OT networking (Cisco VPN) question

Ben Scott dragonhawk at gmail.com
Sat Jan 20 21:03:40 EST 2007


On 1/20/07, jsf <jfreeman at gmail.com> wrote:
>  I went into the DL 604 config and set up port forwarding on the IPSec
> port (udp500) for the inside IP address of the DL 604 (192.168.10.1).
> now things get interesting:

  Eh.  You can't use "port forwarding" with IPsec.  The concept does not apply.

  (Gory details: IPsec is a suite of protocols, which includes IKE
(Internet Key Exchange), AH (Authentication Header), and ESP
(Encapsulated Secure Payload).  ESP and AH use IP Protocol Numbers 50
and 51, respectively.  An IP Protocol Number is not a TCP or UDP Port.
ESP and AH exist below the layer of TCP and UDP Ports.  ESP and AH
exist at the same layer as TCP and UDP.  IKE uses UDP/500, which you
could in theory use port forwarding with, but there isn't much point
in having IKE configure an SA (Security Association) if it can't work
in the first place.)

  In all likelihood, your VPN system will need to implement NAT
Traversal (NAT-T) for anything to work.  Fortunately, NAT-T is pretty
well supported.  I'll assume you have NAT-T capability (otherwise,
we're pretty much sunk).

  You'll want to go into your router(s) and disable anything and
everything that tries to help the VPN.  In particular, stop trying to
port forward UDP/500; that will just make things worse.  Also disable
any "IPsec passthrough" or things like that.

> I have a Linksys WRT54G connected to it bridging the DHCP server on the DL604..
> Basically, the Linksys is just a WiFi extension of the DL 604.. it doesn't have a
> separate IP of its own (afaict) and is only providing WiFi service.

  You may want to plug your laptop into the LAN side of the DL-604 via
wired Ethernet, at least at first.  That should remove a lot of
variables from the equation, which usually makes trouble-shooting a
lot simpler.

  ----

  The LinkSys WRT54G has a LAN side and a WAN port (WAN may be labeled
"Internet" on some versions).  It will always have a LAN IP address,
and it will be trying to have a WAN IP address.  It implements a
router (not a bridge) between the LAN and WAN sides.  It will default
to doing NAT between the WAN and LAN.  It will also default to providing
DHCP service on the LAN.

  I'm not familiar with the DL-604, but if it's like most "home
routers", it's just like the LinkSys: LAN side, WAN side, NAT between
the two, DHCP server on the LAN.

  If you've got the WAN port of the LinkSys plugged into the LAN side
of the DL-604, that might be causing you grief, and certainly isn't
helping.  What you want to do instead is to use the LinkSys as a WAP
(wireless access point) and bypass the router functions.  To do so:

  First, configure the LinkSys for the LAN side of the DL-604.  The
LinkSys uses a web UI like everything else on the market.  The default
IP address is 192.168.1.1 and the default password is either
"linksys", "admin", or "password" (I forget which).  The username is
ignored.  Assign the LinkSys a static IP address on the LAN (for
example, 192.168.10.69).  Disable the DHCP server.

  Once that is done, plug the LAN side of the DL-604 to the LAN side
of the WRT54G.  There should not be anything plugged into the
"Internet" or "WAN" port of the WRT54G.

  You should now be able to get an IP address from the DL-604's DHCP
server, either via wired Ethernet, or wireless (via the WRT54G).

  -----

  If the IP address space of the network you are trying to connect
overlaps that of your LAN, nothing will work.  That is to say, if your
home LAN is 192.168.10.0/24, and your work network also uses
192.168.10.0/24, it will not work.  The equipment on your LAN will not
be able to tell the difference between your LAN and the remote
network.

  It might be a good idea to renumber your home LAN to use something
more unusual.  The 172.16.0.0/12 block is often suggested.  For
example, 172.30.53.0/24 might be a better choice.

-- Ben
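To make the "port forwarding does not apply to IPsec" point concrete, here is an added Python example (not part of Ben's post, and not tied to the D-Link or Linksys firmware) that looks at IPv4 packets the way a NAT/port-forwarding box has to: it reads the IP protocol number, and only if that is UDP does it find a port at all. ESP (protocol 50) and AH (protocol 51) have no port for a forward rule to match; IKE on UDP/500 does, and NAT-T moves both IKE and ESP onto UDP/4500 so an ordinary NAT can track them. All packets are constructed inline (the 28-byte IKE header shape and the SPI value are made up for the test); the `Verdict` type, `classify()` and the builder helpers are this example's own names.

```python
import socket
import struct
from dataclasses import dataclass

# IP protocol numbers and UDP ports that matter for IPsec.
IPPROTO_UDP = 17
IPPROTO_ESP = 50   # Encapsulating Security Payload: an IP protocol, not a port
IPPROTO_AH = 51    # Authentication Header: also an IP protocol, not a port
IKE_PORT = 500     # IKE rides on UDP, so it does have a port
NAT_T_PORT = 4500  # RFC 3947/3948 NAT traversal: IKE and ESP-in-UDP


@dataclass
class Verdict:
    what: str            # human-readable name of the traffic
    has_udp_port: bool   # could a "port forward" rule even match it?
    note: str


def build_ipv4(proto: int, payload: bytes,
               src: str = "192.168.10.50", dst: str = "203.0.113.7") -> bytes:
    """Constructed IPv4 header (no options, checksum left 0) for sample packets."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    """Constructed UDP header (checksum 0, which UDP over IPv4 permits)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def classify(pkt: bytes) -> Verdict:
    """Inspect an IPv4 packet the way a NAT / port-forwarding box would."""
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    proto = pkt[9]                     # the IP protocol number field
    payload = pkt[ihl:]
    if proto == IPPROTO_ESP:
        return Verdict("ESP (IP protocol 50)", False,
                       "no TCP/UDP header follows the IP header: a port-forward rule "
                       "has nothing to match and a plain NAT has no port to track by")
    if proto == IPPROTO_AH:
        return Verdict("AH (IP protocol 51)", False,
                       "AH also authenticates the IP addresses, so a NAT rewriting "
                       "them breaks the integrity check outright")
    if proto != IPPROTO_UDP:
        return Verdict(f"IP protocol {proto}", False, "not UDP")
    sport, dport, ulen = struct.unpack("!HHH", payload[:6])
    body = payload[8:ulen]
    if dport == IKE_PORT:
        return Verdict("IKE (UDP/500)", True,
                       "forwardable, but pointless if the ESP it negotiates cannot pass")
    if dport == NAT_T_PORT:
        # RFC 3948: four zero bytes (the "non-ESP marker") mean IKE; an ESP
        # packet starts with its SPI, which is never zero, so the two cannot collide.
        if body[:4] == b"\x00\x00\x00\x00":
            return Verdict("IKE over NAT-T (UDP/4500)", True, "IKE after NAT detection")
        return Verdict("ESP-in-UDP (NAT-T, UDP/4500)", True,
                       "ESP wrapped in UDP so an ordinary NAT can track the flow")
    return Verdict(f"UDP/{dport}", True, "ordinary UDP")


def sample_packets() -> dict:
    """Constructed packets, one per traffic type discussed in the post."""
    esp_hdr = struct.pack("!II", 0x1234ABCD, 1)          # made-up SPI, sequence 1
    ike_hdr = b"\x11" * 8 + b"\x22" * 8 + b"\x00" * 12   # made-up 28-byte IKE header shape
    return {
        "esp": build_ipv4(IPPROTO_ESP, esp_hdr + b"\xAA" * 16),
        "ah": build_ipv4(IPPROTO_AH, b"\x32\x04\x00\x00" + b"\xBB" * 20),
        "ike": build_ipv4(IPPROTO_UDP, build_udp(IKE_PORT, IKE_PORT, ike_hdr)),
        "natt_ike": build_ipv4(IPPROTO_UDP,
                               build_udp(NAT_T_PORT, NAT_T_PORT, b"\x00" * 4 + ike_hdr)),
        "natt_esp": build_ipv4(IPPROTO_UDP,
                               build_udp(NAT_T_PORT, NAT_T_PORT, esp_hdr + b"\xAA" * 16)),
    }


def forwardable_names(pkts: dict) -> list:
    """Names of the packets a UDP port-forward rule could even match."""
    return sorted(name for name, p in pkts.items() if classify(p).has_udp_port)


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        v = classify(pkt)
        print(f"{name:9s} {v.what:30s} port-forwardable={v.has_udp_port}  {v.note}")
```

Running it shows that only the three UDP packets (IKE on 500, and the two NAT-T forms on 4500) have a port at all; raw ESP and AH do not, which is why a UDP/500 forward on the DL-604 cannot carry the tunnel. In a road-warrior setup the client's own outbound IKE creates the NAT mapping on the router, so no inbound forward is needed even for UDP/500 or UDP/4500.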
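The overlapping-address-space problem at the end of the post is easy to check for before changing anything. The following is an added Python example (not from the post) that does three things: lists which remote subnets collide with the home LAN, shows why a collision breaks routing by doing the longest-prefix match a host's routing table does (two routes of equal length for the same destination tie, so the host cannot tell LAN from VPN), and picks a /24 out of 172.16.0.0/12 that avoids every remote subnet. The subnets and interface names used in the sample calls are made up; `overlapping_remotes()`, `best_routes()`, `pick_free_24()` and `in_pool()` are this example's own names.

```python
import ipaddress
import random

# The block Ben suggests drawing a "more unusual" home LAN from.
RFC1918_POOL = ipaddress.ip_network("172.16.0.0/12")


def overlapping_remotes(home_lan: str, remote_subnets: list) -> list:
    """Remote subnets that collide with the home LAN (any overlap means trouble)."""
    lan = ipaddress.ip_network(home_lan, strict=False)
    return [r for r in remote_subnets
            if lan.overlaps(ipaddress.ip_network(r, strict=False))]


def best_routes(dst: str, routes: list) -> list:
    """Longest-prefix match, as a host's routing table does it.

    routes: list of (network, interface) pairs. Returns every interface tied
    for the longest match; more than one entry means the host cannot tell
    which side of the tunnel the destination belongs to.
    """
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(n), iface) for n, iface in routes
               if addr in ipaddress.ip_network(n)]
    if not matches:
        return []
    longest = max(net.prefixlen for net, _ in matches)
    return [iface for net, iface in matches if net.prefixlen == longest]


def in_pool(subnet: str, pool=RFC1918_POOL) -> bool:
    """True if subnet lies entirely inside the pool."""
    return ipaddress.ip_network(subnet, strict=False).subnet_of(pool)


def pick_free_24(remote_subnets: list, pool=RFC1918_POOL, seed: int = 0) -> str:
    """Pick a /24 from the pool that overlaps none of the remote subnets.

    The candidates are shuffled (deterministically, via seed) so the result
    is not the predictable first block everyone else also picks.
    """
    remotes = [ipaddress.ip_network(r, strict=False) for r in remote_subnets]
    candidates = list(pool.subnets(new_prefix=24))
    random.Random(seed).shuffle(candidates)
    for cand in candidates:
        if not any(cand.overlaps(r) for r in remotes):
            return str(cand)
    raise ValueError("no free /24 left in pool")


if __name__ == "__main__":
    # Constructed scenario: home LAN and the work network both use 192.168.10.0/24.
    work = ["192.168.10.0/24", "10.1.0.0/16"]
    print("collisions:", overlapping_remotes("192.168.10.0/24", work))
    print("routes for 192.168.10.5:",
          best_routes("192.168.10.5", [("192.168.10.0/24", "eth0"),
                                       ("192.168.10.0/24", "tun0")]))
    new_lan = pick_free_24(work)
    print("suggested home LAN:", new_lan, "collisions now:", overlapping_remotes(new_lan, work))
```

With both routes present the lookup for 192.168.10.5 returns both `eth0` and `tun0`; a real host breaks the tie by metric or insertion order, so traffic lands on one side arbitrarily, which is the "cannot tell the difference" Ben describes. After renumbering to the suggested /24 the collision list is empty.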


More information about the gnhlug-discuss mailing list