After setting up wireless router, I can no longer get on the VPN

After setting up wireless router, I can no longer get on the VPN

After I connected my wireless router (Netgear MR814), I cannot connect to my Nortel Contivity VPN anymore. It disconnected right after the display "Checking for banner text". Without the router, everything works fine. I even tried with another wireless router (US Robotics USR808054CAN). It has the same problem. If it is the wireless routers' problem, can you suggest one that will work?

    Requires Free Membership to View

    Login

    By submitting your registration information to SearchNetworking.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchNetworking.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

The symptom you describe ("Checking for banner text" when using the Nortel Contivity VPN client) is a very common indicator of Network Address Translation (NAT) problems. In short, your VPN tunnel is being established (i.e., IKE gets through your router), but incoming VPN traffic is being blocked (i.e., IPsec ESP does not get through your router). Your VPN client is waiting to receive expected "banner text" that is being blocked, and eventually times out.

There are two ways for VPN clients to successfully make it through a NAT-ing device like a broadband/wireless router: VPN pass-through and NAT traversal.

  1. With VPN pass-through, the NAT-ing device observes VPN tunnel establishment and uses something to map arriving VPN data to the inside host that established the VPN tunnel. For example, when using IPsec VPNs, the NAT-ing device may forward inbound ESP (protocol 50) to the host that previously sent outbound IKE (UDP port 500) traffic. It is not unusual for this approach to work for one VPN tunnel at a time, or to work better with some VPN clients than others.

  2. With NAT traversal, the VPN client and gateway collaborate to avoid needing anything special from the NAT-ing device. They do this by detecting the presence of a NAT-ing device during tunnel establishment and agreeing to encapsulate VPN traffic inside a standard UDP envelope. The VPN client wraps outbound ESP inside a UDP header -- the NAT-ing device just sees a regular UDP packet and translates IP address and UDP port in the normal fashion. The VPN gateway sends ESP inside UDP as well, letting the NAT-ing device use the same IP address and UDP port number to map inbound packets back to the right VPN client.

The Netgear MR814 supports IPsec VPN pass-through, although I have seen some user posts suggesting that it only supports one tunnel at any given time. Your Nortel Contivity VPN client supports NAT traversal, although this option must be enabled on the VPN gateway to use it. I'm guessing that the MR814's VPN pass-through implementation isn't compatible with your version of the Contivity VPN client, but enabling NAT traversal would help.

Many users resolve this problem by contacting their VPN administrator to ask whether they need to use a newer version of their VPN client or connect to a different VPN gateway that has NAT traversal enabled. It is also possible that you need reconfigure your wireless router to unblock the UDP port used by NAT traversal. Consult Nortel's website (PDF) for a good description of this problem and possible resolutions, including figures that illustrate Contivity NAT traversal configuration.

This was first published in February 2005