

VPN Through Router

Posted on 2004-03-29
Medium Priority
Last Modified: 2013-11-29
Well, it's a little more complicated than the above description.

I have a hotel that wants broadband access to all their rooms for guests.  Unfortunately, most business guests connect to their office using VPN.  Well, SOHO equipment isn't going to cut it because each one of these "guests" uses something different (checkpoint, mschap, pptp, blah, blah, blah).  It would also be impossible for me to get a hotel guest to give me the number to their company's IT department so I could try and convince them to let me know what ports their VPN operates over so that I could open a port tunnel for them.  Sheeesh...

Past my small office networking experience, I'm fairly clueless.  What equipment, if any, would allow me to circumvent manual port tunneling and let these people use their VPN across broadband behind a router issuing DHCP addresses? layer 2, layer 3, VLAN (what is all this stuff?)

If someone could point me in the right direction then I can "bone up" on the self education.
Question by: carlajasminelewis
LVL 11

Accepted Solution

infotrader earned 1500 total points
ID: 10707363
Actually, it is probably not as complicated as you think.

Although not all companies implement the same VPN schemes or use the same software to handle this, it is actually pretty common practice that they use the same protocols and/or ports to do this.

If the companies really want their clients to access their internal resources through VPN, they'd get a clue by now that it is best that you stick by the rules.  So here's the low-down:

1.  Do not settle for a cheap router/firewall.  Most firewalls only allow for 1 to 5 simultaneous VPN connections.  This means that, depending on the limitation of the router, you might actually "rob Peter to pay Paul", which disconnects someone's VPN to allow it for others.

2.  Get a router that allows "VPN passthrough", which allows your computer to be able to establish an outbound VPN connection.  If you ask your vendor, they'd be able to provide you with lots of different models.

3.  Just bear in mind that if, after performing the above steps, they still have a proprietary setup on their network that requires special configuration, just politely ask them to ask their IT department to change their settings.  It is not your fault that they are making it difficult for everybody else.  Let's say they have 100 traveling users and each user stays at 10 hotels per year; then that means 10000 hotels would have to modify their settings.... Why can't they just perform the change on their end ONCE, and get it over with?

4.  Most likely, if you are having problems with one particular site/office/client, but have no problem with others, then it is not your network setting but the user/clients' computer setting.  They need to take it up with their IT support people, not you.

5.  If you ABSOLUTELY need to make one particular client happy, you can put a switch in FRONT of your router, and allow them to connect to the switch and use a public IP address.  That would at least prove that the problem isn't with your firewall but their computer setting.

- Info

Expert Comment

ID: 10707507

Most new VPN clients are capable of NAT Traversal... this should eliminate your need to micromanage port tunneling.  You will just need to choose a router based on the number of clients that are likely to be using the connection at any particular time.  Netopia R910 is a good SOHO router with NAT that will serve a good number of clients.  I have used this device with up to 75 simultaneous VPN connections (Cisco and Nortel clients).

If the user's VPN is not capable of NAT traversal... it will have to be done with port forwarding.  However... this is unlikely, as most companies that have traveling users will have already switched to the newer VPN.

If this is a large or high-traffic hotel... you should look into some type of AAA (Authentication, Authorization, and Accounting) server to keep your system from being abused.
LVL 27

Expert Comment

ID: 10707623
Most of the users will have a client, so you don't have to worry about doing any kind of VPN device to VPN device connection.

On your firewall, make sure you have protocol 17 UDP port 500 source and destination open for ISAKMP IPSec Key Management.  Make sure protocol 50 (ESP) and 51 (AH) for IPSec Tunnel Encapsulation are open.

If they're doing PPTP then you'd need Protocol 8 (TCP) Source >1023 Destination 1723 for PPTP Control Connection, and
Protocol 47 (GRE) Source and Destination n/a for PPTP Tunnel Encapsulation.

If they're doing L2TP (they need to upgrade), that would be Protocol 17 (UDP) Source >1023 and Destination 1701.

Reservation Control - Protocol 46 (RSVP) source and destination n/a.
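As an added, defender-side example (not code from any of the posts above), here is a dry-run shell script that turns the protocol/port list in the last comment into iptables rules for a Linux NAT router sitting between a guest LAN and the broadband line. Interface names, the guest subnet and the IPT/MODPROBE variables are assumptions; UDP 4500 (IPsec NAT-Traversal) is included because the NAT-traversal clients mentioned in the earlier comment use it, and the PPTP control rule uses the protocol name tcp.

```shell
#!/bin/sh
# Added example (not from the thread): iptables rules for a NAT router that
# passes the VPN protocols listed above from a guest LAN to the Internet.
# Assumptions: LAN_IF, WAN_IF and GUEST_NET are placeholders; IPT/MODPROBE
# default to "echo ..." so the script only prints what it would run (dry
# run). Set IPT=iptables MODPROBE=modprobe and run as root to apply.
IPT="${IPT:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"
LAN_IF="${LAN_IF:-eth1}"               # guest-room switch side
WAN_IF="${WAN_IF:-eth0}"               # broadband side
GUEST_NET="${GUEST_NET:-10.0.0.0/24}"  # subnet handed out by DHCP

# Protocol/port list from the comment, one "<proto> [<dport>]" per line.
# PPTP control uses tcp (IP protocol 6). UDP 4500 is IPsec NAT-Traversal,
# which clients behind NAT need in addition to UDP 500 and ESP.
vpn_passthrough_rules() {
    cat <<'EOF'
udp 500
udp 4500
esp
ah
tcp 1723
gre
udp 1701
EOF
}

# Emit the NAT rule, the return path for established sessions, and one
# ACCEPT per entry of the list above. Plain ESP cannot be multiplexed by
# NAT across several guests; NAT-T clients carry ESP inside UDP 4500.
apply_vpn_passthrough() {
    $MODPROBE nf_nat_pptp   # GRE helper so several PPTP guests share one IP
    $IPT -t nat -A POSTROUTING -s "$GUEST_NET" -o "$WAN_IF" -j MASQUERADE
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    vpn_passthrough_rules | while read -r proto port; do
        if [ -n "$port" ]; then
            $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$GUEST_NET" \
                -p "$proto" --dport "$port" -j ACCEPT
        else
            $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$GUEST_NET" \
                -p "$proto" -j ACCEPT
        fi
    done
}

# Number of ACCEPT rules the script emits (1 return path + 7 protocols).
count_accept_rules() {
    apply_vpn_passthrough | grep -c -- '-j ACCEPT'
}
```

Unlike the one-to-five tunnel limit of the cheap routers mentioned in the accepted solution, the number of simultaneous tunnels here is bounded only by the kernel's connection-tracking table.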

