• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3234

VPN tunnel established, but no traffic enters the tunnel

All,
  I have configured an ipsec vpn tunnel using a Netgear FVS 318 and the Netgear Prosafe vpn client software v.10.1.1.  I have tested the connection from my home using a cable/dsl modem and Linksys router using ipsec passthrough and all is good to go.  I am able to browse and ping the remote internal network.  The issue arises when I have the client's software developer attempt to connect remotely.  The developer is also using the Netgear Prosafe software with identical configurations (different IPs and connection name) as the working connection in my home.  When he attempts to connect, the vpn tunnel is established, but no traffic appears to be traversing the link once the connection is made.  He is connected via ISDN Modem (TA) directly connected to the ISP's Cisco Router/Pix which performs the NAT translation.  I have quickly tried static routes on his PC (WinXP Pro) in an attempt to force the traffic thru the tunnel. This was not successful, and now I am looking at the possibility of ports being blocked by his ISDN provider.  According to the logs of the Netgear router, it seems to be accepting IKE traffic on port 500/UDP, but I am unable to see any other activity.  What other ports need to be opened to pass ipsec traffic? And am I headed in the right direction on this, as my client needs this up and running ASAP for application maintenance.  All replies are appreciated, and thanks in advance.  Please let me know if you need any additional information.

-Hedgie67
1 Solution
 
grbladesCommented:
Hi hedgie67,
IKE is UDP port 500 and is used for authentication, so as they can log in then this is obviously working.
GRE is IP protocol number 50 (not a TCP or UDP port) and is used to transfer the encrypted data itself, so if this protocol is blocked you will get the symptom that you have of being able to authenticate but not transfer any data.
 
hedgie67Author Commented:
grblades,
 I might be mistaken, but I believe GRE is IP protocol 47 and 50 belongs to ESP (Encapsulating Security Payload). I am not sure if an ipsec connection uses the GRE protocol or not, but I know it is used for vpn's connecting via PPTP.  So I guess what I need to figure out is what protocol(s) are involved here and what port(s) need to be configured in order to allow traffic to pass thru the tunnel.  I received some additional info from the software developer, and he has the ability to open ports on his ISDN modem if need be, but there is no configuration present to allow ipsec passthrough.  Am I headed down the right path here or am I way off base?  Thanks again for the help and speedy replies.

-Hedgie67
 
grbladesCommented:
Sorry, you are correct in that GRE (IP protocol 47) is used by PPTP. IPsec uses ESP (IP protocol 50).
Yes, I think you are on the right path. If the modem has a firewall built in then you have to make sure IP protocol 50 is permitted. Sometimes this is never permitted, sometimes it is a setting (ipsec passthru) and sometimes the device sees traffic on UDP port 500 and then automatically allows ESP through as well.
Often getting the make and model of the device and finding a manual to download helps, so you know what its capabilities are.
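The symptom described in this thread (IKE on UDP/500 is accepted, so the tunnel negotiates, but ESP as IP protocol 50 is dropped somewhere in the path, so no data flows) shows up clearly in firewall logs once you separate the two kinds of traffic. The following is an added example, not code from the thread or from Netgear: it parses constructed log lines in an assumed generic `proto=... src=... dst=... action=...` format (not any specific vendor's format) and reports whether the log shows IKE only, IKE plus ESP/AH being dropped, or a healthy exchange. AH (IP protocol 51) comes from the thread; NAT-T on UDP/4500 is standard IPsec knowledge not mentioned in the thread and is included so NAT-traversed tunnels are not misreported.

```python
"""Diagnose "IPsec tunnel up, but no data flows" from firewall log lines.

Added example, not from the thread. The log format is an assumed generic
key=value layout; adapt LINE_RE to the device you are actually reading.
"""
import re
from collections import Counter

# IPsec components: IKE (UDP/500), ESP (IP proto 50) and AH (IP proto 51)
# are named in the thread; NAT-T (UDP/4500) is standard IPsec knowledge.
IKE_PORT = 500
NATT_PORT = 4500
ESP_PROTO = 50
AH_PROTO = 51
UDP_PROTO = 17

LINE_RE = re.compile(
    r"proto=(?P<proto>\d+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
    r"(?:\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+))?"
    r"\s+action=(?P<action>\w+)"
)


def classify(line):
    """Return (kind, action) for one log line, or None if it does not parse.

    kind is one of: ike, nat-t, esp, ah, other.
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    proto = int(m["proto"])
    dport = int(m["dport"]) if m["dport"] else None
    if proto == UDP_PROTO and dport == IKE_PORT:
        kind = "ike"
    elif proto == UDP_PROTO and dport == NATT_PORT:
        kind = "nat-t"
    elif proto == ESP_PROTO:
        kind = "esp"
    elif proto == AH_PROTO:
        kind = "ah"
    else:
        kind = "other"
    return kind, m["action"].lower()


def diagnose(lines):
    """Summarise a batch of log lines into one of four verdicts.

    no-ike                : IKE never got through, the tunnel cannot negotiate.
    esp-or-ah-blocked     : IKE accepted but ESP/AH explicitly dropped (the
                            thread's symptom, with the block visible locally).
    ike-only-no-data-seen : IKE accepted, no ESP/AH/NAT-T at all; the data
                            path is being filtered upstream or never sent.
    ok                    : IKE and encrypted data both accepted.
    """
    seen = Counter()
    for line in lines:
        c = classify(line)
        if c:
            seen[c] += 1
    ike_ok = seen[("ike", "accept")] > 0
    data_ok = (seen[("esp", "accept")] + seen[("ah", "accept")]
               + seen[("nat-t", "accept")]) > 0
    data_dropped = (seen[("esp", "drop")] + seen[("ah", "drop")]) > 0
    if not ike_ok:
        return "no-ike"
    if data_dropped:
        return "esp-or-ah-blocked"
    if not data_ok:
        return "ike-only-no-data-seen"
    return "ok"


# Constructed sample logs (addresses from documentation ranges, not real hosts).
BLOCKED_LOG = [
    "proto=17 src=203.0.113.5 dst=198.51.100.9 sport=500 dport=500 action=accept",
    "proto=17 src=198.51.100.9 dst=203.0.113.5 sport=500 dport=500 action=accept",
    "proto=50 src=203.0.113.5 dst=198.51.100.9 action=drop",
    "proto=50 src=203.0.113.5 dst=198.51.100.9 action=drop",
]
HEALTHY_LOG = [
    "proto=17 src=203.0.113.5 dst=198.51.100.9 sport=500 dport=500 action=accept",
    "proto=50 src=203.0.113.5 dst=198.51.100.9 action=accept",
    "proto=50 src=198.51.100.9 dst=203.0.113.5 action=accept",
]
UPSTREAM_FILTERED_LOG = [
    "proto=17 src=203.0.113.5 dst=198.51.100.9 sport=500 dport=500 action=accept",
    "proto=6 src=203.0.113.5 dst=198.51.100.9 sport=40001 dport=80 action=accept",
]

if __name__ == "__main__":
    for name, log in (("blocked", BLOCKED_LOG), ("healthy", HEALTHY_LOG),
                      ("upstream", UPSTREAM_FILTERED_LOG)):
        print(f"{name}: {diagnose(log)}")
```

The `ike-only-no-data-seen` verdict is the one that matches the asker's situation later in the thread: the local devices pass everything, yet no ESP ever appears, which points at filtering on a hop you cannot see in your own logs.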
 
hedgie67Author Commented:
Just wanted to update this issue, as it has not been resolved yet. I have been in constant communication w/the developer who is trying to connect to the vpn via ISDN.  The ISDN modem seems to be forwarding all traffic, yet we are still unable to pass traffic thru the vpn tunnel.  The ISDN provider is more than likely filtering IP protocol 50 or 51 on an upstream router, and I am unable to verify due to the provider's lack of support. Also, I have noticed that the WAN IP of the ISDN router (ISP) has been dynamically changing from time to time, and creates havoc w/the vpn's remote IPSec identifier as I can only get it to work w/IP addy's and not a Common Name.  The ISP's router interface is probably configured w/multi-nets, and thus the outgoing interface IP changes from time to time.  So, what we have decided to pursue is to try to establish a vpn connection from the software developer's corporate network to the client's network using the Netgear router and client.  Their corporate net outsources their NAT firewall, and we are currently looking into opening ports/services in order to complete the connection.  More info to follow, and will post w/the results.

-hedgie67
 
hedgie67Author Commented:
Finally was able to resolve this issue, and I am posting the results as promised so someone else will be able to benefit from it.  The developer finally was able to contact their firewall provider and open the ports/protocols needed for the ipsec traffic to pass thru the tunnel.  Once the firewall policy was configured properly he was able to connect and pass data thru the vpn tunnel and connect w/the client's server in order to perform the necessary maintenance tasks on the application.  Issue is resolved. --:), many thanks to all experts who participated.  Points will be awarded accordingly.

-Hedgie67