
According to Linksys support site, both are the latest.

When I try a ping, either through Linksys Diagnostic screen or from my computer in a command window, I just get time out.
Tried pinging both the remote router and the computers on the other end.

Don't remember if I mentioned it or not, but I can set up both routers to pass through, then set up a VPN server on a computer on the other end and a client on this end and get through ok. But I need the routers for multiples, as well as for security. (I'm also accessing the remote computer with pcAnywhere, so I know it's possible to communicate, just can't do it through the Linksys tunnel.)
Well after eliminating all the obvious let's look at some of the more obscure things. Did you manage to get a route print? Though if the router is not able to ping then I do not think it is with the individual workstations. Any manual routes added to the router? What kind of dsl modems are you using?
If you do a tracrt to 192.168.2.1 where does it hang?
Didn't understand your route print before. Here are the results of it:

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 07 e9 64 e9 a2 ...... Intel(R) PRO/1000 CT Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1   192.168.2.100        20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
      192.168.2.0    255.255.255.0    192.168.2.100   192.168.2.100        20
    192.168.2.100  255.255.255.255        127.0.0.1       127.0.0.1        20
    192.168.2.255  255.255.255.255    192.168.2.100   192.168.2.100        20
        224.0.0.0        240.0.0.0    192.168.2.100   192.168.2.100        20
  255.255.255.255  255.255.255.255    192.168.2.100   192.168.2.100        1
Default Gateway:       192.168.2.1
===========================================================================
Persistent Routes:
  None


If I do a tracrt I get "tracrt is not recognized as internal or external command."

Locally I have a Fujitsu modem with 768/128 service thru Verizon
The remote has a Westel modem with 384/384 service thru verizon.
try tracert instead of "tracrt" :-)

- Info
Here's the results of the tracert. 192.168.2.1 is my local router, 192.168.1.1 is the remote router
C:\DOCUME~1\EDJONE~1>tracert 192.168.2.1
Tracing route to 192.168.2.1 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.2.1
Trace complete.
C:\>tracert 192.168.1.1
Tracing route to 192.168.1.1 over a maximum of 30 hops
  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *     ^C
C:\>
And several emails, telephone calls and online conversations with numerous Linksys support personnel did not get me there!

I'll get to the remote location, change the BEFVP41 and let you know the results.
Thanks, it seems the Linksys support has gone downhill.
I replaced the BEFVP41 with another BEFSX41. Same result. Called Linksys tech support. Said that that document was out of date and the BEFVP41 does work ok. Didn't have an answer for not being able to ping other than "it may be taking too much time to get all the way through". Said that since I was connected, "Linksys is providing the tunnel and that's all I can do". He recommended disabling the firewall on the routers (already done), allowing anon. internet requests (already done), and setting MTU to 1403. I did that and it did not help.

He did say unofficially that I needed both to have "NetBIOS over TCP/IP" enabled, which I had already done, and that I should install UPnP through Control Panel, Add/Remove Programs, Windows Setup, Networking Services. I did that but it didn't help.

Right now, I'm at my wits end!!!!
Ok, you have encryption disabled on the routers? No vpn client software on the computers and no personal firewalls on the computers? How familiar are you with perfmon? There is an icmp monitoring counter you can add and watch to see if it sends receives ping replies.
I have encryption and authentication disabled. Using a preshared key with PFS enabled under "Key management". No vpn client software on any computer, no personal firewalls.
I'm not familiar with perfmon and don't have an icmp monitoring counter that I know of.

(It seemed to need the PFS enabled in order to connect. I disabled it and couldn't connect, when I reenabled it it connected immediately)
Try adding this with a

route -p 192.168.1.0    255.255.255.0    192.168.2.191   192.168.2.100  
let me know if this works
When I did it, it just returned the instructions for route. Should it be "route add -p ..........."? What's the purpose of the 192.168.2.191?
Yes route add -p it is giving it a route to the other network.
I get a "bad argument 192.168.2.191"
Sorry one more time it should read
route -p add 192.168.1.0 255.255.255.0 192.168.2.1 192.168.2.100
have not had my morning coffee yet :(
C:\DOCUME~1\EDJONE~1>route add 192.168.1.0 255.255.255.0 192.168.2.1 192.168.2.100
ROUTE: bad argument 192.168.2.1
ASKER CERTIFIED SOLUTION
ewtaylor

You still with me?
been really busy with some other stuff. will get back to you soon. Thanks for bearing with me
EW, could you contact me directly at central.city-at-gte.net? I'd appreciate it. Thanks
If you click on my name it gives you my email address in my profile.