
What Ports Need Open for VPN?


djtech2k (MIS, US), Jul 24, 2003
I have a Netgear FVM318. I thought that the main reason for using VPN is to avoid opening ports. However, I can get any connection to this VPN. Do I need to open any ports? I am a little confused????
 
VPN when properly deployed will provide your connections adequate protection, and it will also help you avoid opening additional ports. Not only does VPN allow you to tunnel information and not open those extra ports but it also provides confidentiality, authentication, integrity, and non-repudiation (CAIN for short). You won't get that on a standard connection.

Depending on how you are doing this, the connection will vary. I have not used the Netgear device you mentioned, but often these will have a PPTP and/or IPSec passthrough option. That is all you really need to know. Otherwise, the specifics are below...

PPTP:
IP Protocol: 47 (GRE) - note this isn't a port, this is a protocol like TCP or UDP.
TCP Port: 1723

IPSec:
IP Protocols: 50 (ESP) and 51 (AH)
UDP Port: 500
 
First, thanks for the helpful reply. Now, I have made changes to the firewall to allow incoming traffic on those two ports. I allowed UDP on port 500 and TCP on 1723. I allowed traffic from any IP. It asks me for the local "server" for this service. I was not sure what to put in, but I entered the internal IP of my firewall/VPN. I want to get in thru vpn at the firewall so I can access any machine on this network. My major problem has also been configuring the VPN and VPN client. It asks for all sorts of IP addresses, which is fine, BUT the terminology SUCKS! It is so vague, it is impossible to make sense out of it. Part of the problem is that I will need the VPN setup to accept connections from some static and some dynamic IP's.

So, I am not sure if my problem is ports or misconfiguration on the VPN side.

Any guesses?
 
You will only need to open either TCP 1723 or UDP 500, but not both unless you intend on using BOTH PPTP and IPSec. Both are different types of VPN. That aside, there are also the corresponding IP Protocols that need to be allowed, mentioned in my post above.

Did you check if the Netgear has a PPTP and/or IPSec passthrough option? If so, it will alleviate the need to open these ports explicitly.

On to your issue: you want to get in thru vpn at the firewall so you can access any machine on the network...

Is this a home or corporate network?

Do you have a VPN endpoint device, or are you running W2K server or the likes?

Do you want to use PPTP or IPSec?

Need to understand more about what you want/need to do in order to be of more help.
 
From what I have read, this device will use IPSec for its VPN tunnel. This is a business network, but it is rather small.

The network setup at the moment is as follows:

internet > router > FVM318(fw/router/vpn) > internal_computers

My original intention was to have external users be authenticated with the VPN, then be able to access any workstation of their choice. There is a machine "acting" as a server, but there is no domain, only a workgroup.

Netgear told me last night that this device does not require any ports to be open. I can check the VPN log and it shows activity, but the messages do not tell me much to troubleshoot.
 
I have tried everything I can think of and I get nowhere. I can see the VPN trying to make the connection from the VPN logs on the FVM318, but it never connects. Here is the final entry in the log every time:

IPsec:refine host connection fail!

Any ideas?
 
Here is an entire log entry from my FVM318:

IPsec:Receive Packet address:0x179623c from 12.145.57.217
IPsec:main_inI3_outR3()
IKE:[VPNFORDJ] RX << MM_I3 : 12.145.57.217
IPsec:Decoded Peer's ID is ID_IPV4_ADDR:10.10.57.217 and 0.0.0.0 in st
IPsec:refine host connection fail!
 
It looks like you are NATing the VPN connection from this:

IKE:[VPNFORDJ] RX << MM_I3 : 12.145.57.217
IPsec:Decoded Peer's ID is ID_IPV4_ADDR:10.10.57.217
IPsec:refine host connection fail!

If you are, then stop, otherwise you need to change your IKE parameters to stop using the ID_IPV4_ADDR in its authentication.
 
AlexIT,

This device does use NAT, but I do not think that I can disable it. Netgear says that this VPN will work with NAT and without opening any ports for it. I am so frustrated with this! I keep trying to change the configuration, but it never works. One part that confuses me... The setup on the VPN side asks for my LAN IP, LAN Subnet mask, and WAN IP. For example, I supply it for my office connection, however, it will not allow me to enter my LAN IP address of my workstation (10.10.57.217) because it says it cannot allow it to be on same subnet as the internal IP of the VPN (10.10.1.1), which is on a different remote network. I also need to be able to connect from dynamic dial-up machines, but they won't work either. I have followed the Netgear cryptic docs, but they are contradicting and the configuration does not work.

Anyone else having this much trouble??
 
Ok, do I have this right:
VPN client < internet > router > FVM318 > network

Without going too deep, if your router between the FVM318 and the internet is performing NAT you will not be successful. Assuming it's not, in the configuration for the FVM318 you will assign it one IP from the network for it to assign as your client's virtual IP.

Like this:
FVM318 WAN public=66.218.71.198
LAN IP=192.168.1.10
subnet 255.255.255.0
remote virtual IP=192.168.1.100
remote virtual subnet mask=255.255.255.255

Client "bobs_laptop" (from ISP IP=10.10.2.20)
VPN public=66.218.71.198
IP subnet=192.168.1.0
LAN subnet mask=255.255.255.0

 
OK, here is the deal:

The "outside" router is doing nothing. It is simply a default gateway for the FVM318. Here is the real IP layout:

FVM318:
LAN IP: 10.10.1.1
LAN subnet mask: 255.0.0.0
WAN IP: 170.215.143.190
WAN Subnet Mask: 255.255.255.252

My Station(1 configuration):
LAN IP: 10.10.57.217
LAN subnet mask: 255.0.0.0
WAN IP: 12.145.57.217 (all traffic directed to 12.145.57.217 is ported to my station)

I am not sure what you mean by "remote virtual ip".

In the FVM318 config, it wants the following info:
Local IPSec Identifier
Remote IPSec Identifier
Remote LAN IP
Remote LAN Subnet Mask
Remote WAN IP

It also has the encryption/security settings. I have those setup to match the client settings. What should go where? I would also use this config. but from a dial-up connection, so I would not have a real IP address in that case.

In my workstation (using Safenet SoftRemote):
-Remote Party ID type (IPSubnet, IP)
-Subnet and/or IP
-Secure gateway Tunnel IP
-My Identity type (IP)-it selects my 10.10.57.217 IP automatically.
Virtual Adapter - DISABLED
Internet interface setting (modem,NIC)-auto selects IP again

What goes in those?

Again, I will use it primarily from dial-up, but this config is just from one of my main office machines.

What do you think?
 
Ok, here goes:

FVM318
Connection Name = REMOTEVPN
Local IPSec Identifier = (UNIQUE ID) = FVM318TOHOME
Remote IPSec Identifier = (UNIQUE ID) = HOMETOFVM318
Remote LAN IP = (Pick an IP on the LAN subnet that is NOT USED) = 10.10.1.218
Remote LAN Subnet Mask = 255.255.255.255 (telling the FVM318 this is a single PC it's connecting to)
Remote WAN IP = 0.0.0.0 (If your PC does not have a Static Public IP this is telling the FVM your machine IP traffic could come from anywhere.)


Station1
Remote Party ID type (IPSubnet) = 10.10.1.0
Subnet = 255.255.255.0
Secure gateway Tunnel IP = 170.215.143.190
My Identity type (IP) = (enter above) = 10.10.1.218
Virtual Adapter - (May have to be ENABLED to enter above value...try both ways)


These plus the preshared key you entered exactly the same in both the FVM318 and Station1 is all that is needed for dial-up access. (It will work if you have a static IP too, but you are better off changing the remote WAN IP in the FVM318 if you are only going to have a static IP...more security if the traffic must come from a known IP address.)

Good Luck,
Alex
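The two halves of Alex's configuration only work because several fields agree with each other across the gateway and the client. The Python below is an added example for this thread (not Netgear, SafeNet or Tek-Tips code) that encodes those cross-checks and runs them over Alex's suggested values, embedded as constructed data with a placeholder preshared key. The field names, the rule set and the warning about `0.0.0.0` are this example's reading of the thread, not the FVM318's own validation logic.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Fvm318Policy:
    """Fields of one FVM318 VPN entry, named as they appear in the thread."""
    connection_name: str
    local_ipsec_identifier: str
    remote_ipsec_identifier: str
    remote_lan_ip: str
    remote_lan_subnet_mask: str
    remote_wan_ip: str
    lan_ip: str
    lan_subnet_mask: str
    wan_ip: str
    preshared_key: str


@dataclass
class SoftRemotePolicy:
    """Fields of the SoftRemote client entry, named as they appear in the thread."""
    remote_party_subnet: str
    remote_party_mask: str
    secure_gateway_tunnel_ip: str
    my_identity_ip: str
    preshared_key: str


def check_pairing(gw, client, lan_hosts_in_use=()):
    """Return {'errors': [...], 'warnings': [...]} for one gateway/client pair.

    The rules are this example's reading of Alex's post, not Netgear's checks.
    """
    errors, warnings = [], []
    lan_net = ipaddress.ip_network(f"{gw.lan_ip}/{gw.lan_subnet_mask}", strict=False)
    virtual_ip = ipaddress.ip_address(gw.remote_lan_ip)
    party_net = ipaddress.ip_network(
        f"{client.remote_party_subnet}/{client.remote_party_mask}", strict=False)

    # The client's virtual address is handed out from the gateway's own LAN.
    if virtual_ip not in lan_net:
        errors.append(f"remote LAN IP {virtual_ip} is outside the gateway LAN {lan_net}")
    # A /32 tells the FVM318 the remote side is a single PC.
    if gw.remote_lan_subnet_mask != "255.255.255.255":
        errors.append("remote LAN subnet mask must be 255.255.255.255 for a single PC")
    # The virtual address must not collide with a real LAN host or the gateway.
    if gw.remote_lan_ip in set(lan_hosts_in_use) | {gw.lan_ip}:
        errors.append(f"remote LAN IP {gw.remote_lan_ip} is already in use on the LAN")
    # The client identifies itself with that same virtual address, not its NATed IP.
    if client.my_identity_ip != gw.remote_lan_ip:
        errors.append("client 'My Identity' IP must equal the gateway's remote LAN IP")
    if client.secure_gateway_tunnel_ip != gw.wan_ip:
        errors.append("client 'Secure gateway Tunnel IP' must be the FVM318 WAN IP")
    # The subnet the client wants to reach must lie inside the gateway LAN.
    if not party_net.subnet_of(lan_net):
        errors.append(f"client remote party subnet {party_net} is not inside {lan_net}")
    if client.preshared_key != gw.preshared_key:
        errors.append("preshared keys differ between FVM318 and client")
    if gw.local_ipsec_identifier == gw.remote_ipsec_identifier:
        errors.append("local and remote IPSec identifiers must differ")
    # 0.0.0.0 is what dial-up needs, but it also drops the source-address restriction.
    if gw.remote_wan_ip == "0.0.0.0":
        warnings.append("remote WAN IP 0.0.0.0 accepts the peer from any public address; "
                        "pin it to the static IP once the client has one")
    return {"errors": errors, "warnings": warnings}


# Constructed from Alex's suggested values; the preshared key is a placeholder.
GATEWAY = Fvm318Policy(
    connection_name="REMOTEVPN",
    local_ipsec_identifier="FVM318TOHOME",
    remote_ipsec_identifier="HOMETOFVM318",
    remote_lan_ip="10.10.1.218",
    remote_lan_subnet_mask="255.255.255.255",
    remote_wan_ip="0.0.0.0",
    lan_ip="10.10.1.1",
    lan_subnet_mask="255.0.0.0",
    wan_ip="170.215.143.190",
    preshared_key="PLACEHOLDER-PSK",
)
STATION1 = SoftRemotePolicy(
    remote_party_subnet="10.10.1.0",
    remote_party_mask="255.255.255.0",
    secure_gateway_tunnel_ip="170.215.143.190",
    my_identity_ip="10.10.1.218",
    preshared_key="PLACEHOLDER-PSK",
)

if __name__ == "__main__":
    print(check_pairing(GATEWAY, STATION1))
```

With Alex's values the check returns no errors and one warning about `0.0.0.0`; feeding it the earlier attempt, where "My Identity" was the workstation's own 10.10.57.217, produces an error on the identity rule, which is the same mismatch the FVM318 log showed as "refine host connection fail!".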
 