VPN routing with a linksys BEFVP41

jkj

Senior member
Nov 6, 2001
Guys, I'm hooking up a network that needs to be connected with a Linksys BEFVP41 router to a VPN at all times. The router will plug into the switch, which will lead to all the computers. Will I encounter any access problems connecting with the VPN through separate computers? It will appear that I connect to the VPN with the same IP for all computers. What about traffic? Will multiple users be able to communicate on the VPN at the same time? Collisions, etc.? I've never hooked up one of these VPN routers before and I'm trying to find out what sort of problems I may run into. Is there a better router to do this with? Thanks in advance.
 

Garion

Platinum Member
Apr 23, 2001
There are a lot of reasons that this doesn't work. Your router usually needs to be aware of the IPSec VPN protocol and be able to "fix up" the connections.

IPSec is not very friendly behind a NAT. The worst problem is that it uses a static source and destination UDP port and doesn't negotiate ports for the IKE (Internet Key Exchange) communication. This means that if you have one connection, it has "locked" the source and destination port on the NAT device and others can't get through.

Most VPN applications recognize this problem and have something called IPSec NAT Traversal (a.k.a. NAT-T), or something similar. This feature allows the client and server to move their connection to a random high port once they have established the connection and authenticated. This leaves the unchangeable, unsharable ports available for other machines to start VPN connections.

There's a large amount of information about this topic available here. It's a Microsoft article, but generally correct.

Summary: Your router/firewall needs to be smart enough to handle it and your VPN server needs to do NAT-T for it to work with multiple people behind a NAT.

- G
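As an added illustration (not from the thread or any router's firmware), the toy NAT table below models the part of the problem that standardized NAT-T (RFC 3948) removes: ESP packets carry no port numbers, so a classic NAT can key only one inside host's tunnel to a given peer, while ESP wrapped in UDP on port 4500 gets its own translated source port per host. Addresses are documentation ranges and the inside hosts are constructed.

```python
"""Toy NAT translation table: why one office NAT lets only a single host
reach the hospital VPN over raw ESP, but several over NAT-T (UDP/4500).
Constructed simulation; not code from any router or from the thread."""
from dataclasses import dataclass, field

VPN_SERVER = "203.0.113.10"  # hospital VPN gateway (documentation address)
NAT_PUBLIC = "198.51.100.1"  # office router WAN address (documentation address)
UDP, ESP = 17, 50            # IP protocol numbers; ESP has no port fields


@dataclass
class Nat:
    """Minimal NAPT: maps an inside host's flow to an outside flow key."""
    public_ip: str
    next_port: int = 40000
    table: dict = field(default_factory=dict)  # outside flow key -> inside host

    def translate(self, inside_ip, proto, dst_port=None):
        """Return the outside flow key the VPN server sees, or None when the
        NAT cannot tell this flow apart from one it already holds."""
        if proto == ESP:
            # Only (proto, outside_ip, peer_ip) is available to key on, so a
            # second inside host to the same peer is indistinguishable.
            key = (ESP, self.public_ip, VPN_SERVER)
            if self.table.get(key, inside_ip) != inside_ip:
                return None
        else:
            # UDP has a source port the NAT can rewrite uniquely per host.
            key = (UDP, self.public_ip, self.next_port, VPN_SERVER, dst_port)
            self.next_port += 1
        self.table[key] = inside_ip
        return key


def connect_all(hosts, nat_t):
    """Bring up a tunnel from each inside host; return those that succeed."""
    nat = Nat(NAT_PUBLIC)
    up = []
    for host in hosts:
        nat.translate(host, UDP, 500)  # IKE over UDP/500 translates fine
        # Data path: raw ESP, or ESP-in-UDP/4500 once NAT-T is negotiated.
        data = nat.translate(host, UDP, 4500) if nat_t else nat.translate(host, ESP)
        if data is not None:
            up.append(host)
    return up


if __name__ == "__main__":
    office = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]  # constructed inside hosts
    print("raw ESP:", connect_all(office, nat_t=False))  # only the first host
    print("NAT-T  :", connect_all(office, nat_t=True))   # all three
```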
 

jkj

Senior member
Nov 6, 2001
Thank you very much... Do you have a suggestion on which router to use to do this? The more I look at it, the more I consider going with the Linksys/Cisco RV082, which is an 8-port switch, since I only need 8 computers to be connected, and just get rid of the 24-port switch altogether. Anyway, what specifically do you mean by the router being smart enough? I'll find out if the server side has NAT-T. Where should I send the Gmail invite?
 

Garion

Platinum Member
Apr 23, 2001
Switches are cheap. If you need 8 ports, stick them all on your 24-port switch and connect it to your router with a crossover. That gives you better expansion rather than having to depend on the built-in switch on the router.

You know, I think I might have misunderstood your original post. I thought you needed a router to sit in front of a bunch of machines that have individual VPN clients. I think what you actually want to do is to have your router be a VPN server and have everyone connect. If so, that's fine and the Linksys box should do a good job of it.

- G
 

jkj

Senior member
Nov 6, 2001
No, I think you were right on to start with. This is going in a doctor's office that connects to a hospital's VPN for records, etc. The hospital has the VPN. I want a router at the office that can connect to the hospital VPN and allow everyone access to records, etc. Right now everyone has to log on with VPN software, and only one user can be on in the office; this is the problem I'm trying to solve. :p
 

Garion

Platinum Member
Apr 23, 2001
OK - Remember that NAT-T is a configuration of the VPN server, not on your local network. The hospital VPN server must be configured to support it. If they do that, it'll probably fix their problem without any upgrades, assuming they have a router that's been made in the last 5 years.

- G
 

jkj

Senior member
Nov 6, 2001
OK, so you're saying that if the hospital had NAT-T, the users at the office could all be on at once using the software solution?
 

Garion

Platinum Member
Apr 23, 2001
Yes indeed. Figure out what the vendor for their VPN is and then do a bit of research. Find the EXACT feature somewhere on the web, then send it to the guys that run the hospital VPN. Much easier than trying to describe it to them.

- G
 

jkj

Senior member
Nov 6, 2001
It sucks that's the way it is. The hospital obviously doesn't have this b/c now they get bumped off if multiple users attempt to log in with the Cisco VPN software.
 

jkj

Senior member
Nov 6, 2001
OK, I spoke to the hospital today and their stuff does support NAT-T; they recommended the office get a Cisco 831. Anyway, he seems to think the Linksys router will only allow 1 tunnel.... Any suggestions?
 

Garion

Platinum Member
Apr 23, 2001
Interesting - You tried a firmware upgrade on the existing router?

Also, look around the config somewhere - probably in filters - and make sure that "IPSec Pass Through" is enabled.

- G