How to set up Vigor Router to pass-through VPN tunnel?

Vigor Router supports VPN pass-through, which allows VPN traffic to pass through the router. Generally, for a VPN client behind Vigor Router to connect to a VPN server on the Internet, no special settings are required.

   

However, for clients on the Internet to establish a VPN tunnel with a VPN server behind Vigor Router, we first need to disable Vigor Router's own VPN service, and then set up Port Redirection or Open Ports to redirect the VPN traffic arriving on the WAN interface to the VPN server on the LAN.

   

Below are the ports that need to be opened on Vigor Router's WAN interface for VPN traffic to pass through:

  • PPTP VPN: TCP 1723
  • IPsec VPN: UDP 500, UDP 4500 (if NAT-T is used)
  • L2TP VPN: UDP 1701

For the detailed setup of VPN pass-through for each VPN type, please refer to the instructions below.

 

PPTP VPN

To pass through a PPTP VPN client, no special setting is required. If the VPN server is behind Vigor Router, we need to:

1. Disable PPTP VPN Service from VPN and Remote Access >> Remote Access Control Setup.

   

2. Go to NAT >> Open Ports to open TCP port 1723 for the VPN server on LAN.

   

 

 

IPsec VPN

There are some restrictions on IPsec VPN pass-through due to the incompatibilities between IPsec and NAT:

  • IPsec VPN with Authentication Header (AH) cannot pass through NAT because AH does not allow the IP header to be changed.
  • To pass through multiple outgoing IPsec tunnels (with ESP security), NAT Traversal (NAT-T) must be supported on both the VPN client and server. Without NAT-T, only one outgoing IPsec VPN can be established at a time.

To allow an IPsec VPN server to pass through Vigor Router, we need to:

1. Disable IPsec VPN Service from VPN and Remote Access >> Remote Access Control Setup.

   

2. Go to NAT >> Open Ports to open UDP port 500 for the VPN server on LAN.

   

3. If NAT Traversal (NAT-T) is in use, UDP port 4500 is also required.

   

4. If the IPsec connection uses PKI for authentication instead of a Pre-Shared Key, “Accept large incoming fragmented UDP or ICMP packets” must be enabled in Firewall >> General Setup.

   

 

 

L2TP VPN

Please note that L2TP with IPsec policy is in transport mode, which can only pass through NAT if both the VPN client and server support NAT-T (Note: All Vigor models support NAT-T). Whether or not the IPsec policy is enabled, to allow a VPN server to pass through Vigor Router, we need to:

1. Disable IPsec VPN Service from VPN and Remote Access >> Remote Access Control Setup.

   

2. Go to NAT >> Open Ports to open UDP port 1701 for the VPN server on LAN.
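Before applying the rules, a planned Open Ports list can be checked against the requirements above. The following Python sketch is an added example, not DrayTek code: the rule tuples, the function name audit and its parameters are assumptions, and the sample plan is constructed. It reports missing ports, rules pointing at the wrong LAN host, the AH and NAT-T restrictions, and ports opened to the server that the chosen VPN type does not need.

```python
# Added example: the rule tuples and parameter names are assumptions,
# not a Vigor configuration export format.
REQUIRED = {  # WAN ports per VPN type, as listed on this page
    "pptp": [("tcp", 1723)],
    "ipsec": [("udp", 500)],
    "l2tp": [("udp", 1701)],
}
NAT_T = ("udp", 4500)  # added for IPsec when NAT-T is in use


def audit(vpn_type, server_ip, rules, nat_t=False, uses_ah=False,
          l2tp_ipsec=False, service_disabled=True):
    """Compare planned Open Ports rules (proto, port, lan_ip) with the page's
    requirements. Returns a list of findings; an empty list means no gaps."""
    findings = []
    needed = list(REQUIRED[vpn_type])
    if not service_disabled:
        findings.append("disable the router's own VPN service first")
    if vpn_type == "ipsec":
        if uses_ah:
            findings.append("AH cannot pass through NAT")
        if nat_t:
            needed.append(NAT_T)
    if vpn_type == "l2tp" and l2tp_ipsec and not nat_t:
        findings.append("L2TP with IPsec policy needs NAT-T on client and server")
    for proto, port in needed:
        targets = {ip for p, q, ip in rules if (p, q) == (proto, port)}
        if not targets:
            findings.append(f"missing {proto.upper()} {port}")
        elif targets != {server_ip}:
            findings.append(f"{proto.upper()} {port} points to {sorted(targets)}")
    # Least privilege: flag ports opened to the server that this VPN type does not need.
    for proto, port, ip in rules:
        if ip == server_ip and (proto, port) not in needed:
            findings.append(f"unneeded {proto.upper()} {port}")
    return findings


# Constructed sample plan: IPsec server at 192.168.1.10, NAT-T in use.
PLAN = [("udp", 500, "192.168.1.10"), ("tcp", 1723, "192.168.1.10")]

if __name__ == "__main__":
    for finding in audit("ipsec", "192.168.1.10", PLAN, nat_t=True):
        print("-", finding)
```

For the constructed plan, the audit reports that UDP 4500 is missing and that TCP 1723 is open to the server without being needed for IPsec.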

   