Troubleshooting VPN passthrough for Home Routers
VPN is a way to connect two secure networks over the Internet for example a home network and one in a business. It needs special equipment or software at both ends.
The term "VPN passthrough" on routers means that the equipment does NOT support one of the endpoints, but only that it allows traffic from those endpoints to "pass through". All NETGEAR routers support VPN passthrough for IPSec, PPTP and L2TP. To create one of these endpoints, see What is VPN?.
This article applies if you were already connected with VPN, but installing a NETGEAR router stopped your VPN from working.
NETGEAR routers with VPN passthrough are intended to work without modification, however sometimes troubleshooting is necessary to localize a problem.
List of routers and their VPN connections. If your router supports 0 VPN terminators, you need other equipment or software besides the router.
To Troubleshoot VPN passthrough
Any of these steps may solve the problem:
- If your equipment supports NAT-T (NAT Traversal), turn it on.
- Contact your network administrator to understand details of how you need to configure your VPN software. (Common software is Cisco NAT-T and NETGEAR ProSafe).
- If your company uses L2TP passthrough, register your computer's MAC address with your company's system adminstrator. The address is found on the bottom label of the router
- Upgrade to the latest router firmware.
- Turn port forwarding for the VPN ports: 50, 51, (and 500, for IPSec VPN's). Turn on port 1723 for PPTP VPN's- used for PPTP control. Turn on port 1701 for L2tp- L2tp routing and remote access.
- By default the router's firewall is configured to drop (delete) ICMP packets sent from outside your network to the WAN port. Your VPN may require the ICMP packets. To accept them:
i. Log in to the router using a browser by typing http://192.168.0.1 or http://192.168.1.1.
ii. Type admin for the username and password for the password (unless you change the password from the default). Older routers use 1234 for the default password.
iii. Select WAN Setup > Advanced > Respond to Ping on Internet Port.
iv. Click Apply.
Number of VPN Passthrough Connections Limited by Network Configuration
The VPN passthrough feature on a router does not create one of the endpoints needed to create a VPN tunnel. The feature merely lets a tunnel created by others to "pass through" the router. See What is VPN? for background information on VPN. The number of VPN passthrough connections is limited by:
- The maximum number of VPN passthroughs the NETGEAR router can handle, and
- Whether the VPN connection is for more than one VPN gateway, and
- Whether the VPN gateway supports NAT traversal detection.
The maximum number of VPN passthrough connections that NETGEAR routers have is described here.
This illustration shows two VPN passthrough connections through a NETGEAR router (one red and one blue).
The next example differs because, although there is only one VPN gateway, all three computers behind the NETGEAR router are showing the same public IP address to the Internet. That is, the router is using NAT to convert all the private IP addresses to one public IP address. Therefore the VPN gateway on the outside cannot tell the difference between the computers all the traffic from them appears to the VPN gateway to be from the same computer.
The above configuration will work, however, if the VPN Gateway supports NAT traversal detection. The newer NETGEAR routers FVS318v3, FVS124G, FVS338, and FVX538 do this. (The VPN client, which is the initiator of the tunnel, does not need NAT traversal detection.)