Linksys BEFVP41 and VPN connections.
aljswise
12-03-2002, 11:53 PM
This is all incredibly frustrating. I guess I will be returning the Linksys BEFVP41 that I just bought. Here is my situation, which I cannot believe is so unusual. My wife and I work from home. We have two work computers and one home computer. We access the internet via cable modem and our Lotus Notes and mainframe applications at work via Checkpoint VPN-1 SecuRemote Client version 4.1 (latest build). I had originally bought the Linksys BEFSR41 but could never get it to work with the VPN (I can get it to work now, but it only allows one VPN connection at a time). I then bought a Linksys EZXS55W switch and extra IP addresses from Mediacom and everything worked perfectly. We could simultaneously and constantly be connected to the internet and our VPN connections to the work applications.
Then I saw the ads for the Linksys BEFVP41 and its promotion of "70 simultaneous tunnels." I thought this would be the answer since the most I wanted was two measly VPN tunnels to work, one for me and one for my wife. I thought I could eliminate the expense of the three IP addresses. After getting everything connected, I read this Linksys article (KB10934235) which states (I think) that only one computer can be connected to the VPN at one time, not simultaneously, no matter how many "simultaneous" tunnels have been created. I don't see why our arrangement is so unusual. The 4-port cable router is used to share an internet connection between multiple computers. Why would you buy a 4-port VPN router that only allows one user to access a VPN connection at one time? Why do they allow you to set up an IP range or subnet setting for computers behind the router if you cannot have more than one VPN connection going at a time?
If there is a way using this router and Checkpoint VPN-1 SecuRemote client to allow us to do a very simple task that a cheap switch and extra IP addresses allow, please let me know. If there is another router that will accomplish this--recommend it.
MiCroStoogE
12-05-2002, 01:44 AM
There's bad news and good news.
The bad news is, there's no way to use your Checkpoint client software on more than one system on your LAN with this router -- or most any other inexpensive router, for that matter.
The good news is, you probably don't need to use the Checkpoint software for what you want to do.
I'm assuming you're set up something like this:
You have three computers at home, named something like WORK1, WORK2, PORNO (kidding!). Right now, each home system has a static IP address from the range you got from Mediacom. WORK1 and WORK2 are running the Checkpoint VPN client software, and each one is configured to connect to a VPN server at your employer. I'm going to assume for right now that both WORK1 and WORK2 connect to the same VPN server (same destination IP address). Are my assumptions correct so far?
Now, what I think you want to do is connect the Linksys router at your home, stop paying for the extra IP addresses from Mediacom, and use only one public IP address on the router, with your PCs (or Macs, whatever) getting private IP addresses from the router. This setup is called Network Address Translation, a.k.a. NAT.
You want to use your Checkpoint clients from WORK1 and WORK2, but you can't use more than one VPN client on your LAN. It's not because the Linksys is defective; it's because the Checkpoint VPN software probably runs over IPSec, and IPSec can't be used through a NAT router for more than one client using private IP addresses.
However, the good news is that the Linksys router can probably take the place of the Checkpoint software, if your employer's VPN server is using a standard IPSec setup. When the router is configured to connect to the VPN server, all the systems on your home LAN will be able to access the network at work. If your network support staff at work is at all competent, they will insist at a minimum that you have up-to-date antivirus software on all your home systems before they allow you to connect like this.
What if WORK1 and WORK2 are connecting to two different VPN servers, for example at two different employers? Well, that's where the Linksys's "70 simultaneous tunnels" comes in. You can add a second tunnel to another destination network, and the Linksys routes traffic to the proper destination network through the respective tunnel. You could add tunnels to a third, fourth, etc. destination network (up to 70, of course :).
--MiCroStoogE--
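The reason given in the post above (IPsec through NAT works for only one private host) can be made concrete with a small simulation. This is an added example, not code from the thread or from Linksys; it assumes a plain port-based NAT such as the BEFVP41's pass-through mode, constructed addresses 203.0.113.10 for the router and 198.51.100.5 for the employer's VPN gateway, and constructed inside hosts and SPIs. It also goes beyond the 2002 thread by showing the IKE NAT-Traversal encapsulation (ESP inside UDP/4500, RFC 3948) that later gave NAT something to key on.

```python
"""Why a port-based NAT passes one IPsec client but not two.

Added example; it is not code from the forum post or from Linksys firmware.
It models the translation table of a simple NAT/PAT router for three kinds
of flow: IKE over UDP/500 (has ports), ESP (IP protocol 50, no ports) and
ESP wrapped in UDP/4500 (IKE NAT-Traversal, RFC 3948, which came after this
2002 thread). Addresses, ports and SPIs are constructed sample values.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

PUBLIC_IP = "203.0.113.10"   # assumed: the router's single leased address
VPN_GW = "198.51.100.5"      # assumed: the employer's VPN gateway
IKE_PORT, NATT_PORT = 500, 4500


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "udp" or "esp"
    sport: Optional[int] = None  # None for ESP: it has no transport header
    dport: Optional[int] = None
    spi: Optional[int] = None    # ESP SPI; visible, but a port NAT ignores it


class PortNat:
    """A translator that can rewrite UDP ports and nothing else."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self._next_port = 40000
        self._udp_out: Dict[Tuple[str, int, str, int], int] = {}
        self._udp_in: Dict[Tuple[str, int, int], Tuple[str, int]] = {}
        self._esp_owner: Dict[str, str] = {}   # peer address -> inside host

    def outbound(self, p: Packet) -> Optional[Packet]:
        """Translate an inside->outside packet; None if the NAT cannot."""
        if p.proto == "udp":
            key = (p.src, p.sport, p.dst, p.dport)
            pub = self._udp_out.get(key)
            if pub is None:                 # new flow: pick a fresh public port
                pub = self._next_port
                self._next_port += 1
                self._udp_out[key] = pub
                self._udp_in[(p.dst, p.dport, pub)] = (p.src, p.sport)
            return replace(p, src=self.public_ip, sport=pub)
        if p.proto == "esp":
            # Nothing to rewrite but the source address. The return flow can
            # only be matched on the peer address, and both inside hosts talk
            # to the same peer, so one host owns that peer and the other loses.
            owner = self._esp_owner.setdefault(p.dst, p.src)
            if owner != p.src:
                return None                 # modelled as: second client refused
            return replace(p, src=self.public_ip)
        raise ValueError(f"unsupported protocol {p.proto}")

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Translate an outside->inside packet; None if no mapping exists."""
        if p.proto == "udp":
            hit = self._udp_in.get((p.src, p.sport, p.dport))
            if hit is None:
                return None
            return replace(p, dst=hit[0], dport=hit[1])
        if p.proto == "esp":
            inside = self._esp_owner.get(p.src)
            return None if inside is None else replace(p, dst=inside)
        raise ValueError(f"unsupported protocol {p.proto}")


def simulate(clients: List[str], nat_t: bool) -> Dict[str, bool]:
    """Does each inside client get its VPN data traffic back through the NAT?

    Each client runs IKE (UDP/500) and then sends one data packet: raw ESP,
    or ESP-in-UDP/4500 when nat_t is True. The gateway is modelled as simply
    answering to whatever address/port the packet arrived from.
    """
    nat = PortNat(PUBLIC_IP)
    outcome: Dict[str, bool] = {}
    for i, host in enumerate(clients):
        ike = nat.outbound(Packet(host, VPN_GW, "udp", IKE_PORT, IKE_PORT))
        assert ike is not None              # PAT always copes with UDP
        if nat_t:
            data = Packet(host, VPN_GW, "udp", NATT_PORT, NATT_PORT, spi=0x1000 + i)
        else:
            data = Packet(host, VPN_GW, "esp", spi=0x1000 + i)
        out = nat.outbound(data)
        if out is None:
            outcome[host] = False
            continue
        reply = Packet(out.dst, out.src, out.proto, out.dport, out.sport, spi=0x2000 + i)
        back = nat.inbound(reply)
        outcome[host] = back is not None and back.dst == host
    return outcome


if __name__ == "__main__":
    lan = ["192.168.1.10", "192.168.1.11"]   # constructed: WORK1 and WORK2
    print("raw ESP through NAT:", simulate(lan, nat_t=False))
    print("NAT-T (UDP/4500):   ", simulate(lan, nat_t=True))
```

Real pass-through implementations differ in how they lose: the model refuses the second client, while many routers instead let the newest client's mapping displace the earlier one, so the two hosts appear to take turns rather than one failing cleanly. Either way the router has nothing below the IP header to distinguish two ESP flows to the same gateway, which is exactly what the UDP/4500 wrapper adds.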
aljswise
12-05-2002, 03:07 AM
I am forwarding your post to the VPN administrator I am working with on this. So far we have not been able to get the router to connect with the VPN server, but we have just started trying. Even without a tunnel created, I am able to use the SecuRemote client to access my Lotus Notes and mainframe applications at work. I am sure this is because the router has IPSec pass-through enabled. But when I am using the client, my wife cannot authenticate or access these programs that we want and need simultaneously to do our job. You are correct that we work for the same employer and use the same VPN server to access the network. We both have up-to-date virus software, which is a department requirement. So you think that if we are able to create a tunnel to the server at work and the server is the same, that both Work1 computer and Work2 computer can simultaneously and constantly be connected without the switching back and forth that we are required to do now? Thanks for the advice. Maybe I will wait a little while before returning the router.
By the way, this is what Article KB10934235 says:
QUESTION: Will my router support multiple IPSec connections?
ANSWER: The following routers will only support one IPSec connection at any given time:
BEFSR11
BEFSR41
BEFSR81
BEFSRU31
BEFN2PS4
BEFW11S4
BEFW11P1
HPRO200
The BEFVP41 (MY ROUTER) allows up to 70 IPSec tunnels, but still only supports one connection (meaning a client using software to dial into a VPN server) behind the router.
MiCroStoogE
12-05-2002, 05:59 AM
"So you think that if we are able to create a tunnel to the server at work and the server is the same, that both Work1 computer and Work2 computer can simultaneously and constantly be connected without the switching back and forth that we are required to do now?"
Yes, one of my customers is doing something like that between three (soon to be four or five) sites using a NetGear FVS-318 at each site. One site has three PCs, the main site has six plus the server, and he has two or three at home. A PC at any site can ping any other PC, even though they're all using private IP addresses in the 192.168.0.0 network (I segmented the address space, for no good reason really other than to keep all the addresses in the default range for NetGear private LAN addresses). It's as if they're on the same LAN, which is the whole point of a VPN after all. I can connect my laptop to a LAN port at any site, get a private IP address via DHCP, and ping any other PC on their WAN.
These cheap VPN routers like the BEFVP41 or the FVS-318 are really easy to set up for VPNs when you're using the same box at each site. It's when you start trying to connect, say, a BEFVP41 at home to your employer's Cisco (or whatever) that things start to get really interesting. The more so since you seem to be the first employee wanting to connect a home LAN instead of a home PC -- but you probably won't be the last.
At least you and your wife are connecting to the same network. That makes things a lot easier than they might be. If you were connecting to two different businesses and both were using NAT with the same private IP address range on their LAN, you'd have to stay with the multiple public leased IP addresses and Checkpoint clients, rather than going through a single public IP address on your router. As it is, IF your BEFVP41 can create a tunnel with your employer's VPN gateway, you're good to go. Granted, that's a pretty big IF :)
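The point made in the posts above, that a multi-tunnel router sends each packet into the tunnel that owns its destination network, and that two remote sites using the same private range cannot both be reached through one router, can be shown with a small tunnel selector. This is an added example, not code from the thread or from NetGear or Linksys firmware. The /26 split of 192.168.0.0/24 across sites and the 192.168.1.0/24 range for the two-employer case are constructed values, not taken from the customer's network.

```python
"""Which tunnel a multi-tunnel VPN router picks for a packet, and why two
remote networks with the same private range cannot both be reached.

Added example; not code from the post, nor from NetGear or Linksys firmware.
It builds the per-destination tunnel table that a router like the FVS-318 or
BEFVP41 consults, rejects overlapping remote subnets up front, and answers
the "two employers, same private range" case from the thread. All subnet
values are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Table = List[Tuple[ipaddress.IPv4Network, str]]


def build_selector(local_lan: str, tunnels: Dict[str, List[str]]) -> Table:
    """Return (subnet, owner) pairs, longest prefix first.

    Raises ValueError when two tunnels, or a tunnel and the local LAN, claim
    overlapping address space: a packet for that range would have no unique
    owner, which is the situation the post says forces separate public IPs
    and per-PC client software instead of one router tunnel.
    """
    claims: Table = [(ipaddress.ip_network(local_lan), "local")]
    for name, subnets in tunnels.items():
        claims += [(ipaddress.ip_network(s), name) for s in subnets]
    for i, (a, an) in enumerate(claims):
        for b, bn in claims[i + 1:]:
            if an != bn and a.overlaps(b):
                raise ValueError(f"{an} {a} overlaps {bn} {b}")
    return sorted(claims, key=lambda c: c[0].prefixlen, reverse=True)


def select_tunnel(table: Table, dst: str) -> Optional[str]:
    """'local' for the home LAN, a tunnel name, or None (plain NAT to the internet)."""
    ip = ipaddress.ip_address(dst)
    for net, name in table:          # longest prefix wins
        if ip in net:
            return name
    return None


def overlap_error(local_lan: str, tunnels: Dict[str, List[str]]) -> Optional[str]:
    """The overlap complaint for a configuration, or None if it is routable."""
    try:
        build_selector(local_lan, tunnels)
    except ValueError as e:
        return str(e)
    return None


# Scenario 1: the three-site FVS-318 mesh, with 192.168.0.0/24 carved into
# /26 pieces so every site keeps a distinct range (constructed split).
HOME_LAN = "192.168.0.128/26"
MESH = {"site-main": ["192.168.0.0/26"], "site-b": ["192.168.0.64/26"]}

# Scenario 2: two employers who both hand out 192.168.1.0/24 behind NAT.
TWO_EMPLOYERS = {"employer-a": ["192.168.1.0/24"], "employer-b": ["192.168.1.0/24"]}

if __name__ == "__main__":
    table = build_selector(HOME_LAN, MESH)
    for dst in ("192.168.0.5", "192.168.0.70", "192.168.0.130", "203.0.113.50"):
        print(dst, "->", select_tunnel(table, dst))
    print("two employers:", overlap_error("10.0.0.0/24", TWO_EMPLOYERS))
```

The overlap check also catches the less obvious case where the home LAN itself uses the same range as the employer's network; a home router that hands out 192.168.1.x to a site whose LAN is also 192.168.1.0/24 will route those destinations locally and never put them in the tunnel.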