Q

Troubleshooting DSL Gateway router

After installation of a home DSL Gateway router (BELKIN F5D6230) the following problem occurred with VPN-1 from Checkpoint:

  1. PING to VPN Gateway works fine
  2. VPN Client is started and the Gateway asks for user name, etc., and confirms a successful connection
  3. PING to VPN Gateway (and any other host behind the gateway) is not answered anymore

When I remove the router and connect PC directly to DSL modem (PPPoE) all works fine.

What can be done to persuade the router to work with VPN?

Siegfried

Hi Siegfried,
There are a couple of potential issues that you might check here.

First, your router is probably NATing addresses so that when you connect through it, your VPN client has a private IP address, not a publicly routable IP address. This would explain the difference between being directly connected to the DSL modem (where the PC has a public IP address) and being indirectly connected through the router (where it doesn't). In order to solve this, it's important that the VPN client and gateway both support NAT traversal (a process where IPSec packets are encapsulated inside UDP packets to get through NAT firewalls and routers). I believe that newer versions of Check Point do this.

If you've already done this, the next thing is to make sure your router is supporting the NAT-traversal packets. To do this, you need to open UDP port 551 - the UDP port for encapsulated IPSec traffic.

Second, if all this is configured properly (i.e., you have NAT traversal enabled and you have the right ports open on your router), it may be that the client itself is not routing the traffic correctly. If the client isn't configured properly and it has a local private address, it will pass the VPN traffic directly to the local network and not through the tunnel. The local network and gateway router won't know what to do with the traffic and the pings fail. So the client tunnel configuration must associate the private addresses behind the VPN gateway (on the other side of the connection) with the VPN tunnel.

One more thing: the client SHOULD NOT associate the public address of the VPN server with the tunnel. When you ping the public address of the VPN gateway (the Check Point firewall at the other end of the connection), that ping should not go through the tunnel; it should go outside the tunnel, even when the tunnel is up. It may be that your configuration has this inverted and private traffic is being dumped onto the local network while the publicly routable gateway address is being routed through the tunnel, in which case neither ping will work.
Hope this helps,
Mark
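
An added example, not part of Siegfried's question or Mark's answer, of the UDP encapsulation the answer describes and of the router rule check that goes with it. It assumes standards-based NAT traversal as specified in RFC 3947/3948: IKE starts on UDP 500, and once NAT is detected both IKE and ESP move to UDP 4500, where a four-byte all-zero "non-ESP marker" tells IKE apart from ESP and a single 0xFF byte is a keepalive. The port a particular Check Point release uses for its own encapsulation may differ from this, so check the product documentation before opening ports. All datagrams below are constructed inline, not captured, and the SPI and port values are placeholders.

```python
"""NAT-T (RFC 3948) demultiplexing on UDP 4500 and a NAT-router rule check.

Added illustration; every datagram here is constructed, not captured.
"""
import struct

IKE_PORT = 500     # IKE before NAT is detected
NATT_PORT = 4500   # IKE and ESP-in-UDP after NAT is detected (RFC 3948)
NON_ESP_MARKER = b"\x00\x00\x00\x00"
IKE_HEADER_LEN = 28


def ike_header(spi_i: int, spi_r: int, exchange_type: int, msg_id: int, length: int) -> bytes:
    """Build the 28-byte ISAKMP/IKEv1 fixed header (RFC 2408 layout).

    next payload 0, version 1.0, flags 0; values are placeholders for the demo.
    """
    next_payload, version, flags = 0, 0x10, 0x00
    return struct.pack("!QQBBBBII", spi_i, spi_r, next_payload, version,
                       exchange_type, flags, msg_id, length)


def natt_ike(ike_message: bytes) -> bytes:
    """IKE carried on UDP 4500: non-ESP marker followed by the IKE message."""
    return NON_ESP_MARKER + ike_message


def natt_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP carried on UDP 4500: SPI, sequence number, then the encrypted body."""
    return struct.pack("!II", spi, seq) + ciphertext


def classify_natt_payload(payload: bytes) -> str:
    """Tell what a UDP/4500 datagram carries, the way a NAT-T dispatcher does.

    SPI 0 is reserved, so a real ESP packet never begins with the four zero
    bytes of the non-ESP marker; that is what makes the demux unambiguous.
    """
    if payload == b"\xff":
        return "keepalive"
    if len(payload) >= 4 + IKE_HEADER_LEN and payload[:4] == NON_ESP_MARKER:
        return "ike"
    if len(payload) >= 8 and payload[:4] != NON_ESP_MARKER:
        return "esp"
    raise ValueError("malformed NAT-T payload")


def classify_datagram(dst_port: int, payload: bytes) -> str:
    """Classify any UDP datagram arriving at a NAT-T capable gateway."""
    if dst_port == IKE_PORT:
        return "ike"
    if dst_port == NATT_PORT:
        return classify_natt_payload(payload)
    return "other"


def demo_flow() -> list:
    """Constructed sequence: IKE on 500, then IKE, ESP and a keepalive on 4500."""
    hdr = ike_header(0x1122334455667788, 0, 2, 0, IKE_HEADER_LEN)  # exchange type 2 = main mode
    flow = [
        (IKE_PORT, hdr),                                     # first IKE message, before NAT detection
        (NATT_PORT, natt_ike(hdr)),                          # IKE after NAT detection
        (NATT_PORT, natt_esp(0x0000A001, 1, b"\x00" * 16)),  # ESP-in-UDP data (placeholder SPI)
        (NATT_PORT, b"\xff"),                                # keepalive that holds the NAT mapping open
    ]
    return [classify_datagram(port, data) for port, data in flow]


REQUIRED_UDP_PORTS = {IKE_PORT, NATT_PORT}


def missing_router_rules(allowed_udp_ports) -> set:
    """UDP ports the home router must still pass for standards-based NAT-T.

    Plain ESP (IP protocol 50) carries no port numbers for the NAT to rewrite,
    which is why the client and gateway fall back to UDP 4500 in the first place.
    """
    return REQUIRED_UDP_PORTS - set(allowed_udp_ports)


if __name__ == "__main__":
    print(demo_flow())
    print("still to open:", missing_router_rules({500}))
```

Run it against the datagram sequence and it labels the four datagrams ike, ike, esp, keepalive; feeding in the router's current UDP allow-list shows which of 500/4500 is still blocked.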

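The split-tunnel rule from the answer, as an added example (not code from the original page or from Check Point). It encodes Mark's two conditions as a longest-prefix-match check over a client route table: the private networks behind the VPN gateway must be reached through the tunnel, while the gateway's own public address must be reached outside it. The route tables, the gateway address (a documentation-range placeholder) and the remote prefixes are constructed for the illustration; the "inverted" table reproduces the symptom in the question, where the gateway stops answering once the tunnel is up and hosts behind it never answer.

```python
"""Client route-table check for the split-tunnel rule in the answer.

Added illustration; addresses and routes below are constructed placeholders.
"""
import ipaddress

# Constructed scenario: gateway public address and the networks behind it.
GATEWAY_PUBLIC = "198.51.100.10"    # placeholder, documentation range
REMOTE_PRIVATE_NETS = ["10.1.0.0/16"]
REMOTE_HOST = "10.1.2.3"

# Route tables as (prefix, path); path is "tunnel" (VPN adapter) or "lan"
# (the NATed interface toward the DSL router).
CORRECT_ROUTES = [("10.1.0.0/16", "tunnel"), ("0.0.0.0/0", "lan")]
MISSING_TUNNEL_ROUTES = [("0.0.0.0/0", "lan")]
INVERTED_ROUTES = [("198.51.100.10/32", "tunnel"), ("0.0.0.0/0", "lan")]
GATEWAY_IN_TUNNEL_ROUTES = [("10.1.0.0/16", "tunnel"),
                            ("198.51.100.10/32", "tunnel"),
                            ("0.0.0.0/0", "lan")]


def select_path(routes, dst) -> str:
    """Longest-prefix match: which interface the client sends dst out of.

    A destination matching no route follows the default route; on a NATed
    client that is the LAN toward the DSL router.
    """
    addr = ipaddress.ip_address(dst)
    best_len, best_path = -1, "lan"
    for prefix, path in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_path = net.prefixlen, path
    return best_path


def expected_path(dst, gateway_public, remote_private_nets) -> str:
    """Mark's rule: the gateway's public address goes outside the tunnel,
    the private networks behind it go through the tunnel."""
    addr = ipaddress.ip_address(dst)
    if addr == ipaddress.ip_address(gateway_public):
        return "lan"
    if any(addr in ipaddress.ip_network(n) for n in remote_private_nets):
        return "tunnel"
    return "lan"


def ping_works(routes, dst, gateway_public, remote_private_nets) -> bool:
    """A ping is answered only when the client picks the path the rule requires."""
    return select_path(routes, dst) == expected_path(dst, gateway_public, remote_private_nets)


def diagnose(routes, gateway_public, remote_private_nets, remote_host) -> str:
    """Repeat the two pings from the question and name the failure mode."""
    gw_ok = ping_works(routes, gateway_public, gateway_public, remote_private_nets)
    host_ok = ping_works(routes, remote_host, gateway_public, remote_private_nets)
    if gw_ok and host_ok:
        return "ok"
    if gw_ok:
        return "missing_tunnel_route"   # private traffic dumped onto the LAN
    if host_ok:
        return "gateway_in_tunnel"      # gateway address wrongly sent into the tunnel
    return "inverted"                   # both mistakes at once: neither ping works


if __name__ == "__main__":
    for name, table in [("correct", CORRECT_ROUTES), ("missing", MISSING_TUNNEL_ROUTES),
                        ("inverted", INVERTED_ROUTES), ("gw-in-tunnel", GATEWAY_IN_TUNNEL_ROUTES)]:
        print(name, "->", diagnose(table, GATEWAY_PUBLIC, REMOTE_PRIVATE_NETS, REMOTE_HOST))
```

To use it on a real client, copy the routes that the VPN client installs (for example from `route print` on Windows) into the table with the interface each one points at, then check that the result is "ok" before suspecting the router.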
This was first published in August 2002
