  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 608

Can connect using SecuRemote via dialup but not via ADSL using Vigor

We connect to a client's network using dialup and VPN-1 SecuRemote NG. This works fine when we dial into the Internet and then connect.

However it would be easier if we could use the ADSL connection to the Internet to connect.  

The SecuRemote lets us Update the Site via ADSL and seems to authenticate; however, when we ping the target computer 132.132.32.10 on the target network we get nothing back. This does work when dialed up to the Internet through an analogue modem.

If it is relevant we are using a Vigor 2600G router.

What can I do?
0
Asked: readjf
3 Solutions
 
chris_calabrese Commented:
I'm guessing that the router is doing NAT and is not IPsec aware.

There's a famous quote from one of the authors of the IPsec standard that goes something like "NAT is exactly the type of attack IPsec is designed to defend against."
0
 
dschwartzer Commented:
There's a way to work around this. Check Point invented a mechanism, called UDP encapsulation, which adds a fake UDP header to each IPsec packet. Both source and destination ports are set to 2746 (if I'm not mistaken). This mechanism allows NAT devices on the way to forward the packet further.
To turn this feature on, open the SecuRemote menu -> Tools and look in there. I can't recall exactly where the checkbox is, but it's called 'UDP encapsulation'.

HTH,
Daniel
0
 
rjbrown99 Commented:
The first thing I would suggest is to visit the web site of the vendor that makes your Vigor router.  Download any new firmware updates and apply them to your router before doing anything else.  I can tell you for sure that certain routers (one of my Netgears had this issue) have shipped with firmware that prevented VPN tunnels from working.  Here's the URL:

http://www.draytek.co.uk/support/index.html

Next, update to the latest version of SecuRemote.  It doesn't matter if your firewall version is a bit older - the newer client will work with an older firewall.

Now the part that will probably be the biggest help.  In the configuration for your Vigor router, disable all VPN features (PPTP, IPSec, and L2TP) since it also supports site-to-site connectivity.  For testing purposes, you want to make sure there are no issues with passing the packets.  Vigor themselves suggest this.  Try it now and see if it works.

Still doesn't work?  Okay, visit this FAQ, Question #7:
http://www.draytek.co.uk/support/router_faq.html

You are using IPSec.  You may have to fiddle with the Vigor's configuration a bit to either enable a VPN "passthrough" or else use the DMZ function to just pass packets straight through the router.

The only settings on the host that you can change are in SecuRemote: go to Settings, Connections tab, Properties of your connection, Advanced.  Make sure "Connectivity Enhancements" is checked with "Use NAT traversal tunneling" and "IKE over TCP" and "Force UDP Encapsulation".

Still doesn't work?  Well, let us know after you perform those steps and we'll motor on from there.

-Rob
0
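
The distinction the answers above turn on (raw IPsec versus IPsec wrapped in a UDP header) can be confirmed from a packet capture taken on the client side of the router. The following is an added example, not part of the original thread or any Check Point code: it classifies raw IPv4 packets the way a port-translating NAT sees them. Port 2746 is taken from dschwartzer's answer; the 192.168.1.10 source address and all sample packets are constructed.

```python
import struct
from collections import Counter

ESP, AH, UDP = 50, 51, 17          # IP protocol numbers
IKE_PORT, ENCAP_PORT = 500, 2746   # IKE; UDP encapsulation port quoted in the thread

def classify(pkt: bytes) -> str:
    """Label one raw IPv4 packet by how a port-translating NAT sees it."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return "malformed"
    proto = pkt[9]
    if proto in (ESP, AH):
        return "raw-ipsec"         # no port numbers for the NAT to rewrite
    if proto != UDP:
        return "other"
    if struct.unpack_from("!H", pkt, 6)[0] & 0x1FFF:
        return "udp-fragment"      # non-first fragment carries no UDP header
    if len(pkt) < ihl + 8:
        return "malformed"
    ports = struct.unpack_from("!HH", pkt, ihl)
    if ENCAP_PORT in ports:
        return "udp-encap"
    return "ike" if IKE_PORT in ports else "other"

def diagnose(packets) -> str:
    seen = Counter(classify(p) for p in packets)
    if seen["udp-encap"]:
        return "data is UDP-encapsulated; NAT can forward it"
    if seen["raw-ipsec"]:
        return "data is raw IPsec; enable UDP encapsulation or passthrough"
    return "no IPsec data traffic seen"

def build(proto, payload, frag=0):  # constructed IPv4 header, checksum left 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag, 64,
                      proto, 0, bytes([192, 168, 1, 10]), bytes([132, 132, 32, 10]))
    return hdr + payload

def udp(sport, dport, data=b"\x00" * 8):  # constructed UDP header, checksum 0
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

# Constructed sample: IKE completes, then data leaves as raw ESP (the ADSL symptom).
BROKEN = [build(UDP, udp(500, 500)), build(ESP, b"\x00" * 16)]
# Constructed sample: same session with the client's UDP encapsulation enabled.
FIXED = [build(UDP, udp(500, 500)), build(UDP, udp(2746, 2746))]

if __name__ == "__main__":
    print(diagnose(BROKEN), diagnose(FIXED), sep="\n")
```

Seeing IKE packets plus raw ESP with no replies matches the reported symptom of a site update that authenticates while pings through the tunnel get nothing back.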
