Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Can connect using SecurRemote via dialup but not via ADSL using Vigor

Posted on 2004-09-07
5
Medium Priority
?
606 Views
Last Modified: 2008-01-09
We connect to a clients network using Dialup and VPN-1 SecureRemote NG. This works fine when we dial into the Internet then connect.

However it would be easier if we could use the ADSL connection to the Internet to connect.  

The SecuRemote lets us Update the Site via ADSL and seems to authenticate however when we ping the target computer 132.132.32.10 on the target network we get nothing back. However this does work when dialed up to the internet through an Analogue Modem.

If it is relevant we are using a Vigor 2600G router.

What can I do.
0
Comment
Question by:readjf
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 14

Accepted Solution

by:
chris_calabrese earned 336 total points
ID: 11998923
I'm guessing that the router is doing NAT and is not IPsec aware.

There's a famous quote from one of the authors of the IPsec standard that goes something like "NAT is exactly the type of attack IPsec is designed to defend against"
0
 
LVL 3

Assisted Solution

by:dschwartzer
dschwartzer earned 332 total points
ID: 12003690
There's a way to work around this. Check Point invented a mechanism, called UDP encapsulation, which adds a fake UDP header to each IPSec packet. Both source and destination ports are set to 2746 (if I'm not mistaken). This mechanism allows NAT devices on the way to forward the packet furhter.
To turn this feature on, open SecuRemote menu ->tools and look in there. I can't recall exactly where the checkbox is, but it's called 'UDP encapsulation'.

HTH,
Daniel
0
 

Assisted Solution

by:rjbrown99
rjbrown99 earned 332 total points
ID: 12003855
The first thing I would suggest is to visit the web site of the vendor that makes your Vigor router.  Download any new firmware updates and apply them to your router before doing anything else.  I can tell you for sure that certain routers (one of my Netgears had this issue) have shipped with firmware that prevented VPN tunnels from working.  Here's the URL:

http://www.draytek.co.uk/support/index.html

Next, update to the latest version of SecuRemote.  It doesn't matter if your firewall version is a bit older - the newer client will work with an older firewall.

Now the part that will probably be the biggest help.  In the configuration for your Vigor router, disable all VPN features (PPTP, IPSec, and L2TP) since it also supports site-to-site connectivity.  For testing purposes, you want to make sure there are no issues with passing the packets.  Vigor themselves suggest this.  Try it now and see if it works.

Still doens't work?  Okay, visit this FAQ, Question #7:
http://www.draytek.co.uk/support/router_faq.html

You are using IPSec.  You may have to fiddle with the Vigor's configuration a bit to either enable a VPN "passthrough" or else use the DMZ function to just pass packets straight through the router.

The only settings on the host that you can change are SecuRemote are to in settings, connections tab, properties of your connection, advanced.  Make sure "Connectivity Enhancements" is checked with "Use NAT traversal tunneling" and "IKE over TCP" and "Force UDP Encapsulation".

Still doesn't work?  Well, let us know after you perform those steps and we'll motor on from there.

-Rob
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Video by: ITPro.TV
In this episode Don builds upon the troubleshooting techniques by demonstrating how to properly monitor a vSphere deployment to detect problems before they occur. He begins the show using tools found within the vSphere suite as ends the show demonst…
Want to learn how to record your desktop screen without having to use an outside camera. Click on this video and learn how to use the cool google extension called "Screencastify"! Step 1: Open a new google tab Step 2: Go to the left hand upper corn…
Suggested Courses

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question