How do I disable VPN passthrough? What are the benefits and drawbacks to disabling this function?
VPN passthrough is typically used on small office home office (SOHO) network gateway devices. This means that the gateway itself is not the termination point of the VPN, but rather a passive device allowing the VPN packets to pass through the firewall. Depending on the type of VPN, different protocols and ports are required to enable the VPN traffic. In the case of IPsec, the required ports are typically user datagram protocol (UDP) Port 500 for Internet key exchange (IKE) and Port 4500 for network address translation (NAT) traversal. On most systems, this feature can be enabled or disabled within the device’s configuration menu.
The benefit of disabling VPN passthrough is enhanced security by blocking open communication ports through the firewall that otherwise would be open and accessible. The drawback is that a user behind the gateway would not be able to establish a VPN connection, since the required VPN ports are blocked at the firewall. In particular, if an end user relies on a VPN connection for their home office, those ports should not be blocked.
Email your VPN-related questions to email@example.com
Dig Deeper on Network automation and intent-based networking
Related Q&A from Rainer Enders
Rainer Enders explains how to allow certain users to access a VPN client while restricting others. Continue Reading
Our VPN expert explains why a Layer 3 VPN can ping but not do a tracepath from the client in this response. Continue Reading
In this Ask the Expert response, VPN expert Rainer Enders explains why BGP-4 support is necessary when configuring a router for a Layer-3 MPLS VPN. Continue Reading