How does IPSec Passthrough enable packet transfer through a router?
I have configured a remote access IPSec VPN with UDP encapsulation enabled which passes through a broadband router which in turn has IPSEC Passthrough enabled.
The remote access tunnel works fine with the IPSEC Passthrough enabled. However, if the Passthrough option is disabled the tunnel is not established. No ACLs have been configured on the broadband router.
What is the IPSEC Passthrough doing to allow the IPSEC packets to get through? I configured a second IPSEC VPN but without UDP encapsulation but enabled IPSEC Passthrough on the router which allowed phase one to be established but not phase two. I can understand this since it cannot NAT the encrypted phase two packets. But how are the encrypted phase one packets traversing the NAT device?
Software/Hardware used:
Software/Hardware used:
ASKED:
April 9, 2009 3:43 PM
UPDATED:
April 19, 2013 8:09 PM
Answer Wiki:
From the description, I suspect that the router is capable of terminating a VPN itself, so by default it will intercept any VPN packets and process them. The passthrough option allows these packets to be passed through as they are ignored by the router and processed like any other packet destined for a host on the 'inside'.
Your second question is not so obvious. Phase 1 is UDP (IP protocol 17, port 500), the Phase 2 uses ESP (IP Protocol 50) so I suspect that UDP was permitted, but not ESP ? Does the config permit UDP and TCP but not other IP protocols ? Without seeing the config, and knowing the specific device it is a little difficult to diagnose further.
To see all answers submitted to the Answer Wiki: View Answer History.
ISAKMP Phase 2 is also UDP:500. What are you calling phase 1 and how do you know it completed?