Connecting to VPN Router That's Behind Another Router

Hi Folks,

Hope someone can help me with this:

Setup is this:

- An Actiontec (from Verizon FiOS) broadband wireless router, dynamic WAN IP, LAN IP 192.168.0.1. DHCP and wireless are enabled with minimal security. This is so guests can connect to the internet but not to the main LAN (see below); they're outside the firewall.

- A Netgear FVS114 is connected via Ethernet to the Actiontec; it has a WAN address of 192.168.0.2 and a LAN address of 192.168.1.1, so its "WAN" is just the Actiontec router's LAN, firewall enabled.

I'm trying to get VPN working on the Netgear. My setup on it seems OK, since I can successfully establish a tunnel from the 192.168.0.x network into the 192.168.1.x network. But when I try from the internet (using dynamic DNS, and yes, I do see the Actiontec from the outside) I'm not getting a Phase 1 response. On the Actiontec, I have ports 1701 and 500 forwarded to the Netgear, as well as GRE.

I'm obviously missing something; any help would be appreciated. Also, if there's any other info that I should post about my setup (models, firmware, etc), let me know and I'll follow up.

Thanks much,

Jeff


Sounds like a NAT issue; try giving 192.168.0.2 an official IP address on the Actiontec and do NAT in both directions.

So your endpoint of the tunnel (seen from the outside) is not the Actiontec public address, but a second public address.

M
mak

On Wed, 30 Jan 2008 17:24:08 +0100, mak wrote:

> Actiontec and do NAT in both directions.

> Actiontec public address, but a second public address.

You'll need NAT Traversal (UDP/4500) and forward these ports.

1701 is L2TP, it depends on your connection but I guess you don't need that.

cheers

Burkhard Ott

Read my lips: You do *NOT* want to terminate an IPSec VPN on a private IP behind a NAT device. You *want* to terminate it on a public, routable IP.

Dump the 2 devices, get a serious firewalling/VPN device with at least *three* physical interfaces (WAN, LAN1 (untrusted), LAN2 (trusted)), deny all traffic from LAN1 to LAN2, build the VPN between the roaming clients and LAN2 and terminate it on the WAN interface (public IP).

The device with the three interfaces might be an old PC running Linux with 3 or more NICs if you want to use cheap hardware. Openswan and iptables will do everything you want, but you need some skills to get everything running.

OR: if you want to keep 2 routers: use a publicly routable network between the 2 routers, don't use NAT on the external router and terminate the VPN on the public IP of the internal router.

For a serious thing get a serious device, netgear is mostly cheap crap.

Wolfgang

Wolfgang Kueter

On Thu, 31 Jan 2008 23:15:03 +0100, Wolfgang Kueter wrote:

Why not? First, you can control the traffic even on the first device; the bad thing is you can only say it is an encrypted ESP packet. If I use my roadwarrior access via Openswan I do the same thing, only the direction is turned around (IPSec pass-through).

Also, OpenBSD does a good job :).

Yes, I totally agree with you, especially in the described environment.

cheers

Burkhard Ott

Because NAT kills IPSec. OK, the ESP part will work through NAT; the AH part will be killed.

Wolfgang

Wolfgang Kueter
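As an added illustration of the point above (this is not from any poster in the thread): a small Python model of why an ESP integrity check survives a NAT address rewrite while an AH integrity check does not. The key, addresses and payload are constructed (private and RFC 5737 documentation ranges), and HMAC-SHA1-96 stands in for whatever integrity algorithm the SA actually negotiates.

```python
import hashlib
import hmac
import ipaddress
import struct

IPV4_FMT = "!BBHHHBBH4s4s"                   # 20-byte IPv4 header without options
KEY = b"constructed-demo-key-not-a-real-sa"  # constructed; a real SA key comes from IKE

def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal IPv4 header; checksum left 0 (it is mutable and zeroed by AH anyway)."""
    return struct.pack(IPV4_FMT, 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def ah_icv(ip_hdr, payload):
    """AH (RFC 4302): HMAC-SHA1-96 over the IP header with mutable fields zeroed plus
    the payload. Source/destination addresses are immutable, so they ARE covered."""
    f = list(struct.unpack(IPV4_FMT, ip_hdr))
    f[1] = f[4] = f[5] = f[7] = 0            # TOS, flags/frag offset, TTL, header checksum
    return hmac.new(KEY, struct.pack(IPV4_FMT, *f) + payload, hashlib.sha1).digest()[:12]

def esp_icv(esp_data):
    """ESP (RFC 4303): HMAC over ESP header + payload only. The outer IP header is
    not covered, so a NAT rewriting addresses cannot invalidate the ICV."""
    return hmac.new(KEY, esp_data, hashlib.sha1).digest()[:12]

def router_hop(ip_hdr):
    """Ordinary router: only the TTL (a mutable field) changes."""
    f = list(struct.unpack(IPV4_FMT, ip_hdr))
    f[5] -= 1
    return struct.pack(IPV4_FMT, *f)

def nat_hop(ip_hdr, public_src):
    """NAT gateway: TTL decrement plus rewrite of the (immutable) source address."""
    f = list(struct.unpack(IPV4_FMT, router_hop(ip_hdr)))
    f[8] = ipaddress.IPv4Address(public_src).packed
    return struct.pack(IPV4_FMT, *f)

def nat_vs_ipsec(inner_src="192.168.1.1", public_src="203.0.113.7", dst="198.51.100.9"):
    """Which integrity checks still pass at the far end after a router hop vs. a NAT hop.
    All addresses and the payload are constructed sample values."""
    payload = b"constructed IPsec payload"
    hdr = ipv4_header(inner_src, dst, 51, 20 + len(payload))    # protocol 51 = AH
    ah_sent, esp_sent = ah_icv(hdr, payload), esp_icv(payload)
    return {
        "ah_after_router": hmac.compare_digest(ah_icv(router_hop(hdr), payload), ah_sent),
        "ah_after_nat": hmac.compare_digest(ah_icv(nat_hop(hdr, public_src), payload), ah_sent),
        "esp_after_nat": hmac.compare_digest(esp_icv(payload), esp_sent),
    }
```

Running `nat_vs_ipsec()` shows AH valid after a plain router hop but rejected after the NAT rewrite, while ESP is unaffected; NAT-T (UDP/4500, mentioned earlier in the thread) exists precisely so ESP can be carried through such devices.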

I think [1] illustrates the problem rather well (section "AH and NAT - Not Gonna Happen").

[1]
cu 59cobalt
Ansgar -59cobalt- Wiechers

Thanks for that link. Should be bookmarked as a good explanation for the answer to this FAQ ...

Wolfgang

Wolfgang Kueter
