FSV318 + NATted VPN Clinet

Hi, I'm having trouble setting up Netgear ProSafe client <-> FVS318 connection.

When the client has a global ip address, VPN gets established and my life is great.
It starts causing when I try to VPN in from Natted condition.
VPN gets connected, (checked through client monitor, and the FVS318 also says it's connected) but
I can't access any of the private network resource.

Here's the situation
XP Client (sp1) -- > W2k3 router (dynamic ip) --> INTERNET --> FVS318 (static ip)

XP Client:
W2k3 router:, 24.198.x.x (dynamic)
FVS318: 24.245.x.x (static), (internal)

VPN connection is established properly because I've mapped the ports needed. (4500, 50 so on)
But, when I try to ping 192.168.0.x, time out occurs.
Also I noticed that no ESP packets are being forwarded, causing no encrypted packets from FVS318 side to reach the client. (checked w/ ethereal)

Basically, I want to be able to use to VPN client under any condition. (i.e. Hotel w/ private ip conenciton, airport, home)
Some research on the web gave me an insight of nat-t, but i couldn't quite figure out if it is applicable in this situation.
I'm stack on this issue for past 5hrs and any help is very much welcomed.
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

Tim HolmanConnect With a Mentor Commented:
The key to getting IPSEC work through NAT is to allow IP protocol 50 through the NAT router without translating it.  This is called IPSEC or VPN passthrough.  If the hotel router doesn't support this, then look for a way to use IKE over TCP/IP instead.  Cisco use IKE over TCP/UDP and reserve port 10000 for that purpose, but I'm not sure what the NetGear Prosafe client does - is there any setting on your Netgear router that mentions IKE or IPSEC or VPN over TCP / UDP / TCP/IP ?
Another thing to consider is MTU sizes.  The hotel router may be using a different encapsulation method in its ADSL connection that actually shrinks the max packet size.  This can cause problems as the packets will fragment and could arrive out of sequence on the Netgear.  Look here to fix his - http://www.dslreports.com/faq/695
Tim HolmanCommented:
If behind NAT, you need to configure IKE over IP, so UDP port 10000 also needs to be open.  The feature on Linksys that enables this (IKE over IP, ISAKMP over IP - not sure what it's called with Linksys) also needs to be turned on.
I would also upgrade your Linksys firmware to the latest release.  There are VPN-related bugs that could be causing other problems.
sunflowershAuthor Commented:
Thanks for the follow up, Tim.

Actually, the following ports has been setup on the W2k3 router side already:
UDP 500
UDP 4500
UDP 1701
TCP 1723
TCP 50
UDP 50
UDP 10000

So, say I am trying to VPN in from a hotel where only private IPs are distributed, I cannot use VPN unless they have the port forwarding for IKEoIP and ISAKMPoIP?
I am a bit confused about this part...
sunflowershAuthor Commented:
Thanks for the reply again, Tim.

I'm looking into the stuff on vpn passthrough and it seems like such functionality exits in FVS318. (although i'm not seeing any user interface for it)
Nor do I see any mentioning of VPNoTCP/UDP....

But, hmm.... based on what I understand from your post, I need to turn on VPN passthrough feature on Win2003 server, which is
currently taking care of our natting on the client end.
sunflowershAuthor Commented:
hmm... I guess it was not as easy as I had expected.
I'll be posting the solution if I ever run into one, but I'll close the session for now.
Thank you very much for your advise Tim, and other EEs that spent some time to look at my question.
All Courses

From novice to tech pro — start learning today.