hedgie67 asked:
VPN tunnel established, but no traffic enters the tunnel

All,
  I have configured an IPsec VPN tunnel using a Netgear FVS 318 and the Netgear Prosafe VPN client software v.10.1.1.  I have tested the connection from my home using a cable/DSL modem and Linksys router using IPsec passthrough and all is good to go.  I am able to browse and ping the remote internal network.  The issue arises when I have the client's software developer attempt to connect remotely.  The developer is also using the Netgear Prosafe software with identical configurations (different IPs and connection name) as the working connection in my home.  When he attempts to connect, the VPN tunnel is established, but no traffic appears to be traversing the link once the connection is made.  He is connected via ISDN modem (TA) directly connected to the ISP's Cisco Router/PIX which performs the NAT translation.  I have quickly tried static routes on his PC (WinXP Pro) in an attempt to force the traffic through the tunnel. This was not successful, and now I am looking at the possibility of ports being blocked by his ISDN provider.  According to the logs of the Netgear router, it seems to be accepting IKE traffic on port 500/UDP, but I am unable to see any other activity.  What other ports need to be opened to pass IPsec traffic, and am I headed in the right direction on this, as my client needs this up and running ASAP for application maintenance?  All replies are appreciated, and thanks in advance.  Please let me know if you need any additional information.

-Hedgie67
ASKER CERTIFIED SOLUTION by grblades

This solution is only available to members.
hedgie67 (ASKER):
grblades,
 I might be mistaken, but I believe GRE is IP protocol 47 and 50 belongs to ESP (Encapsulating Security Payload). I am not sure if an IPsec connection uses the GRE protocol or not, but I know it is used for VPNs connecting via PPTP.  So I guess what I need to figure out is what protocol(s) are involved here and what port(s) need to be configured in order to allow traffic to pass through the tunnel.  I received some additional info from the software developer, and he has the ability to open ports on his ISDN modem if need be, but there is no configuration present to allow IPsec passthrough.  Am I headed down the right path here or am I way off base?  Thanks again for the help and speedy replies.

-Hedgie67
grblades:

Sorry, you are correct in that GRE (IP protocol 47) is used by PPTP. IPsec uses ESP (IP protocol 50).
Yes, I think you are on the right path. If the modem has a firewall built in then you have to make sure IP protocol 50 is permitted. Sometimes this is never permitted, sometimes it is a setting (ipsec passthru) and sometimes the device sees traffic on UDP port 500 and then automatically allows ESP through as well.
Often getting the make and model of the device and finding a manual to download helps so you know what its capabilities are.
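An added diagnostic, not code from this thread or from Netgear, for the point grblades makes above: a capture taken at the client-side firewall should show IKE on UDP/500 followed by ESP (IP protocol 50), and IKE alone means the encrypted payload traffic is being dropped somewhere upstream. The packet bytes below are constructed inline; the addresses and the UDP/4500 NAT-Traversal case are assumptions not taken from the thread.

```python
import struct

# IP protocol numbers and UDP ports involved in an IPsec (or PPTP) tunnel
PROTO_UDP, PROTO_GRE, PROTO_ESP, PROTO_AH = 17, 47, 50, 51
IKE_PORT, NAT_T_PORT = 500, 4500  # IKE; UDP-encapsulated ESP (NAT-Traversal)


def classify_ipv4(packet: bytes) -> str:
    """Label a raw IPv4 packet by the role it plays in VPN traffic."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = packet[9]                     # protocol field of the IPv4 header
    if proto == PROTO_ESP:
        return "ESP"
    if proto == PROTO_AH:
        return "AH"
    if proto == PROTO_GRE:
        return "GRE"                      # PPTP carrier, not IPsec
    if proto == PROTO_UDP and len(packet) >= ihl + 8:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if IKE_PORT in (sport, dport):
            return "IKE"
        if NAT_T_PORT in (sport, dport):
            return "NAT-T"
    return "other"


def diagnose(packets) -> str:
    """Summarise what a firewall-side capture says about the tunnel."""
    seen = {classify_ipv4(p) for p in packets}
    if "IKE" not in seen:
        return "no IKE: UDP/500 is not reaching the gateway"
    if seen & {"ESP", "AH", "NAT-T"}:
        return "ok: IKE plus encrypted payload traffic seen"
    return "IKE only: ESP (IP protocol 50) is probably filtered upstream"


# Constructed sample packets (assumed documentation addresses, zero checksums)
def ipv4(proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return hdr + payload


def udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


IKE_PKT = ipv4(PROTO_UDP, udp(IKE_PORT, IKE_PORT, b"\x00" * 28))
ESP_PKT = ipv4(PROTO_ESP, b"\x00" * 16)
```

Feeding `diagnose()` the packets from a capture on both sides of the ISDN modem shows at which hop ESP disappears while IKE still gets through.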
Just wanted to update this issue, as it has not been resolved yet. I have been in constant communication w/the developer who is trying to connect to the VPN via ISDN.  The ISDN modem seems to be forwarding all traffic, yet we are still unable to pass traffic through the VPN tunnel.  The ISDN provider is more than likely filtering IP protocol 50 or 51 on an upstream router, and I am unable to verify due to the provider's lack of support. Also, I have noticed that the WAN IP of the ISDN router (ISP) has been dynamically changing from time to time, and this creates havoc w/the VPN's remote IPsec identifier as I can only get it to work w/IP addresses and not a Common Name.  The ISP's router interface is probably configured w/multi-nets, and thus the outgoing interface IP changes from time to time.  So, what we have decided to pursue is to try to establish a VPN connection from the software developer's corporate network to the client's network using the Netgear router and client.  Their corporate net outsources their NAT firewall, and we are currently looking into opening ports/services in order to complete the connection.  More info to follow, and I will post w/the results.

-hedgie67
Finally was able to resolve this issue, and I am posting the results as promised so someone else will be able to benefit from it.  The developer finally was able to contact their firewall provider and open the ports/protocols needed for the IPsec traffic to pass through the tunnel.  Once the firewall policy was configured properly he was able to connect and pass data through the VPN tunnel and connect w/the client's server in order to perform the necessary maintenance tasks on the application.  Issue is resolved. :) Many thanks to all experts who participated.  Points will be awarded accordingly.

-Hedgie67