Thursday, September 18, 2008

Connecting to a Cisco VPN through a home network

hoverX


Hi There,

I'm trying to connect to my office's VPN from home. When I connect directly to my DSL modem I have no problems, but when I'm connected to my router I get the message

"Secure VPN connection terminated by the client. the remote peer is no longer responding."

I'm using Cisco Systems VPN Client 4.8. I'm connecting from a Vista machine but have also tried it from an XP machine with the same results.

I'm pretty clueless when it comes to setting this type of thing up. What steps do I need to take to get this working?

m0x20

What's your router?

You may want to enable VPN passthrough on your router.

Or possibly your DSL modem is a gateway (modem/router), so that when you're behind another router you have a double NAT, where your VPN may not pass through.

Possible solution: set your modem to BRIDGE (eliminating the router functionality).

hoverX


My router is a D-Link DGL-4300 and my modem is a SpeedStream 5200.

I checked online and I couldn't find any info on enabling VPN Passthrough on my router, but I have verified that it does support this feature.

How do I determine if my modem is acting as both a modem and a router?

hoverX
Also, my ISP is Bell Sympatico, and it seems that they use custom firmware that prevents some features of the modem from being modified.


MattE

reply to hoverX
said by hoverX:

My router is a D-Link DGL-4300 and my modem is a SpeedStream 5200.

I checked online and I couldn't find any info on enabling VPN Passthrough on my router, but I have verified that it does support this feature.

How do I determine if my modem is acting as both a modem and a router?
Here is the interface where it needs to be enabled: »support.dlink.com/emulators/dgl4···all.html

Look at the bottom and make sure you DISABLE the IPSec option. See here for why: »support.dlink.com/emulators/dgl4···Firewall

Allows multiple VPN clients to connect to their corporate networks using IPSec. Some VPN clients support traversal of IPSec through NAT. This option may interfere with the operation of such VPN clients. If you are having trouble connecting with your corporate network, try disabling this option.

Check with the system administrator of your corporate network whether your VPN client supports NAT traversal.

Note that L2TP VPN connections typically use IPSec to secure the connection. To achieve multiple VPN pass-through in this case, the IPSec ALG must be enabled.

m0x20

reply to hoverX
Yep, VPN passthrough.

And even if enabling passthrough does not work, you may need to check if your connection is on PPPoE, and if it is, ask Bell to have your modem bridged, or you may set it to bridged mode yourself, but your ISP may need to do something special on the modem.

Good luck.


TransparentNAT

reply to hoverX
quote:
"Secure VPN connection terminated by the client. the remote peer is no longer responding."
This message means that you are behind a NAT router and NAT-T should be configured. The IPSec passthru hack provided by some routers is not reliable. Not many home routers implement it properly, and the bugs in home router firmware change from release to release.

NAT-T was developed for VPN clients behind routers and requires no configuration on the router. Any router which can pass UDP packets may be used. Some administrators of Cisco HW are not aware of NAT-T and so mis-configure the VPN concentrator and/or the VPN client so you may need to have that fixed.
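The distinction drawn in the post above (a router's IPsec passthrough ALG versus NAT-T) comes down to what is actually on the wire. The following Python classifier is an added example for this thread, not code from any of the posters: it parses a minimal IPv4 packet and labels it as raw ESP (IP protocol 50, no ports, so a port-translating NAT cannot track it without an ALG), IKE on UDP/500, or one of the three things RFC 3948 puts on UDP/4500 once NAT-T is in use (a one-byte keepalive, the four-zero-byte "non-ESP marker" followed by IKE, or ESP-in-UDP whose first four bytes are the SPI). The sample packets, the IKE header bytes and the ESP body are constructed placeholders, not captures; the 192.168.0.10 and 203.0.113.5 addresses are assumed.

```python
"""Classify IPsec traffic to show why NAT-T survives a home NAT and raw ESP does not.

Added example for this thread (not code from any poster). All packets below are
constructed by hand; the IKE and ESP bodies are placeholders, not real crypto.

Facts relied on:
  * ESP is IP protocol 50 and carries no ports, so a port-translating NAT cannot
    demultiplex it; that is the gap a router "IPSec passthrough" ALG tries to fill.
  * NAT-T (RFC 3947/3948) floats IKE from UDP/500 to UDP/4500 once a NAT is detected
    and wraps ESP in UDP/4500 as well. On UDP/4500 the leading bytes tell them apart:
      b"\\xff"               -> NAT keepalive
      b"\\x00\\x00\\x00\\x00"  -> "non-ESP marker", an IKE message follows
      anything else          -> ESP; the 4 bytes are the SPI (0 is never a valid SPI)
"""
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50
IKE_PORT = 500
NATT_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NATT_KEEPALIVE = b"\xff"


def parse_ipv4(pkt: bytes):
    """Return (protocol, payload) from a minimal IPv4 packet, honouring the IHL field."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    return pkt[9], pkt[ihl:]


def classify(pkt: bytes) -> str:
    """Label a packet: esp, ike, natt-ike, natt-esp, natt-keepalive or other."""
    proto, payload = parse_ipv4(pkt)
    if proto == IPPROTO_ESP:
        return "esp"
    if proto != IPPROTO_UDP or len(payload) < 8:
        return "other"
    sport, dport = struct.unpack("!HH", payload[:4])
    data = payload[8:]                      # skip the 8-byte UDP header
    if IKE_PORT in (sport, dport):
        return "ike"
    if NATT_PORT in (sport, dport):
        if data == NATT_KEEPALIVE:
            return "natt-keepalive"
        if data[:4] == NON_ESP_MARKER:
            return "natt-ike"
        return "natt-esp"
    return "other"


def traverses_plain_nat(kind: str) -> bool:
    """Only raw ESP needs router help; every other kind is ordinary UDP."""
    return kind != "esp"


# --- constructed sample packets (not captures) -----------------------------------
def build_ipv4(proto: int, payload: bytes) -> bytes:
    src, dst = bytes([192, 168, 0, 10]), bytes([203, 0, 113, 5])   # assumed addresses
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, 64, proto, 0, src, dst)   # header checksum left 0 for brevity
    return hdr + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data   # checksum 0 is legal on IPv4


FAKE_IKE_HDR = b"\x11" * 8 + b"\x00" * 8 + b"\x20\x22\x08\x00" + b"\x00" * 8   # placeholder 28-byte IKE header
FAKE_ESP = b"\x00\x00\x12\x34" + b"\x00\x00\x00\x01" + b"\xab" * 16           # SPI, sequence, fake ciphertext

SAMPLES = {
    "ike":            build_ipv4(IPPROTO_UDP, build_udp(IKE_PORT, IKE_PORT, FAKE_IKE_HDR)),
    "esp":            build_ipv4(IPPROTO_ESP, FAKE_ESP),
    "natt-ike":       build_ipv4(IPPROTO_UDP, build_udp(NATT_PORT, NATT_PORT, NON_ESP_MARKER + FAKE_IKE_HDR)),
    "natt-esp":       build_ipv4(IPPROTO_UDP, build_udp(NATT_PORT, NATT_PORT, FAKE_ESP)),
    "natt-keepalive": build_ipv4(IPPROTO_UDP, build_udp(NATT_PORT, NATT_PORT, NATT_KEEPALIVE)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        kind = classify(pkt)
        print(f"{name:15s} -> {kind:15s} works through a plain NAT: {traverses_plain_nat(kind)}")
```

The point the table of samples makes is that once NAT-T is negotiated there is nothing left for the home router's ALG to do: everything is UDP/4500, which any NAT forwards like any other UDP flow. Whether NAT-T gets negotiated is decided inside IKE, where both peers advertise support and exchange NAT-D hashes, so it has to be enabled on the concentrator (on a Cisco ASA/PIX that is `crypto isakmp nat-traversal`) and allowed on the client (the Cisco VPN Client's Transport tab, "Enable Transparent Tunneling"); it is not a setting on the home router.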

hoverX


reply to MattE
"Here is the interface where it needs to be enabled: »support.dlink.com/emulators/dgl4···all.html"
That feature is only available on the latest version of the firmware. I'm hesitant to upgrade because the website doesn't explicitly say that the latest version is compatible with Xbox Live. I had a real pain in the ass time getting Xbox Live to work with this router, so I don't want to screw anything up.

Is it safe to assume that if firmware 1.6 supports Xbox Live that firmware 1.7 does as well, even if the site doesn't explicitly say so?


RandomChance

quote:
Is it safe to assume that if firmware 1.6 supports Xbox Live that firmware 1.7 does as well
No. And it is not safe to assume that it will work even if it is supported. Such is the nature of consumer level routers.

Since you obviously do not want to take advantage of the previous suggestion to use NAT-T and avoid all such problems with your router, you have no choice but to take your chances and hope that what works in one version still works in the next.

hoverX
If I am understanding things correctly, NAT-T is something my administrator at work has to enable?
