IPSec VPN Question

Jul 10, 2019
Hi guys,

I need assistance on a setup we have here. We currently have an ISP-provided router that can only do VPN passthrough, but we need an IPSec connection to our data center.

We now bought a TPLINK-600VPN that can do IPSec, but need assistance on the connection.

I need to understand how I can use the IPSec on the TP-Link to connect to our data center. Any help would be appreciated.
 
IPSEC is one of the harder ones to set up, mostly because you must manually set many of the options. It is mostly a matter of setting it up and then watching the error messages; they will tell you what things do not match.

It must run in what is called NAT-T mode. The remote end must allow for this; if it is configured to only accept the most strict implementation it will never work. The end device must have the actual IP address assigned to it, which would mean the IPSEC would need to go on the ISP router. Most people do not run it this way since having NAT in the path is so common.

Details like this, and what all the encryption key options are, are something the data center IT staff are going to have to tell you.

IPSEC is mostly learned by trying it; you can read all the stuff, but there are so many options it quickly becomes confusing. The data center may have a sample configuration you can start with.
 
Jul 10, 2019
Hi bill001g, I've set up the IPSec configurations on the secondary router to match the ones at the DC. The secondary router (TP-Link) has a web interface for these VPN (IPSec) configurations. My issue now is having it work; there are some applications at the DC we would like to access from our office network. The primary router (ISP router) has a WAN IP, and the secondary router is using a LAN IP.

I'm not sure how I would get VPN to work from the secondary router to the DC, if the primary router has no IPSec feature.

Thanks so much for the response.
 
Generally you need to port forward UDP 500. The main router should support IPsec passthrough. This is because IPSEC does not use UDP or TCP; it uses protocols 50 & 51. Since port forwarding only supports TCP and UDP, a router needs special support to allow it to pass these other protocols. It generally just works; you do not have to configure anything if the router has the feature. In some cases you will need to port forward UDP 4500, but that depends on what IPsec option you are using.
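Added example, not from this thread or from TP-Link: a small Python classifier over constructed IPv4 packets that labels the traffic types the reply above lists (IKE on UDP 500, ESP and AH as IP protocols 50 and 51, NAT-T on UDP 4500), so a capture taken on the ISP router side shows whether the tunnel is sending raw ESP that a plain port forward cannot carry. It goes one step beyond the post by separating IKE from UDP-encapsulated ESP on port 4500 using the RFC 3948 four-zero-byte non-ESP marker; the packet builders and addresses are constructed for the demo.

```python
# Added example (not from the thread): classify constructed IPv4 packets as
# the IPsec traffic types discussed above, so a defender can tell from a
# capture whether the tunnel uses raw ESP/AH (IP protocol 50/51, which a
# TCP/UDP port forward cannot carry) or NAT-T (UDP 4500).
import struct

IKE_PORT, NATT_PORT = 500, 4500
PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51

def classify_ipsec(packet: bytes) -> str:
    """Return a label for one raw IPv4 packet (header + payload)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4      # header length in bytes
    proto = packet[9]                 # IPv4 protocol field
    if proto == PROTO_ESP:
        return "esp (ip proto 50): needs IPsec passthrough, not a port forward"
    if proto == PROTO_AH:
        return "ah (ip proto 51): needs IPsec passthrough, not a port forward"
    if proto != PROTO_UDP or len(packet) < ihl + 8:
        return "other"
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    payload = packet[ihl + 8:]        # skip the 8-byte UDP header
    if IKE_PORT in (sport, dport):
        return "ike (udp 500): forward UDP 500"
    if NATT_PORT in (sport, dport):
        # RFC 3948: on UDP 4500 a 4-byte zero "non-ESP marker" precedes IKE;
        # anything else is UDP-encapsulated ESP (an ESP SPI is never 0).
        if payload[:4] == b"\x00\x00\x00\x00":
            return "ike over nat-t (udp 4500): forward UDP 4500"
        return "esp over nat-t (udp 4500): forward UDP 4500"
    return "other"

def build_ipv4(proto: int, payload: bytes,
               src="192.0.2.10", dst="198.51.100.1") -> bytes:
    """Constructed packet with a minimal 20-byte IPv4 header (checksum 0)."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return hdr + payload

def udp(sport: int, dport: int, data: bytes) -> bytes:
    """Constructed UDP header (checksum 0) followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
```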
 
Jul 10, 2019
Thanks a lot, let me try that. Do I port forward from the TP-Link to the main router (ISP)? So basically TP-Link private IP to ISP router public IP and the ports?