Solved

VPN tunnel established, but no traffic enters the tunnel

Posted on 2004-08-18
3,216 Views
Last Modified: 2011-04-14
All,
I have configured an IPsec VPN tunnel using a Netgear FVS 318 and the Netgear Prosafe VPN client software v.10.1.1. I have tested the connection from my home using a cable/DSL modem and Linksys router using IPsec passthrough and all is good to go. I am able to browse and ping the remote internal network. The issue arises when I have the client's software developer attempt to connect remotely. The developer is also using the Netgear Prosafe software with identical configurations (different IPs and connection name) as the working connection in my home. When he attempts to connect, the VPN tunnel is established, but no traffic appears to be traversing the link once the connection is made. He is connected via ISDN modem (TA) directly connected to the ISP's Cisco router/PIX which performs the NAT translation. I have quickly tried static routes on his PC (WinXP Pro) in an attempt to force the traffic through the tunnel. This was not successful, and now I am looking at the possibility of ports being blocked by his ISDN provider. According to the logs of the Netgear router, it seems to be accepting IKE traffic on port 500/UDP, but I am unable to see any other activity. What other ports need to be opened to pass IPsec traffic, and am I headed in the right direction on this? My client needs this up and running ASAP for application maintenance. All replies are appreciated, and thanks in advance. Please let me know if you need any additional information.

-Hedgie67
Question by:hedgie67
5 Comments
LVL 36

Accepted Solution by: grblades (earned 500 total points)
ID: 11834461
Hi hedgie67,
IKE is UDP port 500 and is used for authentication, so as they can log in, this is obviously working.
GRE is IP protocol number 50 (not a TCP or UDP port) and is used to transfer the encrypted data itself, so if this protocol is blocked you will get the symptom that you have of being able to authenticate but not transfer any data.
 
LVL 1

Author Comment

by:hedgie67
ID: 11837877
grblades,
I might be mistaken, but I believe GRE is IP protocol 47 and 50 belongs to ESP (Encapsulating Security Payload). I am not sure if an IPsec connection uses the GRE protocol or not, but I know it is used for VPNs connecting via PPTP. So I guess what I need to figure out is what protocol(s) are involved here and what port(s) need to be configured in order to allow traffic to pass through the tunnel. I received some additional info from the software developer, and he has the ability to open ports on his ISDN modem if need be, but there is no configuration present to allow IPsec passthrough. Am I headed down the right path here or am I way off base? Thanks again for the help and speedy replies.

-Hedgie67
 
LVL 36

Expert Comment

by:grblades
ID: 11838788
Sorry, you are correct in that GRE (IP protocol 47) is used by PPTP. IPsec uses ESP (IP protocol 50).
Yes, I think you are on the right path. If the modem has a firewall built in then you have to make sure IP protocol 50 is permitted. Sometimes this is never permitted, sometimes it is a setting (IPsec passthru) and sometimes the device sees traffic on UDP port 500 and then automatically allows ESP through as well.
Often getting the make and model of the device and finding a manual to download helps so you know what its capabilities are.
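The two comments above describe the split between IKE (UDP port 500) and the encrypted data (ESP, IP protocol 50; AH is 51; GRE, used by PPTP, is 47). The following is an added example, not code from the thread or from Netgear: a toy firewall evaluator over constructed IPv4 packets that reproduces the symptom of a tunnel that negotiates but carries no data when only UDP/500 is permitted. The policy dictionaries and packet builder are assumptions made for the illustration.

```python
import struct

IKE_PORT = 500
PROTO_UDP, PROTO_GRE, PROTO_ESP, PROTO_AH = 17, 47, 50, 51

def parse_ipv4(pkt: bytes) -> dict:
    """Return the IP protocol number and, for UDP, the destination port."""
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    proto = pkt[9]                     # protocol field of the IPv4 header
    info = {"proto": proto, "dport": None}
    if proto == PROTO_UDP:
        _sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        info["dport"] = dport
    return info

def classify(pkt: bytes) -> str:
    """Name the tunnel component a packet belongs to (IKE, ESP, AH, GRE, other)."""
    info = parse_ipv4(pkt)
    if info["proto"] == PROTO_UDP and info["dport"] == IKE_PORT:
        return "IKE"
    return {PROTO_ESP: "ESP", PROTO_AH: "AH", PROTO_GRE: "GRE"}.get(info["proto"], "other")

def permitted(pkt: bytes, policy: dict) -> bool:
    """Toy firewall: UDP is matched on destination port, anything else on IP protocol."""
    info = parse_ipv4(pkt)
    if info["proto"] == PROTO_UDP:
        return info["dport"] in policy["udp_ports"]
    return info["proto"] in policy["protocols"]

def build_ipv4(proto: int, dport: int = 0, payload: bytes = b"") -> bytes:
    """Constructed sample packet: minimal 20-byte IPv4 header plus optional UDP header."""
    body = payload
    if proto == PROTO_UDP:
        body = struct.pack("!HHHH", 4500, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 2]), bytes([203, 0, 113, 1]))  # constructed addresses
    return hdr + body

# Broken policy: only the IKE port opened, the situation on the developer's ISDN link.
IKE_ONLY = {"udp_ports": {IKE_PORT}, "protocols": set()}
# Corrected policy: IKE plus ESP (and AH, in case the security association uses it).
IKE_AND_ESP = {"udp_ports": {IKE_PORT}, "protocols": {PROTO_ESP, PROTO_AH}}

def tunnel_diagnosis(policy: dict) -> tuple:
    """Returns (ike_passes, esp_passes): tunnel negotiates vs. data actually flows."""
    ike = build_ipv4(PROTO_UDP, IKE_PORT, b"\x00" * 28)
    esp = build_ipv4(PROTO_ESP, payload=b"\x00" * 8)
    return permitted(ike, policy), permitted(esp, policy)

if __name__ == "__main__":
    for name, pol in (("IKE only", IKE_ONLY), ("IKE + ESP", IKE_AND_ESP)):
        ike_ok, esp_ok = tunnel_diagnosis(pol)
        print(f"{name}: negotiates={ike_ok}, data flows={esp_ok}")
```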
 
LVL 1

Author Comment

by:hedgie67
ID: 11883266
Just wanted to update this issue, as it has not been resolved yet. I have been in constant communication with the developer who is trying to connect to the VPN via ISDN. The ISDN modem seems to be forwarding all traffic, yet we are still unable to pass traffic through the VPN tunnel. The ISDN provider is more than likely filtering IP protocol 50 or 51 on an upstream router, and I am unable to verify due to the provider's lack of support. Also, I have noticed that the WAN IP of the ISDN router (ISP) has been dynamically changing from time to time, and this creates havoc with the VPN's remote IPsec identifier, as I can only get it to work with IP addresses and not a Common Name. The ISP's router interface is probably configured with multi-nets, and thus the outgoing interface IP changes from time to time. So, what we have decided to pursue is to try to establish a VPN connection from the software developer's corporate network to the client's network using the Netgear router and client. Their corporate net outsources their NAT firewall, and we are currently looking into opening ports/services in order to complete the connection. More info to follow, and I will post with the results.

-hedgie67
 
LVL 1

Author Comment

by:hedgie67
ID: 12102207
Finally was able to resolve this issue, and I am posting the results as promised so someone else will be able to benefit from it. The developer finally was able to contact their firewall provider and open the ports/protocols needed for the IPsec traffic to pass through the tunnel. Once the firewall policy was configured properly he was able to connect and pass data through the VPN tunnel and connect with the client's server in order to perform the necessary maintenance tasks on the application. Issue is resolved. :) Many thanks to all experts who participated. Points will be awarded accordingly.

-Hedgie67
