VPN past RVS4000 ?

s_t_allan
Level 1

How do I connect to a VPN server behind an RVS4000?

Situation: I have two routers with static IPs on the WAN side; one is an RVS4000 (V1.3.0.5) that I want to use to access the VPN server.

LAN side of the routers: 192.168.0.1 on the gateway (DHCP server) and 192.168.0.2 on the RVS4000; the VPN server is 192.168.0.8.

As currently set up I can connect with the QuickVPN client to the RVS4000, but cannot ping the LAN from external XP Pro SP3 clients.

Any assistance appreciated.

4 Replies

Alejandro Gallego
Cisco Employee

s_t_allan@hotmail.com wrote:

How do I connect to a VPN server behind an RVS4000?

Situation: I have two routers with static IPs on the WAN side; one is an RVS4000 (V1.3.0.5) that I want to use to access the VPN server.

LAN side of the routers: 192.168.0.1 on the gateway (DHCP server) and 192.168.0.2 on the RVS4000; the VPN server is 192.168.0.8.

As currently set up I can connect with the QuickVPN client to the RVS4000, but cannot ping the LAN from external XP Pro SP3 clients.

Any assistance appreciated.

Are you saying that you have two routers connecting to the cloud, each with a public IP, but both serving one LAN (192.168.0.0)?

Are you trying to connect to a Windows PPTP VPN server?

The main problem I see with what you have is that your clients are using the other router as the gateway. Since it (the other router) is serving DHCP and DNS (I would assume), the RVS never has a chance to learn who is attached to it, which is the reason you can't ping anything when connected via QVPN. More accurately, it is not that you can't ping anything; it is that your echoes are heading out the gateway. I would also guess that you may be connecting with a public IP when you connect using QVPN.

If you just want to access the server behind the RVS you will need to port-forward some ports:

PPTP: 1723 TCP, and make sure VPN passthrough is enabled; that allows Protocol 47 (GRE) to pass. Sometimes tricky.

L2TP: 1701 TCP, sometimes 500 UDP as well.

IPSEC: 500 UDP and 4500 UDP, and Protocol 50 (ESP). Note that this is a protocol, not a port. But as with PPTP, enabling VPN passthrough should be enough for this router.
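The routing point in the reply above (replies from the LAN leave through the DHCP router instead of going back into the RVS4000 tunnel) can be shown with a small model of the VPN server's routing table. This is an added example, not code from the thread or from Cisco. It uses the addresses from the original post and assumes two things the page does not state: that the QuickVPN client is reached at its public address (shown here as 203.0.113.25, a documentation address) and that the server's default gateway is 192.168.0.1, like the rest of the LAN. The `windows_route_cmd` helper assumes a Windows server; the thread never says what OS the VPN server runs.

```python
"""Where the VPN server's echo replies go, before and after a static route.

Added example, not from the thread. It models the routing decision on the
VPN server 192.168.0.8 with a longest-prefix-match table built from the
addresses in the original post. Assumed (not stated on the page): the
QuickVPN client is reached at its public IP, shown here as 203.0.113.25
(a documentation address), and the server's default gateway is the DHCP
router 192.168.0.1, as the post implies for the rest of the LAN.
"""
import ipaddress

RVS4000 = "192.168.0.2"
DHCP_GATEWAY = "192.168.0.1"
QVPN_CLIENT = "203.0.113.25"     # assumed public address of the remote client

# Routing table of 192.168.0.8: (prefix, next hop); next hop None = on-link.
SERVER_ROUTES = [
    ("192.168.0.0/24", None),
    ("0.0.0.0/0", DHCP_GATEWAY),
]


def next_hop(routes, dst):
    """Longest-prefix match. Returns the next-hop address, or None if on-link."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


def reply_gateway(routes=SERVER_ROUTES, client=QVPN_CLIENT):
    """Router that receives the server's echo reply addressed to the client."""
    return next_hop(routes, client)


def with_client_route(routes=SERVER_ROUTES, client=QVPN_CLIENT, via=RVS4000):
    """Same table plus a /32 host route that sends the client via the RVS4000."""
    return routes + [(f"{client}/32", via)]


def windows_route_cmd(client=QVPN_CLIENT, via=RVS4000):
    """Persistent host route in Windows 'route' syntax (assumed server OS)."""
    return f"route -p add {client} mask 255.255.255.255 {via}"


if __name__ == "__main__":
    print("reply leaves via", reply_gateway())                    # 192.168.0.1: the wrong router
    print("with host route", reply_gateway(with_client_route()))  # 192.168.0.2: back into the tunnel
    print(windows_route_cmd())
```

With the default table the reply to the client is handed to 192.168.0.1 and leaves through the other WAN link outside the tunnel, which is why the echo request arrives but no reply ever comes back. A host route for the client (or making the RVS4000 the LAN default gateway) sends the reply to 192.168.0.2, where the IPsec tunnel terminates.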

Alejandro Gallego wrote:

If you just want to access the server behind the RVS you will need to port-forward some ports:

PPTP: 1723 TCP, and make sure VPN passthrough is enabled; that allows Protocol 47 (GRE) to pass. Sometimes tricky.

L2TP: 1701 TCP, sometimes 500 UDP as well.

IPSEC: 500 UDP and 4500 UDP, and Protocol 50 (ESP). Note that this is a protocol, not a port. But as with PPTP, enabling VPN passthrough should be enough for this router.

1. L2TP uses UDP port 1701, not TCP.

2. L2TP is not used alone for VPN. The general use in VPN clients like the one in Windows is L2TP over IPSec. L2TP does not provide encryption. The L2TP server should never be made accessible from the internet. You should never forward port 1701 to your VPN/L2TP server. You have to forward IPSec to the VPN server, i.e. UDP port 500 for ISAKMP and TCP/UDP port 4500 for NAT traversal of IPSec/ESP. All the router will ever see is IPSec traffic. The L2TP traffic is supposed to be tunneled and protected by IPSec.

Gerald, thank you for the correction on port 1701. I did not pay attention as I wrote the post, and I hope it did not cause any confusion or problems.

One thing to note is that my post was meant to list the ports needed for the different VPN applications. Also, NAT-T is a UDP port, and TCP does not need to be specified. It is good to know that 1701 does not need to be forwarded, but in most consumer and Small Business routers, not doing so will not allow the tunnel to connect.

Again, thank you for the correction, and I hope we were able to get the original poster up and running.

1. Cisco VPNs allow you to tunnel IPSec over arbitrary TCP ports. Some people use TCP 4500 for that.

2. Through which routers do you have to forward UDP port 1701 to get an L2TP over IPSec connection? I don't know of any. Again: for standard L2TP over IPSec VPN connections, the router will never see any traffic on UDP 1701. If it does, there is a serious problem. Standard L2TP on UDP 1701 is not secured. It is not encrypted. All a transit router will ever see is the IPSec traffic, but not what is inside. Forwarding UDP 1701 can be a serious risk if the L2TP server will accept connections that are not protected by IPSec. You will have a "VPN connection" with no encryption and no protection. For example, read this.
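The two replies above make one security point between them: a NAT router in front of an L2TP/IPsec server should forward UDP 500, UDP 4500 and IP protocol 50, and should never forward 1701, because any L2TP that the router can see on UDP 1701 is by definition not inside IPsec. The following is an added example, not code from the thread or from Cisco, that turns that into two checks: a validator for a proposed forwarding set, and a classifier that parses the RFC 2661 L2TPv2 header so that cleartext L2TP control or data messages on UDP 1701 are flagged. The packets are constructed by hand for the example; no capture is involved, and the `Packet` shape is an assumption of this code, not anything the RVS4000 exposes.

```python
"""Audit port-forwarding rules and WAN-side packets for an L2TP/IPsec server.

Added example, not code from the thread or from Cisco. Two checks:
  1. validate_forward_rules(): does a NAT router's forwarding set carry
     IPsec (UDP 500, UDP 4500, IP protocol 50) and nothing on 1701?
  2. classify(): given a packet arriving on the WAN side, is it IPsec, or
     bare L2TP on UDP 1701, which means the tunnel is running unencrypted?
All packets below are constructed by hand (no capture is involved).
"""
import struct
from dataclasses import dataclass
from typing import Optional

UDP, ESP = 17, 50
IKE_PORTS = {500, 4500}        # ISAKMP/IKE and NAT-T (UDP-encapsulated ESP)
L2TP_PORT = 1701

# What a NAT router must pass to an L2TP/IPsec server. UDP 1701 is absent on
# purpose: L2TP should only ever arrive inside ESP or NAT-T, never in the clear.
REQUIRED_FORWARDS = {("udp", 500), ("udp", 4500), ("esp", None)}


def validate_forward_rules(rules):
    """rules: iterable of (proto, port) tuples. Returns (ok, list_of_problems)."""
    rules = set(rules)
    problems = []
    for proto, port in sorted(REQUIRED_FORWARDS - rules, key=str):
        problems.append(f"missing forward: {proto} {port if port else ''}".rstrip())
    for proto, port in sorted(rules, key=str):
        if port == L2TP_PORT:
            problems.append(f"{proto} 1701 forwarded: exposes bare (unencrypted) L2TP")
    return (not problems, problems)


@dataclass
class Packet:
    proto: int              # IP protocol number
    dport: Optional[int]    # UDP destination port; None for ESP
    payload: bytes          # transport payload (UDP data, or ESP body)


def parse_l2tp_header(data):
    """Decode an RFC 2661 L2TPv2 header; return a dict, or None if it is not L2TP."""
    if len(data) < 6:
        return None
    flags = struct.unpack("!H", data[:2])[0]
    if flags & 0x000F != 2:                # Ver field must be 2 for L2TPv2
        return None
    is_control = bool(flags & 0x8000)      # T bit: control vs. data message
    off = 2
    length = None
    if flags & 0x4000:                     # L bit: 16-bit Length field present
        length = struct.unpack("!H", data[off:off + 2])[0]
        off += 2
    if len(data) < off + 4:
        return None
    tunnel_id, session_id = struct.unpack("!HH", data[off:off + 4])
    return {"control": is_control, "length": length,
            "tunnel_id": tunnel_id, "session_id": session_id}


def classify(pkt):
    """Label one WAN-side packet from the router's point of view."""
    if pkt.proto == ESP:
        return "ipsec-esp"
    if pkt.proto == UDP and pkt.dport in IKE_PORTS:
        return "ipsec-ike-or-nat-t"       # contents are opaque to the router
    if pkt.proto == UDP and pkt.dport == L2TP_PORT:
        hdr = parse_l2tp_header(pkt.payload)
        if hdr is not None:
            kind = "control" if hdr["control"] else "data"
            return f"ALERT: cleartext L2TP {kind} message on UDP 1701"
    return "other"


def audit(packets):
    """Return only the alerts, i.e. packets that prove L2TP is not inside IPsec."""
    return [label for label in map(classify, packets) if label.startswith("ALERT")]


# Constructed samples. SCCRQ is the first L2TP control message a client sends:
# flags 0xC802 = T|L|S bits + version 2, then Length, Tunnel/Session IDs, Ns, Nr,
# followed by one AVP (Message Type = 1, SCCRQ).
PKT_SCCRQ = Packet(UDP, 1701,
                   struct.pack("!HHHHHH", 0xC802, 20, 0, 0, 0, 0)
                   + struct.pack("!HHHH", 0x8008, 0, 0, 1))
# Bare L2TP data message (flags 0x0002, tunnel 5, session 7) carrying PPP bytes.
PKT_L2TP_DATA = Packet(UDP, 1701, struct.pack("!HHH", 0x0002, 5, 7) + b"\xff\x03\x00\x21")
PKT_IKE = Packet(UDP, 500, b"\x00" * 28)            # IKE-header-sized placeholder
PKT_ESP = Packet(ESP, None, b"\xde\xad" * 16)       # ESP: opaque ciphertext
PKT_NOT_L2TP = Packet(UDP, 1701, b"\x00" * 8)       # Ver field 0: not L2TP

THREAD_INITIAL_RULES = {("tcp", 1701), ("udp", 500)}   # the first reply's L2TP line
CORRECT_RULES = {("udp", 500), ("udp", 4500), ("esp", None)}

if __name__ == "__main__":
    print(validate_forward_rules(THREAD_INITIAL_RULES))
    print(validate_forward_rules(CORRECT_RULES))
    for p in (PKT_SCCRQ, PKT_L2TP_DATA, PKT_IKE, PKT_ESP, PKT_NOT_L2TP):
        print(classify(p))
```

The validator rejects the first reply's "1701 TCP, sometimes 500 UDP" set on two counts (4500 and ESP missing, 1701 exposed) and accepts the corrected set. The classifier only reports an alert when the UDP 1701 payload actually parses as L2TPv2; anything the router sees on 500, 4500 or protocol 50 is labelled IPsec without further inspection, because that is all a transit router can legitimately know about it.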