VPN stands for Virtual Private Network and is a way to establish an encrypted, authenticated "private network" connection to a computer or network at another location over the public Internet. It is frequently used by businesses to let employees telecommute and connect to the private company network. If you don't need this ability, don't worry about a lack of VPN capability in the router you'll be buying.
If you do need this capability, check the router specs carefully to make sure your choice supports the protocol you need. Microsoft PPTP is frequently supported, some units support IPsec, and only a few support L2TP.
If you're using Microsoft's Internet Connection Sharing (ICS) to share your connection, forget about using an IPsec-based VPN, since ICS doesn't support it.
PPTP-specific help can be found on this page.
If you are connecting to a remote VPN server from a computer on the LAN side of your router, you need VPN "client pass-thru" capability. In "pass-thru" mode the router only forwards the VPN traffic; you still run some sort of VPN client software on your machine. The two most popular VPN protocols are PPTP and IPsec.
To use either of these protocols from computers on your LAN to connect to a VPN server via the Internet, your router needs to support "client pass-thru" for the protocol you need. Some routers support only one "pass-thru" client, others support many. In either case, you'll need to run VPN software on your client machine(s).
NOTE: Many inexpensive routers have a VPN "feature" that allows multiple client pass-thru sessions, but only one session per VPN tunnel "terminator" (server). The reason is that the tunnel traffic, GRE for PPTP and ESP or AH for IPsec, carries no port numbers, so once the router has rewritten the source address the only thing it has left to tell sessions apart is the VPN server's address. You can therefore connect one client to each of several VPN servers, but not multiple clients simultaneously to the same VPN server.
If you need to support multiple VPN clients to the same server, be sure that your router supports the ability to do this. Due to the range of VPN configurations and the difficulty in getting correct information from many router vendors, your safest bet is to spend some extra money and get a router that has a built-in VPN end point (see below).
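The following toy NAT table is an added example (not code from the original page or from any router vendor) showing why the "one session per VPN server" limit exists. TCP and UDP flows carry port numbers the router can rewrite, so any number of inside hosts can share one outside destination; GRE (IP protocol 47, the PPTP data channel) and ESP (protocol 50) carry none, so after the source address is replaced the only outbound key left is (protocol, server address). The addresses, the `Flow` layout and the mapping rules are a constructed simplification of what a real router does.

```python
"""Toy NAT demonstrating why simple routers allow one GRE/ESP session per VPN server.

Added example, not from the original page. TCP/UDP mappings get a fresh WAN
source port; port-less protocols (GRE, ESP) are keyed only on (proto, dst).
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

GRE, ESP, TCP, UDP = 47, 50, 6, 17
WAN_IP = "203.0.113.5"  # router's public address (constructed, RFC 5737 test range)


@dataclass(frozen=True)
class Flow:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # None for protocols without ports (GRE, ESP)
    dport: Optional[int] = None


class SimpleNat:
    def __init__(self, wan_ip: str = WAN_IP) -> None:
        self.wan_ip = wan_ip
        self.next_port = 40000
        # outbound key -> inside host, used to route replies back to the LAN
        self.table: Dict[Tuple, str] = {}

    def translate(self, f: Flow) -> Optional[Flow]:
        """Return the flow as seen on the WAN, or None if no mapping can be added."""
        if f.proto in (TCP, UDP):
            # Ports give a free dimension: pick a fresh WAN source port per inside flow.
            wan_port = self.next_port
            self.next_port += 1
            self.table[(f.proto, f.dst, f.dport, wan_port)] = f.src
            return Flow(f.proto, self.wan_ip, f.dst, wan_port, f.dport)
        # GRE / ESP: nothing left in the header distinguishes two inside hosts once
        # the source address is rewritten, so the key is (proto, server address).
        key = (f.proto, f.dst)
        owner = self.table.get(key)
        if owner is not None and owner != f.src:
            return None  # second client to the same VPN server: replies could not be demuxed
        self.table[key] = f.src
        return Flow(f.proto, self.wan_ip, f.dst)


def demo() -> Dict[str, bool]:
    """Three scenarios; True means both flows got a mapping (and differ where they should)."""
    nat = SimpleNat()
    results: Dict[str, bool] = {}
    # Two LAN hosts to the same HTTPS server: fine, WAN source ports disambiguate.
    a = nat.translate(Flow(TCP, "192.168.1.10", "198.51.100.7", 51000, 443))
    b = nat.translate(Flow(TCP, "192.168.1.11", "198.51.100.7", 51000, 443))
    results["tcp_two_clients_same_server"] = a is not None and b is not None and a.sport != b.sport
    # Two LAN hosts to the same PPTP server: the TCP 1723 control channel would be fine,
    # but the GRE data channel of the second client collides with the first.
    g1 = nat.translate(Flow(GRE, "192.168.1.10", "198.51.100.9"))
    g2 = nat.translate(Flow(GRE, "192.168.1.11", "198.51.100.9"))
    results["gre_two_clients_same_server"] = g1 is not None and g2 is not None
    # Same two hosts to two different IPsec gateways (ESP): one session per server works.
    e1 = nat.translate(Flow(ESP, "192.168.1.10", "198.51.100.20"))
    e2 = nat.translate(Flow(ESP, "192.168.1.11", "198.51.100.21"))
    results["esp_two_clients_two_servers"] = e1 is not None and e2 is not None
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'works' if ok else 'blocked'}")
```

Routers that do advertise multiple sessions to one server have to do extra work this toy skips: track the PPTP Call ID inside the GRE header, or rely on IPsec NAT-Traversal, which wraps ESP in UDP so ports are available again.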
If, however, you'll be hosting a VPN server behind the router, i.e. users will be connecting to you, make sure the router supports VPN "server pass-thru" in the protocol that you need. "Server pass-thru" usually supports only one VPN server.
Unless the specs say otherwise, assume that the router itself is not a VPN server or "endpoint"; "pass-thru" only means it forwards VPN traffic to and from a client or server on your LAN.
More ISPs are setting access control lists on their routers to filter (i.e. discard) IPsec traffic. Some ISPs charge more for business services than for consumer services (Comcast @Home, for example) and do not want people buying consumer services and using them for business.
If you can't get your VPN connection to work, ask your service provider whether they are filtering IPsec traffic, which means IKE/ISAKMP on UDP port 500 and IP protocols 50 (ESP) and 51 (AH). If they are, complain to them, change ISPs if possible, or complain to your state Attorney General or Consumer Affairs office!
We recently heard from a user who was having trouble getting their IPsec client to work with a router that supported IPsec passthrough. The problem turned out to be that the VPN in question was using Header Authentication (the IPsec Authentication Header, AH, IP protocol 51). I'll let Mike Shields of Netgear explain:

"The problem is Header Authentication, and no NAT will work with it. When a company sets up a VPN system with IPSec, they can choose to have the packet header information included in the authentication scheme, or to just have the body of the message contain the authentication. If they choose to include the header, then absolutely nothing in the header can be changed, or the far side will consider the packet to be tampered with and will reject it.

When a router performs NAT, it replaces the source address in the packet header with its own address, so it would fail Header Authentication. Luckily, most companies do not use Header Authentication, relying on authentication within the packet. This may leave the packets vulnerable to hijacking, but I think it causes fewer problems in getting the VPN running reliably."
A user in this situation may be able to use a router (more $$$) that is an IPsec end-point, not just passthrough. In this case the router runs the IPsec client, not the PC, so all encapsulation and encryption happen after NAT and nothing rewrites the authenticated header. The hitch is that the router's IPsec client must be compatible with the IPsec server at the far end, and not all IPsec implementations are alike. Who is it that said "The great thing about standards is that there are so many to choose from"?
Some IPsec modes are not "NATable". For example, unencapsulated FMZ and NAT routers don't play nicely. Try the ISAKMP or encapsulated FMZ options if your IPsec client offers those choices. (For more information on this, go to this page.) The general rule: anything that authenticates the outer IP header (AH), or carries a checksum that includes the addresses (transport-mode ESP protecting TCP or UDP), breaks when the router rewrites the source address; tunnel-mode ESP survives NAT for one client per server, and newer IPsec clients and servers negotiate NAT Traversal (NAT-T), which wraps ESP in UDP port 4500 precisely so it can pass through NAT.
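To make the Netgear explanation above and the "NATable" rule concrete, here is an added example (not code from the original page or from Netgear) that builds a minimal IPv4 header, computes an AH-style integrity check value (ICV) over the header with AH's mutable fields zeroed plus the payload, and an ESP-style ICV over the payload only, then pushes the packet through a plain router hop and a NAT hop. Real AH/ESP framing (SPI, sequence numbers, ESP trailer, encryption) is left out; HMAC-SHA256 truncated to 128 bits stands in for the negotiated integrity algorithm, and the key, addresses and payload are constructed for the demo.

```python
"""AH vs ESP integrity under NAT, in miniature.

Added example, not from the original page. AH authenticates the IP header
(with its mutable fields zeroed), so a NAT's source-address rewrite fails the
check; ESP's ICV does not cover the outer header, so the packet survives.
"""
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"  # constructed shared key, not a real SA key
AH_PROTO, ESP_PROTO = 51, 50


def ip_checksum(hdr: bytes) -> int:
    """Standard IPv4 header checksum (ones' complement of the ones' complement sum)."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _set_checksum(h: bytearray) -> None:
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))


def build_ipv4(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header, no options: ver/IHL, TOS, len, id, flags/frag, TTL, proto, csum, src, dst."""
    h = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                              ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst)))
    _set_checksum(h)
    return bytes(h)


def ah_immutable_view(ip_hdr: bytes) -> bytes:
    """What AH actually signs: the header with fields a router may legitimately change zeroed."""
    h = bytearray(ip_hdr)
    h[1] = 0                # TOS (DSCP/ECN)
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)         # source and destination addresses stay in


def ah_icv(ip_hdr: bytes, payload: bytes, key: bytes = KEY) -> bytes:
    return hmac.new(key, ah_immutable_view(ip_hdr) + payload, hashlib.sha256).digest()[:16]


def esp_icv(payload: bytes, key: bytes = KEY) -> bytes:
    """ESP integrity covers the ESP header and (encrypted) payload, never the outer IP header."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:16]


def forward(ip_hdr: bytes) -> bytes:
    """Plain router hop: TTL decremented, checksum recomputed, addresses untouched."""
    h = bytearray(ip_hdr)
    h[8] -= 1
    _set_checksum(h)
    return bytes(h)


def nat_rewrite(ip_hdr: bytes, new_src: str) -> bytes:
    """NAT hop: a forward() plus the source address replaced by the router's WAN address."""
    h = bytearray(forward(ip_hdr))
    h[12:16] = socket.inet_aton(new_src)
    _set_checksum(h)
    return bytes(h)


def verify(received_icv: bytes, expected_icv: bytes) -> bool:
    return hmac.compare_digest(received_icv, expected_icv)


def demo() -> dict:
    payload = b"constructed VPN payload"
    inside = build_ipv4("192.168.1.10", "198.51.100.9", AH_PROTO, len(payload))
    ah = ah_icv(inside, payload)   # computed by the LAN client before the router
    esp = esp_icv(payload)
    routed = forward(inside)
    natted = nat_rewrite(inside, "203.0.113.5")
    return {
        "ah_after_plain_routing": verify(ah, ah_icv(routed, payload)),  # TTL/checksum are mutable: OK
        "ah_after_nat": verify(ah, ah_icv(natted, payload)),            # source address changed: rejected
        "esp_after_nat": verify(esp, esp_icv(payload)),                 # header not covered: OK
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'REJECTED'}")
```

The ESP result is why tunnel-mode ESP behind a consumer router generally works for a single client, and why the AH case can only be fixed by moving the IPsec endpoint onto the router (so the address the far side sees is the one that was authenticated) or by choosing ESP. Transport-mode ESP carrying TCP or UDP fails for a different reason not modelled here: the inner transport checksum includes the original addresses, which is what NAT-T's UDP encapsulation was designed to get around.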
Here are some tips that we've picked up from users. If you'd like to contribute information on how you got your VPN setup working, send it in!
(If you're not comfortable with editing the custom.ini file, AT&T Global Network Services has a handy tool that you can download and run that will do it for you. Go here, download "natswitch.exe" and run it.)