IPSEC VPN through firewall/router

Discussion in 'OT Technology' started by SLED, Dec 13, 2003.

  1. SLED

    SLED build an idiot proof device and someone else will

    Joined:
    Sep 20, 2001
    Messages:
    28,118
    Likes Received:
    0
    Location:
    AZ, like a bauce!
    IPSEC VPN through firewall

    I'm working with this lady on some contract stuff for her law office, and she had this guy working there on IT stuff before who set up this Netgear VPN firewall. Well, half of her employees work from home and need access to their files, which could consist of patient records and other confidential info. The VPN idea was fine until her employees started buying home firewall/routers. Wow, what a pain in the ass. I can get all the workstations connecting to her office from her employees' homes (behind the firewall), and it authenticates and everything, but it will NOT let anybody access any resources. I can't FTP, ping, or telnet to ANYTHING. Everything works just fine if I disconnect the router and plug the clients into the cable modem directly. I've tried almost everything. I made sure the home routers allowed IPsec passthrough and that FTP was allowed on incoming connections. I also tried putting the local IP address of the PC in the router's DMZ... still nothing.

    It's really throwing me for a loop, and all she needs is for her employees to access files securely over the internet. I'm about one nerve away from just installing Cygwin on her server with OpenSSH, forwarding port 22 through the router at the office and calling it a fucking day. They already have SFTP clients.

    It sucks because she already spent the money on the hardware... what do you think I should do? Is there anything else to try with the VPN side of things?
     
  2. DSHR

    Sounds like a similar problem I had, though less complicated.

    Broadband modems with dependent integrated firewalls are horrible.

    What are they using at the office for a connection, and does it have a firewall on it?

    Also, do you have ICMP enabled on the Netgear router? This may not be a good question since you're able to see files from the outside.

    If you're not able to ping the router or FTP, this may be the problem; seems odd though if you have DMZ enabled.

    Wish I could help more :hs: I'm a bit rusty with networking, so pardon me for any dumb suggestions.
     
  3. SLED

    No dumb suggestions, man. I'm willing to try just about anything at this point. I'm not blocking ICMP on either side of it (client or server). I forget the model, but the VPN server is a Netgear :ugh:
     
  4. 5Gen_Prelude

    What private IP address range are you handing out to VPN clients? Most home routers use 192.168.1.x. If your VPN addresses are in the same class, you'll have all kinds of networking problems. In other words, try changing your VPN IP addresses to the Class A range (10.x.x.x).
     
  5. You might be f-d. A lot of cheaper VPN solutions can't read/handle the several-times-encapsulated packet structure that multiple SOHO routers (or multiple routers of any kind, of course) force on you. I couldn't use my Linksys when we used the Symantec Raptor VPN client for our Raptor firewall at the office. Now that we've moved to a Cisco solution, it's golden. I could authenticate, and allegedly the tunnels were built, but I had zero resource accessibility with the Raptor solution.
     
  6. Interesting. I was also just reading about VPN solutions that attempt to use certificates that fragment at the router due to being over the standard frame length. A list of routers that exhibited fragmented-certificate problems that seem similar to what you describe:

    Linksys BEFSRxx v1.39 or v1.40.1

    SMC 7004BR Barricade R1.93e

    Nexland Pro400 V1 Rel 3M

    NetGear RT314 V3.24(CA.0)

    Asante FR3004 V2.15 or later

    http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/rel401/401_clnt.htm (halfway down) ... just a thought.
     
  7. SLED

    Dude, I just looked at the router, and it's that RT314... I did also try a newer D-Link though, and it did the same thing :sad2:

    Oh well, I think I'm going to set up the SFTP server... she only needs to grant access to the files anyway.
     
  8. Balzz

    Check if there are any firmware upgrades that allow the VPN termination device to support NAT Transparency, i.e. encapsulation with a UDP wrapper.
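    The NAT Transparency pointer above matches the symptom SLED describes (IKE authenticates, then no traffic flows). As an added illustration that is not part of the thread or any vendor's code, the Python model below shows a port-translating home NAT passing IKE on UDP/500, having nothing to map for raw ESP (IP protocol 50 has no ports), and passing ESP again once it is wrapped in UDP/4500 per RFC 3948. The addresses, the port mapping scheme and the simplified NAT are assumptions; "IPsec passthrough" heuristics that track ESP by SPI for one host are deliberately left out so the baseline failure is visible.

```python
"""Toy model of a SOHO port-translating NAT, showing why IKE (UDP/500) and
therefore authentication succeed while raw ESP (IP protocol 50) carries no
port the translator can map, and how NAT-T's UDP/4500 wrapper (RFC 3948)
restores a mappable header. Added illustration; addresses are constructed
(RFC 1918 / RFC 5737) and the NAT logic is a simplified model, not any
router's firmware. SPI-tracking 'IPsec passthrough' is intentionally absent."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.7"      # constructed: home router WAN address
CLIENT_IP = "192.168.1.100"    # constructed: employee PC behind the router
OFFICE_IP = "198.51.100.20"    # constructed: office VPN gateway
ESP, UDP = 50, 17
IKE_PORT, NAT_T_PORT = 500, 4500
# RFC 3948: four zero bytes mark IKE inside UDP/4500; ESP SPI 0 is reserved so this is unambiguous
NON_ESP_MARKER = b"\x00\x00\x00\x00"


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for ESP: the protocol has no ports
    dport: Optional[int] = None
    spi: Optional[int] = None     # ESP only
    payload: bytes = b""


class SohoNat:
    """Port-based NAPT keyed on (proto, external port)."""

    def __init__(self) -> None:
        self._next_port = 40000
        self._table: Dict[Tuple[int, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.sport is None:
            return None  # raw ESP: nothing to build a mapping on; dropped in this model
        ext_port = self._next_port
        self._next_port += 1
        self._table[(pkt.proto, ext_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=PUBLIC_IP, sport=ext_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dport is None:
            return None  # raw ESP reply: no port to look up, dropped
        inside = self._table.get((pkt.proto, pkt.dport))
        if inside is None:
            return None
        return replace(pkt, dst=inside[0], dport=inside[1])


def nat_t_encapsulate(esp: Packet) -> Packet:
    """Wrap ESP in UDP/4500. The UDP payload begins with the ESP header (SPI first)."""
    body = esp.spi.to_bytes(4, "big") + esp.payload
    return Packet(UDP, esp.src, esp.dst, NAT_T_PORT, NAT_T_PORT, payload=body)


def nat_t_decapsulate(udp: Packet) -> Optional[Packet]:
    """Unwrap UDP/4500; a leading Non-ESP marker means IKE, not ESP."""
    if udp.proto != UDP or udp.dport != NAT_T_PORT or udp.payload[:4] == NON_ESP_MARKER:
        return None
    spi = int.from_bytes(udp.payload[:4], "big")
    return Packet(ESP, udp.src, udp.dst, spi=spi, payload=udp.payload[4:])


def ike_round_trip() -> bool:
    """UDP/500 crosses a plain NAT, which is why the client 'authenticates'."""
    nat = SohoNat()
    out = nat.outbound(Packet(UDP, CLIENT_IP, OFFICE_IP, IKE_PORT, IKE_PORT, payload=b"IKE"))
    reply = Packet(UDP, OFFICE_IP, out.src, IKE_PORT, out.sport, payload=b"IKE reply")
    back = nat.inbound(reply)
    return back is not None and back.dst == CLIENT_IP


def esp_round_trip(use_nat_t: bool) -> bool:
    """One ESP packet out, the gateway's reply (on the SPI it chose) back in."""
    nat = SohoNat()
    out = Packet(ESP, CLIENT_IP, OFFICE_IP, spi=0x1000, payload=b"request")
    if use_nat_t:
        out = nat_t_encapsulate(out)
    on_wire = nat.outbound(out)
    if on_wire is None:
        return False
    reply = Packet(ESP, OFFICE_IP, on_wire.src, spi=0x2000, payload=b"reply")
    if use_nat_t:
        reply = replace(nat_t_encapsulate(reply), dport=on_wire.sport)
    back = nat.inbound(reply)
    if back is not None and use_nat_t:
        back = nat_t_decapsulate(back)
    return back is not None and back.proto == ESP and back.dst == CLIENT_IP


if __name__ == "__main__":
    print("IKE through NAT:", ike_round_trip())
    print("raw ESP through NAT:", esp_round_trip(False))
    print("NAT-T ESP through NAT:", esp_round_trip(True))
```

    Both tunnel ends must support the UDP wrapper, which is why the advice points at the office termination device's firmware and not only at the home routers.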
     
  9. 5Gen_Prelude

    And my suggestion?
     
  10. SLED

    They are on separate subnets... tried that.
     
  11. BlazinBlazer Guy

    Forgive me, I'm tired as fuck, so my answers/questions may be unintelligible at this point. I'll look back at what I'm writing tomorrow.

    Is the office router/server/whatever trying to authenticate back to the home computers through any specific ports? If so, you might try setting up the home routers with port forwarding of those ports to the computer. Also, you might try doing a MAC address clone on the home routers so that it will see a NIC's MAC instead of a router's MAC and perhaps let it through.

    And did you try changing the address range being assigned by the router? Change from a 192.168.1.x scheme to something like 10.5.1.x and see if that makes any difference.

    :dunno:

    Of course, depending on what kind of server or whatnot the clients are trying to access, you could set up a "thin client" or VNC connection and just feed a desktop with all the apps/etc. over the network.
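    Posts 4, 10 and 11 circle the same second failure mode: a home router handing out the same 192.168.1.x prefix that the office uses. The Python below is an added illustration, not from the thread, of why that breaks the tunnel even when authentication succeeds: office addresses match the client's directly connected route, so packets are ARPed for on the home LAN and never enter the VPN. The route table, metrics and addresses are constructed assumptions about a typical client, not any product's behaviour; the last function generalises the "move to 10.x" advice by picking a prefix free of every employee's home network.

```python
"""Toy routing model for the subnet-overlap problem raised in this thread.
Added illustration with constructed (RFC 1918 / RFC 5737) addresses; the
route table and metrics are assumptions about a typical VPN client."""
import ipaddress
from typing import List, Optional, Tuple

# (prefix, outgoing interface, metric). Lower metric wins a tie on prefix length.
Route = Tuple[ipaddress.IPv4Network, str, int]


def client_routes(home_lan: str, office_lan: str) -> List[Route]:
    """Routing table a VPN client typically ends up with: the directly connected
    home LAN, a tunnel route for the office subnet the gateway pushed, and a
    default route out the home router. Metrics are assumed values."""
    return [
        (ipaddress.ip_network(home_lan), "lan", 10),
        (ipaddress.ip_network(office_lan), "vpn", 20),
        (ipaddress.ip_network("0.0.0.0/0"), "lan", 100),
    ]


def select_route(dest: str, routes: List[Route]) -> str:
    """Longest-prefix match; lower metric breaks ties. With identical home and
    office prefixes the connected route wins, so office traffic is ARPed for
    on the home LAN and never enters the tunnel."""
    addr = ipaddress.ip_address(dest)
    matching = [r for r in routes if addr in r[0]]
    best = max(matching, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]


def overlaps(home_lan: str, office_lan: str) -> bool:
    """True if any address is claimed by both networks."""
    return ipaddress.ip_network(home_lan).overlaps(ipaddress.ip_network(office_lan))


def first_free_prefix(in_use: List[str], pool: str = "10.0.0.0/8",
                      prefixlen: int = 24) -> Optional[str]:
    """Pick an office prefix that collides with none of the employees' home LANs:
    scan the pool for the first block free of every listed network."""
    taken = [ipaddress.ip_network(n) for n in in_use]
    for candidate in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(t) for t in taken):
            return str(candidate)
    return None


def diagnose(home_lan: str, office_lan: str, office_host: str) -> str:
    """Short verdict for one client / one office host pair."""
    iface = select_route(office_host, client_routes(home_lan, office_lan))
    if overlaps(home_lan, office_lan) and iface != "vpn":
        return f"{office_host} routed to '{iface}': home LAN {home_lan} shadows office {office_lan}"
    return f"{office_host} routed to '{iface}'"


if __name__ == "__main__":
    print(diagnose("192.168.1.0/24", "192.168.1.0/24", "192.168.1.10"))
    print(diagnose("192.168.1.0/24", "10.5.1.0/24", "10.5.1.10"))
    print(first_free_prefix(["192.168.1.0/24", "10.0.0.0/24", "10.0.1.0/24"]))
```

    Renumbering the office side is usually the practical fix, since the employees' home routers are outside anyone's control and will keep defaulting to 192.168.0.x or 192.168.1.x.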
     
