From: Jeff on 29 Jan 2008 20:06

Hi Folks,

Hope someone can help me with this:

Setup is this:

- An Actiontec (from Verizon FiOS) broadband wireless router, dynamic WAN IP, LAN IP 192.168.0.1. DHCP and wireless is enabled with minimal security. This is so guests can connect to the internet but not to the main LAN (see below); they're outside the firewall.

- A Netgear fvs114 is connected via ethernet to the Actiontec, it has a WAN address of 192.168.0.2 and a LAN address of 192.168.1.1, so its "WAN" is just the Actiontec router's LAN, firewall enabled.

I'm trying to get VPN working on the netgear. My setup on it seems ok since I can successfully establish a tunnel from the 192.168.0.x network into the 192.168.1.x network. But when I try from the internet (using dynamic DNS and yes I do see the Actiontec from the outside) I'm not getting a Phase 1 response. On the Actiontec, I have ports 1701, 500 forwarded to the Netgear as well as GRE.

I'm obviously missing something; any help would be appreciated. Also, if there's any other info that I should post about my setup (models, firmware, etc), let me know and I'll follow up.

Thanks much,
Jeff
From: mak on 31 Jan 2008 11:24

Jeff wrote:
> Hi Folks,
>
> Hope someone can help me with this:
>
> Setup is this:
>
> - An Actiontec (from Verizon FiOS) broadband wireless router, dynamic
> WAN IP, LAN IP 192.168.0.1. DHCP and wireless is enabled with minimal
> security. This is so guests can connect to the internet but not to
> the main LAN (see below); they're outside the firewall.
>
> - A Netgear fvs114 is connected via ethernet to the Actiontec, it has
> a WAN address of 192.168.0.2 and a LAN address of 192.168.1.1, so
> its "WAN" is just the Actiontec router's LAN, firewall enabled.
>
> I'm trying to get VPN working on the netgear. My setup on it seems ok
> since I can successfully establish a tunnel from the 192.168.0.x
> network into the 192.168.1.x network. But when I try from the internet
> (using dynamic DNS and yes I do see the Actiontec from the outside)
> I'm not getting a Phase 1 response. On the Actiontec, I have ports
> 1701, 500 forwarded to the Netgear as well as GRE.

sounds like a NAT issue, try giving 192.168.0.2 an official IP address on the Actiontec and do NAT in both directions.

so your endpoint of the tunnel (seen from the outside) is not the Actiontec public address, but a second public address.

M
From: Burkhard Ott on 31 Jan 2008 14:24

On Wed, 30 Jan 2008 17:24:08 +0100, mak wrote:
>> I'm trying to get VPN working on the netgear. My setup on it seems ok
>> since I can successfully establish a tunnel from the 192.168.0.x
>> network into the 192.168.1.x network. But when I try from the internet
>> (using dynamic DNS and yes I do see the Actiontec from the outside)
>> I'm not getting a Phase 1 response. On the Actiontec, I have ports
>> 1701, 500 forwarded to the Netgear as well as GRE.
>
> sounds like a NAT issue, try giving 192.168.0.2 an official IP address on the Actiontec and do NAT in both directions.
>
> so your endpoint of the tunnel (seen from the outside) is not the Actiontec public address, but a second public address.
>
> M

You'll need NAT Traversal (udp/4500) and forward these ports.
1701 is L2TP, it depends on your connection but I guess you don't need that.

cheers
From: Wolfgang Kueter on 1 Feb 2008 05:09

Burkhard Ott wrote:
> On Thu, 31 Jan 2008 23:15:03 +0100, Wolfgang Kueter wrote:
>
>> Read my lips: You do *NOT* want to terminate an IPSec VPN on a private
>> IP behind a NAT device. You *want* to terminate it on a public, routable
>> IP.
>
> Why not,

Because NAT kills IPSec. OK, The esp part will work through NAT, the ah part will be killed.

Wolfgang
From: Ansgar -59cobalt- Wiechers on 1 Feb 2008 08:47

Wolfgang Kueter <wolfgang(a)shconnect.de> wrote:
> Burkhard Ott wrote:
>> On Thu, 31 Jan 2008 23:15:03 +0100, Wolfgang Kueter wrote:
>>> Read my lips: You do *NOT* want to terminate an IPSec VPN on a
>>> private IP behind a NAT device. You *want* to terminate it on a
>>> public, routable IP.
>>
>> Why not,
>
> Because NAT kills IPSec. OK, The esp part will work through NAT, the
> ah part will be killed.

I think [1] illustrates the problem rather well (section "AH and NAT - Not Gonna Happen").

[1] http://www.unixwiz.net/techtips/iguide-ipsec.html

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of their architecture they should go back and re-architect their solution." --Mark Russinovich
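The "ESP survives NAT, AH does not" point made in the last two replies, as an added illustration that is not part of the thread: AH's integrity check covers the outer IP header (with only the mutable fields zeroed, per RFC 4302), so a NAT rewrite of the source address invalidates it, while a plain router's TTL decrement does not; ESP's integrity check covers only the ESP payload. The key, addresses other than 192.168.0.2, and the payload are constructed sample values; the headers are simplified (no checksum, no real AH/ESP framing).

```python
import hmac, hashlib, struct
from ipaddress import IPv4Address

KEY = b"constructed-demo-key"  # constructed sample key, not a real SA key

def ipv4_header(src, dst, ttl=64, proto=51):
    # Minimal 20-byte IPv4 header (checksum left 0; it is a mutable field anyway).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0x4000, ttl, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def zero_mutable(hdr):
    # RFC 4302 3.3.3.1: TOS, flags/fragment offset, TTL and checksum are
    # zeroed before the AH ICV is computed; source/destination are NOT.
    b = bytearray(hdr)
    b[1] = 0; b[6:8] = b"\x00\x00"; b[8] = 0; b[10:12] = b"\x00\x00"
    return bytes(b)

def ah_icv(hdr, payload):
    # AH ICV: keyed over the (immutable part of the) IP header plus payload.
    return hmac.new(KEY, zero_mutable(hdr) + payload, hashlib.sha256).digest()[:12]

def esp_icv(payload):
    # ESP ICV: keyed over the ESP payload only; the outer IP header is not covered.
    return hmac.new(KEY, payload, hashlib.sha256).digest()[:12]

def in_transit(hdr, new_src, new_ttl):
    # What a router does (TTL decrement) and what a NAT does in addition
    # (source address rewrite). If new_src equals the original, only TTL changes.
    b = bytearray(hdr)
    b[12:16] = IPv4Address(new_src).packed
    b[8] = new_ttl
    return bytes(b)

def check(inner_src, seen_src, dst="198.51.100.7"):
    # Returns whether the receiver's recomputed ICV still matches for AH and ESP.
    payload = b"constructed IPsec payload"        # constructed sample payload
    sent = ipv4_header(inner_src, dst)
    ah_sent, esp_sent = ah_icv(sent, payload), esp_icv(payload)
    received = in_transit(sent, seen_src, 63)
    return {"ah": hmac.compare_digest(ah_sent, ah_icv(received, payload)),
            "esp": hmac.compare_digest(esp_sent, esp_icv(payload))}

if __name__ == "__main__":
    print("plain router:", check("192.168.0.2", "192.168.0.2"))  # both True
    print("through NAT: ", check("192.168.0.2", "203.0.113.5"))  # ah False, esp True
```

This is why Burkhard's advice to forward UDP 4500 (NAT-T) matters only for ESP; there is no NAT traversal for AH.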