D-Link Forums
The Graveyard - Products No Longer Supported => Routers / COVR => DIR-130 => Topic started by: Phoenixfif on March 17, 2009, 10:04:08 AM
-
I am trying to establish an IPsec VPN between 2 DIR-130s.
#1 is at the office with a static IP set in bridge mode and a LAN of 10.10.85.0. This one I am not worried about.
#2 is at home with a dynamic IP using “name”@dyndns.org as a locator and a LAN of 10.10.8.0. This is a FIOS connection with an Ultra 3 modem. When I put it in bridge mode I am able to make and maintain the VPN. The problem is that when you have FIOS TV service as I do, the TV converter boxes all pull an IP address through the coax from the FIOS modem to use for updates, pay-per-view, etc. In bridge mode the converters are unable to do this.
Without bridging I am doing a dual NAT and unable to make the VPN. I have tried giving the DIR-130 a DMZ on the FIOS with no luck.
Anyone know how to setup a VPN in this type of situation?
Thanks
-
It would really depend on the configuration of your NAT device and whether it offers some sort of semi-intelligent IPsec passthrough.
-
When you say semi-intelligent IPsec passthrough, do you mean that the NAT device is adding route information to the packet?
-
No, it means that the device is capable of forwarding AH or ESP to the router if it detects the IKE proposal.
D-Link's home class products tend to have a check box named IPsec passthrough for this functionality, though depending on what is on each end even our routers will hiccup sometimes.
-
What I did was set the DIR-130 to a static IP of 192.168.1.10 and set the Westell FIOS router to DMZ the same address. Shouldn’t that pass all traffic through unmolested, including IPsec?
-
That really depends.
Some implement DMZ as a default forward.
Some as a forward of 6:0-65535 (all TCP ports) and 17:0-65535 (all UDP ports).
If they are only forwarding TCP and UDP ports that will do very little to assist with the tunnel.
-
I talked with Westell’s level 2 tech support and learned several things.
The internal firewall affects both inbound and outbound traffic. At its lowest setting it will still affect some outbound traffic like port triggered. You have to make advanced settings adjustments to get triggered traffic through.
You have to make a port forward rule for all traffic, including IPsec, to the DIR-130.
Do not use the DMZ. It will void the port forward rules.
What Ports does the DIR-130 use for its IPsec?
-
This is what I meant when I said that if all we can do is forward TCP and UDP ports, this will not work.
We need to forward protocols as well as ports.
IPsec, while not a formal standard, is a very strong informal standard; it's going to operate on some subset of the following protocol:port values depending on your exact configuration.
17:500 (UDP:IKE)
17:4500 (UDP:NAT-T)
51 (AH)
50 (ESP)
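To make the difference between the two DMZ implementations concrete, here is an added example (written for this thread, not code from the thread, from D-Link or from Westell). It models a forwarding policy as a list of (protocol, port range) rules, classifies a few constructed packets as the four IPsec components listed above, and reports which components each policy drops. The only detail it assumes beyond the thread is the RFC 3948 non-ESP marker used to tell IKE from ESP on UDP/4500; the packet bytes are made up.

```python
"""Added example (not from the thread or from D-Link): models the two DMZ
semantics described above and checks which parts of an IPsec tunnel a
given forwarding policy lets through. All packets below are constructed."""
from typing import Dict, List, Optional, Tuple

# IP protocol numbers and ports named in the thread
PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 6, 17, 50, 51
IKE_PORT, NAT_T_PORT = 500, 4500
# RFC 3948: IKE carried on UDP/4500 is prefixed with a 4-byte zero "non-ESP
# marker"; UDP-encapsulated ESP on the same port starts with its non-zero SPI.
NON_ESP_MARKER = b"\x00\x00\x00\x00"

# A rule is (protocol or None for "any", (low, high) port range or None for
# "the whole protocol"). AH and ESP carry no ports, so only a rule whose range
# is None can ever match them.
Rule = Tuple[Optional[int], Optional[Tuple[int, int]]]

# Policy 1: DMZ implemented as a default forward of everything to one host.
DMZ_DEFAULT_FORWARD: List[Rule] = [(None, None)]
# Policy 2: DMZ implemented as 6:0-65535 plus 17:0-65535 (TCP and UDP only).
DMZ_TCP_UDP_ONLY: List[Rule] = [(PROTO_TCP, (0, 65535)), (PROTO_UDP, (0, 65535))]
# Policy 3: explicit rules for exactly the four protocol:port values above.
EXPLICIT_IPSEC: List[Rule] = [
    (PROTO_UDP, (IKE_PORT, IKE_PORT)),
    (PROTO_UDP, (NAT_T_PORT, NAT_T_PORT)),
    (PROTO_ESP, None),
    (PROTO_AH, None),
]


def classify_ipsec(proto: int, dport: Optional[int], payload: bytes) -> Optional[str]:
    """Name the IPsec component a packet carries, or None if it is not IPsec."""
    if proto == PROTO_ESP:
        return "ESP"
    if proto == PROTO_AH:
        return "AH"
    if proto == PROTO_UDP and dport == IKE_PORT:
        return "IKE"
    if proto == PROTO_UDP and dport == NAT_T_PORT:
        return "IKE/NAT-T" if payload[:4] == NON_ESP_MARKER else "ESP/NAT-T"
    return None


def forwarded(proto: int, dport: Optional[int], rules: List[Rule]) -> bool:
    """True if any rule in the policy forwards this packet to the inside host."""
    for rule_proto, port_range in rules:
        if rule_proto is not None and rule_proto != proto:
            continue
        if port_range is None:
            return True  # protocol-level forward: no port is needed to match
        if dport is not None and port_range[0] <= dport <= port_range[1]:
            return True
    return False


# Constructed sample packets: (protocol, destination port, first payload bytes)
SAMPLE_PACKETS = [
    (PROTO_UDP, IKE_PORT, b"\x11\x22\x33\x44\x55\x66\x77\x88"),    # IKE, made-up SPI
    (PROTO_UDP, NAT_T_PORT, NON_ESP_MARKER + b"\x11\x22\x33\x44"),  # IKE after NAT detected
    (PROTO_UDP, NAT_T_PORT, b"\x00\x00\x10\x01\x00\x00\x00\x01"),  # ESP inside UDP
    (PROTO_ESP, None, b"\x00\x00\x10\x01\x00\x00\x00\x01"),        # raw ESP, no port
    (PROTO_AH, None, b"\x32\x04\x00\x00\x00\x00\x10\x02"),         # raw AH, no port
    (PROTO_TCP, 443, b"\x16\x03\x01"),                             # unrelated, ignored
]


def tunnel_components(rules: List[Rule]) -> Dict[str, bool]:
    """Map each IPsec component in the samples to whether the policy forwards it."""
    result: Dict[str, bool] = {}
    for proto, dport, payload in SAMPLE_PACKETS:
        kind = classify_ipsec(proto, dport, payload)
        if kind is not None:
            result[kind] = forwarded(proto, dport, rules)
    return result


def dropped_components(rules: List[Rule]) -> List[str]:
    """The IPsec components a policy silently drops, in a stable order."""
    return sorted(k for k, ok in tunnel_components(rules).items() if not ok)


if __name__ == "__main__":
    for name, policy in [("default forward", DMZ_DEFAULT_FORWARD),
                         ("TCP/UDP-only DMZ", DMZ_TCP_UDP_ONLY),
                         ("explicit IPsec rules", EXPLICIT_IPSEC)]:
        print(f"{name:22s} drops: {dropped_components(policy) or 'nothing'}")
```

Running it shows the point of the thread: the TCP/UDP-only DMZ passes IKE on 500 and both NAT-T flows on 4500 but drops raw AH and ESP, while the default-forward DMZ and the explicit protocol-level rules pass all four.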