gordo5
Mar 02, 2020, Aspirant
Port Forwarding for IPsec
I don't want to use the built in vpn server and I've set up a RAS server at home and I can successfully connect to it locally using either PPTP or L2TP/IPsec. I've also created a port forwarding rul...
CrimpOn
Mar 02, 2020, Guru - Experienced User
Have you tried creating rules for these ports just as you did for the PPTP?
When creating rules, I ignore the drop down menu and create everything as a "Custom Rule". Give it a cool name, enter the port, select TCP and/or UDP.
- gordo5, Mar 02, 2020, Aspirant
Well, that is actually the problem. The custom rule only allows you to select ports in Protocol 6 (TCP) and Protocol 17 (UDP). IPSec uses Protocol 50 (ESP) and Protocol 51 (AH).
Here is a nice summary:
https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
I saw the dropdown had a pre-defined rule for PPTP, which can be config'd using the custom rules. If the custom rules won't allow you to configure IPsec, it would be nice if it was included in the pre-defined dropdown.
- CrimpOn, Mar 02, 2020, Guru - Experienced User
Of course, you are correct. (I now have a Dunce Cap for every day of the week!) Looks like you are stuck with either PPTP on the RAS or OpenVPN (on the Orbi itself). I have been very happy with OpenVPN on my Orbi.
Perhaps you could hack at the iptables. I know that Voxel's custom firmware for the RBR50 allows customizing iptables. (I am also happy with this firmware. Probably fat and dumb as well.)
- schumaku, Mar 03, 2020, Guru - Experienced User
ESP can never work as the NAT router would only translate the "outer" IP addresses, but there is no port information, ... so things will go bollocks.
Look for L2TP/IPsec with NAT-T, here the ESP packets will be encapsulated in packets using port 4500/UDP. Before, IKE will run on 500/UDP. AFAIK that's all you need to expose by adding forward rules.
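To make the point above concrete, here is an added example (not from this thread or from NETGEAR) that builds a few constructed IPv4 packets and classifies them: raw ESP (protocol 50) and AH (protocol 51) carry only an SPI after the IP header, so a TCP/UDP port-forwarding rule has no port field to match on, while NAT-T wraps the same ESP header inside UDP on port 4500 (RFC 3948, with a four-byte all-zero "non-ESP marker" distinguishing IKE from ESP on that port), and IKE runs on UDP 500. The packet builder, the sample SPI values and the addresses are constructed for the demonstration; only the Python standard library is used.

```python
"""Classify IPsec-related IPv4 packets and report whether a TCP/UDP
port-forwarding rule can match them.  All packets below are constructed
samples, not captures."""
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 6, 17, 50, 51
IKE_PORT, NATT_PORT = 500, 4500


def build_ipv4(proto: int, payload: bytes,
               src="192.0.2.10", dst="198.51.100.1") -> bytes:
    """Minimal 20-byte IPv4 header (no options, checksum left 0) + payload."""
    octets = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, octets(src), octets(dst))
    return hdr + payload


def build_udp(sport: int, dport: int, body: bytes) -> bytes:
    """UDP header (checksum left 0) + body."""
    return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body


def classify(pkt: bytes) -> dict:
    """Return what kind of IPsec traffic this is and whether a NAT router
    could select it with a TCP/UDP port rule."""
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    proto = pkt[9]                      # IPv4 protocol number field
    payload = pkt[ihl:]
    if proto == IPPROTO_ESP:            # ESP: SPI(4) seq(4) then ciphertext
        spi, _seq = struct.unpack("!II", payload[:8])
        return {"kind": "ESP", "spi": spi, "port_forwardable": False}
    if proto == IPPROTO_AH:             # AH: next(1) len(1) rsvd(2) SPI(4) seq(4)
        spi, _seq = struct.unpack("!II", payload[4:12])
        return {"kind": "AH", "spi": spi, "port_forwardable": False}
    if proto == IPPROTO_UDP:
        _sport, dport, _ulen, _csum = struct.unpack("!HHHH", payload[:8])
        body = payload[8:]
        info = {"dport": dport, "port_forwardable": True}
        if dport == IKE_PORT:
            info["kind"] = "IKE"
        elif dport == NATT_PORT:
            if body == b"\xff":                      # RFC 3948 NAT-keepalive
                info["kind"] = "NAT-keepalive"
            elif body[:4] == b"\x00\x00\x00\x00":    # non-ESP marker => IKE
                info["kind"] = "IKE"
            else:                                    # UDP-encapsulated ESP
                info["kind"] = "ESP-in-UDP"
                info["spi"] = struct.unpack("!I", body[:4])[0]
        else:
            info["kind"] = "UDP"
        return info
    return {"kind": f"proto-{proto}", "port_forwardable": proto == IPPROTO_TCP}


def summarize(packets) -> dict:
    """Which (proto, port) forward rules a set of packets needs, and which
    packet kinds no port rule can ever cover."""
    rules, blocked = set(), set()
    for p in packets:
        c = classify(p)
        if c["port_forwardable"] and "dport" in c:
            rules.add(("udp", c["dport"]))
        elif not c["port_forwardable"]:
            blocked.add(c["kind"])
    return {"forward": sorted(rules), "unforwardable": sorted(blocked)}


# Constructed samples (SPI values are arbitrary, ciphertext is zero filler).
ESP_HDR = struct.pack("!II", 0xC0FFEE01, 7) + b"\x00" * 16
RAW_ESP = build_ipv4(IPPROTO_ESP, ESP_HDR)
RAW_AH = build_ipv4(IPPROTO_AH,
                    struct.pack("!BBHII", IPPROTO_UDP, 4, 0, 0xABCD0001, 1) + b"\x00" * 12)
NATT_ESP = build_ipv4(IPPROTO_UDP, build_udp(4500, 4500, ESP_HDR))
NATT_IKE = build_ipv4(IPPROTO_UDP, build_udp(4500, 4500, b"\x00" * 4 + b"\x00" * 28))
IKE_500 = build_ipv4(IPPROTO_UDP, build_udp(500, 500, b"\x00" * 28))
KEEPALIVE = build_ipv4(IPPROTO_UDP, build_udp(4500, 4500, b"\xff"))

if __name__ == "__main__":
    for name, p in [("raw ESP", RAW_ESP), ("raw AH", RAW_AH), ("NAT-T ESP", NATT_ESP),
                    ("NAT-T IKE", NATT_IKE), ("IKE/500", IKE_500), ("keepalive", KEEPALIVE)]:
        print(f"{name:10s} -> {classify(p)}")
    print(summarize([RAW_ESP, RAW_AH, NATT_ESP, NATT_IKE, IKE_500, KEEPALIVE]))
```

Running it shows the two raw packets flagged as unforwardable and exactly two rules, UDP 500 and UDP 4500, covering every NAT-T packet; that is the whole reason the custom-rule form only offering protocols 6 and 17 is sufficient once the client and server negotiate NAT-T.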
- gordo5, Mar 06, 2020, Aspirant
Thanks. I wasn't aware of the NAT issue with ipsec. I've moved onto SSTP, which just needs tcp/443. Took several stabs to get the certs right (or, at least, close enough), but it works now. Too bad there isn't any native Android support for it...
I went this route because I found the ORBI one slow. I don't think the orbi processor is up to the task except for light duty things, like rdp. Running my own vpn I can saturate my bandwidth. :-)