Author Topic: Cisco VPN no workie for a friend - asking for tips  (Read 123 times)

The Gorn

Cisco VPN no workie for a friend - asking for tips
« on: February 09, 2010, 12:13:50 pm »
A friend can work from home at his new job. His employer provided him with a VPN setup.

The problem he has is that the router that he is using seems to be incompatible with the VPN software. The connection fails or never gets made.

Here is the pertinent information:

Router: Linksys BEFSR41v4 (this is damned old, I know.)
VPN: Cisco VPN Client v5.00

I did find this:

http://www.cisco.com/en/U.../notes/vpnclient5006.pdf

In that PDF I found a section titled "Linksys Wireless AP Cable/DSL Router Version 1.44 or Higher Firmware Requirement". (page 11 top.)

The router my friend has is probably the non wireless version of the BEFW11S4 they are talking about.

Cisco is basically saying you have to download newer firmware for that router to work with their VPN client.

This is the only router that Cisco mentions a workaround for with their VPN client. So I am guessing that his model shares the same problem.

Anyway, my friend currently has to plug his computer straight into the modem. This means that he loses connection sharing and can't use his shared printers.

I am telling him to do one of the following:

1) Try a DMZ setup for his PC and try the VPN with that. (Then, he needs to have the Windows Firewall  enabled.)
2) Or, buy a modern router.

I see very little on message boards about that VPN having problems with consumer routers. I think his router is basically old junk (it's the big blue and grey box style Linksys.) I think he needs a new router.

Ideas?
Gornix is protected by the GPL. *

* Gorn Public License. Duplication by inferior sentient species prohibited.


pxsant

Cisco VPN no workie for a friend - asking for tips
« Reply #1 on: February 09, 2010, 12:35:35 pm »
Fooling around with an old router is just not worth the aggravation.   Routers are dirt cheap these days so it makes much more sense to buy a new one and get rid of the problem.

I personally don't like the Linksys routers although, since they are owned by Cisco now, it might be the best bet to work with the Cisco VPN software.  Might be a good idea to check the Cisco site for VPN software/router compatibility first.

The Gorn

Cisco VPN no workie for a friend - asking for tips
« Reply #2 on: February 09, 2010, 03:26:37 pm »
Quote from: pxsant
Fooling around with an old router is just not worth the aggravation.   Routers are dirt cheap these days so it makes much more sense to buy a new one and get rid of the problem.

I personally don't like the Linksys routers although, since they are owned by Cisco now, it might be the best bet to work with the Cisco VPN software.  Might be a good idea to check the Cisco site for VPN software/router compatibility first.
I am pushing this guy to do just this. Checking for compatibility first is a great idea, thanks!

However, this guy also tends to waste his time and tinker for hours with stupid crap in an effort to save a few dollars. Linksys's big older blue and charcoal grey routers are low end crap. Mine blew out a long time ago.



TRexx

Cisco VPN no workie for a friend - asking for tips
« Reply #3 on: February 09, 2010, 06:27:13 pm »
Quote
Checking for compatibility first is a great idea, thanks!
I went through this exercise with my last client and the AT&T VPN system. It would work OK for a while then someone would reconfigure some of the VPN servers and suddenly a portion of the country couldn't connect. Eventually they got things straightened out, but we found that asking the vendor for a list of compatible routers was a waste of time.

I'd suggest your friend talk to someone else in his company and see what they are using. Preferably someone who uses the same broadband provider as well.

The Gorn

Cisco VPN no workie for a friend - asking for tips
« Reply #4 on: February 09, 2010, 06:45:26 pm »
Quote from: TRexx
I'd suggest your friend talk to someone else in his company and see what they are using. Preferably someone who uses the same broadband provider as well.
I found some guy's general compatibility list of routers that appear to be trouble free with commercial VPNs and sent it to my friend.

But I also told him to ask IT at his workplace what other users are working well with.



Richardk

Some suggestions
« Reply #5 on: February 10, 2010, 12:15:56 pm »
It's not hard to set up. I'd suggest a new router instead of screwing around with something that isn't compatible.

I've used several VPN setups with varying degrees of 'lock down' or security to log in and they all work pretty well.


Quote
Anyway, my friend currently has to plug his computer straight into the modem. This means that he loses connection sharing and can't use his shared printers.
Connecting to a router instead of a modem is no guarantee that he'll have access to his local devices / system. One setup required me to disconnect from the VPN so I could print a document.

Also remind him to keep it strictly "business". Very often all your traffic will flow through your client's system via the VPN. If he wants to check his personal email or do something else it's best to get off the VPN first.

This can be deceiving to a non-technical person since sometimes it’s clear that you're on their system because some app kicks in and you go to work. Other jobs had me establish the VPN connection first and then you launched some web-based tool.

Yes, the two are more or less the same, except that in the bundled case logging off the application also disconnected you from the VPN. In the ‘manual’ case, it seems like you're not logged in to the client because you're just sitting there at your Windows screen but the VPN is still active. So if you forget to log off the VPN, everything you do online is still being routed through your client’s computers.

The takeaway is making sure you're actually off the VPN before any non-work activity.
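
The routing behaviour described in the post above, as an added example that is not part of any post in this thread: a longest-prefix-match lookup over IPv4 route rows in the column order Windows `route print` uses, showing which adapter carries internet and LAN traffic while a VPN is up. Both route tables, every address and the function names are constructed for illustration.

```python
import ipaddress

# Constructed rows: destination, netmask, gateway, interface, metric.
# 10.8.0.22 stands in for the VPN adapter, 192.168.1.50 for the home LAN adapter.
FULL_TUNNEL = """\
0.0.0.0      0.0.0.0        192.168.1.1  192.168.1.50  25
0.0.0.0      0.0.0.0        10.8.0.1     10.8.0.22     1
10.8.0.0     255.255.0.0    On-link      10.8.0.22     1
192.168.1.0  255.255.255.0  On-link      10.8.0.22     1
192.168.1.0  255.255.255.0  On-link      192.168.1.50  25
"""
SPLIT_TUNNEL = """\
0.0.0.0      0.0.0.0        192.168.1.1  192.168.1.50  25
10.8.0.0     255.255.0.0    On-link      10.8.0.22     1
192.168.1.0  255.255.255.0  On-link      192.168.1.50  25
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples; skip non-route lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gateway, iface, metric = parts
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}")
            routes.append((net, gateway, iface, int(metric)))
        except ValueError:
            continue  # header or separator line, not a route
    return routes

def egress_interface(text, target):
    """Interface chosen for target: longest prefix wins, lowest metric breaks ties."""
    addr = ipaddress.ip_address(target)
    matches = [r for r in parse_routes(text) if addr in r[0]]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r[0].prefixlen, r[3]))[2]

def classify(text, vpn_iface, lan_host="192.168.1.20", internet_host="203.0.113.10"):
    """Report whether personal (internet) and printer (LAN) traffic use the VPN."""
    return {
        "internet_via_vpn": egress_interface(text, internet_host) == vpn_iface,
        "lan_via_vpn": egress_interface(text, lan_host) == vpn_iface,
    }

if __name__ == "__main__":
    for name, table in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        print(name, classify(table, "10.8.0.22"))
```

In the first table both the default route and the home subnet resolve to the VPN adapter, which matches losing the local printer and having personal browsing cross the employer's network; in the second only the corporate range does.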



TRexx

Cisco VPN no workie for a friend - asking for tips
« Reply #6 on: February 10, 2010, 01:38:32 pm »
Which is why I have 2 PCs. When I'm using the VPN, that's all that's running on that PC.  I use my other one for important stuff, like this 
 

The Gorn

re: Some suggestions
« Reply #7 on: February 10, 2010, 01:38:51 pm »
Good points, thanks.

It seems to me that the ability to use your own shares and the leakage of traffic onto the VPN is a matter of network routing setup.

PS: my friend got the message and bought a new router.


DarkHumour

Netgear router...
« Reply #8 on: February 10, 2010, 02:06:12 pm »
I got VPN to work... by accident!

When I was transitioning from DSL to cable I set up my Netgear router to accept VPN traffic with a bunch of parameters. I configured a VPN client on my computer connected to the Comcast side. I fought a long time to get Comcast to acknowledge that my Zoom modem was on their approved list. Then one day while browsing the configuration pages of the router on the DSL side I noticed there was a single VPN client attached. Wow. That had NEVER worked before and hooray I could switch services (and cancel DSL).

I don't remember which VPN client I used.   I think it was one of them off of this site:

http://www.sprint.com/business/products/products/popup/popupVpnIndex.html

Trying to uninstall the software when it hiccuped was a nightmare though. I think it might have been another product like "SafeNet".

I guess it is just a matter of finding the right client, router, and careful configuration settings (firewall holes and compliant broadband providers). Now that Win2K03 (and above) has IPSEC through NAT, I think I would use the routing and remote access option of a server rather than a soho router (small office/home office). IPSEC is not required but for the hard core security heads... If you don't have a server then obviously a dedicated box is the way to go...

I did see funky stuff happen when I VPN'd into a client while still on my own broadband, e.g. default gateways or DNS selections got wonky.

Heh. Could be worse though.  Could be trying to configure VPN for Mac OS 9 or below.  Shudder.

DarkHumour



TRexx

Cisco VPN no workie for a friend - asking for tips
« Reply #9 on: February 10, 2010, 04:00:04 pm »
For a while the Comcast office in NJ that serviced most of my client's employees was blocking all VPN traffic. They said that VPNs were expressly prohibited for residential service, and told everyone to upgrade to "commercial" service. Someone in client's HQ called Comcast HQ and said "We have 50,000 employees nationwide who use Comcast. If they can't use our VPN over your service, we will stop reimbursing them for their ISP charges and suggest they switch to another provider"  Like magic the VPN block disappeared.

I'm currently using a really lousy system my client provides. It's a Java app that sets up a remote desktop session with the PC in my office. Aside from being incredibly slow, I have no access to my LAN, including local shares and my printer. And when something gets hung up, I have to call someone in the office and ask them to reboot my PC.

 

