VPN IPSec not working with Linksys WRV54G, but worked with BEFSR41

Posted on 2004-11-09
Last Modified: 2012-06-27
I've been using a Linksys BEFSR41 router to connect multiple computers to my cablemodem.  One computer connects to my office network through a NetScreen VPN (Computer->NetScreen->Linksys->...).  This has been working fine.  However, my wife needs to connect her work laptop to her office network through a software (SonicWall) VPN.  

With my Linksys BEFSR41 router, EITHER my computer or her computer can connect to our respective office networks, but if both of us try at the same time, we both suffer very bad packet loss (making the network effectively unusable).  I also tried the Linksys BEFW11S4V4, and got the same result.

I saw an answer to a related question here:
and from the Linksys knowledge base here:
that the BEFSR41 and BEFW11S4V4 can only handle one IPSec passthrough at once.

So, I bought the WRV54G and replaced the BEFSR41.  Everything non-VPN related is working fine.  I tried to connect one of the VPN computers at a time, but NEITHER of them worked (even separately).  I confirmed that the IPSec was enabled on the WRV54G setup.  I just can't get any VPN connection working.  

I realize that the WRV54G has lots of advanced features to actually do the VPN authentication/tunnelling.  I don't need this or want this (I don't think), since the one computer has the Netscreen hardware box, and the other computer has the SonicWall software, both already configured by our companies.  

First, I just wanted the WRV54G to do the VPN IPSec passthrough like the other router did (which I didn't think would be a problem), and second, I want to have both of them working at once.

Is it possible for the WRV54G to allow two IPSec passthrough connections at once?  Is there some type of configuration of the WRV54G that I'm missing?  Besides making sure IPsec passthrough was on, I didn't see any other relevant parameters.

By the way, on all the Linksys routers, I upgraded to the most recent firmware versions before doing any of this.  

Any suggestions?

Question by:notnevel

    Accepted Solution

    The WRV54G will allow you multiple VPN tunnels to different locations, just not multiple tunnels to the same location.

    However, the end-points should also be "nat aware" or permit nat-transparency. I know that with Cisco products as end-points, you must explicitly allow for this on the end points (VPN server devices).
    Both your Netscreen end and your wife's SonicWall end would have to be configured to permit nat-traversal or nat-transparency (not sure their respective terminology).

    If both your clients worked independently with the original BEFSR41, either should certainly work with the new WRV54G with just IPSEC passthrough enabled. If either one worked, then they should both work at the same time.

    I've had my WRV54G for several months with absolutely no problems. I have several LAN-LAN tunnels, and can open a software client VPN connection to yet another location, and open yet another client VPN connection from my wireless laptop, all humming along at the same time.  The only thing different is that I use the Cisco VPN client exclusively...or the Linksys QuickVPN client to get back into my network from the road...


    Author Comment

    Thanks for the info.  I didn't get a chance to play with this the last few days, but plan to take another crack at it over the weekend.

    I found out from my company that their VPN does support NAT-T, so I agree it should work.  (I think the NAT-T enabled it to work with the BEFSR41, right?)

    It's strange that (one at a time) either my computer or my wife's computer was able to connect to the VPN with the BEFSR41, but now neither is able to with the WRV54G.  I've looked through every page of the admin configuration, and I can't think of what could be the problem.  Besides having IPSec turned on, are there any other configuration options that could affect this?

    On the VPN page (where you can turn on/off IPSec), there's a whole bunch of options below that to _create_ VPN tunnels.  I don't need to do this, do I?
    I thought the IPsec should take care of this, and that the VPN tunnelling was something else.

    I'll try doing a hard reset of the WRV54G and then again try connecting to just one of our VPNs.

    Assisted Solution

    No need to setup anything underneath the on/off IPSEC section...

    Good luck!

    Author Comment

    I made a bit of progress here.  I noticed that with my old router (the BEFSR41) that when I had both VPN connections "on" that both my company's server and my wife's company's server were sending packets to my router at port 500/UDP.  With one on at a time, the router was smart enough to know where to route the port 500 packets, but with both on, it got confused, and we both had the 50% packet loss.

    It seems that with the WRV54G, by default, the IPsec will not automatically forward port 500/UDP packets anywhere.  That's why I couldn't get either to work.  The WRV54G manual under troubleshooting says "Your VPN may require port 500/UDP packets to be passed to the computer that is connecting to the IPsec server...." and then tells you how to forward the packets (under the "Internet Applications" section).  When I do this to one of the computers, I can now get one VPN (at a time) to work with the WRV54G.

    However it's not clear to me how/if I can use both VPNs simultaneously if both IPSec servers required port 500/UDP packets to be forwarded to the (appropriate) VPN client.  Any ideas here?  Have you heard of IPSec servers requiring this port 500 open?  It would be great if I could use them both.

    There's one other thing I might try:  My VPN uses the NetScreen hardware box, so I think I have to forward port 500/UDP to that box for it to work.  My wife's SonicWall software VPN has a configuration page that looks a lot like the VPN tunnelling config page on the WRV54G (phase 1, phase 2, aggressive mode, proposal, etc..).  I might try to bypass the SonicWall VPN software and instead set up a VPN tunnel through the WRV54G.  Unfortunately, I have to wait until Monday because I don't know what the "PreShared Key" is for the SonicWall (it was set up by the company).

    Author Comment

    Well, I resolved this problem by getting my ISP to give me another dynamic IP address for $4.95 per month, and no longer trying to tunnel two VPNs through the same router.  This turned out to be the easiest solution.

    I think that it might have worked to use the WRV54G instead of the SonicWall software to do the tunnelling for one of the VPNs (and IPsec via port 500/UDP for the other), but the company wouldn't give me the PreShared Key that they used to set up SonicWall on the laptop.

    llmoore, thanks very much for your help.  I think I learned a few things about VPNs through this process.
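
The demultiplexing problem discussed in this thread, as an added example that is not part of the original posts and not any router's firmware: a simplified Python model of three ways a NAT router can decide which LAN host receives an inbound IPsec-related UDP packet (a static UDP/500 forward, passthrough state keyed only on the gateway address, and per-flow port translation as used with NAT-T on UDP/4500). Host names, addresses and strategy names are constructed.

```python
# Added example: simplified model of inbound demultiplexing on a NAT router.
# Host names, addresses (RFC 5737 ranges) and strategy names are constructed.
from collections import namedtuple

Pkt = namedtuple("Pkt", "src_ip src_port dst_port")  # UDP packet arriving on the WAN side


class Nat:
    def __init__(self, strategy, forward_to=None):
        self.strategy = strategy      # "static", "peer" or "natt"
        self.forward_to = forward_to  # LAN host named in the static UDP/500 forward
        self.by_peer = {}             # gateway IP -> LAN host
        self.by_flow = {}             # (gateway IP, gateway port, public port) -> LAN host
        self.next_port = 40000

    def outbound(self, lan_host, gw_ip, gw_port):
        """A LAN host sends to its VPN gateway; return the public source port used."""
        if self.strategy == "natt":
            # Ordinary port translation: every flow gets its own public port.
            public_port, self.next_port = self.next_port, self.next_port + 1
            self.by_flow[(gw_ip, gw_port, public_port)] = lan_host
            return public_port
        if self.strategy == "peer":
            # Passthrough state keyed on the gateway address only: last client wins.
            self.by_peer[gw_ip] = lan_host
        return 500  # IKE keeps source port 500

    def inbound(self, pkt):
        """Return the LAN host that receives pkt, or None if it is dropped."""
        if self.strategy == "static":
            return self.forward_to if pkt.dst_port == 500 else None
        if self.strategy == "peer":
            return self.by_peer.get(pkt.src_ip)
        return self.by_flow.get(tuple(pkt))


def replies(strategy, gateways):
    """gateways maps LAN host -> gateway IP; returns LAN host -> host that got its reply."""
    nat = Nat(strategy, forward_to=next(iter(gateways)))
    gw_port = 4500 if strategy == "natt" else 500  # NAT-T wraps IPsec in UDP/4500
    ports = {h: nat.outbound(h, gw, gw_port) for h, gw in gateways.items()}
    return {h: nat.inbound(Pkt(gw, gw_port, ports[h])) for h, gw in gateways.items()}


two_sites = {"pc_a": "198.51.100.10", "pc_b": "203.0.113.20"}
one_site = {"pc_a": "198.51.100.10", "pc_b": "198.51.100.10"}
for name in ("static", "peer", "natt"):
    print(name, replies(name, two_sites), replies(name, one_site))
```

In the model, a static forward always delivers to one host, state keyed on the gateway address separates two different sites but not two clients of the same site, and only per-flow port translation separates both cases. ESP itself (IP protocol 50) carries no ports, so without UDP encapsulation a router has nothing finer than the gateway address to key on.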
