Quick VPN question


Does anyone know how to get a VPN connection to work through a Binatone ADSL 2100? The router won't allow the VPN server to assign the PC with an IP address.
Does the answer lie in the mysteries of IP forwarding? Any help will be greatly appreciated as I am tired of hearing "that is not under the remit of our support".

Moderators note (John) Post moved to a section dealing with networking
4 REPLIES
mssystems
Rising Star
Posts: 270
Thanks: 33
Fixes: 1
Registered: 10-08-2007

Quick VPN question

Probably not.

Most such VPN problems are caused by Port Address Translation (or DNAT) routers not being able to redirect the IP protocols used to establish the tunnel. The IP protocols used do not have port numbers so cannot be forwarded by port number. A DMZ host requires port numbers so again can't forward a portless IP protocol.

Further than that it all gets very complicated depending on what type of VPN you are using (PPTP, IPSec etc), where the client and server are in relation to routers, whether you have additional public IPs, whether you can map public IPs to private IPs through the router, whether both routers support NAT-T... Let's just say lots of variables.

Regards
Matt
www.mssystems.co.uk

Quick VPN question

Thanks for the info Matt

The VPN I am trying to connect to is IPSec. If I bin the router and buy a modem for the VPN PC, will this do the trick?

I have our IT guy saying that VPN cannot go through a router and everybody else at Plus net tech support saying it can, but not telling me how. They told me that I can have a block of four IP addresses and that this will help to resolve the problem, and monkeys will fly out of my butt!

I think I will have to make a blood sacrifice to the network god.

Thanks again

Jon
mssystems

Quick VPN question

LOL

The network gods are very fickle indeed. To curry favour requires utmost dedication to the writings of the RFC. The gods must be regularly appeased at midnight by sacrifice of your social life in the temple of Cisco. :twisted:

Anyhow. IPSec is usually a bit of a bitch unless you are linking two routers from the same manufacturer.

Before binning your router you could try disabling the PAT, often (incorrectly) called NAT in the router set up. You will need an additional public host IP address, which means you need +net to supply you a 4 address subnet, you lose an address to the network number and another to the broadcast address.

You set the outside of your router with the first host address. You set the inside of the router with the same host address, this creates a Zero IP bridge whereby ALL traffic is forwarded to the inside segment. You set your PC with the second host address, which is directly routable on the internet so you get ALL traffic including the lower level IP protocols which do not use UDP/TCP. Note: any other PCs on the hub or switch will no longer be able to reach the internet unless they also have Internet routable IPs.

If you don't want to do the above, get yourself a DLink DSL300+ ADSL to Ethernet modem. This is a very cool bit of kit if a little quirky. It picks up your dynamic or fixed IP from your ISP and assigns it to your PC's Ethernet card. You end up with what used to be known as an IP unnumbered link (or thereabouts). The DSL300+ is the only Ethernet modem I know of that can do this.

Once you have ALL the traffic hitting your Ethernet card you really want to firewall the connection. The built-in XP firewall is better than nothing. Zone-Alarm is better if you know how to use it.

Now you are ready to start playing with the VPN client software. Your IT department should be able to help you with that as they will have a config which they know works.

Good luck
Matt
www.mssystems.co.uk

FYI
NAT - Network Address Translation is the mapping of one fixed public IP to one fixed private IP. Cheap routers rarely do this.
D-NAT - Dynamic NAT is a method of multiplexing UDP/TCP traffic to private IPs via a single public IP identifying each private IP by port number. Also Known as PAT - Port Address Translation. This is how most cheap routers operate.
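To make Matt's two points concrete (a PAT router keys its table on TCP/UDP ports, so a portless protocol like ESP has nothing to map on, and a four-address block loses two addresses to the network and broadcast), here is an added illustration that is not part of the thread or any poster's code. It builds a few hand-constructed IPv4 packets (TCP, UDP port 500 for IKE, and ESP protocol 50) using documentation address ranges, runs them through a toy PAT table, and computes the usable hosts in a /30. The PAT model is deliberately simplified: no checksums, no inbound state, no timeouts.

```python
import ipaddress
import struct

# IPv4 "Protocol" field values (IANA assigned numbers).
IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_GRE = 47   # carries the PPTP data channel
IPPROTO_ESP = 50   # IPsec Encapsulating Security Payload
IPPROTO_AH = 51    # IPsec Authentication Header

# Only TCP and UDP carry 16-bit ports in the first four bytes of their
# header; a PAT router keys its translation table on those ports.
PORTED_PROTOCOLS = {IPPROTO_TCP, IPPROTO_UDP}

def build_ipv4(proto, src, dst, payload):
    """Build a minimal 20-byte IPv4 header (no options) in front of payload.
    The header checksum is left as zero: nothing in this toy validates it."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                 # version 4, IHL 5 (20 bytes)
        0,                    # DSCP / ECN
        20 + len(payload),    # total length
        0,                    # identification
        0,                    # flags / fragment offset
        64,                   # TTL
        proto,
        0,                    # header checksum (not computed)
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    return header + payload

def parse_ipv4(packet):
    """Return (proto, src, dst, payload) from a packet built by build_ipv4."""
    ihl = (packet[0] & 0x0F) * 4
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return (fields[6],
            str(ipaddress.IPv4Address(fields[8])),
            str(ipaddress.IPv4Address(fields[9])),
            packet[ihl:])

def transport_ports(packet):
    """Return (sport, dport) for TCP/UDP, or None when the protocol has no ports."""
    proto, _, _, payload = parse_ipv4(packet)
    if proto not in PORTED_PROTOCOLS:
        return None
    return struct.unpack("!HH", payload[:4])

class PatRouter:
    """Toy Port Address Translation: (private ip, private port) -> public port."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}

    def translate_outbound(self, packet):
        proto, src, dst, payload = parse_ipv4(packet)
        ports = transport_ports(packet)
        if ports is None:
            # ESP, AH and GRE have no port field, so there is nothing to key the
            # mapping on. This is the failure mode Matt describes for cheap routers.
            raise ValueError(f"PAT cannot translate IP protocol {proto}: no port to map")
        sport, dport = ports
        key = (src, sport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        new_payload = struct.pack("!HH", self.table[key], dport) + payload[4:]
        return build_ipv4(proto, self.public_ip, dst, new_payload)

def try_translate(router, packet):
    """Return ('ok', translated_packet) or ('dropped', reason)."""
    try:
        return "ok", router.translate_outbound(packet)
    except ValueError as exc:
        return "dropped", str(exc)

def sample_packets():
    """Constructed sample traffic from a private host to a VPN gateway (documentation IPs)."""
    return {
        "tcp": build_ipv4(IPPROTO_TCP, "192.168.1.10", "203.0.113.5",
                          struct.pack("!HH", 51000, 443) + bytes(16)),
        "udp_ike": build_ipv4(IPPROTO_UDP, "192.168.1.10", "203.0.113.5",
                              struct.pack("!HH", 500, 500) + bytes(4)),
        "esp": build_ipv4(IPPROTO_ESP, "192.168.1.10", "203.0.113.5",
                          struct.pack("!II", 0x1234, 1) + bytes(16)),  # SPI, sequence
    }

def usable_hosts(cidr):
    """Host addresses left after the network and broadcast addresses are removed."""
    return [str(h) for h in ipaddress.ip_network(cidr).hosts()]

if __name__ == "__main__":
    router = PatRouter("198.51.100.7")   # constructed public address of the router
    for name, pkt in sample_packets().items():
        status, detail = try_translate(router, pkt)
        shown = transport_ports(detail) if status == "ok" else detail
        print(f"{name:8s} -> {status}: {shown}")
    print("usable hosts in a /30:", usable_hosts("198.51.100.0/30"))
```

Running it shows the IKE negotiation on UDP 500 passing through PAT while the ESP packet is dropped for lack of a port, which is exactly why NAT-T (RFC 3948) wraps ESP inside UDP port 4500 when both ends support it, and why the /30 Matt mentions leaves only two host addresses: one for the router's outside interface and one for the PC.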

Quick VPN question

Thanks Matt

I think I will go with the coward's option and a dedicated modem for the VPN PC. It will then be a very complicated task to unplug the router and then plug in the modem.

Thanks for the info. Dig the piccy; how cold was it in Scapa Flow? Was 7C in Capernwray last weekend, and 27C in Sharm el-Sheikh.

Best

Jon