Linksys BEFVP41 -- a first look

Discussion in 'Cisco' started by Walter Roberson, Apr 6, 2005.

  1. I purchased for testing
    - a Linksys BEFVP41 "Ethernet Cable/DSL VPN Router" and
    - a Linksys BEFSX41 "Broadband Firewall Router with 4-port Switch/VPN
    Endpoint"

    I was hoping that the VPN capabilities of the FVP were sufficient to
    allow me to connect to our several PIXes from my SOHO, and hoping
    that the FSX VPN would be "good enough" to be able to recommend
    to potential telecommuting employees who do not need as many
    tunnels as I do.

    I have now had a small amount of time to play with the FVP, but
    I have not had a chance to open the FSX as yet.

    I had some initial problems with getting a wired connection to the FVP,
    with rather inconsistent results. Either there was a conflict
    with my wireless network connection having been activated first, or
    (more likely) the cable was too short and I was having some kind
    of physical wiring problems. Replacing the cable with a spare one
    I had around appeared to solve the problem; the ability of one of the
    4 LAN ports to be crossed-over helped. The LAN ports are -not-
    auto-MDI-X though.

    Once I had a connection, the majority of the configuration screens
    on the FVP are immediately recognizable to users of a number
    of other Linksys products such as the BEFW11S4.

    There is no obvious way to SYSLOG anything; it appears that the logging
    function is the Linksys non-standard one. I have read that there is
    linux source available for the logger; I will have to check that out.

    One can, though, set SNMP community strings. I have not yet attempted
    to browse the tree.

    It appears that I have a "version 1" FVP; there is a "version 2"
    as well, whose firmware has been touched more recently. [Now I'm
    going to have to investigate to find out whether I should have been
    more specific about what I was buying...]


    There is a VPN configuration tab, with a choice of DES/3DES,
    HMAC/SHA, IKE auto or manual, PFS available, and key lifetime
    specifiable. On the Advanced tab, one has a bit of control
    over the proposal orders, and can configure groups of 768 or 1024 bits
    (i.e., group 1 or group 2, but given by size not number.)
    There are no Certificate Authority options on the FVP, just
    a shared key, which is limited to 24 bytes (which can be entered in
    ASCII or hex.)

    This revision of the FVP does NOT offer AES, VPN over SSL,
    or groups 5 or 7, and also does not offer any way to turn on AH.

    Each "tunnel" may be configured for source and destination and
    remote security gateway. The source may be specified as an IP,
    a subnet, or an IP range. The destination may be specified
    as an IP, subnet, IP range, 'any', or 'host'. When 'host' is
    chosen, the implied host is the remote security gateway. [Plausibly
    this connects in the other IPSec mode.] Selecting 'Any' produces
    a message that is not immediately clear: leads me to wonder about
    the ability to use the FVP as an IPSec server (i.e., destination
    endpoint)... something I had been thinking of at the time of
    the purchase, but which had slipped my mind since. The box outside
    documentation implies it is possible; I have not read the manual
    yet ;-)


    Notice in the description of tunnels that each tunnel corresponds to
    what the PIX would call a "security association", instead of corresponding
    to an IKE peer (as per the peer limits on the PIX 501.) That
    will not be a problem for me for the FVP, but it will certainly
    influence my use of the FSX if the configuration mechanism is the
    same. When I popped for the extra FSX I was certainly thinking
    in terms of IKE peers, not in terms of SA's.

    We have 4 different subnets that our employees could plausibly want
    to access, and as well we have a dozen or so systems at HQ that
    we would want to be able to relay traffic for. I will need to
    experiment with split ACLs, and with the 'any' destination, and
    I might end up needing to essentially go for a VPN concentrator
    solution, handling all user traffic and sending it onward through
    tunnels or not as appropriate. I'm not keen on relaying all user
    traffic, though -- I'm not interested in having their private
    non-work traffic ending up going through our equipment, so if I
    can't get split ACLs to work, users that want to telecommute will
    likely be told that the FSX is not an option. I might still be
    able to deploy the FSX within a small remote office, though.


    A note on the internal differences between the FVP and FSX: the
    FVP has a hardware VPN coprocessor, whereas the FSX does not.
    Sites such as tomsnetworking.com have some speed comparisons:
    the FVP is a fast device considering the low price (slightly
    over $US100), with the FSX being slower but still "fast enough"
    for typical DSL/cable subscribers.


    Ah, I nearly forgot to say how my VPN experiments came out:
    looking up our current crypto dynamic map shared secret took longer
    than configuring a simple tunnel. My first iteration, 3DES HMAC
    was rejected by our PIX (if I recall correctly, it said it was
    not supported), but after a simple modification to 3DES SHA,
    the connection went completely smoothly, and the VPN tunnel was
    up in seconds.

    Considering the firmware age, there is likely no NAT-T support
    in the firmware for the FVP revision 1 [but there plausibly is
    on the newer FSX firmware]: I will need to check.


    So... if you are looking for a VPN hardware endpoint with SPI,
    for SOHO use, and 24-byte preshared key 3DES Group 2 is acceptable,
    then indications so far are that the Linksys BEFVP41 has
    no difficulty talking to a PIX.
     
    Walter Roberson, Apr 6, 2005
    #1
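The two tries described above (3DES/HMAC rejected by the PIX, 3DES/SHA accepted within seconds) are an instance of ordinary IKE phase-1 proposal matching, complicated by the two vendors naming the same attributes differently: the FVP picks the DH group by modulus size where the PIX uses the group number, and it labels the hash "HMAC" or "SHA" where the PIX says "md5" or "sha". The script below is an added example, not code from this thread or from either vendor; it normalizes the FVP's menu choices into canonical IKE attributes, runs a simplified responder-side selection against an assumed PIX policy (3DES, SHA, group 2, pre-shared key), and checks that a pre-shared key entered in the FVP's ASCII or hex field produces the same bytes as the PIX `isakmp key` string within the 24-byte limit reported above. The mapping of the FVP label "HMAC" to HMAC-MD5, the FVP default lifetime, and the PIX policy are all assumptions.

```python
"""IKE phase-1 proposal matching, FVP-style labels vs PIX-style policy.

Added example for the thread above; not the FVP's or the PIX's own code.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# MODP modulus size (bits) -> IKE Diffie-Hellman group number (RFC 2409/3526).
DH_GROUP_BY_BITS = {768: 1, 1024: 2, 1536: 5}

# Canonical names for what each vendor's UI calls the same IKE attribute.
# Assumption: the FVP label "HMAC" means HMAC-MD5 (the thread reports that the
# "3DES HMAC" offer was rejected while "3DES SHA" was accepted).
HASH_ALIASES = {"hmac": "md5", "md5": "md5", "sha": "sha1", "sha1": "sha1"}
CIPHER_ALIASES = {"des": "des", "3des": "3des", "aes": "aes-128"}

# Largest pre-shared key the FVP UI accepts (from the thread).
MAX_FVP_PSK = 24


@dataclass(frozen=True)
class Proposal:
    cipher: str
    hash: str
    dh_group: int
    lifetime: int = 28800  # seconds; assumed FVP default, PIX default is 86400


def fvp_proposal(cipher: str, hash_label: str, dh_bits: int,
                 lifetime: int = 28800) -> Proposal:
    """Translate FVP menu choices (hash by vendor label, DH group by size)
    into canonical IKE attributes comparable with a PIX isakmp policy."""
    if dh_bits not in DH_GROUP_BY_BITS:
        raise ValueError(f"no IKE group for a {dh_bits}-bit modulus")
    return Proposal(CIPHER_ALIASES[cipher.lower()],
                    HASH_ALIASES[hash_label.lower()],
                    DH_GROUP_BY_BITS[dh_bits], lifetime)


def negotiate(initiator: Iterable[Proposal],
              responder: Iterable[Proposal]) -> Optional[Proposal]:
    """Simplified IKEv1 responder selection: walk the responder's policies in
    priority order and accept the first initiator offer whose cipher, hash and
    DH group match and whose lifetime is no longer than the policy's.  The
    agreed lifetime is the initiator's (the shorter one).  Returns None when
    nothing matches, which is what the PIX reported as "not supported"."""
    offers = list(initiator)
    for policy in responder:
        for offer in offers:
            same_suite = (offer.cipher, offer.hash, offer.dh_group) == \
                         (policy.cipher, policy.hash, policy.dh_group)
            if same_suite and offer.lifetime <= policy.lifetime:
                return offer
    return None


def fvp_psk_bytes(entry: str, as_hex: bool) -> bytes:
    """Bytes the FVP would feed into IKE for a key typed in its ASCII or hex
    field, enforcing the 24-byte limit."""
    key = bytes.fromhex(entry) if as_hex else entry.encode("ascii")
    if len(key) > MAX_FVP_PSK:
        raise ValueError(f"FVP pre-shared key limited to {MAX_FVP_PSK} bytes, "
                         f"got {len(key)}")
    return key


def psk_matches(fvp_entry: str, as_hex: bool, pix_key: str) -> bool:
    """The PIX 'isakmp key' argument is an ASCII string; whichever FVP field is
    used must yield exactly those bytes or phase 1 fails authentication."""
    return fvp_psk_bytes(fvp_entry, as_hex) == pix_key.encode("ascii")


# Assumed PIX side of the thread's scenario:
#   isakmp policy 10 authentication pre-share
#   isakmp policy 10 encryption 3des / hash sha / group 2 / lifetime 86400
PIX_POLICIES = [Proposal("3des", "sha1", 2, 86400)]


def first_attempt() -> Optional[Proposal]:
    """FVP offering 3DES, "HMAC", 1024-bit group: no PIX policy matches."""
    return negotiate([fvp_proposal("3DES", "HMAC", 1024)], PIX_POLICIES)


def second_attempt() -> Optional[Proposal]:
    """FVP offering 3DES, SHA, 1024-bit group: matches policy 10."""
    return negotiate([fvp_proposal("3DES", "SHA", 1024)], PIX_POLICIES)


if __name__ == "__main__":
    print("3DES/HMAC offer ->", first_attempt())
    print("3DES/SHA  offer ->", second_attempt())
    print("hex key equals ASCII key:", psk_matches("733363723374", True, "s3cr3t"))
```

The practical check this encodes: when a SOHO box and a PIX refuse to talk, first translate both sides' settings into IKE's own vocabulary (cipher, hash, group number, lifetime, authentication method) before comparing them, and confirm the pre-shared key bytes are identical on both ends, since a hex entry on one side and an ASCII string on the other are a common way to get a silent phase-1 failure.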

  2. Digital Doug (Guest)

    I hope you don't depend on the Linksys to run a business.

    I have pulled all of them out and either used a Netgear FVS318 or a real
    Cisco.
    You get what you pay for........

    They are ok for a home user with minimal use, but not any serious use.
    IPSEC---3DES....you better buy a lot of spares.....

    Tech Support is also horrible.....

    Two months and you will throw them out. I did.


    Digital Doug


     
    Digital Doug, Apr 7, 2005
    #2

  3. :I hope you don't depend on the Linksys to run a business.

    :They are ok for a home user with minimal use, but not any serious use.

    Would you have a few minutes to describe some of the issues you
    encountered?

    :I have pulled all of them out and either used a Netgear FVS318 or a real
    :Cisco.
    :You get what you pay for........

    Before selecting the Linksys BEFVP41, I looked first at a number
    of commodity products that were wireless + SPI + (for the better
    ones) VPN. The -best- that I could find had a user satisfaction
    rating of 5.9 out of 10 -- people were even more unhappy with the
    others (doesn't stop the companies from selling tons of the things
    though...) D-Link, Netgear, Linksys... user review after user review
    said, in essence, "This is a junk product that I wouldn't recommend to
    an enemy."

    When I looked at the user reviews of the BEFVP41, there were some
    people who had had difficulties, but the postings were mostly
    review after review saying "This product has worked quite well,
    and I've been very happy with it." The FVS318 did not have as
    strong a user endorsement.


    :Tech Support is also horrible.....

    I have heard that about Linksys. I have heard much the same thing,
    only a bit more strongly, about Netgear. And the anecdotes about
    D-Link support are less flattering yet. :(
     
    Walter Roberson, Apr 7, 2005
    #3
  4. Peter (Guest)

    -cnrc.gc.ca (Walter Roberson) wrote
    Linksys doesn't have tech support as such. Here in the UK, the calls
    are routed to the Philippines and there, after a long wait, they are
    answered by useless staff reading prepared scripts. I've had a few
    hours of this.

    Very occasionally, the call gets connected to the UK office where
    somebody listens - but still nothing gets resolved.

    Support emails are never responded to.

    IME the stuff generally works well (never attempt using it without
    installing the latest firmware off their website!) but if it doesn't
    there is only one thing to do and that's to chuck it away and get
    something else.

    The above comments could be equally applied to most consumer IT
    products today, unfortunately. It's also true for HP - astonishingly
    for a one-time world leader.

    D-Link is bad, but not as bad as Belkin...


    Peter.
     
    Peter, Apr 8, 2005
    #4
  5. ;Linksys doesn't have tech support as such. Here in the UK, the calls
    ;are routed to the Philippines and there, after a long wait, they are
    ;answered by useless staff reading prepared scripts. I've had a few
    ;hours of this.

    Netgear outsources their front line tech support -- to India, I think
    it might be. The front line pretty quickly passed me up the chain to
    the second line support in the USA... which listened to my description
    and said that it sounded like I got a defective device and that I should
    return it. But Netgear company policy is No Return For Refunds, only
    exchange, and it was obvious to me that the problem was firmware problems
    that would not be repairable by simply exchanging the item.

    The reseller wouldn't take the product back without an RMA number from
    the wholesaler, the wholesaler wouldn't issue an RMA without an RMA
    from Netgear, and Netgear wouldn't issue an RMA except for exchange.
    Catch-22.

    Netgear gets points for -having- a second-line product support, and
    gets points for the front line answering the phone fairly quickly,
    and gets points for the front line passing me along fairly quickly.
    But I couldn't say that in that particular incident that the support
    was "useful".


    [with regards to the Linksys products]

    :IME the stuff generally works well (never attempt using it without
    :installing the latest firmware off their website!) but if it doesn't
    :there is only one thing to do and that's to chuck it away and get
    :something else.

    I hear ya. I ran into a bug on the FVP the other day -- after the DHCP
    lease expired on the PC, the FVP would not renew the lease until I rebooted
    the FVP. I could imagine that in some situations that could be a serious
    problem; my potential uses happen to be such that fixed IP addresses are
    better anyhow, so I might be able to use the FVP successfully.
     
    Walter Roberson, Apr 8, 2005
    #5
  6. Peter (Guest)

    -cnrc.gc.ca (Walter Roberson) wrote
    Funny you mention fixed IPs. I tried to config a Linksys wifi router
    (can't recall the type but it was the common one from ~ 1 year ago)
    for a fixed IP.

    As soon as I disabled DHCP the thing basically stopped working, in all
    sorts of bizarre ways.

    I don't think they ever tested it with DHCP disabled!

    So now I just use it as a wifi access point. At the price, that's OK.
    There it works just fine with Linksys wifi adaptors like the WPC54G
    using WPA/PSK :) Not with a lot else though.

    I can see why corporates go for Cisco gear. I used to run a couple of
    803 ISDN routers. After getting the config right (which is a huge job
    creation scheme!!) they just run for years. The extra cost is trivial
    if one's time is worth anything at all.

    I'd rather buy a Cisco product from Ebay than buy a new one from one
    of the "consumer" players. Recently I gave away my 803 routers; in
    1999 they cost about US$1600 plus $500 for a flash upgrade and they
    now fetch about $30 on Ebay.


    Peter.
     
    Peter, Apr 9, 2005
    #6
  7. :I can see why corporates go for Cisco gear. I used to run a couple of
    :803 ISDN routers. After getting the config right (which is a huge job
    :creation scheme!!) they just run for years. The extra cost is trivial
    :if one's time is worth anything at all.

    Oddly, some sales reps came in to talk to me the other day, and
    were talking about Fortinet firewalls. They were from a bit of
    an amorphous consulting-type organization that also does sales
    (i.e., a VAR -- they'll sell you the equipment and sell you
    service in setting it up or helping configure it or helping out
    in emergencies.) They said that they pretty much used
    Cisco and Fortinet exclusively.

    When they were talking to me about the Fortinet product, they
    were talking about its reliability, which they compared to being
    similar to that of Cisco's. The way they put it was that
    Fortinet was similar to Cisco, in that they knew that once they
    had made a sale and configured the product, that they
    could drive away saying to themselves, "Well, that's one place
    we'll never have to go back to again" -- because [in their
    experience] once the Cisco [or Fortinet] was set up, it would
    just keep working away for years without needing attention.


    I didn't have the heart to discuss hardware failures, design
    for redundancy, regular preventative maintenance testing of emergency
    procedures, or the need to upgrade IOS because of security problems
    discovered. [I do not mean to imply that Cisco "has a problem"
    in any of these areas: these issues are simply facts of life
    in non-trivial networks.]
     
    Walter Roberson, Apr 9, 2005
    #7