Important Notes on "Home Networks" Section of Website:
General Setup Guidelines for IPSec VPN

Overview

Setting up an IPSec VPN can be tricky because there are three variables: the corporate VPN server, the PC client software, and the router. The router makes setup difficult because of NAT, but in general all you need to do is forward port 500 to your PC running the VPN client software. However, this assumes the corporate VPN server supports NAT routers. If the corporate VPN server is not configured for NAT routers, you can connect without the router but not with it. In particular, Check Point's FW-1 server will require configuration by IT, so I've added notes in this document to point out trouble areas. I've seen positive remarks about easy setups with Cisco and Nortel VPN clients, so either the corporate VPN server supports NAT routers "out of the box" or they were configured that way by IT.

Background Information

The first thing to understand is that IPSec has four different protocols for encrypted communications. You'll want "ESP TUNNEL" if the goal is to operate over NAT (either your router, or your ISP doing NAT on your IP). Note that both the corporate VPN server and the PC client must be configured this way; for example, Check Point's FW-1 server may not be set up for this mode, so you'll need IT to make the appropriate changes on their side. The router must support pass-thru of IPSec ESP tunnels (IP protocol #50); the latest firmware from Netgear and ZyXEL does a great job supporting IPSec pass-thru without any special configuration settings.

Next, it helps to know that keys are typically negotiated automatically using IKE. There are other protocols, but this is the most common. IKE uses UDP port 500, so you should forward this port in your router. If you do port forwarding, save yourself the headaches and put the PC on a static IP (rather than using the router's DHCP server). Note again that many Check Point FW-1 installations are initially configured for FWZ, which will not work through the router, so get IT to support IKE on the FW-1 server.
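As an added illustration (not code from the original page), the following Python script shows the two kinds of traffic the NAT router has to handle for the setup described above, plus the one it cannot handle. It builds a few constructed IPv4 packets and classifies them by the IP protocol number and UDP port: ESP (IP protocol 50) must be passed through, IKE (UDP port 500) must be forwarded to the VPN client PC, and AH cannot survive NAT at all. The function names (`build_ipv4`, `build_udp`, `classify_ipsec_packet`, `demo`) and the sample addresses are mine.

```python
import struct
import ipaddress

# IP protocol numbers and the IKE port referred to in the text
PROTO_UDP = 17
PROTO_ESP = 50   # ESP tunnel traffic the router must pass through
PROTO_AH = 51    # AH, which the text says not to use behind NAT
IKE_PORT = 500   # IKE key negotiation, forwarded to the VPN client PC


def build_ipv4(src, dst, proto, payload=b""):
    """Build a minimal 20-byte IPv4 header plus payload.

    Constructed test data only: the header checksum is left at zero.
    """
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                 # version 4, IHL 5 (no options)
        0,                    # DSCP / ECN
        20 + len(payload),    # total length
        0x1234,               # identification (arbitrary)
        0,                    # flags / fragment offset
        64,                   # TTL
        proto,                # protocol number
        0,                    # header checksum (not computed here)
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    return header + payload


def build_udp(sport, dport, payload=b""):
    """Build a UDP header (checksum zero) plus payload; constructed data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify_ipsec_packet(packet):
    """Return (kind, what_the_nat_router_must_do) for one IPv4 packet."""
    if len(packet) < 20:
        return ("truncated", "drop")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20:
        return ("not-ipv4", "ignore")
    proto = packet[9]
    if proto == PROTO_ESP:
        return ("esp", "pass through IP protocol 50 unchanged")
    if proto == PROTO_AH:
        # AH's integrity check covers the IP addresses that NAT rewrites,
        # so the receiver rejects the packet; this is why the text insists
        # on ESP tunnel mode rather than AH.
        return ("ah", "cannot work through NAT")
    if proto == PROTO_UDP and len(packet) >= ihl + 8:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if IKE_PORT in (sport, dport):
            return ("ike", "forward UDP port 500 to the VPN client PC")
    return ("other", "ordinary NAT handling")


def demo():
    """Classify a handful of constructed packets; returns the kind labels."""
    home, corp = "192.168.2.10", "203.0.113.5"   # constructed addresses
    samples = [
        build_ipv4(home, corp, PROTO_ESP, b"\x00" * 16),
        build_ipv4(home, corp, PROTO_UDP, build_udp(IKE_PORT, IKE_PORT)),
        build_ipv4(home, corp, PROTO_AH, b"\x00" * 24),
        build_ipv4(home, corp, PROTO_UDP, build_udp(40000, 53)),
    ]
    results = [classify_ipsec_packet(p) for p in samples]
    for kind, action in results:
        print(f"{kind:10s} -> {action}")
    return [kind for kind, _ in results]


if __name__ == "__main__":
    demo()
```

The classifier cannot tell ESP tunnel mode from ESP transport mode (that difference is inside the encrypted payload), so the "ESP TUNNEL" requirement still has to be checked in the client and server configuration rather than on the wire.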
There are three basic setup configurations to consider with IPSec. To reduce potential problems, I recommend getting IPSec working with the direct Modem-PC configuration before trying it behind a NAT router. Here are the three setup cases:

Case 1: Modem-PC (no NAT router). This is generally the easiest setup, and you should do this before attempting setup behind a NAT router. The reason is that your PC has a public IP address (no routing or subnet issues), and there are no issues with IPSec client/server support of NAT. To be safe you'll want to use a software firewall on the PC. Exception 1: a dynamic IP address may cause problems with the corporate firewall and IPSec server (if so, IT must configure the server/firewall). Exception 2: your ISP does NAT on your address, so your setup is really NAT based (see Modem-NATrouter-PC).

Case 2: Modem-NATrouter-PC. First, your NAT router must support pass-thru of the IPSec protocol (IP protocol #50), and be able to forward UDP port 500 to the PC. The actual setup can be more difficult for a variety of reasons. See the checklist below for help.

Case 3: Modem-Router-PC (no NAT, all public IPs behind router). This is unusual for home setups, because most of us just get a single dynamic IP address. You're lucky if you have this, because there are no issues with routing, subnets, or NAT support in the server/client software. Tell IT what public IP you have and you're in business (fingers crossed).

My biggest problem with IPSec behind a NAT router was getting the attention of the IT department at work.

Checklist for NAT-based configuration of IPSec

1. Key negotiation. This is either manual or automatic. IKE is an automatic key negotiation, and it uses UDP port 500. The safest configuration for the RT314 is to set up port forwarding on menu 15 (port 500 and the IP address of the LAN PC). But see item #2 below: I was able to set up the RT314 without port forwarding.

2. Re-negotiation of keys. I've seen some posts that IT configured the server to renegotiate keys every hour (reason: extra security). This causes two problems: it requires the NAT router to forward UDP port 500 (NAT sees an unrequested UDP packet), and it interrupts any ongoing transfer (kills that big file upload/download between home and corporate servers). In my case re-negotiation was set for 8 hours, and I was never online that long, so no port forwarding was required and no transfers were interrupted.

3. Encrypted tunnel. Both client and server MUST use "ESP TUNNEL" and NOT ESP transport, AH transport or AH tunneling. The Netgear RT314 supports ESP Tunnel pass-thru (IP protocol #50) without any special configuration. However, this may require some configuration of client and server, depending on the version number of the client and server software. And of course both client and server must use the same encryption algorithm (e.g. DES, 3DES, etc.).

4. NAT support. The IPSec client (on your PC) and server (IT) MUST be configured to work with NAT. Some IPSec servers support several different NAT modes; the RT314 uses "many to one" NAT. Configuring for NAT operation may involve special options on both ends, or be as simple as setting an option on the client. Note that not all servers and clients support NAT, and some that claim no support actually work!

5. LAN subnets. The home LAN and corporate LAN MUST have different subnets (assuming the corporate LAN uses private IP subnet addresses). If not, you can send packets to the corporate LAN but they'll never get routed back home. The corporate LAN I connected with used two subnets, 192.168.0.x and 192.168.1.x, so I changed the subnet in my home router/PCs to 192.168.2.x.

6. Routing. Some IPSec servers (e.g. Check Point FW-1) will require configuring routing rules or options to route packets back to your home LAN.

Other Resources

Resolving issues due to Cisco VPN "Split Tunneling" feature:

My original post (May 17, 2001) on this topic:
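Returning to checklist item 5 (overlapping home and corporate subnets), here is an added Python example, not code from the original page, that automates the check: it reports which corporate subnets collide with the home LAN and, if there is a collision, picks a replacement private subnet the way the text did by hand (192.168.0.x and 192.168.1.x at work, so 192.168.2.x at home). It generalizes beyond the page's case to any RFC 1918 range and any prefix length. The function names `find_conflicts` and `suggest_home_subnet` and the sample subnets are mine.

```python
import ipaddress

# RFC 1918 private ranges, the address space a home LAN and a corporate
# LAN can both draw from and therefore collide in.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def find_conflicts(home_lan, corporate_lans):
    """Return the corporate subnets (as strings) that overlap the home LAN.

    Any overlap is checklist item 5's failure: the corporate side sees the
    home addresses as local, so replies are never routed back through the
    tunnel. A corporate LAN on public addresses cannot overlap a private
    home LAN, which is the assumption the text makes.
    """
    home = ipaddress.ip_network(home_lan, strict=False)
    corp = (ipaddress.ip_network(c, strict=False) for c in corporate_lans)
    return [str(net) for net in corp if home.overlaps(net)]


def suggest_home_subnet(current_home, corporate_lans, prefixlen=24):
    """Pick a private subnet of size /prefixlen overlapping no corporate subnet.

    Candidates from the private range that already contains the current home
    LAN are tried first, so a 192.168.x.x home stays in 192.168.x.x where
    possible (matching the 192.168.2.x choice in the text). Returns None if
    every candidate collides.
    """
    home = ipaddress.ip_network(current_home, strict=False)
    corp = [ipaddress.ip_network(c, strict=False) for c in corporate_lans]
    # False sorts before True, so the range containing `home` comes first.
    ranges = sorted(PRIVATE_RANGES, key=lambda r: not home.subnet_of(r))
    for rng in ranges:
        if rng.prefixlen > prefixlen:
            continue  # range is smaller than the requested subnet size
        for candidate in rng.subnets(new_prefix=prefixlen):
            if not any(candidate.overlaps(n) for n in corp):
                return str(candidate)
    return None


def report(current_home, corporate_lans):
    """Print and return (conflicts, suggestion) for a home/corporate pair."""
    conflicts = find_conflicts(current_home, corporate_lans)
    suggestion = suggest_home_subnet(current_home, corporate_lans) if conflicts else None
    if conflicts:
        print(f"home {current_home} collides with {', '.join(conflicts)}; "
              f"move home LAN to {suggestion}")
    else:
        print(f"home {current_home} does not overlap the corporate LAN")
    return conflicts, suggestion


if __name__ == "__main__":
    # Constructed sample: the subnets from the text.
    report("192.168.0.0/24", ["192.168.0.0/24", "192.168.1.0/24"])
```

Run it with the subnets IT gives you for the corporate side; if it prints a suggestion, change the router's LAN address and DHCP range to that subnet before trying the tunnel again.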