Linksys Etherfast

This article is unfinished. Although it may contain useful information, it is incomplete and may be missing important details.

Platform Notes

The Linksys Etherfast Cable/DSL VPN Router model BEFVP41 is a Cable/DSL router that also supports IPsec VPN.

Version History

Backoff Patterns

Vendor IDs

Authentication Methods

The Linksys only supports the Pre-Shared Key authentication method.

ISAKMP SA Lifetime

Transform Attribute Ordering and Rewriting

Aggressive Mode

The Linksys router supports both Main Mode and Aggressive Mode.

Response to Noncompliant and Malformed Packets

NAT Traversal

IVEv2

Remote Access VPN Client

Linksys QuickVPN client.

Other Interesting Behaviour

Default Configuration

Discovered Vulnerabilities

Miscellaneous Notes

The Linksys Etherfast has a very simple IKE implementation. It does not perform any retransmission in the event of lost packets, and it will always respond to source port 500, irrespective of the actual source port value. This source port restriction means that only the default source port of 500 will work, which probably means that it won't work behind a NAT device.

Here is a tcpdump output showing what happens when ike-scan is used to send a request using a high source port. In this example, the ike-scan command line used was ike-scan -s 0 -r 1 82.34.234.111. You can see the outgoing ike request with source port 32928, followed by the Linksys reply back to port 500. As ike-scan is listening for replies on port 32928 and not 500, the kernel sends back an ICMP unreachable message.

18:07:23.046263 IP 194.164.84.178.32928 > 82.34.234.111.500: isakmp: phase 1 I ident
18:07:24.031649 IP 82.34.234.111.500 > 194.164.84.178.500: isakmp: phase 1 R ident
18:07:24.031705 IP 194.164.84.178 > 82.34.234.111: icmp 120: 194.164.84.178 udp port 500 unreachable