IPsec issue between wireless Lan and wire Lan connection.

Discussion in 'Networking Issues' started by fde1410, Aug 17, 2005.

  1. fde1410

    fde1410 Guest

    Here is my initial setting:
    Router is a WRT54G with the Sveasoft Alchemy firmware.
    Wlan connection is connected to a DSL modem and uses PPPoE.
    Lan router IP is

    PC1 (Windows XP system) is connected to the router on Ethernet port 1 and has IP
    PC2 (Windows XP system) is connected to the router via a wireless connection and has IP
    PC3 (Windows XP system) is connected to the router on Ethernet port 2 and has IP

    At this time, the 3 systems are able to ping each other, and shares located on PC2 and PC3 are accessible from PC1.

    I try to deploy IPsec in "Transport mode" on the 3 computers. I create the same policies on the 3 boxes: Data integrity and encryption is required for all traffic from/to This rule does not specify an IPsec tunnel. A pre-shared key is used for authentication.

    At this time, connectivity between PC1 and PC3 is still working, but every connection to PC2 fails. In the PC2 security event log, I see the IKE negotiation occurs but fails. And more important, the source IP is not the IP of PC1 or PC3 but the router LAN IP!!!!

    It seems the router uses NAT between the Ethernet LAN and the wireless LAN, even if the connected PCs are all in the same subnet, and IPsec in transport mode is not usable with NAT !!!

    Could you confirm that NAT is active between these two interfaces? In this case, is it possible to use a command or an alternate firmware to disable the NAT between these 2 interfaces?
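The failure described above has a concrete mechanism: in transport mode, ESP seals the TCP segment but leaves the outer IP header in the clear, so a NAT hop can rewrite the source address (the peer then sees the router's LAN IP, as the IKE log shows), while the TCP checksum inside the ESP payload still covers the original addresses and fails after decryption. The following is an added illustration, not code from the thread or from the firmware; the addresses are constructed sample values standing in for the elided ones.

```python
"""Why transport-mode IPsec cannot survive a NAT hop: the TCP pseudo-header.

RFC 793 computes the TCP checksum over a pseudo-header containing the source and
destination IP addresses. ESP in transport mode encrypts the segment, checksum
included, so a NAT device that rewrites the outer source IP cannot fix it up.
The receiver decrypts, recomputes against the header it actually saw, and drops
the segment. (The IKE peer-identity mismatch seen in the thread is a second,
independent symptom of the same rewritten address.)
"""
import socket
import struct

# Constructed sample addresses (the original post elides the real ones).
ROUTER_LAN = "192.168.1.1"
PC1 = "192.168.1.100"   # wired sender
PC2 = "192.168.1.101"   # wireless receiver


def ones_complement_sum(data: bytes) -> int:
    """Fold 16-bit words into a ones' complement sum (pad odd length with zero)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """RFC 793: pseudo-header (src, dst, zero, protocol 6, TCP length) + segment."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(segment)))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def build_segment(src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    """Minimal 20-byte TCP header (PSH|ACK to port 445) with a valid checksum."""
    header = struct.pack("!HHIIBBHHH", 40000, 445, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def receiver_checksum_ok(outer_src_ip: str, outer_dst_ip: str, segment: bytes) -> bool:
    """What the receiving stack does after ESP decryption: verify against the outer header."""
    stored = struct.unpack("!H", segment[16:18])[0]
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return tcp_checksum(outer_src_ip, outer_dst_ip, zeroed) == stored


def demo() -> tuple:
    """(direct delivery passes, delivery with NAT-rewritten source fails)."""
    seg = build_segment(PC1, PC2, b"SMB request from PC1")
    return receiver_checksum_ok(PC1, PC2, seg), receiver_checksum_ok(ROUTER_LAN, PC2, seg)
```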
  2. 4Access

    4Access Network Guru Member

    On the Administration page try disabling the "Loopback" setting. I bet that will fix your problem.

    Good luck.
  3. jaldaro

    jaldaro Guest

    Thanks a lot.

    With this settings, IPSec is now usable between wired and wireless hosts!!!
  4. trostc

    trostc LI Guru Member

    hey this is an old thread, but i have a question relating to this.
    would this issue also be relevant to a wireless user trying to connect to a remote IPsec VPN? (Cisco w/ Checkpoint Integrity client)
  5. ifican

    ifican Network Guru Member

    What router are you using, and are you running the client on your machine inside your network and trying to connect via VPN back to, say, work?
  6. trostc

    trostc LI Guru Member

    well here's the low-down

    our company has recently upgraded our laptop fleet, now using Cisco, with Checkpoint's Integrity client. all users connecting from home offices, etc. all users that are using a wired connection, whether direct to the ISP modem or through a router, can connect fine. some of our users that use wireless are fine also. however, we have some users trying to use a wireless connection, and they cannot completely get into the system. Cisco connects ok, at least initially, but the Checkpoint client does not receive the 'protected' status.

    I suspect that there is a NAT issue between the wired ports(and wan connection) and the wireless port.

  7. ifican

    ifican Network Guru Member

    Could that be an issue? Yes. However, without more input it's really hard to say. I personally rarely have an issue that I can't figure out; sometimes it's a matter of the device I am using not being able to support what I am trying to do, but that's another thread. Sometimes NATing can be an issue, but most of the time it is when you try to connect two VPNs from behind a PAT device (which will not work until the first one times out). Now back to the question: are you noticing this is happening on particular devices? Does the user that has the problem have the same problem consistently everywhere, or just under certain circumstances? The more info, the better one can hypothesize at an answer.
  8. trostc

    trostc LI Guru Member

    i am looking into seeing if any users with this issue have a router other than a Linksys. i also am wondering if the Windows SID plays a part in this, but so far it does not seem to. also wondering if Cisco/Checkpoint sees duplicate IP addresses from the laptops as a problem, but it doesn't seem to either.
  9. ifican

    ifican Network Guru Member

    Well, from my experience the SID is for local and remote authentication; Cisco does not seem to care, as it builds the client connection dynamically.

    The best questions are which router model and firmware are being used, and are they connecting just the one laptop as a VPN client, or do they have potentially several different machines they use? That's all I can think of at the moment; I have to run out in the field and take care of something real quick. Something else might come to me.
  10. trostc

    trostc LI Guru Member

    so far, it seems that there are WRT54Gs with v5/6 in both categories, i.e. working and not working. there also may be some older firmwares as well.

    these should be the only VPN connection for these people.