WRV200 IPSec NAT traversal limitations.

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by Sfor, Jun 13, 2008.

  1. Sfor

    Well, I had an opportunity to make a connection between a NATed WRV200 and another WRV200 and yet another RV042. The NATed WRV200 does have the NAT Traversal function disabled, but the NAT router it is connected through does support IPSec passthrough and it does redirect ports 500 and 4500 to the NATed WRV200. The good side of this setup is that it is possible to construct a VPN tunnel from both the NATed router and the remote one. And the remote WRV200 is able to accept multiple tunnels from other WRV200 routers NATed the same way.

    But here is a different situation. I have a WRV200 on an ADSL line with a dynamic public IP. And there are two other NATed WRV200 routers. Unluckily, the NAT router they are hidden behind does not have the IPSec passthrough function, and does not have ports 500 and 4500 redirected. As a result, I cannot construct a VPN tunnel without turning NAT Traversal on in the WRV200 connected through ADSL. It is possible to turn the NAT Traversal function on in just one tunnel only. So, I cannot construct two tunnels with NATed WRV200 routers at the same time. Another downside is, the NAT traversal function does accept the tunnels with the security group set as the whole local LAN range. So, it is not possible to construct a tunnel for just a subset of the local LAN IP range.

    In other words, I found it impossible to:
    - construct two tunnels from NATed WRV200 devices to one WRV200 with NAT traversal function turned on.
    - construct a tunnel with a security group set to be just a subset of the LAN IP range of a WRV200 with the NAT traversal function turned on.
  2. Sfor

    Well. I sent the question to Linksys support about how to construct two tunnels using the WRV200 NAT traversal function more than a month ago. So far I have received no answer, except for the information that my question was sent to the engineers.

    The temporary workaround is sharing the same IPSec VPN tunnel definition from both NATed locations. But, in order to make a connection, it is necessary to enable a tunnel, and to disable it when it is no longer necessary. Also, both locations are unable to use the tunnel at the same time.

    A good side is that I was able to make the tunnel connect through the NAT, as I failed to do so with RV042. So, WRV200 does have some advantage over RV042 in the NAT traversal, apparently.