December 19th, 2003, 03:23 AM
Does anyone know of any good resources for VPN problems?
I want to understand a little bit more about how this works and why, for example, when I connect to a Cisco PIX from a public IP I am allowed access, from behind a Smoothwall 2.0 box I am allowed access, but behind a Netgear DG814 ADSL router/firewall my connection is not allowed. I've tried variations on all the usual settings, port forwarding etc.
I want to understand more about NAT & IPsec and how a VPN works.
December 19th, 2003, 08:37 AM
For the Cisco VPN 3000 concentrator I had to change it to use UDP instead of TCP in the past when the client was trying to access from behind a Linksys NAT firewall.
Caveats for the 3.6.3 client:
If you use the VPN Client with a Digital Certificate and your Client sits behind a Cable/DSL router or some other NAT device, you might not be able to connect to your VPN Gateway device. The problem is not with the VPN Client or the Gateway; it is with the Cable/DSL router. When the VPN Client uses a Digital Certificate, it sends the Certificate to the VPN Gateway. Most of the time, the packet with the Certificate is too big for a standard Ethernet frame (1500), so it is fragmented. Many Cable/DSL routers do not transmit fragmented packets, so the connection negotiation fails (IKE negotiation).
This problem might not occur if the Digital Certificate you are using is small enough, but this is only in rare cases. This fragmentation problem happens with the D-Link DI-704 and many other Cable/DSL routers on the market. We have been in contact with a few of these vendors to try to resolve the issue.
Testing with the VPN Client Release 3.1 indicates that VPN Client connections using Digital Certificates can be made using the following Cable/DSL routers with the following firmware:
Linksys BEFSRxx v1.39 or v1.40.1
SMC 7004BR Barricade R1.93e
Nexland Pro400 V1 Rel 3M
NetGear RT314 V3.24(CA.0)
Asante FR3004 V2.15 or later
Others like 3COM 3C510, and D-Link DI-704 either had updated firmware that was tested and failed, or had Beta firmware that was NOT tested because the firmware notes did not indicate a fix specifically for fragmentation.
Last edited by juniperr; December 19th, 2003 at 08:40 AM.
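The caveat above says the certificate-carrying IKE message is larger than a 1500-byte Ethernet frame, gets fragmented, and many cable/DSL routers then drop it. The following Python script is an added illustration (not code from the thread or from Cisco) of why a port-rewriting NAT device struggles with that: it builds a constructed UDP/500 datagram of the size an IKE message with a certificate might have, fragments it the way RFC 791 describes, and shows that only the first fragment carries the UDP header with the port numbers a NAT needs. The sizes, addresses and the "cert payload" bytes are made up for the demonstration; whether a given router reassembles, tracks or drops non-first fragments is that router's implementation detail, which this script does not model.

```python
"""Show why IKE messages that carry a certificate break behind simple NAT devices.

Constructed example: a UDP/500 datagram larger than the 1500-byte Ethernet MTU is
split into IPv4 fragments. Only the fragment with offset 0 contains the UDP header,
so a NAT that maps connections by (address, port) has nothing to match the rest on.
"""
import struct
from typing import List

ETHERNET_MTU = 1500
IPV4_HEADER_LEN = 20
UDP_HEADER_LEN = 8
IKE_UDP_PORT = 500          # ISAKMP/IKE
UDP_PROTO = 17

# Constructed addresses (RFC 5737 documentation ranges), not real hosts.
CLIENT_IP = bytes([192, 0, 2, 10])
GATEWAY_IP = bytes([198, 51, 100, 1])


def build_datagram(payload: bytes, src_port: int = IKE_UDP_PORT,
                   dst_port: int = IKE_UDP_PORT) -> bytes:
    """Return a minimal IPv4+UDP datagram around `payload` (checksums left zero)."""
    total_len = IPV4_HEADER_LEN + UDP_HEADER_LEN + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len,      # version/IHL, TOS, total length
                     0x1234, 0,               # identification, flags/fragment offset
                     64, UDP_PROTO, 0,        # TTL, protocol, header checksum
                     CLIENT_IP, GATEWAY_IP)
    udp = struct.pack("!HHHH", src_port, dst_port, UDP_HEADER_LEN + len(payload), 0)
    return ip + udp + payload


def fragment(datagram: bytes, mtu: int = ETHERNET_MTU) -> List[bytes]:
    """Split an IPv4 datagram into fragments as a router would (RFC 791).

    Every fragment gets a copy of the IP header with the same identification field;
    each piece of the original IP payload is a multiple of 8 bytes except the last.
    """
    if len(datagram) <= mtu:
        return [datagram]
    header, payload = datagram[:IPV4_HEADER_LEN], datagram[IPV4_HEADER_LEN:]
    chunk = ((mtu - IPV4_HEADER_LEN) // 8) * 8
    fragments, offset = [], 0
    while offset < len(payload):
        piece = payload[offset:offset + chunk]
        more_fragments = 1 if offset + len(piece) < len(payload) else 0
        flags_and_offset = (more_fragments << 13) | (offset // 8)
        hdr = (header[:2]
               + struct.pack("!H", IPV4_HEADER_LEN + len(piece))   # new total length
               + header[4:6]                                        # same identification
               + struct.pack("!H", flags_and_offset)
               + header[8:])
        fragments.append(hdr + piece)
        offset += len(piece)
    return fragments


def frag_offset(fragment_bytes: bytes) -> int:
    """Byte offset of this fragment's data within the original datagram."""
    flags_and_offset = struct.unpack("!H", fragment_bytes[6:8])[0]
    return (flags_and_offset & 0x1FFF) * 8


def napt_can_map(fragment_bytes: bytes) -> bool:
    """A port-based NAT needs the UDP ports, which only the offset-0 fragment carries."""
    return frag_offset(fragment_bytes) == 0


def reassemble(fragments: List[bytes]) -> bytes:
    """What the receiver (or a NAT that reassembles) must do before it can see the ports."""
    ordered = sorted(fragments, key=frag_offset)
    return ordered[0][:IPV4_HEADER_LEN] + b"".join(f[IPV4_HEADER_LEN:] for f in ordered)


if __name__ == "__main__":
    # Constructed IKE message: a few hundred bytes of ISAKMP payloads plus a ~1.2 KB
    # DER certificate is comfortably over one Ethernet frame.
    ike_with_cert = b"\x00" * 1600
    frags = fragment(build_datagram(ike_with_cert))
    print(f"datagram of {IPV4_HEADER_LEN + UDP_HEADER_LEN + len(ike_with_cert)} bytes "
          f"-> {len(frags)} fragments")
    for i, f in enumerate(frags, 1):
        print(f"  fragment {i}: {len(f):5d} bytes, offset {frag_offset(f):5d}, "
              f"NAT can see UDP ports: {napt_can_map(f)}")
```

Running it with the 1600-byte constructed message gives two fragments; the second starts at byte offset 1480 and has no UDP header, so a NAT that forwards only what it can match on ports, and does not reassemble first, loses it and the IKE exchange stalls. That is also why the earlier reply's workaround of changing the transport, or a gateway that keeps its certificate payloads small, changes the outcome: the fix is to keep the message inside one frame or to use a device that handles fragments, not to open more ports.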