Incoming IPsec passthrough possible?

Discussion in 'Cisco/Linksys Wireless Routers' started by DevilStick, May 21, 2005.

  1. DevilStick

    DevilStick Network Guru Member

    Hi there!

    Since I plan to buy a WRT54GS and a WAP54G to build up a PtP-Wireless-Bridge, I have some questions concerning IPsec.

    Will the IPsec passthrough work in both directions, incoming and outgoing? Some documents explaining the IPsec passthrough option only say that this option supports internal PCs opening an outgoing VPN connection.

    I plan to connect a Cisco PIX 501 behind the access point and forward IPsec to it. Does the WRT54GS know that, when port 500/udp is forwarded to the PIX, all IPsec traffic belonging to this connection has to be forwarded to the PIX, too? Or will I have to set up the PIX as the DMZ IP, so that it gets all traffic?

    Here a picture of the network layout:

    DSL --> WRT54GS --> WAP54G --> PIX 501 -- PC

    The router should assign a DDNS entry which can be used to open an IPsec vpn connection to the pix.

    I assume there will be some firmware hack that allows putting a WRT54G into PtP bridge mode, since the original firmware only allows AP mode for it.

    It would be nice if you could give me short feedback on whether my planned network configuration will work like I expect it to.
  2. rdhw

    rdhw Network Guru Member

    I have successfully used incoming L2TP over IPsec to a client of a WRT54G router.

    Because you will be doing NAT-traversal, you might need to port-forward UDP port 4500 as well as 500 for IPSec.

    If you are using L2TP, you will need to port-forward UDP port 1701.

    Using NAT-T to or from a Windows end-point requires a registry patch in Windows XP.
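    The port list in this reply, turned into a small checker (an added example, not code from the thread or from Linksys): it models which unsolicited inbound flows a NAT router must deliver to an inner IPsec responder like the PIX and reports which ones a given port-forward/DMZ setup would drop. The flow names, the `RouterConfig` model and the assumption that the forward table matches only on (IP protocol, port), like a TCP/UDP port-range forward page, are constructed for this example.

```python
# Added example (not from the thread): which unsolicited inbound flows a NAT
# router must deliver to an inner IPsec responder, and whether a given
# port-forward/DMZ setup covers them.
# Assumptions: forward entries match only (ip_proto, port), like a TCP/UDP
# port-range forward table; raw ESP (IP protocol 50) has no port, so only a
# DMZ host (or NAT-T encapsulation in UDP 4500) can deliver it.
from dataclasses import dataclass, field
from typing import Optional

# (ip_proto, port) for each inbound flow; UDP is IP protocol 17.
FLOWS = {
    "ike": (17, 500),     # IKE negotiation
    "nat-t": (17, 4500),  # IKE and UDP-encapsulated ESP once NAT is detected
    "esp": (50, None),    # raw ESP when no NAT-T is negotiated
    "l2tp": (17, 1701),   # L2TP, forwarded separately in the reply above
}


@dataclass
class RouterConfig:
    forwards: dict = field(default_factory=dict)  # (ip_proto, port) -> inner host
    dmz_host: Optional[str] = None


def needed_flows(nat_traversal: bool, l2tp: bool) -> set:
    """Flows the inner responder must receive for the chosen tunnel type."""
    need = {"ike", "nat-t" if nat_traversal else "esp"}
    if l2tp:
        need.add("l2tp")
    return need


def deliver(cfg: RouterConfig, flow: str) -> Optional[str]:
    """Inner host that receives an unsolicited packet of this flow, or None."""
    proto, port = FLOWS[flow]
    if port is not None and (proto, port) in cfg.forwards:
        return cfg.forwards[(proto, port)]
    return cfg.dmz_host  # DMZ host takes everything no forward matched


def missing_flows(cfg: RouterConfig, nat_traversal: bool, l2tp: bool) -> list:
    """Needed flows the router would drop under this configuration, sorted."""
    return sorted(f for f in needed_flows(nat_traversal, l2tp)
                  if deliver(cfg, f) is None)


if __name__ == "__main__":
    only_500 = RouterConfig(forwards={(17, 500): "pix"})
    print("500/udp only, NAT-T + L2TP, dropped:", missing_flows(only_500, True, True))
    print("500/udp only, raw ESP, dropped:", missing_flows(only_500, False, False))
```

With only 500/udp forwarded the checker reports `nat-t` and `l2tp` as dropped for an L2TP/IPsec NAT-T client, and `esp` as dropped for a raw-ESP peer, which is the case where a DMZ host is the only option in this model.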
  3. DevilStick

    DevilStick Network Guru Member

    Thanx for your reply.

    Will I need this registry patch only when using the Windows built-in VPN client (add new dial-in connection via VPN) or also when using the additional Cisco VPN client?

    I guess you mean the L2TP/IPsec NAT-T update. This update should already be included in WinXP SP2.

    I wonder whether this update only applies to L2TP and PPTP or also works for the Cisco VPN. Well, I'll give it a try.

  4. rdhw

    rdhw Network Guru Member
