Ask the Expert

Problem connecting to virtual private network (VPN) through Linksys router

I have been working out of the house for years for a large corporation and have had no prior problems connecting to our virtual private network (VPN). However, my cable Internet provider recently forced me to close my residential account and open a separate business account to use a VPN. We have tried using two different modems: one with a static IP and the other with a dynamic IP. When I connect either of these directly to my laptop, I can get into the VPN, but when I go through a Linksys router, the VPN does not work. Any suggestions?

    Requires Free Membership to View

    Login

Without knowing the make and model of your router and VPN, I can only guess -- but I can make a pretty good guess, based on your symptoms. Since your VPN tunnel works when directly connected through the modem, the problem is not the modem or its IP address. The problem must be introduced by the router -- most likely, by creating an IP address conflict, blocking a VPN protocol, or corrupting VPN packets using Network Address Translation (NAT).

I have seen cases where the router's default LAN subnet happens to overlap with the modem's default LAN subnet, or with a private subnet used inside an enterprise network. For example, if your modem and your router both assign 192.168.1.x to their LAN connections, you will never be able to route traffic successfully from your laptop onto the Internet. Similarly, your company network and your router both use 192.168.1.x, you may be able to connect to your VPN but never able to actually route traffic into your company network. Simply change the default LAN subnet on your router (both the router's LAN IP and its DHCP IP range) to detect and avoid this problem.

More often, I see broadband routers (which are really firewalls) block incoming VPN protocols by default. For example, an IPsec VPN requires the router to accept protocol 50 or 51 (ESP or AH), while a PPTP VPN requires the router to accept protocol 47 (GRE). You can usually accept these protocols by enabling a feature on your broadband router. For example, on a Linksys RT31P2, this option is enabled under Security / VPN Passthrough.

Even when VPN passthrough has been enabled on the router, some VPN tunnels get broken by NAT. An extremely common symptom of this problem is to see your VPN tunnel established ("displaying banner text") but never see any data being exchanged through the tunnel ("timing out, tunnel disconnected"). Most VPN gateways have been updated to include NAT Traversal capabilities that encapsulate VPN protocols inside UDP packets. When this is done, NAT changes the UDP packet header (the wrapper) without modifying the UDP packet payload (the VPN protocol inside the wrapper). That avoids breaking the VPN tunnel by leaving the VPN protocol alone. You see, VPNs are designed to detect forged or modified packets and may otherwise discard packets that your router's NAT has changed. The solution to this problem depends on your company's VPN gateway and client. Have your IT department ask your VPN vendor about "NAT Traversal," also known as NAT-T.

If all else fails, consider using a different router -- at least briefly -- to find and then fix the problem. Broadband routers are readily available from office supply and electronics stores for less than $50, or perhaps you can borrow one from a neighbor or co-worker just long enough to diagnose your VPN problem.

View our network administration expert's response to this question: How can I resolve this remote worker's VPN connection problem?

This was first published in September 2008

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.
    Back to top