Discussion in 'Cisco Small Business Routers and VPN Solutions' started by WubboZ, May 8, 2007.

    [WRV200] QuickVPN: Which Ports?

    For a couple of days now I'm trying to get the QuickVPN feature of my WRV200 to work. I think it does, actually. I have connected it to my router/modem (Zyxel Prestige 2602HW), with one PC behind the Linksys router (PC2) and another PC on the Zyxel (the WAN side of the Linksys, PC1). Most settings on the Linksys are standard, so one PC has as IP address (PC2).
    When I try to connect to PC2's RDP service the connection fails (duh, other subnet, router between :rolleyes:), but when I connect PC1 to the router with QuickVPN I can connect to the RDP service. So that's all fine for now (I still can't browse the Windows/Samba network, but who gives a damn).
    My main issue is that I don't know which ports I need to open on my Zyxel modem/router. I can't assign the Linksys as default for all incoming connections because I have more servers running.

    The guy from the Linksys support desk couldn't help me out (I think the call was transferred to Asia, because his Dutch was very poor for a support line). So Google is man's best friend, NOT. I have seen all ports which have something to do with VPN come by, but that's a lot.
    I now have: 443, 4500, 500, 1723, 1701, 60443.
    I assume they're not all necessary, and I missed a few which are.

    Does anyone have a list of the specific ports I need to forward to my Linksys router to use QuickVPN?
    Maybe I missed something, and I overlooked something. I think not, but if I have, I am very sorry for the stupid questions :blush:

    Come on, this can't be so hard...

    Yesterday I ran a portscan on the router and found out that it has ports 21, 443 and 60443 open. So I need 443 or 60443 for the initial connection, but do I need other ports?
    Today I've contacted Linksys again. This time I've got an answer worth trying. He said I only had to forward UDP 500 and TCP 443, so I'll check that out.
    You need TCP 443 and/or 60443 for authentication.

    You need UDP 500 for IKE.

    You need to allow ESP (protocol 50) to reach the router, so your "first level router" (the one doing the forwarding) needs to support IPSec passthru and NAT. This is by far the most common problem with IPSec: either the client or server are behind a router that cannot handle IPSec passthru/NAT.
    aviegas is correct, just this one statement is a little misleading. Passthru for most folks is going to be the setting on the firewall page. This setting, however, is not going to do anything for incoming traffic. I know he meant this, but just for clarification the first router needs to be able to recognize and pass protocol 50 traffic. And because of the way NAT works (not even sure your first router is doing NAT) generally the packet gets dropped. The only way I have been able to get QuickVPN to work from behind a NAT device is to create a one-to-one NAT or put the QuickVPN router in the DMZ.
    You are right: passthru will indeed handle the "outbound" mode traffic. The situation described here is for supporting an "inbound" connection.
    Why: because NAT is triggered by the connection initiation direction.

    There is however yet another way to do it, if the "first level" router supports forwarding all inbound traffic to a specific internal IP (and that includes also ESP). I've used that on a SpeedStream DSL modem router with a RV042 behind it and it worked like a charm.

    Again, it will always depend on the features of the router ahead of the RV0xx. This is true for "all forwarding" and for one-2-one NAT.
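As an added illustration of the port list from aviegas's reply and the inbound-ESP point raised after it (not code from this thread or from Linksys/Zyxel): if the "first level" router were a Linux box running iptables, the inbound forwards toward the WRV200 would look like this. It assumes a WAN interface named eth0 and a WRV200 WAN address of 192.168.1.2 (both placeholders), and treats UDP 4500 as IKE NAT-T.

```shell
#!/bin/sh
# Added example: iptables DNAT rules on a Linux "first level" router with a
# WRV200 behind it. Assumptions: WAN interface eth0, WRV200 WAN address
# 192.168.1.2 (placeholders, not values from the thread).
# From the thread: TCP 443 (or 60443) for QuickVPN authentication, UDP 500
# for IKE, UDP 4500 for NAT-T, and IP protocol 50 (ESP). ESP has no port, so
# the usual "port forward" entry cannot carry it; the router must forward the
# whole protocol (the "passthru" checkbox only covers sessions started from
# inside, which is why inbound QuickVPN needs one-to-one NAT, DMZ, or a
# protocol-level forward like the last two rules here).

quickvpn_forward_rules() {
    wan_if=$1
    vpn_router=$2
    # Port-based forwards: DNAT in PREROUTING, then allow them through FORWARD.
    for spec in tcp:443 tcp:60443 udp:500 udp:4500; do
        proto=${spec%%:*}
        port=${spec##*:}
        printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s\n' \
            "$wan_if" "$proto" "$port" "$vpn_router"
        printf 'iptables -A FORWARD -i %s -p %s -d %s --dport %s -j ACCEPT\n' \
            "$wan_if" "$proto" "$vpn_router" "$port"
    done
    # ESP (protocol 50) has no port number: forward the entire protocol.
    printf 'iptables -t nat -A PREROUTING -i %s -p 50 -j DNAT --to-destination %s\n' \
        "$wan_if" "$vpn_router"
    printf 'iptables -A FORWARD -i %s -p 50 -d %s -j ACCEPT\n' \
        "$wan_if" "$vpn_router"
}

# Print the rule set for review; pipe it to sh on the router only after checking it.
quickvpn_forward_rules eth0 192.168.1.2
```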
    Well, don't ask me how, but it is working!
    I have set open ports 433, 500, and 4500, 60443, and 50 (did I already say I am a VPN noob :biggrin:). I'll close 50, 443 and 4500 tomorrow.
    About the protocols 50 and 51 (ISAKMP, AH, ESP, whatever), I have configured my firewall to pass through AH and ISAKMP, and it didn't mention a port number (unlike all the other preconfigured services). In the NAT setup I have only configured the ports 433, 500 etc. Nothing special for protocol 50...

