Solved

FVS318 + NATted VPN Client

Posted on 2004-10-15
450 Views
Last Modified: 2010-05-18
Hi, I'm having trouble setting up Netgear ProSafe client <-> FVS318 connection.

When the client has a global IP address, the VPN gets established and my life is great.
It starts causing problems when I try to VPN in from a NATted condition.
The VPN gets connected (checked through the client monitor, and the FVS318 also says it's connected), but
I can't access any of the private network resources.

Here's the situation
XP Client (sp1) -- > W2k3 router (dynamic ip) --> INTERNET --> FVS318 (static ip)

XP Client: 192.168.1.25
W2k3 router: 192.168.1.1, 24.198.x.x (dynamic)
FVS318: 24.245.x.x (static), 192.168.0.1 (internal)

The VPN connection is established properly because I've mapped the ports needed (4500, 50 and so on).
But when I try to ping 192.168.0.x, a timeout occurs.
I also noticed that no ESP packets are being forwarded, so no encrypted packets from the FVS318 side reach the client (checked with Ethereal).

Basically, I want to be able to use the VPN client under any condition (i.e. hotel with a private IP connection, airport, home).
Some research on the web gave me some insight into NAT-T, but I couldn't quite figure out if it is applicable in this situation.
I've been stuck on this issue for the past 5 hrs and any help is very much welcomed.
Question by:sunflowersh
5 Comments
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12337738
If behind NAT, you need to configure IKE over IP, so UDP port 10000 also needs to be open.  The feature on Linksys that enables this (IKE over IP, ISAKMP over IP - not sure what it's called with Linksys) also needs to be turned on.
I would also upgrade your Linksys firmware to the latest release.  There are VPN-related bugs that could be causing other problems.
 
LVL 2

Author Comment

by:sunflowersh
ID: 12359987
Thanks for the follow up, Tim.

Actually, the following ports have already been set up on the W2k3 router side:
UDP 500
UDP 4500
UDP 1701
TCP 1723
TCP 50
UDP 50
UDP 10000

So, say I am trying to VPN in from a hotel where only private IPs are distributed, I cannot use VPN unless they have the port forwarding for IKEoIP and ISAKMPoIP?
I am a bit confused about this part...
 
LVL 23

Accepted Solution

by:
Tim Holman earned 500 total points
ID: 12368107
The key to getting IPSEC to work through NAT is to allow IP protocol 50 through the NAT router without translating it.  This is called IPSEC or VPN passthrough.  If the hotel router doesn't support this, then look for a way to use IKE over TCP/IP instead.  Cisco use IKE over TCP/UDP and reserve port 10000 for that purpose, but I'm not sure what the NetGear Prosafe client does - is there any setting on your Netgear router that mentions IKE or IPSEC or VPN over TCP / UDP / TCP/IP?
Another thing to consider is MTU sizes.  The hotel router may be using a different encapsulation method in its ADSL connection that actually shrinks the max packet size.  This can cause problems as the packets will fragment and could arrive out of sequence on the Netgear.  Look here to fix this - http://www.dslreports.com/faq/695
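An added example, not code from this thread or from Netgear: a small Python classifier that separates raw ESP (IP protocol 50, which carries no port numbers for a port-translating router to map) from NAT-T traffic on UDP 4500 (RFC 3948), which is the distinction the capture described above turns on. The sample packets are constructed inline; 203.0.113.1 is an assumed stand-in for the FVS318's public address.

```python
import struct

ESP_PROTO = 50      # ESP is IP protocol number 50, not a TCP/UDP port
UDP_PROTO = 17
IKE_PORT = 500
NAT_T_PORT = 4500   # UDP-encapsulated ESP/IKE (RFC 3948)

def classify(packet: bytes) -> dict:
    """Classify one IPv4 packet as raw ESP, NAT-T ESP, IKE or NAT keepalive."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    payload = packet[ihl:]
    if proto == ESP_PROTO:
        # Raw ESP carries no port numbers, so a port-translating (PAT) router
        # has nothing to map: it needs an explicit IPsec passthrough feature.
        spi, seq = struct.unpack("!II", payload[:8])
        return {"kind": "esp-raw", "spi": spi, "seq": seq, "nat_friendly": False}
    if proto != UDP_PROTO:
        return {"kind": "other", "proto": proto, "nat_friendly": False}
    sport, dport = struct.unpack("!HH", payload[:4])
    data = payload[8:]
    if IKE_PORT in (sport, dport):
        return {"kind": "ike", "nat_friendly": True}
    if NAT_T_PORT not in (sport, dport):
        return {"kind": "udp-other", "nat_friendly": True}
    if data == b"\xff":
        return {"kind": "nat-keepalive", "nat_friendly": True}   # keeps the NAT mapping alive
    if data[:4] == b"\x00\x00\x00\x00":
        return {"kind": "ike-natt", "nat_friendly": True}        # non-ESP marker, then IKE
    spi, seq = struct.unpack("!II", data[:8])
    return {"kind": "esp-udp", "spi": spi, "seq": seq, "nat_friendly": True}

# --- constructed sample packets (checksums left zero; enough for the parser) ---
def ipv4(proto: int, payload: bytes) -> bytes:
    src, dst = bytes([192, 168, 1, 25]), bytes([203, 0, 113, 1])  # XP client -> assumed FVS318 address
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + payload

def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

ESP_BODY = struct.pack("!II", 0x12345678, 7) + b"\x00" * 16    # SPI, sequence number, dummy ciphertext
RAW_ESP = ipv4(ESP_PROTO, ESP_BODY)
NATT_ESP = ipv4(UDP_PROTO, udp(NAT_T_PORT, NAT_T_PORT, ESP_BODY))
NATT_IKE = ipv4(UDP_PROTO, udp(NAT_T_PORT, NAT_T_PORT, b"\x00" * 4 + b"\x01" * 28))
KEEPALIVE = ipv4(UDP_PROTO, udp(NAT_T_PORT, NAT_T_PORT, b"\xff"))
```

Run `classify()` over the four samples to see which forms survive a PAT router without a passthrough feature: only the raw ESP packet comes back with `nat_friendly` False.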
 
LVL 2

Author Comment

by:sunflowersh
ID: 12383437
Thanks for the reply again, Tim.

I'm looking into the stuff on VPN passthrough and it seems like such functionality exists in the FVS318 (although I'm not seeing any user interface for it).
Nor do I see any mentioning of VPNoTCP/UDP....

But, hmm.... based on what I understand from your post, I need to turn on the VPN passthrough feature on the Win2003 server, which is currently taking care of our NATting on the client end.
 
LVL 2

Author Comment

by:sunflowersh
ID: 12413782
Hmm... I guess it was not as easy as I had expected.
I'll be posting the solution if I ever run into one, but I'll close the session for now.
Thank you very much for your advice Tim, and the other EEs that spent some time looking at my question.
