VPN IPSec not working with Linksys WRV54G, but worked with BEFSR41

I've been using a Linksys BEFSR41 router to connect multiple computers to my cablemodem.  One computer connects to my office network through a NetScreen VPN (Computer->NetScreen->Linksys->...).  This has been working fine.  However, my wife needs to connect her work laptop to her office network through a software (SonicWall) VPN.  

With my Linksys BEFSR41 router, EITHER my computer or her computer can connect to our respective office networks, but if both of us try at the same time, we both suffer very bad packet loss (making the network effectively unusable).  I also tried the Linksys BEFW11S4V4, and got the same result.

I saw an answer to a related question here:
and from the Linksys knowledge base here:
that the BEFSR41 and BEFW11S4V4 can only handle one IPSec passthrough at once.

So, I bought the WRV54G and replaced the BEFSR41.  Everything non-VPN related is working fine.  I tried to connect one of the VPN computers at a time, but NEITHER of them worked (even separately).  I confirmed that the IPSec was enabled on the WRV54G setup.  I just can't get any VPN connection working.  

I realize that the WRV54G has lots of advanced features to actually do the VPN authentication/tunnelling.  I don't need this or want this (I don't think), since the one computer has the Netscreen hardware box, and the other computer has the SonicWall software, both already configured by our companies.  

First, I just wanted the WRV54G to do the VPN IPSec passthrough like the other router did (which I didn't think would be a problem), and second, I want to have both of them working at once.

Is it possible for the WRV54G to allow two IPSec passthrough connections at once?  Is there some type of configuration of the WRV54G that I'm missing?  Besides making sure IPsec passthrough was on, I didn't see any other relevant parameters.

By the way, on all the Linksys routers, I upgraded to the most recent firmware versions before doing any of this.  

Any suggestions?

The WRV54G will allow you multiple VPN tunnels to different locations, just not multiple tunnels to the same location.

However, the end-points should also be "nat aware" or permit nat-transparency. I know that with Cisco products as end-points, you must explicitly allow for this on the end points (VPN server devices).
Both your Netscreen end and your wife's SonicWall end would have to be configured to permit nat-traversal or nat-transparency (not sure their respective terminology).

If both your clients worked independently with the original BEFSR41, either should certainly work with the new WRV54G with just IPSEC passthrough enabled. If either one worked, then they should both work at the same time.

I've had my WRV54G for several months with absolutely no problems. I have several LAN-LAN tunnels, and can open a software client VPN connection to yet another location, and open yet another client vpn connection from my wireless laptop, all humming along at the same time.  The only thing different is that I use the Cisco VPN client exclusively...or the Linksys QuickVPN client to get back into my network from the road...

notnevel (Author) Commented:
Thanks for the info.  I didn't get a chance to play with this the last few days, but plan to take another crack at it over the weekend.

I found out from my company that their VPN does support NAT-T, so I agree it should work.  (I think the NAT-T enabled it to work with the BEFSR41, right?)

It's strange that (one at a time) either my computer or my wife's computer was able to connect to the VPN with the BEFSR41, but now neither are able to with the WRV54G.  I've looked through every page of the admin configuration, and I can't think of what could be the problem.  Besides having IPSec turned on, are there any other configuration options that could affect this?

On the VPN page (where you can turn on/off IPSec), there's a whole bunch of options below that to _create_ VPN tunnels.  I don't need to do this, do I?
I thought the IPsec should take care of this, and that the VPN tunnelling was something else.

I'll try doing a hard reset of the WRV54G and then again try connecting to just one of our VPNs.

No need to setup anything underneath the on/off IPSEC section...

Good luck!
notnevel (Author) Commented:
I made a bit of progress here.  I noticed that with my old router (the BEFSR41) that when I had both VPN connections "on" that both my company's server and my wife's company's server were sending packets to my router at port 500/UDP.  With one on at a time, the router was smart enough to know where to route the port 500 packets, but with both on, it got confused, and we both had the 50% packet loss.

It seems that with the WRV54G, by default, the IPsec will not automatically forward port 500/UDP packets anywhere.  That's why I couldn't get either to work.  The WRV54G manual under troubleshooting says "Your VPN may require port 500/UDP packets to be passed to the computer that is connecting to the IPsec server...." and then tells you how to forward the packets (under the "Internet Applications" section).  When I do this to one of the computers, I can now get one VPN (at a time) to work with the WRV54G.

However it's not clear to me how/if I can use both VPNs simultaneously if both IPSec servers required port 500/UDP packets to be forwarded to the (appropriate) VPN client.  Any ideas here?  Have you heard of IPSec servers requiring this port 500 open?  It would be great if I could use them both.

There's one other thing I might try:  My VPN uses the NetScreen hardware box, so I think I have to forward port 500/UDP to that box for it to work.  My wife's SonicWall software VPN has a configuration page that looks a lot like the VPN tunnelling config page on the WRV54G (phase 1, phase 2, aggressive mode, proposal, etc..).  I might try to bypass the SonicWall VPN software and instead set up a VPN tunnel through the WRV54G.  Unfortunately, I have to wait until Monday because I don't know what the "PreShared Key" is for the SonicWall (it was set up by the company).
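
The port 500/UDP conflict described in the comment above, as a simplified model (an added example, not part of the original thread and not the actual firmware logic of any Linksys router): it compares a static UDP/500 forward, a passthrough table keyed on the remote gateway address, and NAT-T style port translation on UDP/4500. The class names and all addresses are constructed for illustration.

```python
# Simplified model of how a NAT router picks the LAN host for a VPN gateway's reply.
IKE_PORT, NATT_PORT = 500, 4500   # IKE, and IKE/ESP-in-UDP after NAT-T

class StaticForward:
    """Manual rule: everything arriving on UDP/500 goes to one LAN host."""
    def __init__(self, target):
        self.target = target
    def outbound(self, lan_ip, sport, peer_ip):
        return sport                      # source port left as 500
    def inbound(self, peer_ip, ext_port):
        return self.target if ext_port == IKE_PORT else None

class PeerKeyed:
    """Passthrough that remembers which LAN host talks to which remote gateway."""
    def __init__(self):
        self.by_peer = {}
    def outbound(self, lan_ip, sport, peer_ip):
        self.by_peer.setdefault(peer_ip, lan_ip)   # first client owns the peer
        return sport
    def inbound(self, peer_ip, ext_port):
        return self.by_peer.get(peer_ip)

class PortTranslating:
    """Ordinary NAPT: usable when both ends float to UDP/4500 via NAT-T."""
    def __init__(self):
        self.by_port, self.next_port = {}, 40000
    def outbound(self, lan_ip, sport, peer_ip):
        ext, self.next_port = self.next_port, self.next_port + 1
        self.by_port[ext] = lan_ip        # one external port per client flow
        return ext
    def inbound(self, peer_ip, ext_port):
        return self.by_port.get(ext_port)

def reply_receivers(nat, flows, sport):
    """flows: [(lan_ip, peer_ip)] -> [(sender, host that gets the peer's reply)]."""
    sent = [(lan, peer, nat.outbound(lan, sport, peer)) for lan, peer in flows]
    return [(lan, nat.inbound(peer, ext)) for lan, peer, ext in sent]

# Constructed addresses: two LAN clients, two remote VPN gateways.
PC, LAPTOP = "192.168.1.10", "192.168.1.11"
GW_A, GW_B = "192.0.2.1", "198.51.100.1"

if __name__ == "__main__":
    two_sites = [(PC, GW_A), (LAPTOP, GW_B)]
    one_site = [(PC, GW_A), (LAPTOP, GW_A)]
    print("static forward :", reply_receivers(StaticForward(PC), two_sites, IKE_PORT))
    print("peer-keyed, 2  :", reply_receivers(PeerKeyed(), two_sites, IKE_PORT))
    print("peer-keyed, 1  :", reply_receivers(PeerKeyed(), one_site, IKE_PORT))
    print("NAT-T / 4500   :", reply_receivers(PortTranslating(), one_site, NATT_PORT))
```

In this model the static forward delivers both gateways' replies to the same host, the peer-keyed table separates clients only when they use different gateways, and per-flow port translation separates them even when the gateway is shared.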
notnevel (Author) Commented:
Well, I resolved this problem by getting my ISP to give me another dynamic IP address for $4.95 per month, and no longer trying to tunnel two VPNs through the same router.  This turned out to be the easiest solution.

I think that it might have worked to use the WRV54G instead of the SonicWall software to do the tunnelling for one of the VPNs (and IPsec via port 500/UDP for the other), but the company wouldn't give me the PreShared Key that they used to set up SonicWall on the laptop.

llmoore, thanks very much for your help.  I think I learned a few things about VPNs through this process.