Solved

VPN through router

Posted on 2006-05-17
Last Modified: 2012-06-27
Hi experts.

I have just installed a simple ADSL modem/router (Linksys WAG354G) for my brother-in-law in his home office.

He has a laptop on a docking station (work- XP pro) and another laptop for general family use.

He is on a dynamic IP from his ISP.

He uses SonicWall to VPN to his company intranet. However, since installing the router he cannot connect to it.

Rest of access to internet etc is fine.

If we reconnect back to the original USB ADSL modem, he gets back onto his company intranet just fine.

I have disabled the firewall in the router, statically assigned an IP to his laptop [work] and placed it in the DMZ and allowed all VPN passthroughs.

So we then phoned his company IT department and they gave us a "not possible from behind a router" answer.

I find this unacceptable but as I have no experience with SonicWall - I didn't argue with them. But that implies that everyone who VPN's cannot be on a network!!

If it helps, the subnet at his home is 192.168.1.x and the work is 192.168.2.x - so should be no conflict there.
Also, in SonicWall the ports are set to "all" and UDP/TCP is set to "both".

As his company supplies his hardware (except this Linksys router) and software, using a different VPN etc is not a solution.

The obvious workaround is to switch between router and USB modem by just swapping out the telephone line from one to the other - this works but is not really acceptable long term.

Should I be looking for router configuration or changing some settings in SonicWall (not sure how his IT dept would like the latter option!!)?

Many thanks

Nick
Question by:Nick Denny
13 Comments
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16701528
Nick, how does he connect to the SonicWall VPN at the office? Is he using a VPN router at home or the SonicWall VPN software client on the laptop?
Also are there any other devices between the modem and the laptop such as another router, SonicWall or otherwise? If so, the new Linksys will have to be put in Bridge mode.
For the record some VPNs do not support NAT (Network Address Translation), i.e. behind a router, but to the best of my knowledge you should be able to do this, if configured correctly.
--Rob
0
 
LVL 13

Author Comment

by:Nick Denny
ID: 16702072
Hi again Rob - thx for reply.

I'm not sure what's at HQ, he uses SonicWall client on his computer (not sure which version but it's NOT the pro).

The router is not a VPN router but allows passthrough.

The router is a combined ADSL modem and router so there's nothing between it and his computer.

i.e. ADSL line--> Linksys --->laptop

Would it help to know what hardware/software is at the office? I could maybe find this out but not sure how co-operative his IT dept would be.

Many thanks

Nick
0
 
LVL 78

Accepted Solution

by:
Rob Williams earned 2000 total points
ID: 16702179
>>"Would it help to know what hardware/software is at the office?"
No, but would help to know what encryption algorithms they use. SonicWall uses IPSec, but can be configured using ESP or AH protocol. From the WAG354G manual:

"• VPNs that use IPSec with the ESP (Encapsulation Security Payload known as protocol 50) authentication will work fine. At least one IPSec session will work through the Gateway; however, simultaneous IPSec sessions may be possible, depending on the specifics of your VPNs.
• VPNs that use IPSec and AH (Authentication Header known as protocol 51) are incompatible with the Gateway. AH has limitations due to occasional incompatibility with the NAT standard."

If using AH protocol you are behind a router = NAT. You may be out of luck.

One other thought, if you haven't done so try a wired connection rather than wireless. Wireless and VPNs can occasionally be an issue.
0
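An added example (not part of the original thread and not SonicWall or Linksys code) modelling why the manual quoted in the accepted answer treats ESP (protocol 50) and AH (protocol 51) differently behind NAT: AH's integrity check covers the outer IP source address, which NAT rewrites, while ESP's does not. The key, SPI, payload and all addresses are constructed (192.168.1.10 sits in the home subnet mentioned in the question), and HMAC-SHA1-96 is an assumed integrity algorithm; encryption is omitted.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"  # constructed integrity key, not from the thread

def ipv4_header(src, dst, proto, ttl=64):
    """20-byte IPv4 header; length, ID and checksum are constructed placeholders."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 84, 0x1234, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(hdr):
    """AH zeroes fields routers may change: TOS, flags/offset, TTL, checksum."""
    b = bytearray(hdr)
    b[1] = b[8] = 0
    b[6:8] = b"\0\0"
    b[10:12] = b"\0\0"
    return bytes(b)

def covered_bytes(ip_hdr, ipsec_hdr, payload):
    """Bytes the integrity check value (ICV) is computed over."""
    if ip_hdr[9] == 51:  # AH: outer IP header (addresses included), AH header, payload
        return zero_mutable(ip_hdr) + ipsec_hdr + b"\0" * 12 + payload
    return ipsec_hdr + payload  # ESP (50): ESP header and payload only

def icv(ip_hdr, ipsec_hdr, payload):
    data = covered_bytes(ip_hdr, ipsec_hdr, payload)
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]  # HMAC-SHA1-96 (assumed)

def forward(ip_hdr, nat_src=None):
    """One router hop: decrement TTL; a NAT hop also rewrites the source address."""
    b = bytearray(ip_hdr)
    b[8] -= 1
    if nat_src:
        b[12:16] = socket.inet_aton(nat_src)
    return bytes(b)

def verifies_at_gateway(proto, nat):
    """True if the client's ICV matches what the VPN gateway recomputes on arrival."""
    spi_seq = struct.pack("!II", 0x1001, 1)  # constructed SPI and sequence number
    ipsec_hdr = struct.pack("!BBH", 6, 4, 0) + spi_seq if proto == 51 else spi_seq
    payload = b"constructed payload bytes"
    sent = ipv4_header("192.168.1.10", "203.0.113.5", proto)  # constructed addresses
    received = forward(sent, "198.51.100.7" if nat else None)
    return hmac.compare_digest(icv(sent, ipsec_hdr, payload),
                               icv(received, ipsec_hdr, payload))

if __name__ == "__main__":
    for name, proto in (("ESP", 50), ("AH", 51)):
        for nat in (False, True):
            print(name, "NAT hop" if nat else "routed hop", verifies_at_gateway(proto, nat))
```

AH still verifies across an ordinary routed hop because TTL is zeroed before hashing; only the address rewrite done by NAT invalidates it.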

 
LVL 5

Expert Comment

by:dutchclan
ID: 16702660
According to the Linksys documentation it supports "VPN Passthrough", and if you are indeed using a "client" to set up a VPN connection to be terminated somewhere in the remote network it should work fine. If you are actually trying to set up a "tunnel" in a N2N VPN construction, which is obviously not supported by that type of router.

* All Linksys routers support VPN pass-through connections, and have this feature enabled by default (linksys docu)

* Linksys routers that support creating VPN tunnels as well as acting as VPN endpoints are listed below: (linksys docu)

BEFSX41
BEFVP41
WRV54G
RV042
RV082
RV016
WAG54G
USBVPN1

Next to that, the documentation on the SonicWall VPN client also names a "log viewer":
http://www.sonicwall.com/support/pdfs/Sonicwall_GVC_3.1_Administrators_Guide.pdf

Which might be a big help if you could just hand out the "errors" named there...

Regards,

Chris Gralike
0
 
LVL 13

Author Comment

by:Nick Denny
ID: 16704592
@ Rob - thanks again.
I will have to check with him hopefully tomorrow to see which encryption they are using.

@ Chris - thanks for help.
All passthroughs are set to "enabled" - as we should only need a passthrough.
I already got that pdf guide, I'll look through it some more.

But to double check  - even before the IT dept knew what type of router he had - they immediately told him it was not going to be possible.
Awkward dept?
Or have they called this one correctly?
I still can't believe that all their field techs, sales guys etc (they are an international company), cannot connect when behind domestic type routers....
I will ask my brother-in-law to do some more digging...
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16704709
>>"even before the IT dept knew what type of router he had - they immediately told him it was not going to be possible.
.....Or have they called this one correctly?"
Very possible they are right on this one. NAT is a standard feature of every small office or home router today, and the compatibility of a given VPN configuration with NAT is a very common parameter. I must say most VPNs will work behind a router as this is necessary for traveling sales staff, but not all VPNs work with NAT, or it may be it is not configured to work with NAT, and some routers themselves are the problem. Your router manual specifically states VPNs using protocol 51 will not work. Many other routers do not seem to have this limitation.
0
 
LVL 5

Expert Comment

by:dutchclan
ID: 16716651
>> Awkward dept?
>> Or have they called this one correctly?

Well, I'm in "that" kind of a department too, and must say that we are limited to the "SLAs" internally as well as customer related. If we were to also support every problem that might occur at home or some remote office our employees are working at, we wouldn't have any time to concern ourselves with our own backend / network.

If I would have gotten this question already stating it "doesn't" work, the chance is 80% that the router doesn't support that feature. For this case we have a list of "home routers" for our employees of which we know it will work with our VPN solution, and the SLA states that if it's not a router of that list we just don't support it even though we could..

So as with many questions this one also has two sides, and thus I just ask you to respect these people too, even though they didn't help you out ;-)

Regards Chris
0
 
LVL 13

Author Comment

by:Nick Denny
ID: 16721490
@Rob - I have asked my bro-in-law to ask his IT dept the type of protocols used.

I spoke to him earlier and he has not had a chance to speak to his IT dept yet, although he says they are usually very helpful.

So if you could bear with me until next week hopefully we will have more information.

@ Chris - thanks for your comments, although I think you are missing the point.

When I say "awkward dept" - I am referring to the technical issues here, insofar as
(a) is it a case of they don't have the time or the inclination to help an employee who is paid to work from home and thus needs to be assisted, or
(b) is it reasonable to suggest that on some systems there is no way to access the company intranet through a VPN when behind ANY type of router? (I say any type of router - as the question of make/model was never even raised).

(On a side note, I too fall into the category of "these people" and understand where you're coming from).

Thanks again.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16721637
seriousnick, no rush on my part, I'm always more curious as to the ultimate solution.
Have a great weekend !
--Rob
0
 
LVL 13

Author Comment

by:Nick Denny
ID: 16864305
I'm sorry that I have not replied. My bro-in-law cannot seem to get the information, but from what I have read, I think you are right Rob.
It seems they must be using the AH protocol.
I will try him again and hopefully post back next few days.
Thanks

0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16864930
No problem seriousnick. Appreciate the update. Let us know how it goes.
--Rob
0
 
LVL 13

Author Comment

by:Nick Denny
ID: 17006582
I'm really sorry guys but I'm not getting any feedback so it seems my bro-in-law isn't that bothered anymore.

I think you have hit the nail on the head tho Rob insofar as it really does seem like incompatible protocols (although I would have liked to prove this for future reference).

I think it's fair to award you the points.

Thanks again.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 17006593
Thanks seriousnick, too bad, I know it's always nice to know what the ultimate resolution is for any problem.
Cheers,
--Rob
0
