NetMAX FAQ : NetMAX VPN Server Suite (Virtual Private Networking) :
How do I get my VPN client to work from behind a NAT?

General Howto for getting a VPN client to work from behind a NAT

Thanks to contributions from NetMAX VAR Gregg Sloop

This article describes one implementation of getting a VPN client to work behind a NAT gateway.
This is a source of confusion and frustration for a lot of folks, and we hope that this article will help get you moving forward.
Be forewarned, however, this article delves into some pretty arcane technical stuff that you may not understand.
Your mileage may vary.

Assumptions:

  1. The router or machine which is acting as the Internet gateway for the VPN client either natively supports "VPN/IPSEC passthrough" or can be configured to pass VPN traffic through port forwarding.
  2. The person following this procedure has a NetMAX-compatible VPN client installed on a system behind a NAT gateway.

If the gateway has native support for IPSEC passthrough, things just might work without making any changes at all.
However, some routers will require you to specify the host to which the VPN traffic should be passed.
If this is the case with yours, simply follow the manufacturer instructions and tell the router the proper host to redirect such traffic.
If, however, your gateway does not have native support for IPSEC passthrough, you can accomplish the same thing using traffic filtering and redirection.
The first step is to set up traffic rerouting to send UDP traffic destined for the external IP address of the NAT gateway on port 500 to the internal machine.
In NetMAX, this is accomplished under HOME|Network|Routing|Reroute.
Included below are the guidelines for creating the necessary rules on the external interface of the firewall.
They are set up for a NetMAX, but can easily be adapted for most firewalls.

    Direction:   Input
    Action:      Allow
    Source:      Any
      Protocol:  UDP
      Port:      500
    Destination: IP of this NetMAX
      Protocol:  UDP
      Port:      500

    Direction:   Output
    Action:      Allow
    Source:      IP of this NetMAX
      Protocol:  UDP
      Port:      500
    Destination: Any
      Protocol:  UDP
      Port:      500

    Direction:   Forward
    Action:      Allow
    Source:      Any
      Protocol:  ESP
    Destination: Any
      Protocol:  ESP

At this point, things should be working, if your NAT gateway truly supports VPN passthrough.
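The rule table above translates directly onto a Linux gateway that does its NAT with Netfilter. The script below is an added example, not NetMAX's own configuration or code: the external interface name eth0, the internal client address 192.168.1.10 and the use of iptables are assumptions. It only prints the commands for the three rules (redirect inbound UDP/500 to the client, allow UDP/500 out from the client, and forward ESP in both directions) so that you can review them before applying them.

```shell
#!/bin/sh
# Added example: print iptables commands that implement the NetMAX
# "VPN passthrough" rule set on a generic Linux NAT gateway.
# Assumptions: $1 is the external interface, $2 is the internal VPN client.
passthrough_rules() {
    if [ "$#" -ne 2 ]; then
        echo "usage: passthrough_rules <external-interface> <internal-client-ip>" >&2
        return 1
    fi
    ext_if="$1"
    vpn_host="$2"

    # Rule 1 (Input, UDP/500): IKE arriving at the gateway's public address
    # is redirected to the single internal client, then allowed through.
    printf 'iptables -t nat -A PREROUTING -i %s -p udp --dport 500 -j DNAT --to-destination %s:500\n' "$ext_if" "$vpn_host"
    printf 'iptables -A FORWARD -i %s -p udp --dport 500 -d %s -j ACCEPT\n' "$ext_if" "$vpn_host"

    # Rule 2 (Output, UDP/500): IKE leaving the client; after the gateway's
    # normal source NAT it appears to come from the gateway's own address.
    printf 'iptables -A FORWARD -o %s -p udp --sport 500 -s %s -j ACCEPT\n' "$ext_if" "$vpn_host"

    # Rule 3 (Forward, ESP): ESP has no port numbers, so inbound ESP can only
    # be handed to one internal host; both directions are then forwarded.
    printf 'iptables -t nat -A PREROUTING -i %s -p esp -j DNAT --to-destination %s\n' "$ext_if" "$vpn_host"
    printf 'iptables -A FORWARD -p esp -j ACCEPT\n'
}

# Stand-alone run: print the rule set for the assumed interface and client.
passthrough_rules "${1:-eth0}" "${2:-192.168.1.10}"
```

Pipe the output to `sh` on the gateway once you have checked it. Because ESP carries no port, the protocol-50 redirect can target only one internal address; that is the reason routers without automatic passthrough make you name the host that receives VPN traffic, and it also means a second client behind the same gateway cannot share this passthrough.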
This document is: http://www.netmax.org/cgi-bin/fom.cgi?file=557
This is a Faq-O-Matic 2.721.
This FAQ is administered by Cybernet Systems Corp.