VPN - IPSEC Passthrough

I'm trying to connect to a smoothwall VPN smoothtunnel via IPSEC; I'm using a netgear WNR834Bv2.
If I use a simple analogue dial-up connection to the net and then connect to the VPN tunnel, everything works fine.

Joy of joys, I can't seem to get the Netgear to allow access to the tunnel. I've heard rumours I need to open ports 50, 51, 500, 1701, 1723 to access the VPN with the router; I have attempted to open these ports using port forwarding, but still no joy.
Can anyone shed any light or give us a quick step-by-step walk-through?
Thanks in advance

If you have a client sitting behind the Netgear going out to the internet to the IPSec server, then you need not open any ports on the router. By default the router allows outbound traffic and lets the corresponding inbound traffic in. So, as long as you can connect to the internet through the router, you should also be able to establish the VPN tunnel; also, since the same machine is able to connect when using dial-up, this means that the machine settings are also good.

I would advise you to check with your ISP; it appears that they are deliberately blocking the VPN traffic.

The ports/protocols used for IPSec VPN are:
UDP 500 [IKE]
UDP 4500 [NAT-T]
Protocol 50/51 [ESP/AH; note protocol not port]

Please check and update.

Thank you.
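The port/protocol list above is the thing most often misread in this thread: 50 and 51 are IP protocol numbers, not TCP/UDP ports. As an added illustration (not code from the thread or from Netgear), here is a hypothetical helper that classifies constructed flow records into the IPsec components and reports which component is missing; the addresses and packet counts are made-up sample data.

```python
"""Classify constructed flow records to check whether an outbound IPsec
tunnel (IKE on UDP/500, NAT-T on UDP/4500, ESP = IP protocol 50, AH = IP
protocol 51) is actually passing through a NAT router.
Hypothetical helper for this thread; the flows below are constructed."""
from collections import Counter

# IANA IP protocol numbers: these are protocols, not TCP/UDP ports.
PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 6, 17, 50, 51
# UDP ports used by IKE, and by IKE/ESP encapsulated for NAT traversal.
PORT_IKE, PORT_NAT_T = 500, 4500

def classify_flow(proto, dport):
    """Return the IPsec component a flow belongs to, or None."""
    if proto == PROTO_ESP:
        return "ESP"            # dport is meaningless: ESP has no ports
    if proto == PROTO_AH:
        return "AH"
    if proto == PROTO_UDP and dport == PORT_IKE:
        return "IKE"
    if proto == PROTO_UDP and dport == PORT_NAT_T:
        return "NAT-T"
    return None                 # e.g. TCP port 50 is NOT ESP

def diagnose(flows):
    """flows: iterable of (src, dst, ip_proto, dst_port, packets).
    Returns (Counter of packets per component, verdict string)."""
    seen = Counter()
    for _src, _dst, proto, dport, pkts in flows:
        comp = classify_flow(proto, dport)
        if comp:
            seen[comp] += pkts
    if not seen["IKE"]:
        verdict = "no IKE: UDP/500 outbound is blocked or the peer is unreachable"
    elif seen["ESP"] or seen["AH"] or seen["NAT-T"]:
        verdict = "tunnel traffic observed: IPsec is passing the router"
    else:
        verdict = ("IKE only: ESP/AH (IP protocols 50/51) and NAT-T (UDP/4500) "
                   "are not passing; forwarding 'ports 50/51' does not help")
    return seen, verdict

# Constructed sample: client behind NAT talking to a VPN peer (documentation IPs).
SAMPLE_FLOWS = [
    ("192.168.1.10", "203.0.113.5", PROTO_UDP, PORT_IKE, 6),  # IKE exchange
    ("192.168.1.10", "203.0.113.5", PROTO_UDP, 53, 2),        # DNS, unrelated
    ("192.168.1.10", "203.0.113.5", PROTO_TCP, 50, 3),        # TCP port 50: not ESP
]

if __name__ == "__main__":
    components, verdict = diagnose(SAMPLE_FLOWS)
    print(dict(components), "->", verdict)
```

Feed it the flows from a capture taken on the LAN side and on the WAN side of the router: IKE present on both but ESP/NAT-T only on the LAN side points at the router, not the ISP.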
thegiantsmurfAuthor Commented:
Thanks for your reply, but my ISP is not blocking anything. I used to have the earlier Rangemax router, which worked fine. I'm also trying to get this resolved with Netgear; their reply was:
"The WNR834Bv2 Router is just a VPN Pass through, please open the Ports 50, 51, 500, 1701, 1723 to access the VPN with the Router. You must use only the feature "Port Forwarding" to open the ports in the router."

Their reply does not make much sense as I never had to do this on the old router.  Still confused and still no VPN even with the ports open.  I'll try again, but any more ideas would be greatly received.

They probably misunderstood you. It seems that they think you want to pass through an INCOMING connection, while it is actually an OUTGOING connection.
For most routers you have to enable VPN passthrough or NAT Traversal. This enables outgoing VPN. Mind you, lots of cheapo routers allow only one or a limited number of outgoing connections at a time.
The process for configuring VPN passthrough is usually explained in the reference manual, but I cannot find a single reference to VPN except a pointer to a general explanation and something about changing the MTU. But the default MTU is large enough.
Which makes me think that this router either doesn't support VPN passthrough or is just flawed.
The release note of the latest firmware mentions a problem with VPN passthrough: http://kbserver.netgear.com/release_notes/d103205.asp
They only mention netgear .. gear, but who knows.
Which firmware version are you on?

If you want to test some more yourself: have a look at this troubleshooting guide: http://www.vpncasestudy.com/vpn_passthrough.html


BTW, the datasheet also does NOT mention VPN passthrough or NAT-T.

thegiantsmurfAuthor Commented:
The netgear was originally on version 1.0.22, which did not work, thus I installed/upgraded to version 1.0.30.
It does seem strange that I need to open ports for inbound.
You don't. It's just wrong, so close them.
The only correct advice I can give: sell that router and buy one that is suited for the purpose. The keywords are VPN Passthrough and NAT Traversal.

thegiantsmurfAuthor Commented:
OK....plan B.
Can I just hang my old router onto the network BEFORE the netgear WNR834Bv2?
Therefore what I'll have is the cable connection going to my old router (which worked), then the new WNR834Bv2 attached to one of the spare network ports, both on the same subnet, both on the same IP range.

It's a bit tacky, but as long as I connect to my old router for VPN access (once a week or so), will it work?
You could do that, if you don't use the WAN part of the Netgear. Otherwise you would have the same problem.
So basically it would become an access point and second switch.
- Disable DHCP on the Netgear.
- Connect the switch ports of the routers using a cross-cable.
- And configure the wireless access point in the router to be a bridge so that it hands out the DHCP addresses of your other router.
Where plan B could fail: I don't find any option on that router to use the wireless part as a generic Access Point. The only thing I can find is a 'Wireless Repeating' function in the advanced section of the main menu. I doubt if that will work. But you can give it a try.

Pfft. I feel your pain, thegiantsmurf. I had the same problem, but just upgraded to v1.0.32.

For me that resolved the issue.

I'm not impressed with Netgear anymore. This is pretty lame. VPN passthru functionality should be tested before the product ever sees the market, IMO. Ah well.
Indeed, that's the firmware I referenced above. Smurf, you mention that you are on 1.0.30, but did you try 1.0.32?


thegiantsmurfAuthor Commented:
I have upgraded to the latest version.
This still does not solve the problem. Netgear support have kinda given up the ghost as I mentioned that it worked under XP; they have now closed the case due to this. (I knew I should not have mentioned that.)

My only solution is to have a 2nd laptop running XP and connect that way (which works 100% OK); it's just Vista Business which won't connect. I've modified the Vista firewall to allow VPN ports.
I've wiped the laptop 4 times and tried every time, just in case it's a Windows update causing the grief.
I do have the Microsoft diagnostics logs available if anyone wants a look. I don't understand them.

(Happy new year)
