How does IPSec Passthrough enable packet transfer through a router?

Tags: IPsec, IPsec Passthrough, IPsec VPN, Network security, Networking, VPN
I have configured a remote access IPsec VPN with UDP encapsulation enabled, which passes through a broadband router that in turn has IPsec Passthrough enabled. The remote access tunnel works fine with IPsec Passthrough enabled. However, if the Passthrough option is disabled, the tunnel is not established. No ACLs have been configured on the broadband router. What is IPsec Passthrough doing to allow the IPsec packets to get through? I configured a second IPsec VPN without UDP encapsulation, but enabled IPsec Passthrough on the router, which allowed phase one to be established but not phase two. I can understand this since it cannot NAT the encrypted phase two packets. But how are the encrypted phase one packets traversing the NAT device?

Answer Wiki


From the description, I suspect that the router is capable of terminating a VPN itself, so by default it will intercept any VPN packets and process them. The passthrough option allows these packets to be passed through as they are ignored by the router and processed like any other packet destined for a host on the ‘inside’.

Your second question is not so obvious. Phase 1 is UDP (IP protocol 17, port 500); Phase 2 uses ESP (IP protocol 50), so I suspect that UDP was permitted, but not ESP? Does the config permit UDP and TCP but not other IP protocols? Without seeing the config and knowing the specific device, it is a little difficult to diagnose further.
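As an added illustration (not code from the original poster or the answerer) of why the UDP-encapsulated tunnel survives NAT while raw ESP needs the passthrough option: a toy Python port-address translator. IKE runs over UDP/500 and NAT-T wraps ESP in UDP/4500, both of which carry ports the translator can rewrite; raw ESP (IP protocol 50) has only an SPI, so the "pin one inside host" passthrough model used here is an assumption about how such routers behave, not something the thread states.

```python
"""Toy NAPT model: IKE (UDP/500) and NAT-T encapsulated ESP (UDP/4500) can be
port-translated, while raw ESP (IP protocol 50) carries no ports and cannot.
Constructed illustration for this thread, not the router's actual code."""
from dataclasses import dataclass, replace
from typing import Optional

IPPROTO_UDP, IPPROTO_ESP = 17, 50

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # UDP only
    dport: Optional[int] = None  # UDP only
    spi: Optional[int] = None    # ESP only: a 32-bit SPI, not a port

class Napt:
    def __init__(self, public_ip: str, ipsec_passthrough: bool = False):
        self.public_ip = public_ip
        self.passthrough = ipsec_passthrough
        self.out_map = {}  # (inside_ip, inside_port) -> public_port
        self.in_map = {}   # public_port -> (inside_ip, inside_port)
        self.next_port = 40000
        # Assumed passthrough model: the first inside host sending ESP is pinned,
        # because nothing in the ESP header identifies the inside host on return.
        self.esp_host: Optional[str] = None

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> Internet. None means the router has no way to translate it."""
        if pkt.proto == IPPROTO_UDP:
            key = (pkt.src, pkt.sport)
            if key not in self.out_map:
                self.out_map[key] = self.next_port
                self.in_map[self.next_port] = key
                self.next_port += 1
            return replace(pkt, src=self.public_ip, sport=self.out_map[key])
        if pkt.proto == IPPROTO_ESP and self.passthrough:
            self.esp_host = self.esp_host or pkt.src
            return replace(pkt, src=self.public_ip) if pkt.src == self.esp_host else None
        return None  # raw ESP without passthrough: no flow key, dropped

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> inside. A public port, or the pinned ESP host, picks the target."""
        if pkt.proto == IPPROTO_UDP and pkt.dport in self.in_map:
            ip, port = self.in_map[pkt.dport]
            return replace(pkt, dst=ip, dport=port)
        if pkt.proto == IPPROTO_ESP and self.passthrough and self.esp_host:
            return replace(pkt, dst=self.esp_host)
        return None
```

With passthrough off, the IKE exchange on UDP/500 translates both ways but the first raw ESP packet is dropped, which matches the "phase one but not phase two" symptom described above.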

Discuss This Question: 1 Reply

• Daltxguy
  ISAKMP Phase 2 is also UDP:500. What are you calling phase 1 and how do you know it completed?
