FSV318 + NATted VPN Clinet

Posted on 2004-10-15
Last Modified: 2010-05-18
Hi, I'm having trouble setting up Netgear ProSafe client <-> FVS318 connection.

When the client has a global ip address, VPN gets established and my life is great.
It starts causing when I try to VPN in from Natted condition.
VPN gets connected, (checked through client monitor, and the FVS318 also says it's connected) but
I can't access any of the private network resource.

Here's the situation
XP Client (sp1) -- > W2k3 router (dynamic ip) --> INTERNET --> FVS318 (static ip)

XP Client:
W2k3 router:, 24.198.x.x (dynamic)
FVS318: 24.245.x.x (static), (internal)

VPN connection is established properly because I've mapped the ports needed. (4500, 50 so on)
But, when I try to ping 192.168.0.x, time out occurs.
Also I noticed that no ESP packets are being forwarded, causing no encrypted packets from FVS318 side to reach the client. (checked w/ ethereal)

Basically, I want to be able to use to VPN client under any condition. (i.e. Hotel w/ private ip conenciton, airport, home)
Some research on the web gave me an insight of nat-t, but i couldn't quite figure out if it is applicable in this situation.
I'm stack on this issue for past 5hrs and any help is very much welcomed.
Question by:sunflowersh
  • 3
  • 2
LVL 23

Expert Comment

by:Tim Holman
ID: 12337738
If behind NAT, you need to configure IKE over IP, so UDP port 10000 also needs to be open.  The feature on Linksys that enables this (IKE over IP, ISAKMP over IP - not sure what it's called with Linksys) also needs to be turned on.
I would also upgrade your Linksys firmware to the latest release.  There are VPN-related bugs that could be causing other problems.

Author Comment

ID: 12359987
Thanks for the follow up, Tim.

Actually, the following ports has been setup on the W2k3 router side already:
UDP 500
UDP 4500
UDP 1701
TCP 1723
TCP 50
UDP 50
UDP 10000

So, say I am trying to VPN in from a hotel where only private IPs are distributed, I cannot use VPN unless they have the port forwarding for IKEoIP and ISAKMPoIP?
I am a bit confused about this part...
LVL 23

Accepted Solution

Tim Holman earned 500 total points
ID: 12368107
The key to getting IPSEC work through NAT is to allow IP protocol 50 through the NAT router without translating it.  This is called IPSEC or VPN passthrough.  If the hotel router doesn't support this, then look for a way to use IKE over TCP/IP instead.  Cisco use IKE over TCP/UDP and reserve port 10000 for that purpose, but I'm not sure what the NetGear Prosafe client does - is there any setting on your Netgear router that mentions IKE or IPSEC or VPN over TCP / UDP / TCP/IP ?
Another thing to consider is MTU sizes.  The hotel router may be using a different encapsulation method in its ADSL connection that actually shrinks the max packet size.  This can cause problems as the packets will fragment and could arrive out of sequence on the Netgear.  Look here to fix his -

Author Comment

ID: 12383437
Thanks for the reply again, Tim.

I'm looking into the stuff on vpn passthrough and it seems like such functionality exits in FVS318. (although i'm not seeing any user interface for it)
Nor do I see any mentioning of VPNoTCP/UDP....

But, hmm.... based on what I understand from your post, I need to turn on VPN passthrough feature on Win2003 server, which is
currently taking care of our natting on the client end.

Author Comment

ID: 12413782
hmm... I guess it was not as easy as I had expected.
I'll be posting the solution if I ever run into one, but I'll close the session for now.
Thank you very much for your advise Tim, and other EEs that spent some time to look at my question.

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Some of you may have heard that SonicWALL has finally released an app for iOS devices giving us long awaited connectivity for our iPhone's, iPod's, and iPad's. This guide is just a quick rundown on how to get up and running quickly using the app. …
Let’s list some of the technologies that enable smooth teleworking. 
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now