Home > Consumer Reviews > Linksys BEFVP41 EtherFast Cable/DSL VPN Router with 4-Port 10/100 Switch

The router/switch/NAT features of this little box work just like the other Linksys products in this line -- and just as well. What's new is the IPSec VPN support. You can set up secure tunnels over the Internet between two or more LANs using one of these boxes in front of each LAN. Alternatively (or in addition) you can set up a tunnel between a standalone remote PC and a LAN that has one of these routers *IF* the remote PC supports IPSec. Windows 2000 and XP support IPSec but Windows 9x/Me/NT do *NOT*. (If you want a Windows 9x/Me/NT PC to connect into an IPSec VPN, you will need a 3rd party IPSec driver, or just buy another one of these boxes to put in front of the PC.)

Configuring IPSec on a Windows 2000 or XP PC is not exactly easy either -- Linksys' how-to document is SIXTEEN PAGES long! But the difficulty is not Linksys' fault -- rather it's due to Microsoft's tortured GUI for the IPSec configuration.

But setting up a tunnel between two of these boxes is easy. It's only the standalone PC to LAN tunnel that is daunting.

I want to give this product 5 stars. It works very well, and the price is almost too good to be true -- it compares quite favorably with other products costing 5-10 times more. But I have to take a point off because Linksys does not give enough emphasis to the Windows 2000/XP limitation of the standalone PC VPN client in its marketing copy, and there is not one word about how to configure the standalone client in the manual that comes with the router -- you have to hunt for it on Linksys' Web site. From what I see on the discussion boards, there are a lot of people who are lost without better information on these points. So if you plan to use a standalone VPN client, be prepared for a struggle, but hang in there -- it DOES work!

I purchased a pair of Linksys BEFVP41 units to connect two office networks, and to provide for secure remote network access through VPNs to mobile users. While the units performed the former job adequately, the latter left a lot to be desired.

I should have known better when presented with Linksys' confusing marketing information. In one breath (from their web site) they say, "No IPSec VPN Client Software Needed," while in another say, "Mobile workers can also connect to a corporate network using an IPSec based VPN client software solution." As usual, there's a slight gulf between marketing spin and reality.

For PC-to-box connections, such as those with mobile users, it's true that no special client software is needed. Windows 2000 and XP users can, in fact, connect to the BEFVP41 without special software, but only if the computer has a static IP address. Whether on local networks or in a coffee shop hotspot, it's unlikely the typical desktop user will have a static IP address, which translated means that, in fact, VPN client software IS needed to make these units useful in that remote network access role.

That's because the BEFVP41 supports only IPSec. Commonly used Windows-based VPNs use PPTP or L2TP, both of which are built into Windows. But this unit (and most others) doesn't provide PPTP or L2TP support.

Back to the requirement, then, for aftermarket IPSec VPN software. The software is not inexpensive, and it adds considerably to the total cost of this Linksys solution. I tested the IPSec client from French company TheGreenBow, and it does work. The problem is that there is no DHCP or other types of dynamic addressing or DNS support; it's merely a "raw" network pipe. For most mobile users, this isn't going to be particularly functional, and that's especially true for users of networks that use Windows Active Directory. (Perhaps the other recommended option, the SoftRemote VPN client, addresses this, but either way, it's a costly add-on.)

All of this left me searching for ways to get PPTP support without buying other hardware. The suggestion widely made was to merely configure a Windows server behind the firewall to offer PPTP, and configure the Linksys BEFVP41 to pass PPTP through. Simply put, this doesn't work.

Linksys' web site features a tech note on how to configure this very scenario. However, had anyone at Linksys actually TESTED the tech note, they would have discovered it doesn't work. The tech note suggests port mapping ports 1723 (PPTP) and 47 (supposedly for GRE, a protocol necessary for PPTP to work properly). The problem is that "47" is NOT A PORT NUMBER, it is the PROTOCOL number of GRE. Mapping port 47 in the firewall has absolutely NO IMPACT WHATEVER on the GRE protocol. Whoever wrote the tech note clearly has very little understanding of the subject matter.

It is possible that some Linksys firewalls will work with PPTP pass-through, but the BEFVP41 clearly does not. Empirical evidence suggests that the GRE protocol is not properly handled internally to support the pass-through scenario. The connection can be made to port 1723 on a Windows server behind the firewall when passed through the Linksys, but without proper GRE handling, the VPN connection can't actually be established.

When you add to all of this a remarkably clunky web management interface, the Linksys BEFVP41 is a non-starter for me. Both units are on their way back to Amazon.com as I write this review. After a previous experience with the company where they took forever to update drivers to fix a compatibility issue; after seeing technically inaccurate tech notes on their support web site; and after adding-in this experience, I'll think twice before bothering with anything Linksys again.

My chosen replacement for the BEFVP41 (a pair of CyberGuard/SnapGear SG300 units) have already arrived, and have proven themselves to be far more flexible, more configurable, and more powerful than the BEFVP41. Along with their configurability, the SG300s provide PPTP and L2TP support directly (in addition to IPSec), making a total solution that (unlike the BEFVP41) TRULY doesn't require special software clients to offer a total office-to-office and mobile-to-office network solution.

I've been lookiing for a solid, inexpensive VPN solution for quite some time so I was pleased to find this little router. I had no problems configuring the unit to connect to a Watchguard Firebox II and a Nortel Networks Contivity 100S, both of which inhabit my equipment rack at the office. Configuring VPN's can be frustrating if you are unfamiliar with the technology but this product has a very simple interface and a bit of time spent educating yourself about IPSec will ease the setup.

Highly recommended.

I have 30 of these units at customer locations who connect to our head office to sell a service through the encrypted VPN tunnel. Easy to setup, connects to any standardized VPN box, remotely manageable, good throughput and the price is bar none the best out there. Go with Sonicwall and you have to buy licensing for every feature you want to use. No licensing on the LINKSYS. For the guy who was complaining about the port forwarding and the port triggering, you probably were doing something wrong as I have both port forwarding and port triggering enabled on my boxes and doing more than one address. It helps if people read instructions. The port forwarding info is in the help file on the router.

"Port Triggering
Some Internet applications or games use alternat ports to communicate between server and LAN host. When you want to use those applications, find out the ports used by them and fill the triggering(outgoing) port and alternat incoming port in this table. The router will forward the incoming packets to LAN host
"

So if you wanted to setup a VPN tunnel and use a application that you wanted going through port 5000, outbound on the Linksys and Inbound on another VPN router, that's what it's purpose is.

Highly recommended

The Linksys VPN Router gets the best results when you use one on each end, up to 40 tunnels. It took me 20 minutes per router to set up and make a permanent VPN connection. I did get one bad router. Each router must have exactly the same settings (That is what makes a VPN). On one router installation, I couldn't get a VPN connection. After checking the log, I found that there was a Crypto Sub-System error on that unit that prevented it from operating properly. I returned the defective unit and received a good one. With a properly configured VPN, there is no reason for IP forwarding or using the DMZ application. A Microsoft Domain controller, A Unix server, a main frame, 40 PCs, and several print servers are working together like they were in the same office. Linksys did a great job with this device. If you experience problems, it is likely to be your settings. Afterall, VPN is a rigid security application.