VPN tunnel established, but no traffic enters the tunnel

Posted on 2004-08-18
Medium Priority
Last Modified: 2011-04-14
I have configured an ipsec vpn tunnel using a Netgear FVS 318 and the Netgear Prosafe vpn client software v.10.1.1. I have tested the connection from my home using a cable/dsl modem and Linksys router using ipsec passthrough and all is good to go. I am able to browse and ping the remote internal network. The issue arises when I have the client's software developer attempt to connect remotely. The developer is also using the Netgear Prosafe software with identical configurations (different IPs and connection name) as the working connection in my home. When he attempts to connect, the vpn tunnel is established, but no traffic appears to be traversing the link once the connection is made. He is connected via ISDN Modem (TA) directly connected to the ISP's Cisco Router/Pix which performs the NAT translation. I have quickly tried static routes on his PC (WinXP Pro) in an attempt to force the traffic through the tunnel. This was not successful, and now I am looking at the possibility of ports being blocked by his ISDN provider. According to the logs of the Netgear router, it seems to be accepting IKE traffic on port 500/UDP, but I am unable to see any other activity. What other ports need to be opened to pass ipsec traffic? And am I headed in the right direction on this, as my client needs this up and running ASAP for application maintenance. All replies are appreciated, and thanks in advance. Please let me know if you need any additional information.

Question by:hedgie67
Accepted Solution

grblades earned 2000 total points
ID: 11834461
Hi hedgie67,
IKE is UDP port 500 and is used for authentication, so as they can log in this is obviously working.
gre is IP protocol number 50 (not a tcp or udp port) and is used to transfer the encrypted data itself, so if this protocol is blocked you will get the symptom that you have of being able to authenticate but not transfer any data.

Author Comment

ID: 11837877
I might be mistaken, but I believe GRE is IP protocol 47 and 50 belongs to ESP (Encapsulating Security Payload). I am not sure if an ipsec connection uses the GRE protocol or not, but I know it is used for vpn's connecting via PPTP. So I guess that is what I need to figure out is what protocol(s) are involved here and what port(s) need to be configured in order to allow traffic to pass through the tunnel. I received some additional info from the software developer, and he has the ability to open ports on his ISDN modem if need be, but there is no configuration present to allow ipsec passthrough. Am I headed down the right path here or am I way off base? Thanks again for the help and speedy replies.

Expert Comment

ID: 11838788
Sorry, you are correct in that gre (ip protocol 47) is used by pptp. IPSEC uses esp (ip protocol 50).
Yes, I think you are on the right path. If the modem has a firewall built in then you have to make sure ip protocol 50 is permitted. Sometimes this is never permitted, sometimes it is a setting (ipsec passthru) and sometimes the device sees traffic on udp port 500 and then automatically allows through esp as well.
Often getting the make and model of the device and finding a manual to download helps so you know what its capabilities are.
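The exchange above boils down to a protocol-number question: IKE is UDP/500, ESP is IP protocol 50, AH is IP protocol 51, and GRE (protocol 47) belongs to PPTP, not IPsec. The following is an added example, not code from the original thread or from Netgear: a small Python classifier that walks raw IPv4 packets, labels each as IKE, ESP, AH, GRE or other, and reports the "IKE negotiates but no ESP ever arrives" pattern the asker describes. It goes slightly beyond the thread by also recognising UDP/4500, the NAT-Traversal encapsulation (RFC 3948) that IPsec peers fall back to when a NAT is in the path; whether the 2004-era Prosafe client negotiates NAT-T is not stated on the page. The sample packets are constructed inline; the addresses, ports and the `build_ipv4`/`build_udp` helpers are assumptions for the demonstration.

```python
import struct
from collections import Counter

# IANA IP protocol numbers relevant to VPN traffic.
PROTO_UDP = 17
PROTO_GRE = 47   # PPTP data channel, not part of IPsec
PROTO_ESP = 50   # IPsec Encapsulating Security Payload
PROTO_AH = 51    # IPsec Authentication Header

IKE_PORT = 500     # ISAKMP / IKE negotiation
NAT_T_PORT = 4500  # IKE and UDP-encapsulated ESP when NAT-Traversal is in use


def classify(packet: bytes) -> str:
    """Label one raw IPv4 packet: 'IKE', 'NAT-T', 'ESP', 'AH', 'GRE' or 'other'."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        return "other"                      # only IPv4 is handled here
    ihl = (version_ihl & 0x0F) * 4          # header length in bytes
    proto = packet[9]                       # IP protocol number field
    if proto == PROTO_ESP:
        return "ESP"
    if proto == PROTO_AH:
        return "AH"
    if proto == PROTO_GRE:
        return "GRE"
    if proto == PROTO_UDP:
        if len(packet) < ihl + 8:
            raise ValueError("truncated UDP header")
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if IKE_PORT in (sport, dport):
            return "IKE"
        if NAT_T_PORT in (sport, dport):
            return "NAT-T"
    return "other"


def diagnose(packets):
    """Count packet classes and state what the mix implies about the data path."""
    counts = Counter(classify(p) for p in packets)
    data_path = counts["ESP"] + counts["AH"] + counts["NAT-T"]
    if counts["IKE"] and not data_path:
        verdict = ("IKE seen but no ESP/AH/NAT-T: a device in the path is dropping "
                   "IP protocol 50/51 (or UDP 4500); this is the 'tunnel up, no traffic' symptom")
    elif data_path:
        verdict = "IPsec data path present"
    else:
        verdict = "no IPsec traffic observed"
    return counts, verdict


# --- Helpers to construct sample packets (assumed, for the demonstration only) ---

def build_ipv4(proto: int, payload: bytes, src: bytes, dst: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; not needed for classification)."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return header + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


# Constructed addresses: the remote client's NAT address and the FVS318 WAN address.
CLIENT = bytes([203, 0, 113, 7])
GATEWAY = bytes([198, 51, 100, 10])

ike_packet = build_ipv4(PROTO_UDP, build_udp(IKE_PORT, IKE_PORT, b"\x00" * 28), CLIENT, GATEWAY)
esp_packet = build_ipv4(PROTO_ESP, b"\x00\x00\x10\x01" + b"\xaa" * 40, CLIENT, GATEWAY)
gre_packet = build_ipv4(PROTO_GRE, b"\x30\x01\x88\x0b" + b"\x00" * 8, CLIENT, GATEWAY)

# Constructed "captures": what the asker saw (only IKE reaches the router) versus a working tunnel.
CAPTURE_BLOCKED = [ike_packet] * 3
CAPTURE_WORKING = [ike_packet] * 2 + [esp_packet] * 4

if __name__ == "__main__":
    for name, cap in (("blocked", CAPTURE_BLOCKED), ("working", CAPTURE_WORKING)):
        counts, verdict = diagnose(cap)
        print(f"{name}: {dict(counts)} -> {verdict}")
```

Run against a real capture by feeding it the IP-layer bytes of each frame (for example the payload after the 14-byte Ethernet header of a `tcpdump -w` file); if the gateway side shows IKE with no ESP while the client side shows ESP leaving, the drop is somewhere between, which is exactly the upstream-filter case the thread ends up suspecting.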

Author Comment

ID: 11883266
Just wanted to update this issue, as it has not been resolved yet. I have been in constant communication w/the developer who is trying to connect to the vpn via ISDN. The ISDN modem seems to be forwarding all traffic, yet we are still unable to pass traffic through the vpn tunnel. The ISDN provider is more than likely filtering IP protocol 50 or 51 on an upstream router, and I am unable to verify due to provider lack of support. Also, I have noticed that the WAN IP of the ISDN router (ISP) has been dynamically changing from time to time, and creates havoc w/the vpn's remote IPSec identifier as I can only get it to work w/IP addy's and not a Common Name. The ISP's router interface is probably configured w/multi-nets, and thus the outgoing interface IP changes from time to time. So, what we have decided to pursue is to try to establish a vpn connection from the software developer's corporate network to the client's network using the Netgear router and client. Their corporate net outsources their NAT firewall, and we are currently looking into opening ports/services in order to complete the connection. More info to follow, and I will post the results.


Author Comment

ID: 12102207
Finally was able to resolve this issue, and I am posting the results as promised so someone else will be able to benefit from it. The developer finally was able to contact their firewall provider and open the ports/protocols needed for the ipsec traffic to pass through the tunnel. Once the firewall policy was configured properly he was able to connect and pass data through the vpn tunnel and connect w/the client's server in order to perform the necessary maintenance tasks on the application. Issue is resolved. --:), many thanks to all experts who participated. Points will be awarded accordingly.

