Connecting to VPN Router That's Behind Another Router

on 30.01.2008 02:06:20 by jeff

Hi Folks,

Hope someone can help me with this:

Setup is this:

- An Actiontec (from Verizon FiOS) broadband wireless router, dynamic
WAN IP, LAN IP 192.168.0.1. DHCP and wireless are enabled with minimal
security. This is so guests can connect to the internet but not to
the main LAN (see below); they're outside the firewall.

- A Netgear fvs114 is connected via ethernet to the Actiontec, it has
a WAN address of 192.168.0.2 and a LAN address of 192.168.1.1, so
its "WAN" is just the Actiontec router's LAN, firewall enabled.

I'm trying to get VPN working on the netgear. My setup on it seems ok
since I can successfully establish a tunnel from the 192.168.0.x
network into the 192.168.1.x network. But when I try from the internet
(using dynamic DNS and yes I do see the Actiontec from the outside)
I'm not getting a Phase 1 response. On the Actiontec, I have ports
1701, 500 forwarded to the Netgear as well as GRE.

I'm obviously missing something; any help would be appreciated. Also,
if there's any other info that I should post about my setup (models,
firmware, etc), let me know and I'll follow up.

Thanks much,

Jeff

Re: Connecting to VPN Router That's Behind Another Router

on 30.01.2008 17:24:08 by Mak

Jeff wrote:
> Hi Folks,
>
> Hope someone can help me with this:
>
> Setup is this:
>
> - An Actiontec (from Verizon FiOS) broadband wireless router, dynamic
> WAN IP, LAN IP 192.168.0.1. DHCP and wireless are enabled with minimal
> security. This is so guests can connect to the internet but not to
> the main LAN (see below); they're outside the firewall.
>
> - A Netgear fvs114 is connected via ethernet to the Actiontec, it has
> a WAN address of 192.168.0.2 and a LAN address of 192.168.1.1, so
> its "WAN" is just the Actiontec router's LAN, firewall enabled.
>
> I'm trying to get VPN working on the netgear. My setup on it seems ok
> since I can successfully establish a tunnel from the 192.168.0.x
> network into the 192.168.1.x network. But when I try from the internet
> (using dynamic DNS and yes I do see the Actiontec from the outside)
> I'm not getting a Phase 1 response. On the Actiontec, I have ports
> 1701, 500 forwarded to the Netgear as well as GRE.

Sounds like a NAT issue, try giving 192.168.0.2 an official IP address on the Actiontec and do NAT in both directions.

So your endpoint of the tunnel (seen from the outside) is not the Actiontec public address, but a second public address.

M

Re: Connecting to VPN Router That's Behind Another Router

on 30.01.2008 20:24:23 by Burkhard Ott

On Wed, 30 Jan 2008 17:24:08 +0100, mak wrote:


>> I'm trying to get VPN working on the netgear. My setup on it seems ok
>> since I can successfully establish a tunnel from the 192.168.0.x
>> network into the 192.168.1.x network. But when I try from the internet
>> (using dynamic DNS and yes I do see the Actiontec from the outside)
>> I'm not getting a Phase 1 response. On the Actiontec, I have ports
>> 1701, 500 forwarded to the Netgear as well as GRE.
>
> Sounds like a NAT issue, try giving 192.168.0.2 an official IP address on the Actiontec and do NAT in both directions.
>
> So your endpoint of the tunnel (seen from the outside) is not the Actiontec public address, but a second public address.
>
> M

You'll need NAT Traversal (udp/4500) and forward these ports.
1701 is L2TP; it depends on your connection, but I guess you don't need
that.

cheers

Re: Connecting to VPN Router That's Behind Another Router

on 31.01.2008 23:15:03 by Wolfgang Kueter

Jeff wrote:

> - An Actiontec (from Verizon FiOS) broadband wireless router, dynamic
> WAN IP, LAN IP 192.168.0.1. DHCP and wireless are enabled with minimal
> security. This is so guests can connect to the internet but not to
> the main LAN (see below); they're outside the firewall.
>
> - A Netgear fvs114 is connected via ethernet to the Actiontec, it has
> a WAN address of 192.168.0.2 and a LAN address of 192.168.1.1, so
> its "WAN" is just the Actiontec router's LAN, firewall enabled. [...]

Read my lips: You do *NOT* want to terminate an IPSec VPN on a private
IP behind a NAT device. You *want* to terminate it on a public, routable IP.

Dump the 2 devices, get a serious firewalling/VPN device with at least
*three* physical interfaces (WAN, LAN1 (untrusted), LAN2 (trusted), deny
all traffic from LAN1 to LAN2, build the VPN between the roaming clients
and LAN2 and terminate it on the WAN interface (public IP).

The device with the three interfaces might be an old PC running Linux
with 3 or more NICs if you want to use cheap hardware. OpenSWAN and
iptables will do all what you want but you need some skills to get
everything running.

OR: if you want to keep 2 routers: use a public routable network between
the 2 routers, don't use NAT on the external router and terminate the
VPN on the public IP of the internal router.

> I'm trying to get VPN working on the netgear.

For a serious thing get a serious device, netgear is mostly cheap crap.

Wolfgang

Re: Connecting to VPN Router That's Behind Another Router

on 01.02.2008 08:45:50 by Burkhard Ott

On Thu, 31 Jan 2008 23:15:03 +0100, Wolfgang Kueter wrote:


> Read my lips: You do *NOT* want to terminate an IPSec VPN on a private
> IP behind a NAT device. You *want* to terminate it on a public, routable IP.

Why not? First, you can control the traffic even on the first device; the
bad thing is you can only say it is an encrypted ESP packet.
If I use my roadwarrior access via openswan I do the same thing, only the
direction is turned around (IPSec pass through).

> The device with the three interfaces might be an old PC running Linux
> with 3 or more NICs if you want to use cheap hardware. OpenSWAN and
> iptables will do all what you want but you need some skills to get
> everything running.

Also, OpenBSD does a good job :).

> For a serious thing get a serious device, netgear is mostly cheap crap.
>
> Wolfgang

Yes, I totally agree with you, especially in the described environment.

cheers

Re: Connecting to VPN Router That's Behind Another Router

on 01.02.2008 11:09:09 by Wolfgang Kueter

Burkhard Ott wrote:

> On Thu, 31 Jan 2008 23:15:03 +0100, Wolfgang Kueter wrote:
>
>
>> Read my lips: You do *NOT* want to terminate an IPSec VPN on a private
>> IP behind a NAT device. You *want* to terminate it on a public, routable
>> IP.
>
> Why not,

Because NAT kills IPSec. OK, the ESP part will work through NAT, the AH part
will be killed.

Wolfgang

Re: Connecting to VPN Router That's Behind Another Router

on 01.02.2008 14:47:14 by Ansgar -59cobalt- Wiechers

Wolfgang Kueter wrote:
> Burkhard Ott wrote:
>> On Thu, 31 Jan 2008 23:15:03 +0100, Wolfgang Kueter wrote:
>>> Read my lips: You do *NOT* want to terminate an IPSec VPN on a
>>> private IP behind a NAT device. You *want* to terminate it on a
>>> public, routable IP.
>>
>> Why not,
>
> Because NAT kills IPSec. OK, the ESP part will work through NAT, the
> AH part will be killed.

I think [1] illustrates the problem rather well (section "AH and NAT -
Not Gonna Happen").

[1] http://www.unixwiz.net/techtips/iguide-ipsec.html

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich