Cisco VPN port-forwarding...

Discussion in 'other software & services' started by `mishimasan`, Feb 20, 2005.

Thread Status:
Not open for further replies.
  1. `mishimasan`
    `mishimasan` Registered Member

    Recently, I have installed the Cisco Systems VPN V4.0.4 (Virtual Private Network), and because I am running my system on a router, the connection with my remote University hard-drive cannot be established.

    I have tried enabling the ports for that application in my Netgear router settings page for TCP/UDP communications, but still no joy.

    Would anyone be able to help me solve this problem?

    Sincerely,

    `Mishima San`
  2. Alec
    Alec Registered Member

    IPSec VPNs make use of IP protocol number 50, for Encapsulating Security Payload (ESP), and 51, for Authentication Header (AH). Unfortunately these numbers are not just TCP/UDP port numbers, rather they are at the IP layer below that. For example, TCP itself is IP protocol number 6, UDP is protocol number 17. You will have to see if your router will allow you to define custom services not just based upon TCP/UDP ports, but also by actual IP protocol number as well.
  3. `mishimasan`
    `mishimasan` Registered Member

    I don't think that it does. Basically, I get the regular option of what service name, whether it is using TCP/UDP or both and what start port to finishing port it will use.

    If I cannot enable lower layer application-specific paths... then is the only way to use the VPN client to remove the router totally?

    p.s. here is my router: http://www.netgear.com/products/details/DG834.php (says nothing about ESP and AH VPN technology)

    here is the router I might think about buying: http://www.netgear.com/products/details/FR114P.php (clearly supports VPN)

    Do you have any opinions about the above routers and would you recommend a home router within a reasonable price margin? My preferences are a router that has a lot of functionality, perhaps not made with the best parts, but offers some good firewall protection and also the ability - as stated above - to support the communication with VPNs.
    Last edited: Feb 20, 2005
  4. Alec
    Alec Registered Member

    I'm not sure. Your router may provide a way to put certain workstations sort of in a pseudo-DMZ where it will not block any incoming traffic and will forward all packets to the workstation. But, the problem is I don't know how packet forwarding works in a NAT device when the IP protocol isn't TCP or UDP. Your best bet is to contact the router manufacturer's support personnel directly. They will have confronted this VPN issue before and will be able to provide the definitive answer for their equipment. It may be that they have a firmware upgrade or something that will allow it, even if their basic device does not. I would be surprised if there wasn't some way to get this to work, since I would have thought all recent devices would have VPN pass-through support as a checklist item.
  5. `mishimasan`
    `mishimasan` Registered Member

    Thanks a lot for your help Alec. Could I ask one favour of you please - I edited my last post that you replied to, after you replied to it. In the edition I have put forward some questions. Please could you offer your opinions?

    Much appreciated.
  6. Alec
    Alec Registered Member

    I found this Netgear document comparing VPN support in their routers, which may be of some help. I had forgotten about things like L2TP and PPTP tunnels, which may or may not be relevant at all in your case. They probably are not, but you never know until you ask. The other thing about that document which is a little confusing is that they show port 500 by IPSec. I had also forgotten about that: IPSec VPNs make use of a key negotiation protocol called ISAKMP which does require UDP port 500 open... but you still have to have IP protocol 50 and 51 support built in to truly support IPSec (which Netgear seems to gloss over if you ask me).

    This How To: Getting VPN to work through NAT firewalls document might explain it a bit better. Here is some of the most relevant info:
    As far as product recommendations go, I would have to agree with what they wrote and just make sure you can get your money back if the device doesn't work in your particular situation. However, that Netgear FR114P router that you show does seem like it would work. Netgear products are generally pretty good, so that might be a decent choice.
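
Added example, not part of the original thread: a small Python sketch of why a router rule that can only name TCP/UDP and a port range matches the ISAKMP exchange on UDP 500 but can never match ESP (protocol 50) or AH (protocol 51). The packets are constructed samples using documentation address ranges, and the rule format and function names are hypothetical.

```python
import socket
import struct

# IANA IP protocol numbers named in the thread.
PROTO_NAMES = {6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}

def ipv4(proto, payload, src="192.0.2.10", dst="198.51.100.7"):
    """Build a minimal IPv4 packet (constructed sample; checksum left at 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload

def classify(packet):
    """Return (protocol name, destination port or None) for a raw IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4           # header length in bytes
    proto = packet[9]                      # IP protocol number field
    name = PROTO_NAMES.get(proto, "proto-%d" % proto)
    if proto in (6, 17):                   # only TCP and UDP carry port numbers
        (dport,) = struct.unpack("!H", packet[ihl + 2:ihl + 4])
        return name, dport
    return name, None                      # ESP/AH start with an SPI, not ports

def port_forward_matches(rule, packet):
    """Hypothetical port-forward rule: protocol set plus a start/end port range."""
    name, dport = classify(packet)
    return (name in rule["protos"] and dport is not None
            and rule["start"] <= dport <= rule["end"])

# Constructed sample traffic for one IPsec session.
ISAKMP = ipv4(17, struct.pack("!HHHH", 500, 500, 8 + 28, 0) + bytes(28))
ESP = ipv4(50, struct.pack("!II", 0x1234ABCD, 1) + bytes(32))
AH = ipv4(51, struct.pack("!BBHII", 4, 4, 0, 0x1234ABCD, 1) + bytes(12))

# The only kind of rule the router UI described in the thread can express.
RULE = {"protos": {"TCP", "UDP"}, "start": 500, "end": 500}

def evaluate():
    """Return {label: (classification, rule matched?)} for the sample packets."""
    samples = {"ISAKMP": ISAKMP, "ESP": ESP, "AH": AH}
    return {k: (classify(p), port_forward_matches(RULE, p))
            for k, p in samples.items()}

if __name__ == "__main__":
    for label, result in evaluate().items():
        print(label, result)
```

Key negotiation gets through such a rule while the tunnel traffic itself does not, which is the symptom described at the top of the thread.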
  7. `mishimasan`
    `mishimasan` Registered Member

    Thank you very, very much. You've been extremely helpful. If I have any more networking problems, I think I know who to contact...

    Sincerely,

    `Mishima San`