Cisco Support Community
Linksys BEFSR41

Can anyone explain this? I have a 3725 router (IOS 12.3) acting as a VPN server, with remote users running VPN Client 4.0 connecting in with no problem (all have their PCs directly connected to their DSL modems and have transparent tunneling enabled in VPN Client 4.0). I am now trying to set up a client who wants to share their DSL link between a home PC and a laptop that they occasionally use to connect to our network using VPN Client 4.0.

I first set it up with all the default settings on the Linksys (which has IPsec passthrough enabled) and on the VPN client with transparent tunneling enabled, and it worked fine. Then, after a day, it suddenly stopped working and I couldn't get it to work again. I tried everything on the Linksys site, such as port forwarding port 500 and port 10000 etc., to no avail. Then, just by chance, I disabled transparent tunneling on the client and it worked. I then tried disabling port forwarding and disabling IPsec passthrough on the Linksys and it still worked; it seems to work with transparent tunneling disabled regardless of any setting on the Linksys. I'm not that familiar with NAT-T etc., which I understood was auto-detected by the client and router, but this doesn't make sense: I thought the client required transparent tunneling to get past a NAT device, which the Linksys router is.

Can anyone shed some light on this? It has me baffled!

TIA

Mike

Accepted Solution
Cisco Employee

Re: Linksys BEFSR41

The Transparent Tunnelling feature on the client won't actually be doing anything when you connect to a router. This feature allows the VPN client to encapsulate all the IPSec packets into either UDP or TCP packets so that, as you said, they'll be able to go through a PAT device. This feature only works when connecting to a VPN concentrator and also has to be enabled on the concentrator. The default TCP/UDP port this feature uses is 10000.

This feature was in the VPN 3000 product before the introduction of NAT-T, the IETF standard way of doing IPSec encapsulation. NAT-T basically does the same thing as the Transparent Tunnelling feature; however, there is no configuration required in the client or in the router for this to work. The big benefit of NAT-T is that the endpoints automatically detect whether there's a NAT device in between them during tunnel negotiation and, if so, they encapsulate everything in UDP port 4500 packets.

So the client and the router are doing NAT-T automatically; that's why they're working through the Linksys. The Transparent Tunnelling option on the client is for the older, Cisco-proprietary version of IPSec encapsulation, which doesn't work (but also doesn't matter if it's enabled) when connecting to a router.
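The following is an added worked example, not code from the thread or from Cisco. It shows the two mechanisms the answer contrasts: the RFC 3947 NAT-D check that lets IKE peers discover a NAT/PAT device in the path during negotiation, and how the resulting UDP 4500 NAT-T traffic (RFC 3948) can be told apart on the wire from the older Cisco IPsec-over-UDP ("Transparent Tunneling") traffic on port 10000. The IKE cookies, IP addresses (documentation ranges) and datagrams are constructed for the demo; SHA-1 as the negotiated IKE hash is an assumption, and the port-10000 traffic is identified by port only, since its payload format is not described on this page.

```python
"""NAT detection in IKE (RFC 3947 NAT-D) and classification of NAT-T vs Cisco UDP encapsulation.
Constructed sample data; not code from the original thread."""
import hashlib
import socket
import struct
from dataclasses import dataclass

IKE_PORT = 500                # ISAKMP/IKE before NAT detection
NAT_T_PORT = 4500             # RFC 3947/3948: IKE and UDP-encapsulated ESP once a NAT is detected
CISCO_UDP_ENCAP_PORT = 10000  # default port of the older Cisco "IPsec over UDP" (Transparent Tunneling)


@dataclass
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload body per RFC 3947 sec. 3.2: HASH(CKY-I | CKY-R | IP | Port).
    The hash is the one negotiated for the IKE SA; SHA-1 is assumed here."""
    return hashlib.sha1(cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)).digest()


def nat_detected(cky_i: bytes, cky_r: bytes, peer_nat_d: bytes,
                 observed_ip: str, observed_port: int) -> bool:
    """Receiver side: recompute the hash over the source IP/port the packet actually
    arrived with. A mismatch with the hash the peer sent means the header was rewritten
    in transit, i.e. a NAT/PAT device sits between the peers."""
    return nat_d_hash(cky_i, cky_r, observed_ip, observed_port) != peer_nat_d


def classify(pkt: UdpPacket) -> str:
    """Tell the encapsulations apart from the UDP port and the first payload bytes."""
    ports = (pkt.src_port, pkt.dst_port)
    if IKE_PORT in ports:
        return "IKE on UDP 500 (negotiation, or no NAT detected)"
    if NAT_T_PORT in ports:
        if pkt.payload == b"\xff":
            return "NAT-T keepalive (RFC 3948 sec. 2.3)"
        if len(pkt.payload) < 4:
            return "NAT-T: malformed (payload shorter than 4 bytes)"
        marker = pkt.payload[:4]
        if marker == b"\x00\x00\x00\x00":  # non-ESP marker: an IKE message, not ESP
            return "NAT-T: IKE with non-ESP marker on UDP 4500"
        spi = struct.unpack("!I", marker)[0]  # ESP header starts with the (non-zero) SPI
        return f"NAT-T: UDP-encapsulated ESP, SPI 0x{spi:08x}"
    if CISCO_UDP_ENCAP_PORT in ports:
        return "Cisco IPsec-over-UDP (Transparent Tunneling) on UDP 10000"
    return "not IKE/IPsec"


def demo() -> dict:
    # Constructed IKE cookies; real cookies are 8 random bytes chosen by each peer.
    cky_i = bytes.fromhex("0102030405060708")
    cky_r = bytes.fromhex("a1a2a3a4a5a6a7a8")

    # Case 1: client behind the Linksys. It hashes its own private address/port, but the
    # router receives the packet from the Linksys's public address with a PAT-rewritten port.
    natted_client_hash = nat_d_hash(cky_i, cky_r, "192.168.1.100", 500)
    behind_nat = nat_detected(cky_i, cky_r, natted_client_hash, "203.0.113.5", 1025)

    # Case 2: client plugged straight into its DSL modem; address and port survive unchanged.
    direct_client_hash = nat_d_hash(cky_i, cky_r, "198.51.100.7", 500)
    direct = nat_detected(cky_i, cky_r, direct_client_hash, "198.51.100.7", 500)

    # Constructed datagrams as they would appear on the router's outside interface.
    esp_body = struct.pack("!II", 0x0C3A7F10, 1) + b"\xde\xad\xbe\xef"  # SPI, seq, ciphertext stub
    ike_4500 = UdpPacket("203.0.113.5", 4500, "192.0.2.1", 4500,
                         b"\x00\x00\x00\x00" + cky_i + cky_r + b"\x08\x10\x02\x00")
    esp_4500 = UdpPacket("203.0.113.5", 4500, "192.0.2.1", 4500, esp_body)
    keepalive = UdpPacket("203.0.113.5", 4500, "192.0.2.1", 4500, b"\xff")
    cisco_10000 = UdpPacket("203.0.113.5", 10000, "192.0.2.1", 10000, esp_body)

    return {
        "behind_nat": behind_nat,
        "direct": direct,
        "ike_4500": classify(ike_4500),
        "esp_4500": classify(esp_4500),
        "keepalive": classify(keepalive),
        "cisco_10000": classify(cisco_10000),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12} {result}")
```

Reading a capture on the router's outside interface with this in mind answers the original question directly: a working tunnel through the Linksys shows IKE starting on UDP 500 and then moving, together with the ESP traffic, to UDP 4500, with nothing ever sent to port 10000, so neither the client's Transparent Tunneling setting nor the Linksys's IPsec passthrough and port-forwarding settings take part.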
