VPN Pass-Through Setup

Vigor Router supports VPN pass-through, which passes VPN traffic to a VPN server on the router's LAN. This article shows how to set up VPN pass-through on Vigor Router.

To do this, you will need to:

1. Disable the VPN service on the router: Go to VPN and Remote Access >> Remote Access Control Setup, un-check the VPN protocol that you want to forward to the router's LAN.

a screenshot of DrayOS Remote Access Control Setup

2. Go to NAT >> Open Ports, and open the required port to the IP address of the VPN server. The ports required for each protocol are:

a screenshot of DrayOS Open Port settings

3. For IPsec that uses PKI authentication, it is necessary that “Accept large incoming fragmented UDP or ICMP packets” is enabled at Firewall >> General Setup.

a screenshot of DrayOS Firewall General setup

Limitations of IPsec VPN

Note that IPsec VPN pass-through has some limitations due to incompatibilities between IPsec and NAT:

  1. IPsec with Authentication Header (AH) cannot pass through NAT because AH does not allow changing the IP header.
  2. To pass multiple outgoing IPsec tunnels through NAT, both the VPN client and server must support NAT-Traversal (NAT-T). Without NAT-T, only one outgoing IPsec VPN is allowed at a time.
  3. L2TP with IPsec policy uses transport mode, which can only pass through NAT if both the VPN client and server support NAT-T (Note: All Vigor Routers support NAT-T).
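
Limitation 1 as an added example (not DrayTek code): a simplified Python model of what the AH and ESP integrity checks cover, showing that a source-NAT rewrite invalidates the AH ICV while the ESP ICV still verifies. The key, addresses, SPI and the HMAC-SHA-256-128 integrity algorithm are constructed for illustration, and the ESP payload stands in for ciphertext.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"   # constructed sample key, not a real SA key
SPI, SEQ, ICV_LEN = 0x1000, 1, 16

def mac(data):
    # HMAC-SHA-256 truncated to 128 bits, standing in for the negotiated algorithm
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]

def ip_header(src, dst, proto, body_len):
    # 20-byte IPv4 header; checksum left at 0 (it is a mutable field anyway)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + body_len, 0, 0, 64, proto,
                       0, socket.inet_aton(src), socket.inet_aton(dst))

def ah_input(pkt):
    # AH covers the IP header with mutable fields zeroed, the AH header with
    # its ICV zeroed, and the payload. Source/destination addresses stay in.
    hdr = bytearray(pkt[:20])
    hdr[1] = 0                     # DSCP/ECN
    hdr[6:8] = b"\x00\x00"         # flags / fragment offset
    hdr[8] = 0                     # TTL
    hdr[10:12] = b"\x00\x00"       # header checksum
    return bytes(hdr) + pkt[20:32] + bytes(ICV_LEN) + pkt[32 + ICV_LEN:]

def build(proto, payload, src="192.168.1.10", dst="203.0.113.5"):
    if proto == "ah":
        ah = struct.pack("!BBHII", 6, 5, 0, SPI, SEQ)  # next hdr, len, reserved, SPI, seq
        body_len = len(ah) + ICV_LEN + len(payload)
        pkt = ip_header(src, dst, 51, body_len) + ah + bytes(ICV_LEN) + payload
        return pkt[:32] + mac(ah_input(pkt)) + pkt[32 + ICV_LEN:]
    esp = struct.pack("!II", SPI, SEQ) + payload       # ESP header + opaque payload
    return ip_header(src, dst, 50, len(esp) + ICV_LEN) + esp + mac(esp)

def verify(proto, pkt):
    if proto == "ah":
        return hmac.compare_digest(pkt[32:32 + ICV_LEN], mac(ah_input(pkt)))
    # ESP's ICV starts at the ESP header, so the outer IP header is not covered
    return hmac.compare_digest(pkt[-ICV_LEN:], mac(pkt[20:-ICV_LEN]))

def nat(pkt, public_src="198.51.100.7"):
    # Source NAT on the router: rewrite the source address and decrement TTL
    hdr = bytearray(pkt[:20])
    hdr[8] -= 1
    hdr[12:16] = socket.inet_aton(public_src)
    return bytes(hdr) + pkt[20:]
```

A TTL change alone does not break AH because TTL is zeroed before the ICV is computed; it is the address rewrite that makes `verify("ah", nat(...))` fail.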

Published On: 2015-11-12