• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3219

VPN - IPSEC Passthrough

I'm trying to connect to a smoothwall VPN (smoothtunnel) via IPSEC; I'm using a Netgear WNR834Bv2.
If I use a simple analogue dial up access to the net then connect to the VPN tunnel, everything works fine.

Joy of joys, I can't seem to get the Netgear to allow access to the tunnel. I've heard rumours I need to open ports 50, 51, 500, 1701, 1723 to access the VPN with the router. I have attempted to open these ports using port forwarding, but still no joy.
Can anyone shed any light or give us a quick step by step walk through.
Thanks in advance
1 Solution
If you have a client sitting behind the Netgear going out to the internet to the IPSec server then you need not open any ports on the router. By default the router would allow outbound traffic and the corresponding inbound traffic in. So, as long as you can connect to the internet through the router you should also be able to establish the VPN tunnel; also, since the same machine is able to connect when using dial-up, this means that the machine settings are also good.

I would advise you to check with your ISP; it appears that they are deliberately blocking the VPN traffic.

The ports/protocols used for IPSec VPN are:
UDP 500 [IKE]
UDP 4500 [NAT-T]
Protocol 50/51 [ESP/AH; note protocol not port]

Please check and update.

Thank you.
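The list above hinges on a distinction that trips people up: IKE and NAT-T are UDP ports, while ESP and AH are IP protocol numbers that a "port forwarding" page cannot express. The following added example (written for this thread, not code from any poster or from Netgear) parses constructed IPv4 packets and labels each one as IKE, IKE over NAT-T, ESP-in-UDP, raw ESP or AH, using the 4-byte zero "non-ESP marker" that distinguishes IKE from ESP on UDP 4500 (an ESP SPI of zero is reserved, so the marker cannot collide with real ESP). It also reviews a hypothetical list of port-forward rules and flags the two misreadings in the thread: treating 50/51 as ports, and using port forwarding (inbound) for an outbound client tunnel. All packets and rules are constructed inline.

```python
"""Classify IPv4 packets as IPsec traffic types and review port-forward rules.

Added example for the thread above; the packets below are constructed, not
captured from the poster's network.
"""
import struct

IP_PROTO_UDP = 17
IP_PROTO_ESP = 50          # IP protocol number, not a port
IP_PROTO_AH = 51           # IP protocol number, not a port
PORT_IKE = 500             # UDP
PORT_NAT_T = 4500          # UDP; carries both IKE and ESP-in-UDP
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE on 4500 is prefixed with 4 zero bytes


def classify(packet: bytes) -> str:
    """Return a human-readable label for one raw IPv4 packet."""
    if len(packet) < 20:
        return "too-short"
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        return "not-ipv4"
    ihl = (version_ihl & 0x0F) * 4        # header length in bytes
    proto = packet[9]                      # protocol field of the IPv4 header
    if proto == IP_PROTO_ESP:
        return "ESP (IP protocol 50)"
    if proto == IP_PROTO_AH:
        return "AH (IP protocol 51)"
    if proto != IP_PROTO_UDP:
        return f"other (IP protocol {proto})"
    udp = packet[ihl:ihl + 8]
    if len(udp) < 8:
        return "truncated-udp"
    sport, dport, _length, _csum = struct.unpack("!HHHH", udp)
    payload = packet[ihl + 8:]
    if PORT_IKE in (sport, dport):
        return "IKE (UDP 500)"
    if PORT_NAT_T in (sport, dport):
        # A zero SPI is reserved, so 4 zero bytes can only be the non-ESP marker.
        if payload[:4] == NON_ESP_MARKER:
            return "IKE over NAT-T (UDP 4500, non-ESP marker)"
        return "ESP-in-UDP (UDP 4500, NAT-T)"
    return f"UDP {sport}->{dport}"


def review_port_forwards(rules):
    """Flag port-forward rules that reflect the confusion in the thread.

    `rules` is a list of (transport, port) tuples such as ("TCP", 50).
    Returns a list of finding strings; an empty list means nothing to flag.
    """
    findings = []
    for transport, port in rules:
        if port in (IP_PROTO_ESP, IP_PROTO_AH):
            findings.append(f"{transport} port {port}: ESP/AH are IP protocols 50/51, "
                            "not ports; forwarding this port does nothing for IPsec")
        elif port in (PORT_IKE, PORT_NAT_T) and transport.upper() != "UDP":
            findings.append(f"{transport} port {port}: IKE/NAT-T use UDP, not {transport}")
    if rules:
        findings.append("Port forwarding only affects inbound connections; an outbound "
                        "client tunnel needs VPN passthrough / NAT-T, not forwards")
    return findings


# --- constructed sample packets -------------------------------------------
def build_ipv4(proto: int, payload: bytes,
               src=b"\xc0\xa8\x01\x0a", dst=b"\xcb\x00\x71\x01") -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; fine for parsing)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         0, 0, 64, proto, 0, src, dst)
    return header + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


SAMPLES = {
    "ike":      build_ipv4(IP_PROTO_UDP, build_udp(500, 500, b"\x00" * 28)),
    "natt_ike": build_ipv4(IP_PROTO_UDP, build_udp(4500, 4500, NON_ESP_MARKER + b"\x00" * 28)),
    "natt_esp": build_ipv4(IP_PROTO_UDP, build_udp(4500, 4500, b"\x00\x00\x12\x34" + b"\x00" * 8)),
    "esp":      build_ipv4(IP_PROTO_ESP, b"\x00\x00\x12\x34" + b"\x00\x00\x00\x01"),
    "ah":       build_ipv4(IP_PROTO_AH, b"\x11\x04\x00\x00" + b"\x00" * 8),
    "dns":      build_ipv4(IP_PROTO_UDP, build_udp(53000, 53, b"\x00" * 12)),
}

# Hypothetical port-forward list mirroring the advice quoted in the thread.
THREAD_RULES = [("TCP", 50), ("TCP", 51), ("UDP", 500)]

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:9s} -> {classify(pkt)}")
    for finding in review_port_forwards(THREAD_RULES):
        print("finding:", finding)
```

Run against a real capture, the same `classify` function tells you whether the client ever gets past IKE (UDP 500 or 4500) to ESP; if you see IKE but never ESP or ESP-in-UDP, the gateway negotiated but the router is dropping or mangling the data path, which is exactly the passthrough problem discussed later in the thread.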
thegiantsmurf (Author) commented:
Thanks for your reply, but my ISP is not blocking anything. I used to have the earlier Rangemax router which worked fine. I'm also trying to get this resolved with Netgear; their reply was:
 "The WNR834Bv2 Router is just a VPN Pass through, please open the Ports 50, 51, 500, 1701, 1723 to access the VPN with the Router. You must use only the feature "Port Forwarding" to open the ports in the router."

Their reply does not make much sense as I never had to do this on the old router. Still confused and still no VPN even with the ports open. I'll try again, but any more ideas would be gratefully received.

They probably misunderstood you. It seems that they think you want to pass through an INCOMING connection, while it is actually an OUTGOING connection.
For most routers you have to enable VPN passthrough or NAT Traversal. This enables VPN outgoing. Mind you, lots of cheapo routers allow only one or a limited number of outgoing connection at a time.
The process for configuring VPN passthrough is usually explained in the reference manual, but I can not find a single reference to VPN except a pointer to a general explanation and something about changing the MTU. But the default MTU is large enough.
Which makes me think that this router either doesn't support VPN passthrough or is just flawed.
The release note of the latest firmware mentions a problem with VPN passthrough: http://kbserver.netgear.com/release_notes/d103205.asp
They only mention netgear .. gear, but who knows.
Which firmware version are you on?

If you want to test some more yourself: have a look at this troubleshooting guide: http://www.vpncasestudy.com/vpn_passthrough.html


BTW, the datasheet also does NOT mention VPN passthrough or NAT-T.

thegiantsmurf (Author) commented:
The netgear was originally on version 1.0.22 which did not work, thus I installed/upgraded to version 1.0.30
It does seem strange that I need to open ports for inbound.
You don't. It's just wrong, so close them.
The only correct advice I can give: sell that router and buy one that is suited for the purpose. The keywords are VPN Passthrough and NAT Traversal.

thegiantsmurf (Author) commented:
OK....plan B.
Can I just hang my old router onto the network BEFORE the Netgear WNR834Bv2?
Therefore what I'll have is the cable connection going to my old router, (which worked) then the new WNR834Bv2, attached to one of the spare network ports, both on the same subnet, both on the same IP range.

It's a bit tacky, but as long as I connect to my old router for VPN access (once a week or so) then will it work?
You could do that, if you don't use the WAN part of the Netgear. Otherwise you would have the same problem.
So basically it would become an accesspoint and second switch.
- Disable DHCP on the Netgear.
- Connect the switch ports of the routers using a cross-cable.
- And configure the wireless access point in the router to be a bridge so that it hands out the DHCP addresses of your other router.
Where plan B could fail: I don't find any option on that router to use the wireless part as a generic Access Point. The only thing I can find is a 'Wireless Repeating' function in the advanced section of the main menu. I doubt if that will work. But you can give it a try.

Pfft. I feel your pain, thegiantsmurf. I had the same problem, but just upgraded to v1.0.32.

For me that resolved the issue.

I'm not impressed with Netgear anymore. This is pretty lame. VPN passthru functionality should be tested before the product ever sees the market, IMO. Ah well.
Indeed, that's the firmware I referenced above. Smurf, you mention that you are on 1.0.30, but did you try 1.0.32?

thegiantsmurf (Author) commented:
I have upgraded to the latest version.
This still does not solve the problem. Netgear support have kinda given up the ghost as I mentioned that it worked under XP; they have now closed the case due to this. (I knew I should not have mentioned that.)

My only solution is to have a 2nd laptop running XP and connect that way (which works 100% OK); it's just Vista Business which won't connect. I've modified the Vista firewall to allow VPN ports.
I've wiped the laptop 4 times and tried every time just in case it's a Windows update causing the grief.
I do have the Microsoft diagnostics logs available if anyone wants a look. I don't understand them.

(Happy new year)
