Ask the Expert

After setting up a wireless router, I can no longer get on the VPN

After I connected my wireless router (Netgear MR814), I cannot connect to my Nortel Contivity VPN anymore. It disconnects right after displaying "Checking for banner text". Without the router, everything works fine. I even tried another wireless router (US Robotics USR808054CAN); it has the same problem. If it is the wireless routers' problem, can you suggest one that will work?


The symptom you describe (the Nortel Contivity VPN client hanging at "Checking for banner text") is a very common indicator of a Network Address Translation (NAT) problem. In short, your VPN tunnel is being established (i.e., the IKE negotiation on UDP port 500 gets through your router), but the tunnel's data traffic is being blocked in the inbound direction (i.e., IPsec ESP, IP protocol 50, does not get back through your router). Your VPN client is waiting for the expected banner text, which arrives inside ESP and is therefore blocked, and eventually times out.

There are two ways for VPN clients to successfully make it through a NAT-ing device like a broadband/wireless router: VPN pass-through and NAT traversal.

  1. With VPN pass-through, the NAT-ing device watches the VPN tunnel being established and uses some heuristic to map arriving VPN data back to the inside host that established the tunnel. For example, when using IPsec VPNs, the NAT-ing device may forward inbound ESP (IP protocol 50) to the inside host that most recently sent outbound IKE (UDP port 500) traffic. Because ESP carries no port numbers for the router to rewrite, it is not unusual for this approach to work for only one VPN tunnel at a time, or to work better with some VPN clients than others.

  2. With NAT traversal, the VPN client and gateway cooperate so that nothing special is needed from the NAT-ing device. They detect the presence of a NAT-ing device during tunnel establishment and agree to encapsulate VPN traffic inside a standard UDP envelope. The VPN client wraps outbound ESP inside a UDP header; the NAT-ing device just sees a regular UDP packet and translates the IP address and UDP port in the normal fashion. The VPN gateway sends ESP inside UDP as well, so the NAT-ing device can use the same translated IP address and UDP port number to map inbound packets back to the right VPN client.
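To make the difference between the two approaches concrete, here is a toy NAT model. It is an added example, not code from this column, from Netgear or from Nortel. It assumes one simplistic pass-through heuristic (inbound ESP goes to whichever inside host most recently sent IKE) and the IETF NAT-T framing from RFC 3948 (UDP port 4500, a four-byte zero "non-ESP marker" in front of IKE, a single 0xFF keepalive byte); a Contivity gateway may be configured for a different NAT traversal port, and all addresses, SPIs and payloads below are constructed. Two inside clients bring up tunnels through the same router: with raw ESP and pass-through, the second client's IKE steals the ESP mapping and the first client never receives its banner; with ESP inside UDP, each client keeps its own port mapping and both are served.

```python
"""Toy NAT model of IPsec pass-through versus NAT traversal (NAT-T).

Added example, not code from the column, Netgear or Nortel; addresses, ports
above 40000, SPIs and payloads are constructed. The pass-through rule (inbound
ESP goes to whichever inside host most recently sent IKE) is one simple
heuristic, used here to show why such rules tend to serve one tunnel at a time.
NAT-T framing follows RFC 3948: UDP 4500, a 4-byte zero non-ESP marker before
IKE, a single 0xFF keepalive byte, raw ESP (SPI first) otherwise.
"""
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP, GATEWAY = "203.0.113.10", "198.51.100.1"          # router public IP, VPN gateway
HOST_A, HOST_B = "192.168.0.2", "192.168.0.3"                # two inside VPN clients
PROTO_UDP, PROTO_ESP = 17, 50
IKE_PORT, NAT_T_PORT = 500, 4500
NON_ESP_MARKER, NAT_KEEPALIVE = b"\x00\x00\x00\x00", b"\xff"
SPI = {HOST_A: b"\x10\x00\x00\x01", HOST_B: b"\x10\x00\x00\x02"}   # constructed ESP SPIs


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int]          # None for ESP, which carries no port fields
    dport: Optional[int]
    payload: bytes


class ToyNat:
    """Port-translating NAT plus a one-host IPsec pass-through rule."""
    def __init__(self) -> None:
        self.out_map: dict[tuple[str, int], int] = {}   # (inside ip, port) -> public port
        self.in_map: dict[int, tuple[str, int]] = {}    # public port -> (inside ip, port)
        self.esp_host: Optional[str] = None             # inside host that last sent IKE
        self.next_port = 40000

    def outbound(self, p: Packet) -> Packet:
        if p.proto == PROTO_UDP:
            key = (p.src, p.sport)
            if key not in self.out_map:                 # allocate a public port once per flow
                self.out_map[key] = self.next_port
                self.in_map[self.next_port] = key
                self.next_port += 1
            if p.dport == IKE_PORT:                     # pass-through: note who negotiated
                self.esp_host = p.src
            return Packet(PUBLIC_IP, p.dst, PROTO_UDP, self.out_map[key], p.dport, p.payload)
        if p.proto == PROTO_ESP:                        # only the source IP can be rewritten
            return Packet(PUBLIC_IP, p.dst, PROTO_ESP, None, None, p.payload)
        raise ValueError("unsupported protocol")

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Translate a packet arriving from the Internet; None means it is dropped."""
        if p.proto == PROTO_UDP:
            key = self.in_map.get(p.dport)
            return None if key is None else Packet(p.src, key[0], PROTO_UDP, p.sport, key[1], p.payload)
        if p.proto == PROTO_ESP and self.esp_host is not None:
            return Packet(p.src, self.esp_host, PROTO_ESP, None, None, p.payload)
        return None


def nat_t_classify(payload: bytes) -> str:
    """Demultiplex a UDP 4500 payload the way an RFC 3948 receiver does."""
    if payload == NAT_KEEPALIVE:
        return "keepalive"
    if payload.startswith(NON_ESP_MARKER):
        return "ike"
    return "esp"


def simulate_pass_through() -> dict[str, list[str]]:
    """Two clients send raw ESP. Returns {receiving host: [hosts the ESP was meant for]}."""
    nat = ToyNat()
    got: dict[str, list[str]] = {HOST_A: [], HOST_B: []}
    for host in (HOST_A, HOST_B):
        nat.outbound(Packet(host, GATEWAY, PROTO_UDP, IKE_PORT, IKE_PORT, b"IKE"))
        nat.outbound(Packet(host, GATEWAY, PROTO_ESP, None, None, SPI[host] + b"hello"))
    for host in (HOST_A, HOST_B):        # gateway answers each client under that client's SPI
        reply = nat.inbound(Packet(GATEWAY, PUBLIC_IP, PROTO_ESP, None, None, SPI[host] + b"banner"))
        if reply is not None:
            got[reply.dst].append(host)
    return got


def simulate_nat_t() -> dict[str, list[str]]:
    """Same clients with NAT-T: IKE floats to UDP 4500 and ESP rides inside that UDP flow."""
    nat = ToyNat()
    got: dict[str, list[str]] = {HOST_A: [], HOST_B: []}
    public_port: dict[str, int] = {}
    for host in (HOST_A, HOST_B):
        nat.outbound(Packet(host, GATEWAY, PROTO_UDP, IKE_PORT, IKE_PORT, b"IKE NAT-D"))   # NAT detected
        out = nat.outbound(Packet(host, GATEWAY, PROTO_UDP, NAT_T_PORT, NAT_T_PORT, NON_ESP_MARKER + b"IKE"))
        public_port[host] = out.sport                   # the port the gateway will reply to
        nat.outbound(Packet(host, GATEWAY, PROTO_UDP, NAT_T_PORT, NAT_T_PORT, SPI[host] + b"hello"))
    for host in (HOST_A, HOST_B):
        reply = nat.inbound(Packet(GATEWAY, PUBLIC_IP, PROTO_UDP, NAT_T_PORT, public_port[host], SPI[host] + b"banner"))
        if reply is not None and nat_t_classify(reply.payload) == "esp":
            got[reply.dst].append(host)
    return got
```

Running simulate_pass_through() shows HOST_B receiving both banners and HOST_A receiving nothing, which is exactly the "Checking for banner text" hang on the client whose mapping was displaced; simulate_nat_t() delivers each banner to the right client because the router only ever translated ordinary UDP. A real router's pass-through may key on the ESP SPI rather than the last IKE sender, but it still has to guess, which is why the behaviour varies from client to client.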

The Netgear MR814 supports IPsec VPN pass-through, although I have seen some user posts suggesting that it only supports one tunnel at any given time. Your Nortel Contivity VPN client supports NAT traversal, although this option must be enabled on the VPN gateway to use it. I'm guessing that the MR814's VPN pass-through implementation isn't compatible with your version of the Contivity VPN client, but enabling NAT traversal would help.

Many users resolve this problem by contacting their VPN administrator to ask whether they need a newer version of the VPN client, or should connect to a different VPN gateway that has NAT traversal enabled. It is also possible that you need to reconfigure your wireless router to unblock the UDP port used by NAT traversal. Consult Nortel's website (PDF) for a good description of this problem and possible resolutions, including figures that illustrate Contivity NAT traversal configuration.

This was first published in February 2005
