- 1 Platform Notes
- 2 Version History
- 3 Backoff Patterns
- 4 Vendor IDs
- 5 Authentication Methods
- 6 ISAKMP SA Lifetime
- 7 Transform Attribute Ordering and Rewriting
- 8 Aggressive Mode
- 9 Response to Noncompliant and Malformed Packets
- 10 NAT Traversal
- 11 IVEv2
- 12 Remote Access VPN Client
- 13 Other Interesting Behaviour
- 14 Default Configuration
- 15 Discovered Vulnerabilities
- 16 Miscellaneous Notes
The Linksys Etherfast Cable/DSL VPN Router model BEFVP41 is a Cable/DSL router that also supports IPsec VPN.
The Linksys only supports the Pre-Shared Key authentication method.
ISAKMP SA Lifetime
Transform Attribute Ordering and Rewriting
The Linksys router supports both Main Mode and Aggressive Mode.
Response to Noncompliant and Malformed Packets
Remote Access VPN Client
Linksys QuickVPN client.
Other Interesting Behaviour
The Linksys Etherfast has a very simple IKE implementation. It does not perform any retransmission in the event of lost packets, and it will always respond to source port 500, irrespective of the actual source port value. This source port restriction means that only the default source port of 500 will work, which probably means that it won't work behind a NAT device.
Here is a tcpdump output showing what happens when ike-scan is used to send a request using a high source port. In this example, the ike-scan command line used was ike-scan -s 0 -r 1 220.127.116.11. You can see the outgoing ike request with source port 32928, followed by the Linksys reply back to port 500. As ike-scan is listening for replies on port 32928 and not 500, the kernel sends back an ICMP unreachable message.
18:07:23.046263 IP 18.104.22.168.32928 > 22.214.171.124.500: isakmp: phase 1 I ident 18:07:24.031649 IP 126.96.36.199.500 > 188.8.131.52.500: isakmp: phase 1 R ident 18:07:24.031705 IP 184.108.40.206 > 220.127.116.11: icmp 120: 18.104.22.168 udp port 500 unreachable