VPN tunnel established, but no traffic enters the tunnel

Posted on 2004-08-18
Last Modified: 2011-04-14
I have configured an ipsec vpn tunnel using a Netgear FVS 318 and the Netgear Prosafe vpn client software v.10.1.1.  I have tested the connection from my home using a cable/dsl modem and Linksys router using ipsec passthrough and all is good to go.  I am able to browse and ping the remote internal network.  The issue arises when I have the client's software developer attempt to connect remotely.  The developer is also using the Netgear Prosafe software with identical configurations (different IP's and connection name) as the working connection in my home.  When he attempts to connect, the vpn tunnel is established, but no traffic appears to be traversing the link once the connection is made.  He is connected via ISDN Modem (TA) directly connected to the ISP's Cisco Router/Pix which performs the NAT translation.  I have quickly tried static routes on his PC (WinXP Pro) in an attempt to force the traffic thru the tunnel. This was not successful, and now I am looking at the possibility of ports being blocked by his ISDN provider.  According to the logs of the Netgear router, it seems to be accepting IKE traffic on port 500/UDP, but I am unable to see any other activity.  What other ports need to be opened to pass ipsec traffic, and am I headed in the right direction on this, as my client needs this up and running ASAP for application maintenance?  All replies are appreciated, and thanks in advance.  Please let me know if you need any additional information.

Question by:hedgie67

Accepted Solution

grblades earned 500 total points
ID: 11834461
Hi hedgie67,
IKE is UDP port 500 and is used for authentication, so as they can log in, this is obviously working.
gre is IP protocol number 50 (not a tcp or udp port) and is used to transfer the encrypted data itself, so if this protocol is blocked you will get the symptom that you have of being able to authenticate but not transfer any data.

Author Comment

ID: 11837877
I might be mistaken, but I believe GRE is IP protocol 47 and 50 belongs to ESP (Encapsulating Security Payload). I am not sure if an ipsec connection uses the GRE protocol or not, but I know it is used for vpn's connecting via PPTP.  So I guess what I need to figure out is what protocol(s) are involved here and what port(s) need to be configured in order to allow traffic to pass thru the tunnel.  I received some additional info from the software developer, and he has the ability to open ports on his ISDN modem if need be, but there is no configuration present to allow ipsec passthrough.  Am I headed down the right path here or am I way off base?  Thanks again for the help and speedy replies.

Expert Comment

ID: 11838788
Sorry, you are correct in that gre (ip protocol 47) is used by pptp. IPSEC uses esp (ip protocol 50).
Yes, I think you are on the right path. If the modem has a firewall built in then you have to make sure ip protocol 50 is permitted. Sometimes this is never permitted, sometimes it is a setting (ipsec passthru) and sometimes the device sees traffic on udp port 500 and then automatically allows through esp as well.
Often getting the make and model of the device and finding a manual to download helps so you know what its capabilities are.
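The two expert comments above describe the diagnostic pattern behind this thread: IKE (UDP/500) is accepted, so the peers authenticate, but the encrypted data rides in ESP (IP protocol 50), which is a separate protocol a firewall or "ipsec passthru" setting may silently drop. The script below is an added example, not from the thread or from Netgear; it runs over constructed key=value log lines (a style many routers emit, but not the FVS 318's exact format) and reports which of the three cases you are in: both pass, ESP dropped by this device, or ESP never arriving at all (filtered upstream). NAT-T on UDP/4500 is included as an extra check that the thread itself does not mention.

```python
import re
from collections import Counter

# Constructed sample log (not from the thread's Netgear router): IKE is accepted,
# but every ESP datagram from the same peer is dropped before reaching the tunnel.
SAMPLE_LOG = """\
ACCEPT IN=wan SRC=198.51.100.7 DST=203.0.113.5 PROTO=UDP SPT=500 DPT=500
ACCEPT OUT=wan SRC=203.0.113.5 DST=198.51.100.7 PROTO=UDP SPT=500 DPT=500
DROP IN=wan SRC=198.51.100.7 DST=203.0.113.5 PROTO=50
DROP IN=wan SRC=198.51.100.7 DST=203.0.113.5 PROTO=ESP
ACCEPT IN=wan SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=51234 DPT=80
"""

# IP protocol numbers that matter here: 50/51 carry IPsec data, 47 is PPTP's GRE.
PROTO_NAMES = {"50": "ESP", "ESP": "ESP", "51": "AH", "AH": "AH", "47": "GRE", "GRE": "GRE"}
LINE_RE = re.compile(r"^(?P<action>\w+)\b.*?\bPROTO=(?P<proto>\w+)(?:.*?\bDPT=(?P<dpt>\d+))?")

def classify(line):
    """Map one log line to (action, traffic class), or None if not IPsec-related."""
    m = LINE_RE.match(line)
    if not m:
        return None
    action, proto = m.group("action"), m.group("proto").upper()
    if proto in PROTO_NAMES:
        return action, PROTO_NAMES[proto]
    if proto == "UDP" and m.group("dpt") == "500":
        return action, "IKE"
    if proto == "UDP" and m.group("dpt") == "4500":  # NAT-T; not part of the thread
        return action, "NAT-T"
    return None

def diagnose(log_text):
    """Count IPsec-related lines and name the IKE-works-but-no-data failure mode."""
    counts = Counter(c for c in map(classify, log_text.splitlines()) if c)
    ike_ok = counts[("ACCEPT", "IKE")] > 0
    esp_ok = counts[("ACCEPT", "ESP")] > 0 or counts[("ACCEPT", "NAT-T")] > 0
    esp_dropped = counts[("DROP", "ESP")] > 0
    if ike_ok and esp_ok:
        verdict = "ok: IKE and ESP both pass"
    elif ike_ok and esp_dropped:
        verdict = "esp-blocked-here: IKE passes but this device drops IP protocol 50"
    elif ike_ok:
        verdict = "esp-missing: IKE passes but no ESP arrives; protocol 50 is filtered upstream or passthrough is off"
    else:
        verdict = "ike-missing: UDP/500 never accepted; the tunnel cannot even authenticate"
    return counts, verdict

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG)[1])
```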

Author Comment

ID: 11883266
Just wanted to update this issue, as it has not been resolved yet. I have been in constant communication w/the developer who is trying to connect to the vpn via ISDN.  The ISDN modem seems to be forwarding all traffic, yet we are still unable to pass traffic thru the vpn tunnel.  The ISDN provider is more than likely filtering IP protocol 50 or 51 on an upstream router, and I am unable to verify due to provider lack of support. Also, I have noticed that the WAN IP of the ISDN router (ISP) has been dynamically changing from time to time, and creates havoc w/the vpn's remote IPSec identifier as I can only get it to work w/IP addy's and not a Common Name.  The ISP's router interface is probably configured w/multi-nets, and thus the outgoing interface IP changes from time to time.  So, what we have decided to pursue is to try to establish a vpn connection from the software developer's corporate network to the client's network using the Netgear router and client.  Their corporate net outsources their NAT firewall, and we are currently looking into opening ports/services in order to complete the connection.  More info to follow, and I will post w/the results.


Author Comment

ID: 12102207
Finally was able to resolve this issue, and I am posting the results as promised so someone else will be able to benefit from it.  The developer finally was able to contact their firewall provider and open the ports/protocols needed for the ipsec traffic to pass thru the tunnel.  Once the firewall policy was configured properly he was able to connect and pass data thru the vpn tunnel and connect w/the client's server in order to perform the necessary maintenance tasks on the application.  Issue is resolved. :) Many thanks to all experts who participated.  Points will be awarded accordingly.

