
VPN between RV042 and VPN Client behind NAT

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by Jan_at_Linksysinfo, May 25, 2006.

  1. Jan_at_Linksysinfo

    Jan_at_Linksysinfo LI Guru Member

    Hello there,

    luckily I found this forum, because Linksys support unfortunately is no help at the moment.

    I have the following setup:

    Main office: RV042 with static WAN IP
    static LAN IP, DHCP switched off in LAN

    Remote Client: SafeNet VPN Client with dynamic LAN IP behind a
    NAT Router with dynamic WAN IP

    After a lot of testing I can establish a VPN connection between the SafeNet VPNClient and the Linksys RV042 router.

    This works much more reliably than with the QuickVPN Client Linksys supports.

    You just have to be careful with your PSK and FQDN: only use alphanumeric characters. It does not support special characters!! ... Took me 8 hours to figure this out...


    After this success story here comes the problem:

    As far as I noticed, RV042 has no NAT detection, which means it does not support NAT traversal VPNs.

    This is the log of the VPN Client when connecting to RV042:

    5-25: 10:58:18.155 My Connections\VPNLinksys - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 5x)
    5-25: 10:58:18.856 My Connections\VPNLinksys - RECEIVED<<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID)
    5-25: 10:58:19.868 My Connections\VPNLinksys - SENDING>>>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT)
    5-25: 10:58:19.868 My Connections\VPNLinksys - Established IKE SA


    When I connect to a Bintec Access 5 which supports NAT detection and therefore NAT traversal, the log looks like this:

    5-25: 15:31:53.794 My Connections\VPNBintec - Initiating IKE Phase 1 (Hostname=vpn-test.bintec.de) (IP ADDR=212.14.95.38 )
    5-25: 15:31:55.166 My Connections\VPNBintec - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 5x)
    5-25: 15:31:55.356 My Connections\VPNBintec - RECEIVED<<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID 7x, NAT-D 2x)
    5-25: 15:31:55.356 My Connections\VPNBintec - Peer is NAT-T draft-02 capable
    5-25: 15:31:55.356 My Connections\VPNBintec - Peer is NAT-T draft-01 capable
    5-25: 15:31:55.356 My Connections\VPNBintec - NAT is detected for Client
    5-25: 15:31:55.356 My Connections\VPNBintec - Floating to IKE non-500 port
    5-25: 15:31:56.408 My Connections\VPNBintec - SENDING>>>> ISAKMP OAK AG *(HASH, NAT-D 2x, NOTIFY:STATUS_INITIAL_CONTACT)
    5-25: 15:31:56.408 My Connections\VPNBintec - Established IKE SA


    As a result I can only establish a VPN connection when the VPNClient is behind a NAT which has NAT passthrough enabled.

    But it will not work when the NAT router only supports VPN over NAT traversal, which is often the case when you are at hotels, public hotspots, etc.

    I asked Linksys support prior to buying the router and they confirmed that it supports NAT traversal.

    Does anybody have more insight on this?

    Thanks

    Jan
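
The comparison Jan makes between the two client logs can be automated. The following is an added example, not part of the original post and not SafeNet or Linksys code: it parses the handshake lines quoted above and reports, per connection, whether the responder sent NAT-D payloads and whether the client floated off port 500. The function names and the result field names are assumptions made for this sketch.

```python
import re
# Handshake lines copied from the two client logs quoted in the post.
SAMPLE_LOG = r"""
5-25: 10:58:18.155 My Connections\VPNLinksys - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 5x)
5-25: 10:58:18.856 My Connections\VPNLinksys - RECEIVED<<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID)
5-25: 10:58:19.868 My Connections\VPNLinksys - SENDING>>>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT)
5-25: 10:58:19.868 My Connections\VPNLinksys - Established IKE SA
5-25: 15:31:55.166 My Connections\VPNBintec - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 5x)
5-25: 15:31:55.356 My Connections\VPNBintec - RECEIVED<<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID 7x, NAT-D 2x)
5-25: 15:31:55.356 My Connections\VPNBintec - Peer is NAT-T draft-02 capable
5-25: 15:31:55.356 My Connections\VPNBintec - Peer is NAT-T draft-01 capable
5-25: 15:31:55.356 My Connections\VPNBintec - NAT is detected for Client
5-25: 15:31:55.356 My Connections\VPNBintec - Floating to IKE non-500 port
5-25: 15:31:56.408 My Connections\VPNBintec - SENDING>>>> ISAKMP OAK AG *(HASH, NAT-D 2x, NOTIFY:STATUS_INITIAL_CONTACT)
5-25: 15:31:56.408 My Connections\VPNBintec - Established IKE SA
"""
LINE_RE = re.compile(r"^\S+ \S+ My Connections\\(?P<conn>\S+) - (?P<msg>.*)$")
PAYLOAD_RE = re.compile(r"RECEIVED<<< ISAKMP OAK \w+ \*?\((?P<payloads>[^)]*)\)")

def payload_counts(payloads):
    """Turn 'SA, VID 7x, NAT-D 2x' into {'SA': 1, 'VID': 7, 'NAT-D': 2}."""
    counts = {}
    for item in payloads.split(","):
        m = re.match(r"\s*(\S+?)(?:\s+(\d+)x)?\s*$", item)
        if m:
            counts[m.group(1)] = int(m.group(2) or 1)
    return counts

def natt_summary(log_text):
    """Collect the NAT-T indicators the client logged for each connection."""
    result = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        s = result.setdefault(m["conn"], {"nat_d": 0, "drafts": [], "floated": False, "ike_sa": False})
        p = PAYLOAD_RE.search(m["msg"])
        if p:  # only the responder's reply tells us what the peer offers
            s["nat_d"] = payload_counts(p["payloads"]).get("NAT-D", 0)
        s["drafts"] += re.findall(r"Peer is NAT-T (draft-\d+) capable", m["msg"])
        s["floated"] |= "Floating to IKE non-500 port" in m["msg"]
        s["ike_sa"] |= "Established IKE SA" in m["msg"]
    return result

def peer_offers_natt(s):
    # A peer that returns no NAT-D payload and no NAT-T draft line gave the
    # client nothing to run NAT detection against.
    return s["nat_d"] > 0 or bool(s["drafts"])

if __name__ == "__main__":
    for conn, s in natt_summary(SAMPLE_LOG).items():
        print(conn, "NAT-T offered" if peer_offers_natt(s) else "no NAT-T offered", s)
```
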
     
  2. Toxic

    Toxic Administrator Staff Member

    This is fixed in the next version of firmware afaik.

    RV042 Firmware v1.3.7.8 Release Note

    New Features:

    1. Support Paid Custom DNS for dyndns.org. A Custom DNS checkbox is displayed on Setup->DDNS->DynDNS.org page.
    2. Support IPSec NAT Traversal. This feature will allow multiple VPN clients behind a NAT device to establish
    IPSec tunnels with RV042.

    I am trying to get a date of when this will be released.
     
