• Status: Solved

VPN through router

Hi experts.

I have just installed a simple ADSL modem/router (Linksys WAG354G) for my brother-in-law in his home office.

He has a laptop on a docking station (work- XP pro) and another laptop for general family use.

He is on a dynamic IP from his ISP.

He uses SonicWall to VPN to his company intranet. However, since installing the router he cannot connect to it.

Rest of access to internet etc is fine.

If we reconnect back to the original USB ADSL modem, he gets back onto his company intranet just fine.

I have disabled the firewall in the router, statically assigned an IP to his laptop [work] and placed it in the DMZ and allowed all VPN passthroughs.

So we then phoned his company IT department and they gave us a "not possible from behind a router" answer.

I find this unacceptable but as I have no experience with SonicWall - I didn't argue with them. But that implies that everyone who VPNs cannot be on a network!!

If it helps, the subnet at his home is 192.168.1.x and the work is 192.168.2.x - so should be no conflict there.
Also, in SonicWall the ports are set to "all" and UDP/TCP is set to "both".

As his company supplies his hardware (except this Linksys router) and software, using a different VPN etc is not a solution.

The obvious workaround is to switch between router and USB modem by just swapping out the telephone line from one to the other - this works but is not really acceptable long term.

Should I be looking for router configuration or changing some settings in SonicWall (not sure how his IT dept would like the latter option!!)?

Many thanks

Nick Denny
Rob Williams Commented:
Nick, how does he connect to the SonicWall VPN at the office? Is he using a VPN router at home or the SonicWall VPN software client on the laptop?
Also are there any other devices between the modem and the laptop such as another router, SonicWall or otherwise? If so, the new Linksys will have to be put in Bridge mode.
For the record some VPNs do not support NAT (Network Address Translation) i.e. behind a router, but to the best of my knowledge you should be able to do this, if configured correctly.
Nick Denny (Author) Commented:
Hi again Rob - thx for reply.

I'm not sure what's at HQ, he uses SonicWall client on his computer (not sure which version but it's NOT the pro).

The router is not a VPN router but allows passthrough.

The router is a combined ADSL modem and router so there's nothing between it and his computer.

i.e. ADSL line--> Linksys --->laptop

Would it help to know what hardware/software is at the office? I could maybe find this out but not sure how co-operative his IT dept would be.

Many thanks

Rob Williams Commented:
>>"Would it help to know what hardware/software is at the office?"
No, but would help to know what encryption algorithms they use. SonicWall uses IPSec, but can be configured using ESP or AH protocol. From the WAG354G manual:
"• VPNs that use IPSec with the ESP (Encapsulation Security Payload known as protocol 50) authentication will work fine. At least one IPSec session will work through the Gateway; however, simultaneous IPSec sessions may be possible, depending on the specifics of your VPNs.
• VPNs that use IPSec and AH (Authentication Header known as protocol 51) are incompatible with the Gateway. AH has limitations due to occasional incompatibility with the NAT standard."

If using AH protocol you are behind a router = NAT. You may be out of luck.

One other thought, if you haven't done so try a wired connection rather than wireless. Wireless and VPNs can occasionally be an issue.
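
The ESP/AH difference quoted from the manual above, as an added example that is not part of the original thread: a simplified Python model of why an AH integrity check fails once a NAT router rewrites the source address, while ESP's check does not. The key, addresses and payload are constructed, and the real AH check also covers the AH header itself, which is omitted here.

```python
import hashlib, hmac, socket, struct

ESP, AH = 50, 51                      # IP protocol numbers quoted from the manual
KEY = b"constructed-demo-key"         # constructed; real keys come from IKE

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left at 0 for this demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(header):
    """AH (RFC 4302) zeroes fields routers may change: TOS, flags/offset, TTL, checksum."""
    h = bytearray(header)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)

def icv(proto, header, payload):
    """Integrity check value: AH covers outer header + payload, ESP only the payload."""
    covered = zero_mutable(header) + payload if proto == AH else payload
    return hmac.new(KEY, covered, hashlib.sha1).digest()[:12]

def forward(header, nat_public_ip=None):
    """One router hop: decrement TTL; with NAT, also rewrite the source address."""
    h = bytearray(header)
    h[8] -= 1
    if nat_public_ip:
        h[12:16] = socket.inet_aton(nat_public_ip)
    return bytes(h)

def verifies_after_hop(proto, nat_public_ip=None):
    """Sender computes the ICV, one hop forwards, receiver recomputes and compares."""
    payload = b"SPI|seq|protected data (constructed)"
    sent = ipv4_header("192.168.1.10", "203.0.113.5", proto, len(payload))
    tag = icv(proto, sent, payload)
    received = forward(sent, nat_public_ip)
    return hmac.compare_digest(tag, icv(proto, received, payload))

if __name__ == "__main__":
    for name, proto in (("ESP", ESP), ("AH", AH)):
        print(name, "plain hop:", verifies_after_hop(proto),
              "| NAT hop:", verifies_after_hop(proto, "198.51.100.7"))
```

A plain routed hop changes only fields that AH zeroes before hashing, so AH still verifies; the NAT hop changes the source address, which AH treats as immutable.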
According to the Linksys documentation it supports "VPN Passthrough" and if you are indeed using a "client" to set up a VPN connection to be terminated somewhere in the remote network it should work fine. If you are actually trying to set up a "tunnel" in an N2N VPN construction, that is obviously not supported by that type of router.

* All Linksys routers support VPN pass-through connections, and have this feature enabled by default (Linksys docu)

* Linksys routers that support creating VPN tunnels as well as acting as VPN endpoints are listed below: (Linksys docu)


Next to that, the documentation on the SonicWall VPN client also names a "log viewer"

Which might be a big help if you could just hand out the "errors" named there...


Chris Gralike
Nick Denny (Author) Commented:
@ Rob - thanks again.
I will have to check with him hopefully tomorrow to see which encryption they are using.

@ Chris - thanks for help.
All passthroughs are set to "enabled" - as we should only need a passthrough.
I already got that PDF guide, I'll look through it some more.

But to double check  - even before the IT dept knew what type of router he had - they immediately told him it was not going to be possible.
Awkward dept?
Or have they called this one correctly?
I still can't believe that all their field techs, sales guys etc (they are an international company), cannot connect when behind domestic type routers....
I will ask my brother-in-law to do some more digging...
Rob Williams Commented:
>>"even before the IT dept knew what type of router he had - they immediately told him it was not going to be possible.
.....Or have they called this one correctly?"
Very possible they are right on this one. NAT is a standard feature of every small office or home router today, and the compatibility of a given VPN configuration with NAT is a very common parameter. I must say most VPNs will work behind a router as this is necessary for traveling sales staff, but not all VPNs work with NAT, or it may be it is not configured to work with NAT, and some routers themselves are the problem. Your router manual specifically states VPNs using protocol 51 will not work. Many other routers do not seem to have this limitation.
>> Awkward dept?
>> Or have they called this one correctly?

Well, I'm in "that" kind of a department too, and must say that we are limited to the SLAs, internally as well as customer-related. If we were to also support every problem that might occur at home or at some remote office our employees are working at, we wouldn't have any time to concern ourselves with our own backend / network.

If I had gotten this question already stating it "doesn't" work, the chance is 80% that the router doesn't support that feature. For this case we have a list of "home routers" for our employees of which we know they will work with our VPN solution, and the SLA states that if it's not a router on that list we just don't support it, even though we could..

So, as with many questions, this one also has two sides, and thus I just ask you to respect these people too, even though they didn't help you out ;-)

Regards Chris
Nick Denny (Author) Commented:
@Rob - I have asked my bro-in-law to ask his IT dept the type of protocols used.

I spoke to him earlier and he has not had a chance to speak to his IT dept yet, although he says they are usually very helpful.

So if you could bear with me until next week hopefully we will have more information.

@ Chris - thanks for your comments, although I think you are missing the point.

When I say "awkward dept" - I am referring to the technical issues here, insofar as
(a) is it a case of they don't have the time or the inclination to help an employee who is paid to work from home and thus needs to be assisted, or
(b) is it reasonable to suggest that on some systems there is no way to access the company intranet through a VPN when behind ANY type of router? (I say any type of router - as the question of make/model was never even raised).

(On a side note, I too fall into the category of "these people" and understand where you're coming from).

Thanks again.

Rob Williams Commented:
seriousnick, no rush on my part, I'm always more curious as to the ultimate solution.
Have a great weekend !
Nick Denny (Author) Commented:
I'm sorry that I have not replied. My bro-in-law cannot seem to get the information, but from what I have read, I think you are right Rob.
It seems they must be using the AH protocol.
I will try him again and hopefully post back next few days.

Rob Williams Commented:
No problem seriousnick. Appreciate the update. Let us know how it goes.
Nick Denny (Author) Commented:
I'm really sorry guys but I'm not getting any feedback so it seems my bro-in-law isn't that bothered anymore.

I think you have hit the nail on the head tho Rob insofar as it really does seem like incompatible protocols (although I would have liked to prove this for future reference).

I think it's fair to award you the points.

Thanks again.
Rob Williams Commented:
Thanks seriousnick, too bad, I know it's always nice to know what the ultimate resolution is for any problem.