
Can't connect from home to office VPN when router is installed

Discussion in 'Networking Issues' started by illlogic, Sep 28, 2009.

  1. illlogic

    illlogic Addicted to LI Member

    I'm not very familiar with how VPN is set up, and in searching for help, it seems that there are many things involved. I suspect my problem is much more vanilla, so much so that people don't bother asking about it. Most responses I get are for running VPN servers behind or even on their router, so I haven't found an answer yet.

    The story is, I'm on a computer at home, running vpnc on Ubuntu Linux (Intrepid), connecting to a VPN server at my work office. I connect my computer directly to my DSL modem with an ethernet cable, and the vpn connects. I then installed my new Linksys WRT54GL v 1.1 running Tomato 1.25, and tried sticking that between my DSL modem and my computer, and vpnc does not get a response from the server.

    I looked at the traffic using Wireshark with and without the router to see what seemed to be missing. It seems to get stuck on some ISAKMP packets. My computer is sending it out in both cases, but only getting a response without the router involved.

    I don't see anything about ISAKMP in port forwarding. From picking up bits and pieces online, I tried turning on DMZ (which, as I understand, connects my computer directly to the Internet, so really everything should work, however insecurely, so perhaps there's some user error on another level), I tried forwarding UDP port 4500, and I tried turning on NAT-PMP. All are on at the same time, still no response.

    Any idea what I can do? Thanks.
     
  2. ifican

    ifican Network Guru Member

    You need to get your work to utilize NAT-T for your connection. In some cases DMZ will work, but in most it will not. You can fix the ISAKMP issue by forwarding UDP 500, but that's not going to fix your issue, because IPsec is going to be broken: there is no way to identify and forward IPsec. Interestingly enough, port 4500 is the port used for NAT-T, but it has to be configured on both sides to be effective.
     
  3. illlogic

    illlogic Addicted to LI Member

    Thanks for the response.

    Just to make sure we're on the same page: I can connect to the work VPN fine from home with no router. Are you sure I need to change settings at work (which is not practical because it's a huge company)? The router I installed is at home, not the office. Seems a bit strange to me that they would care whether or not I'm behind a router.

    Anyway, I'll add udp 500 in the meantime and see what it gives me.

    Thanks!
     
  4. ifican

    ifican Network Guru Member

    They don't care if you are behind a router. Most companies have already set up NAT-T because most home users use routers. The technical reason is that IPsec is passed via protocol 50 or 51, not a port number. When you sit on an inside NAT network you have to receive those IPsec packets or your tunnel will never work (as you have discovered). When you are directly connected, your computer is a publicly routable IP. When you are behind a NAT device, your WAN (public IP) receives the IPsec traffic, and since there is no session created for the data (i.e. source IP, port - destination IP, port mapping), the router just drops the data and hence no communication. If you fix your ISAKMP forwarding and put your machine in the "DMZ", perhaps you can get it to work. Outside of that, NAT-T will have to be configured on both ends. I could go into how NAT-T works, but there is plenty on the internet that is already written.
     
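The session-table behaviour ifican describes, as an added illustration that is not part of any post in this thread: a simplified port-based NAT that maps UDP flows (ISAKMP on 500, NAT-T on 4500) but has nothing to key a plain ESP reply (IP protocol 50) on, so it drops it. Addresses and port numbers are constructed for the example; real routers may add IPsec passthrough, which this model deliberately leaves out.

```python
from dataclasses import dataclass, field
from typing import Optional

UDP, ESP = 17, 50  # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # None for ESP, which carries no port header
    dport: Optional[int] = None


@dataclass
class NatRouter:
    """Port-based NAT: sessions keyed on (lan ip, lan port, remote ip, remote port)."""
    wan_ip: str
    table: dict = field(default_factory=dict)  # session key -> public port
    next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the LAN source to the WAN address; record a session only if ports exist."""
        if pkt.sport is None:
            return Packet(pkt.proto, self.wan_ip, pkt.dst)  # ESP leaves untracked
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        pub = self.table.setdefault(key, self.next_port)
        if pub == self.next_port:
            self.next_port += 1
        return Packet(pkt.proto, self.wan_ip, pkt.dst, pub, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Forward a WAN reply only when it matches a recorded session."""
        for (lan_ip, lan_port, rem_ip, rem_port), pub in self.table.items():
            if (pkt.src, pkt.sport, pkt.dport) == (rem_ip, rem_port, pub):
                return Packet(pkt.proto, pkt.src, lan_ip, pkt.sport, lan_port)
        return None  # no mapping: the router drops it, which is what the OP saw


def reply_reaches_host(nat_t: bool) -> bool:
    """Simulate tunnel setup; True if the server's IPsec reply gets back to the PC."""
    router = NatRouter(wan_ip="203.0.113.7")  # constructed addresses
    home, server = "192.168.1.10", "198.51.100.20"
    # ISAKMP on UDP 500 has ports, so it is mapped and answered either way.
    out = router.outbound(Packet(UDP, home, server, 500, 500))
    if router.inbound(Packet(UDP, server, out.src, 500, out.sport)) is None:
        return False
    if nat_t:  # ESP wrapped in UDP 4500: ports again, so the NAT can map it
        out = router.outbound(Packet(UDP, home, server, 4500, 4500))
        reply = Packet(UDP, server, out.src, 4500, out.sport)
    else:  # plain ESP, protocol 50: nothing for the session table to key on
        out = router.outbound(Packet(ESP, home, server))
        reply = Packet(ESP, server, out.src)
    return router.inbound(reply) is not None


print("plain ESP:", reply_reaches_host(False), "NAT-T:", reply_reaches_host(True))
```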
