Solved

FVS318 + NATted VPN Client

Posted on 2004-10-15
5
442 Views
Last Modified: 2010-05-18
Hi, I'm having trouble setting up a Netgear ProSafe client <-> FVS318 connection.

When the client has a global IP address, the VPN gets established and my life is great.
It starts causing trouble when I try to VPN in from a NATted condition.
The VPN gets connected (checked through the client monitor, and the FVS318 also says it's connected), but
I can't access any of the private network resources.

Here's the situation
XP Client (sp1) -- > W2k3 router (dynamic ip) --> INTERNET --> FVS318 (static ip)

XP Client: 192.168.1.25
W2k3 router: 192.168.1.1, 24.198.x.x (dynamic)
FVS318: 24.245.x.x (static), 192.168.0.1 (internal)

The VPN connection is established properly because I've mapped the ports needed (4500, 50, and so on).
But when I try to ping 192.168.0.x, a timeout occurs.
I also noticed that no ESP packets are being forwarded, so no encrypted packets from the FVS318 side reach the client (checked with Ethereal).

Basically, I want to be able to use the VPN client under any condition (i.e. hotel with a private IP connection, airport, home).
Some research on the web gave me some insight into NAT-T, but I couldn't quite figure out if it is applicable in this situation.
I've been stuck on this issue for the past 5 hrs and any help is very much welcome.
Question by: sunflowersh

5 Comments
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12337738
If behind NAT, you need to configure IKE over IP, so UDP port 10000 also needs to be open.  The feature on Linksys that enables this (IKE over IP, ISAKMP over IP - not sure what it's called with Linksys) also needs to be turned on.
I would also upgrade your Linksys firmware to the latest release.  There are VPN-related bugs that could be causing other problems.
0
 
LVL 2

Author Comment

by:sunflowersh
ID: 12359987
Thanks for the follow up, Tim.

Actually, the following ports have already been set up on the W2k3 router side:
UDP 500
UDP 4500
UDP 1701
TCP 1723
TCP 50
UDP 50
UDP 10000

So, say I am trying to VPN in from a hotel where only private IPs are distributed; I cannot use the VPN unless they have port forwarding for IKEoIP and ISAKMPoIP?
I am a bit confused about this part...
0
 
LVL 23

Accepted Solution

by: Tim Holman (earned 500 total points)
ID: 12368107
The key to getting IPSEC to work through NAT is to allow IP protocol 50 through the NAT router without translating it.  This is called IPSEC or VPN passthrough.  If the hotel router doesn't support this, then look for a way to use IKE over TCP/IP instead.  Cisco use IKE over TCP/UDP and reserve port 10000 for that purpose, but I'm not sure what the NetGear Prosafe client does - is there any setting on your Netgear router that mentions IKE or IPSEC or VPN over TCP / UDP / TCP/IP?
Another thing to consider is MTU sizes.  The hotel router may be using a different encapsulation method on its ADSL connection that actually shrinks the max packet size.  This can cause problems as the packets will fragment and could arrive out of sequence on the Netgear.  Look here to fix this - http://www.dslreports.com/faq/695
0
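To make the accepted answer's distinction concrete (native ESP is IP protocol 50 and carries no port numbers, so a NAT device that only maps TCP/UDP ports cannot forward it, whereas NAT-T wraps both IKE and ESP in UDP/4500), here is an added example, not code from the thread or from Netgear: a small classifier that tells the two forms apart in raw IPv4 packets. It follows the RFC 3947/3948 framing (a four-byte all-zero "non-ESP marker" in front of IKE on UDP/4500, the ESP SPI in that position for encapsulated ESP, and a single 0xFF byte for keepalives). The packets are constructed inline and use RFC 5737 documentation addresses, standing in for the 24.198.x.x client side and the 24.245.x.x FVS318.

```python
"""Classify IPsec-related IPv4 packets: native ESP vs NAT-T (UDP/4500).

Added example for this thread; the sample packets below are constructed,
not captured traffic, and the addresses are documentation ranges.
"""
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50
IKE_PORT = 500
NATT_PORT = 4500


def ipv4_header(src, dst, proto, payload_len, ident=1):
    """Minimal 20-byte IPv4 header (checksum left zero; we never send it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0,
                       64, proto, 0,
                       bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))


def udp_packet(src, dst, sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ipv4_header(src, dst, IPPROTO_UDP, len(udp)) + udp


def esp_packet(src, dst, spi, seq, body):
    esp = struct.pack("!II", spi, seq) + body
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def classify(pkt):
    """Return a label saying what kind of IPsec traffic `pkt` is.

    Native ESP (IP protocol 50) has no ports, so a port-forwarding NAT has
    nothing to map; it needs protocol passthrough.  With NAT-T everything
    rides on UDP/4500: the first four payload bytes are all zero for IKE
    (the non-ESP marker) and are the SPI (never zero) for ESP; a lone 0xFF
    byte is the NAT keepalive.
    """
    if len(pkt) < 20:
        raise ValueError("truncated IP header")
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", pkt[ihl:ihl + 8])
        return (f"native ESP spi=0x{spi:08x} seq={seq} "
                "(no ports: needs passthrough, port forwarding cannot map it)")
    if proto != IPPROTO_UDP:
        return f"non-IPsec IP protocol {proto}"
    sport, dport, ulen = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    payload = pkt[ihl + 8:ihl + ulen]
    ports = {sport, dport}
    if IKE_PORT in ports and NATT_PORT not in ports:
        return "IKE on UDP/500 (NAT-T not in use yet)"
    if NATT_PORT in ports:
        if payload == b"\xff":
            return "NAT-T keepalive on UDP/4500"
        if len(payload) < 4:
            return "short UDP/4500 payload"
        marker = payload[:4]
        if marker == b"\x00\x00\x00\x00":
            return "IKE on UDP/4500 (non-ESP marker present; peers detected NAT)"
        spi = struct.unpack("!I", marker)[0]
        return (f"UDP-encapsulated ESP on UDP/4500 spi=0x{spi:08x} "
                "(forwardable by an ordinary UDP port mapping)")
    return f"other UDP {sport}->{dport}"


# Constructed samples (assumed addresses, not the thread's real ones).
CLIENT = "192.0.2.25"      # public side of the NATted XP client
GATEWAY = "198.51.100.1"   # stands in for the FVS318 static address
SAMPLES = {
    "ike_500": udp_packet(CLIENT, GATEWAY, 500, 500, b"\x11" * 28),
    "ike_4500": udp_packet(CLIENT, GATEWAY, 4500, 4500,
                           b"\x00\x00\x00\x00" + b"\x22" * 28),
    "esp_udp_4500": udp_packet(GATEWAY, CLIENT, 4500, 4500,
                               struct.pack("!II", 0xC0FFEE01, 7) + b"\x33" * 16),
    "esp_native": esp_packet(GATEWAY, CLIENT, 0xC0FFEE01, 7, b"\x33" * 16),
    "keepalive": udp_packet(CLIENT, GATEWAY, 4500, 4500, b"\xff"),
}


def summarize():
    """Classify every sample; returns {name: label}."""
    return {name: classify(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, label in summarize().items():
        print(f"{name:13s} {label}")
```

The "esp_native" sample is the case the original poster saw in Ethereal: the FVS318 answers with protocol-50 ESP, and a NAT box that only forwards TCP/UDP ports (the "TCP 50 / UDP 50" entries in the poster's list are port mappings, not a protocol-50 rule) has no way to deliver it. The "esp_udp_4500" sample is what both ends must produce for NAT-T to work, and it needs nothing beyond a UDP/4500 mapping.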
 
LVL 2

Author Comment

by:sunflowersh
ID: 12383437
Thanks for the reply again, Tim.

I'm looking into the stuff on VPN passthrough and it seems like such functionality exists in the FVS318 (although I'm not seeing any user interface for it).
Nor do I see any mentioning of VPNoTCP/UDP....

But, hmm.... based on what I understand from your post, I need to turn on the VPN passthrough feature on the Win2003 server, which is currently taking care of our NATting on the client end.
0
 
LVL 2

Author Comment

by:sunflowersh
ID: 12413782
hmm... I guess it was not as easy as I had expected.
I'll be posting the solution if I ever run into one, but I'll close the session for now.
Thank you very much for your advice Tim, and other EEs that spent some time to look at my question.
0
