VPN - IPSEC Passthrough

Posted on 2007-12-05
Medium Priority
Last Modified: 2011-04-14
I'm trying to connect to a smoothwall - VPN smoothtunnel via IPSEC, I'm using a netgear WNR834Bv2.
If I use a simple analogue dial up access to the net then connect to the VPN tunnel, everything works fine.

Joy of joys I can't seem to get the Netgear to allow access to the tunnel, I've heard rumours I need to open ports 50, 51, 500, 1701, 1723 to access the VPN with the Router, I have attempted to open these ports using port forwarding, but still no joy.
Can anyone shed any light or give us a quick step by step walk through.
Thanks in advance
Question by:thegiantsmurf
LVL 32

Expert Comment

ID: 20416269
If you have a client sitting behind the Netgear going out to the internet to the IPSec server then you need not open any ports on the router. By default the router would allow outbound traffic and corresponding inbound traffic in. So, as long as you can connect to the internet through the router you should also be able to establish the VPN tunnel; also, using the same machine as you are able to connect when using dial-up, this means that the machine settings are also good.

I would advise you to check with your ISP, it appears that they are deliberately blocking the VPN traffic.

The ports/protocols used for IPSec VPN are:
UDP 500 [IKE]
UDP 4500 [NAT-T]
Protocol 50/51 [ESP/AH; note protocol not port]

Please check and update.

Thank you.
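The comment above lists the IPsec components (IKE on UDP 500, NAT-T on UDP 4500, and ESP/AH as IP protocols 50/51 rather than ports). The following is an added example, not code from the thread, from Netgear or from Smoothwall: a small Python script that classifies router firewall log lines by IPsec component and reports whether the NAT router is passing them. The log line format is a constructed iptables-style layout, and the sample lines are constructed; the verdict strings are my own summaries of the cases the thread discusses.

```python
# Added example (not from the thread): classify constructed, iptables-style
# router log lines by IPsec component and diagnose a likely passthrough issue.
import re
from collections import Counter

# Ports/protocols named in the thread. 50/51 are IP protocol numbers, not ports,
# which is why "port forwarding 50 and 51" cannot open them.
IKE_PORT = 500      # IKE, UDP
NATT_PORT = 4500    # NAT-T (UDP-encapsulated ESP)
ESP_PROTO = "50"    # ESP, IP protocol 50 (iptables may print it as ESP)
AH_PROTO = "51"     # AH, IP protocol 51 (iptables may print it as AH)

# Constructed (hypothetical) log format:
# "<ACCEPT|DROP> IN=<if> OUT=<if> SRC=<ip> DST=<ip> PROTO=<num|name> [SPT=<n> DPT=<n>]"
LINE_RE = re.compile(
    r"^(?P<action>ACCEPT|DROP)\s+.*?SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+"
    r"PROTO=(?P<proto>\S+)(?:\s+SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+))?"
)

def classify(line):
    """Return (component, action) for one log line, or None if it is not IPsec-related."""
    m = LINE_RE.match(line)
    if not m:
        return None
    proto = m.group("proto").upper()
    dpt = int(m.group("dpt")) if m.group("dpt") else None
    action = m.group("action")
    if proto == "UDP" and dpt == IKE_PORT:
        return ("IKE", action)
    if proto == "UDP" and dpt == NATT_PORT:
        return ("NAT-T", action)
    if proto in (ESP_PROTO, "ESP"):
        return ("ESP", action)
    if proto in (AH_PROTO, "AH"):
        return ("AH", action)
    return None

def diagnose(lines):
    """Count IPsec components per action and return (counts, one-line verdict)."""
    seen = Counter()
    for line in lines:
        c = classify(line)
        if c:
            seen[c] += 1
    ike_ok = seen[("IKE", "ACCEPT")] > 0
    natt_ok = seen[("NAT-T", "ACCEPT")] > 0
    esp_dropped = seen[("ESP", "DROP")] > 0 or seen[("AH", "DROP")] > 0
    if not ike_ok:
        verdict = "no IKE (UDP 500) traffic passed: check outbound UDP 500 first"
    elif natt_ok:
        verdict = ("IKE and NAT-T (UDP 4500) passed: ESP is UDP-encapsulated, "
                   "no protocol-50 passthrough is needed")
    elif esp_dropped:
        verdict = ("IKE passed but raw ESP/AH (IP protocol 50/51) was dropped: "
                   "enable VPN/IPsec passthrough or NAT-T; port forwarding cannot open an IP protocol")
    else:
        verdict = "IKE passed but no ESP/AH or NAT-T seen: phase 2 never started, check the peer negotiation"
    return seen, verdict

# Constructed sample: IKE completes, raw ESP is then dropped by the NAT router.
SAMPLE_LOG = [
    "ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 PROTO=UDP SPT=500 DPT=500",
    "ACCEPT IN=eth0 OUT=br0 SRC=203.0.113.5 DST=192.168.1.10 PROTO=UDP SPT=500 DPT=500",
    "DROP IN=br0 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 PROTO=50",
    "ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP SPT=51234 DPT=443",
]

if __name__ == "__main__":
    counts, verdict = diagnose(SAMPLE_LOG)
    for (component, action), n in sorted(counts.items()):
        print(f"{component:6} {action:6} {n}")
    print(verdict)
```

Run against a real router's log (after adapting `LINE_RE` to its format) the verdict separates the three situations the thread conflates: IKE never leaving the LAN, IKE working but raw ESP being dropped (the passthrough/NAT-T case), and both IKE and NAT-T working, in which case no protocol-50 handling on the router is involved at all.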

Author Comment

ID: 20418055
Thanks for your reply, but my ISP is not blocking anything, I used to have the earlier Rangemax router which worked fine, I'm also trying to get this resolved with Netgear, their reply was :
 "The WNR834Bv2 Router is just a VPN Pass through, please open the Ports 50, 51, 500, 1701, 1723 to access the VPN with the Router. You must use only the feature "Port Forwarding" to open the ports in the router."

Their reply does not make much sense as I never had to do this on the old router.  Still confused and still no VPN even with the ports open.  I'll try again, but any more ideas would be greatly received.

LVL 18

Expert Comment

ID: 20418300
They probably misunderstood you. It seems that they think you want to pass through an INCOMING connection, while it is actually an OUTGOING connection.
For most routers you have to enable VPN passthrough or NAT Traversal. This enables VPN outgoing. Mind you, lots of cheapo routers allow only one or a limited number of outgoing connection at a time.
The process for configuring VPN passthrough is usually explained in the reference manual, but I can not find a single reference to VPN except a pointer to a general explanation and something about changing the MTU. But the default MTU is large enough.
Which makes me think that this router either doesn't support VPN passthrough or is just flawed.
The release note of the latest firmware mentions a problem with VPN passthrough: http://kbserver.netgear.com/release_notes/d103205.asp
They only mention netgear .. gear, but who knows.
Which firmware version are you on?

If you want to test some more yourself: have a look at this troubleshooting guide: http://www.vpncasestudy.com/vpn_passthrough.html


LVL 18

Expert Comment

ID: 20418308
BTW, the datasheet also does NOT mention VPN passthrough or NAT-T.


Author Comment

ID: 20418424
The netgear was originally on version 1.0.22 which did not work, thus I installed/upgraded to version 1.0.30
It does seem strange that I need to open ports for inbound.
LVL 18

Expert Comment

ID: 20418502
You don't. It's just wrong, so close them.
The only correct advice I can give: sell that router and buy one that is suited for the purpose. The keywords are VPN Passthrough and NAT Traversal.


Author Comment

ID: 20418540
OK....plan B.
Can I just hang my old router onto the network BEFORE the netgear WNR834Bv2?
Therefore what I'll have is the cable connection going to my old router, (which worked) then the new WNR834Bv2, attached to one of the spare network ports, both on the same subnet, both on the same IP range.

It's a bit tacky but as long as I connect to my old router for VPN access (once a week or so) then will it work ?
LVL 18

Expert Comment

ID: 20418654
You could do that, if you don't use the WAN part of the Netgear. Otherwise you would have the same problem.
So basically it would become an accesspoint and second switch.
- Disable DHCP on the Netgear.
- Connect the switch ports of the routers using a cross-cable.
- And configure the wireless access point in the router to be a bridge so that it hands out the DHCP addresses of your other router.
Where plan B could fail: I don't find any option on that router to use the wireless part as a generic Access Point. The only thing I can find is a 'Wireless Repeating' function in the advanced section of the main menu. I doubt if that will work. But you can give it a try.


Expert Comment

ID: 20454616
Pfft. I feel your pain, thegiantsmurf. I had the same problem, but just upgraded to v1.0.32.

For me that resolved the issue.

I'm not impressed with Netgear anymore. This is pretty lame. VPN passthru functionality should be tested before the product ever sees the market, IMO. Ah well.
LVL 18

Accepted Solution

PowerIT earned 1000 total points
ID: 20455623
Indeed, that's the firmware I referenced above. Smurf, you mention that you are on 1.0.30, but did you try 1.0.32?


Author Comment

ID: 20563276
I have upgraded to the latest version.
This still does not solve the problem. Netgear support have kinda given up the ghost as I mentioned that it worked under XP, they have now closed the case due to this. (I knew I should have not mentioned that).

My only solution is to have a 2nd laptop running XP and connect that way (which works 100% OK), it's just Vista Business which won't connect. I've modified the Vista firewall to allow VPN ports.
I've wiped the laptop 4 times and tried every time just in case it's a Windows update causing the grief.
I do have the Microsoft diagnostics logs available if anyone wants a look. I don't understand them.

(Happy new year)

