
BEFSX41 and NAT-T

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by Beritknight, Dec 29, 2005.

  1. Beritknight

    Beritknight Network Guru Member

    I'm trying to get a VPN tunnel going between a BEFSX41 and an RV042. At the office end the RV042 is connected to a DSL modem and the RV is doing the PPPoE and gets the real IP.

    At home the BEFSX41 is behind an AG241 (will be a WAG54Gv2 in production). The AG241 is doing the PPPoE and gets the real IP, IPSec VPN passthru is enabled and UDP 500 is forwarded to the BEF's IP address.

    The idea is that devices plugged into the BEF will get access to the VPN tunnel to the office, but devices plugged into the AG241/WAG54G will not be able to use the tunnel. I want there to be absolutely no situation where a wireless client could compromise the router and gain access to the tunnel.

    The problem is that the tunnel isn't surviving being NAT'd by the AG241. I can get a stable tunnel from the AG241 to the RV, which doesn't go thru NAT, but I can't get the BEF to talk to the RV. The logs on the RV show the request as coming from the BEF's WAN IP, which is a 192.168 IP given to it by the DHCP server on the AG241.

    I understand this is exactly the sort of situation NAT-T support was added to IPSec for, but I'm a little unclear on how it works. Do both the RV and the BEF need NAT-T support, or just the AG241 since it's the one doing the NAT?

    Assuming it's the BEF that's lacking and none of the beta firmwares I've tried add NAT-T support, is there anything else down the cheap end of the price range that will support NAT-T? I'm trying to find a cheaper alternative to another Cisco VPN3005 and a bunch of VPN3002 hardware clients at about US$500 each.
     
  2. YeOldeStonecat

    YeOldeStonecat Network Guru Member

    How many clients behind the sx41?
     
  3. DocLarge

    DocLarge Super Moderator Staff Member Member

    You can try the SMCBR18VPN router (from SMC). This router is NAT-T capable, to include being a firewall router. Check at Newegg.com for it because I got mine from them for $78 bucks:

    http://ww.smc.com/files/AP/DS_BR18VPN_EN.pdf

    Doc
     
  4. Beritknight

    Beritknight Network Guru Member

    Just the one, it's an IP handset for the PABX system in the main office.

     
  5. DocLarge

    DocLarge Super Moderator Staff Member Member

    I think the solution for you may very well be getting another public IP. For the separation you want, it doesn't seem possible, unless I'm missing something, which may very well be the case :)

    I'd go with putting a switch between both your routers and your modem and have the AG241 and the BEFSX plugged in after that. This should give you the exact degree of separation you're looking for and you don't have to worry about mixing.


    Doc
     
  6. TazUk

    TazUk Network Guru Member

    Not really, NAT-T is for when you have a VPN client behind a normal NATed router connected to a remote VPN router/server with public IP.
     
  7. Beritknight

    Beritknight Network Guru Member

    That's basically what I've got.
    http://users.on.net/~ryan.trainor/VoIP_VPN.jpg
    My BEFSX41 is my VPN client, behind a WAG54G which is doing NAT. The BEF is trying to establish a tunnel thru the WAG to an RV042 on a public IP address.

    Yes I'm using the BEF instead of a software client, but that shouldn't make any difference.

    Can you tell me, as you understand it, whether it's the WAG in this scenario (as the device doing the NAT) that needs to support NAT-T, or the BEF (as the device being NAT'd)? Or do both the BEF and the RV042 need to support NAT-T?
     
  8. DocLarge

    DocLarge Super Moderator Staff Member Member

    The WAG54G supports NAT-T (I own one). As long as you have it as your perimeter router, all VPN sessions going out will be NAT'd.

    Doc
     
  9. Beritknight

    Beritknight Network Guru Member

    Sorted

    Interesting resolution.

    Amongst a bunch of other things, I finally tried the Username field in the advanced settings for the VPN tunnel on the BEF. On the RV I told it to authenticate the tunnel based not only on source IP, but on User & FQDN as well.

    Apparently the PSK, User & FQDN being correct made up for the fact that the IKE proposal was being received from the right IP, but claiming to be from 192.168.168.25.

    Strange, but working and reproducible, so I'm happy. =)

    Thanks for all your help guys!
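The two questions this thread turns on, which endpoint has to implement NAT-T (posts 1, 6 and 7) and why a User/FQDN identity made the tunnel come up when the address identity did not (post 9), can be modelled in a few lines. The following is an added example and is not code from the thread or from the Linksys/Cisco firmware. It assumes SHA-1 as the negotiated IKE hash, uses RFC 3947's NAT-D construction HASH(CKY-I | CKY-R | IP | Port), and substitutes constructed placeholder values for everything the thread does not give: the AG241 and RV042 public addresses (RFC 5737 documentation ranges), the IKE cookies, and the username. The responder's identity check is a simplified model of how a responder compares a peer's announced ID against its configured policy, not the RV042's actual logic.

```python
"""Model of IKE NAT-T detection (NAT-D payloads, RFC 3947) and responder
peer-identity matching. Constructed example; not Linksys/Cisco firmware code."""
import hashlib
import ipaddress
import struct

# Address from the thread plus constructed placeholders (RFC 5737 documentation ranges).
BEF_WAN_IP = "192.168.168.25"     # private WAN address the AG241's DHCP hands the BEFSX41 (post 9)
AG241_PUBLIC_IP = "203.0.113.10"  # constructed stand-in for the AG241's public PPPoE address
RV042_PUBLIC_IP = "198.51.100.5"  # constructed stand-in for the RV042's public address
IKE_PORT = 500
CKY_I = bytes.fromhex("0102030405060708")  # constructed initiator cookie
CKY_R = bytes.fromhex("1112131415161718")  # constructed responder cookie


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 assumed as the negotiated hash; IP is 4 bytes and port 2 bytes, network order."""
    data = cky_i + cky_r + ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def initiator_nat_d_payloads(my_ip, my_port, peer_ip, peer_port):
    """What the initiator sends: a hash of the peer's address first, then one
    hash per local address (RFC 3947 ordering)."""
    return [nat_d_hash(CKY_I, CKY_R, peer_ip, peer_port),
            nat_d_hash(CKY_I, CKY_R, my_ip, my_port)]


def responder_nat_check(payloads, my_ip, my_port, observed_src_ip, observed_src_port):
    """The responder recomputes the hashes from its own address and from the
    packet source it sees on the wire. A mismatch means a NAT rewrote an address."""
    remote_hash, local_hashes = payloads[0], payloads[1:]
    self_behind_nat = remote_hash != nat_d_hash(CKY_I, CKY_R, my_ip, my_port)
    peer_behind_nat = nat_d_hash(CKY_I, CKY_R, observed_src_ip, observed_src_port) not in local_hashes
    return {"peer_behind_nat": peer_behind_nat, "self_behind_nat": self_behind_nat}


def thread_scenario():
    """BEFSX41 (initiator) behind the AG241, talking to the RV042 (responder).
    The AG241 rewrites only the IP header; the NAT-D hashes pass through untouched,
    which is why NAT-T lives on the two IPsec endpoints and not on the NAT box."""
    payloads = initiator_nat_d_payloads(BEF_WAN_IP, IKE_PORT, RV042_PUBLIC_IP, IKE_PORT)
    return responder_nat_check(payloads, RV042_PUBLIC_IP, IKE_PORT, AG241_PUBLIC_IP, IKE_PORT)


def responder_accepts_identity(claimed_id_type, claimed_id_value, observed_src_ip, policy):
    """Simplified responder peer-ID check against the configured tunnel policy
    (policy = {"id_type": ..., "id_value": ...}). With an address identity the
    NAT'd initiator announces its private WAN address, which never matches the
    public source the responder sees; a User/FQDN identity is a string the NAT
    does not touch, which is what post 9 switched to."""
    if policy["id_type"] != claimed_id_type:
        return False
    if claimed_id_type == "ipv4_addr":
        # Address identities are cross-checked against the packet source as well.
        return claimed_id_value == policy["id_value"] == observed_src_ip
    return claimed_id_value == policy["id_value"]


def identity_comparison():
    """Same NAT'd initiator, two responder policies: address-based vs User FQDN."""
    by_address = responder_accepts_identity(
        "ipv4_addr", BEF_WAN_IP, AG241_PUBLIC_IP,
        {"id_type": "ipv4_addr", "id_value": AG241_PUBLIC_IP})
    by_user_fqdn = responder_accepts_identity(
        "user_fqdn", "voip-handset@example.net", AG241_PUBLIC_IP,  # constructed username
        {"id_type": "user_fqdn", "id_value": "voip-handset@example.net"})
    return {"ipv4_addr": by_address, "user_fqdn": by_user_fqdn}


if __name__ == "__main__":
    print(thread_scenario())      # {'peer_behind_nat': True, 'self_behind_nat': False}
    print(identity_comparison())  # {'ipv4_addr': False, 'user_fqdn': True}
```

Running `thread_scenario()` shows the responder flagging the initiator as NAT'd from the hash mismatch alone, with no help from the AG241; `identity_comparison()` shows the address identity failing for the same NAT'd initiator while the User/FQDN identity succeeds, which matches the resolution above. The PSK is still what authenticates the peer; the identity only selects which policy (and which PSK) the responder applies.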
     
  10. dgvandal

    dgvandal Network Guru Member

    Beritknight. Can you please post a screen capture of the Advanced settings screen. I'm not sure what exactly you filled in there?

    What firmware were you using on the Linksys BEFSX41?
     
  11. Beritknight

    Beritknight Network Guru Member

    Advanced screen on the BEF is here:
    http://users.on.net/~ryan.trainor/Advanced.JPG

    I'm using firmware 1.52.5_beta4.

    Edit: I just noticed that I couldn't get PPPoE to work using the beta4 firmware. Had to go back to the official 1.50.18.
     
  12. TazUk

    TazUk Network Guru Member

    I'm a bit confused as to why in your setup you're not using the WAG54G as the VPN end point router :unsure:

    Nice find on the other thing though :thumb:
     
  13. GSimpson

    GSimpson Network Guru Member

    "The idea is that devices plugged into the BEF will get access to the VPN tunnel to the office, but devices plugged into the AG241/WAG54G will not be able to use the tunnel. I want there to be absolutely no situation where a wireless client could compromise the router and gain access to the tunnel."
     