FSV318 + NATted VPN Clinet

Posted on 2004-10-15
Last Modified: 2010-05-18
Hi, I'm having trouble setting up Netgear ProSafe client <-> FVS318 connection.

When the client has a global ip address, VPN gets established and my life is great.
It starts causing when I try to VPN in from Natted condition.
VPN gets connected, (checked through client monitor, and the FVS318 also says it's connected) but
I can't access any of the private network resource.

Here's the situation
XP Client (sp1) -- > W2k3 router (dynamic ip) --> INTERNET --> FVS318 (static ip)

XP Client:
W2k3 router:, 24.198.x.x (dynamic)
FVS318: 24.245.x.x (static), (internal)

VPN connection is established properly because I've mapped the ports needed. (4500, 50 so on)
But, when I try to ping 192.168.0.x, time out occurs.
Also I noticed that no ESP packets are being forwarded, causing no encrypted packets from FVS318 side to reach the client. (checked w/ ethereal)

Basically, I want to be able to use to VPN client under any condition. (i.e. Hotel w/ private ip conenciton, airport, home)
Some research on the web gave me an insight of nat-t, but i couldn't quite figure out if it is applicable in this situation.
I'm stack on this issue for past 5hrs and any help is very much welcomed.
Question by:sunflowersh
  • 3
  • 2
LVL 23

Expert Comment

by:Tim Holman
ID: 12337738
If behind NAT, you need to configure IKE over IP, so UDP port 10000 also needs to be open.  The feature on Linksys that enables this (IKE over IP, ISAKMP over IP - not sure what it's called with Linksys) also needs to be turned on.
I would also upgrade your Linksys firmware to the latest release.  There are VPN-related bugs that could be causing other problems.

Author Comment

ID: 12359987
Thanks for the follow up, Tim.

Actually, the following ports has been setup on the W2k3 router side already:
UDP 500
UDP 4500
UDP 1701
TCP 1723
TCP 50
UDP 50
UDP 10000

So, say I am trying to VPN in from a hotel where only private IPs are distributed, I cannot use VPN unless they have the port forwarding for IKEoIP and ISAKMPoIP?
I am a bit confused about this part...
LVL 23

Accepted Solution

Tim Holman earned 500 total points
ID: 12368107
The key to getting IPSEC work through NAT is to allow IP protocol 50 through the NAT router without translating it.  This is called IPSEC or VPN passthrough.  If the hotel router doesn't support this, then look for a way to use IKE over TCP/IP instead.  Cisco use IKE over TCP/UDP and reserve port 10000 for that purpose, but I'm not sure what the NetGear Prosafe client does - is there any setting on your Netgear router that mentions IKE or IPSEC or VPN over TCP / UDP / TCP/IP ?
Another thing to consider is MTU sizes.  The hotel router may be using a different encapsulation method in its ADSL connection that actually shrinks the max packet size.  This can cause problems as the packets will fragment and could arrive out of sequence on the Netgear.  Look here to fix his -

Author Comment

ID: 12383437
Thanks for the reply again, Tim.

I'm looking into the stuff on vpn passthrough and it seems like such functionality exits in FVS318. (although i'm not seeing any user interface for it)
Nor do I see any mentioning of VPNoTCP/UDP....

But, hmm.... based on what I understand from your post, I need to turn on VPN passthrough feature on Win2003 server, which is
currently taking care of our natting on the client end.

Author Comment

ID: 12413782
hmm... I guess it was not as easy as I had expected.
I'll be posting the solution if I ever run into one, but I'll close the session for now.
Thank you very much for your advise Tim, and other EEs that spent some time to look at my question.

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
VOIP Setup through a Watchguard BOVPN 4 91
site to site tunnel not autostarting 5 70
How to setup 3 isps on a redundant mode? 3 34
VPN connection 7 23
Like many others, when I created a Windows 2008 RRAS VPN server, I connected via PPTP, and still do, but there are problems that can arise from solely using PPTP.  One particular problem was that the CFO of the company used a Virgin Broadband Wirele…
If you use NetMotion Mobility on your PC and plan to upgrade to Windows 10, it may not work unless you take these steps.
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question