This Technote refers to passing IPSec traffic through Netopia products; this does not address VPN tunnels which terminate at the router.
CAUTION: IPSec tunneling supports IP routing only. IPX, AppleTalk or any protocol other than IP will not be routed across an IPSec tunnel.
Firmware References:
- v8.2 R1 (and up) - 3300 Enterprise Series
- v7.3 (and up) - 3300 Series
- v6.3.0 R7 (and up) - 3500 Series
- v5.3.7 (and up) - 4000 Series
- v4.8.2 (and up) - R-Series

PLEASE READ our Notice on Configuring VPN Tunnels with Netopia Routers.
If your router uses the Netopia "Menu" interface:
Telnet into the Netopia router's Main Menu at 192.168.1.1 (if using the default IP setting).
If your network has a different IP addressing scheme, modify this accordingly.
Separate instructions are available for using telnet and HyperTerminal (serial connection).
Log in with the user name and password. The Superuser login is required to save changes. If you are unsure of this, contact your network administrator.
Don't forget to press the Enter key to save any entries. Pressing Backspace, Delete or Tab without first pressing Enter will undo any changes.
The Esc key will take you back towards the main menu screen.
Once you have completed your configuration, you should reboot the Netopia to save and apply your changes.
If your gateway uses the Netopia "Web GUI" interface:
- Browse to the Netopia's web interface at http://192.168.1.254 (if using the default IP setting). If your network has a different IP addressing scheme, modify this accordingly.
- Log in with the admin user name and password. The admin login is required to save changes. If you are unsure of this, contact your network administrator.
- Remember to click the button (button image not shown) to save any entries. Hitting the back button without clicking it will undo any changes.
- Once you have completed your configuration, click on the symbol (image not shown) in the upper right hand corner to validate the changes. Then click on Save and Restart.
This document is provided to you as an added service by Netopia Technical Support. Although the configurations described below have proven successful in many instances for doing Microsoft Networking across a WAN or VPN connection, we cannot guarantee success in all circumstances due to the many variables and unpredictable behavior common to Windows OS. If the following suggestions do not provide the results you desire, please contact your MIS Department, or Microsoft Technical Support directly as Netopia cannot further support the features of Windows OS.
- Server List Entry:
To pass UDP port 500 (IKE) and protocol 50 (ESP) through Network Address Translation (NAT) to the local private IP address of the VPN device, a port 500 server list entry is used. The Netopia will pass UDP 500 and protocol 50 back to the target local IP. See the separate Netopia instructions for setting up a server list entry. Note: ESP will pass through NAT; however, AH will fail with NAT.
- Static Maps:
A static map can be implemented that passes all traffic through NAT to the target local private IP. The static map passes all ports back to the target local private IP, so UDP 500 and protocol 50 are implicitly passed via the static map. Note: ESP will pass through NAT; however, AH will fail in this case as well.
This functionality was officially supported at firmware 4.10.1 or greater (R-Series), and firmware 5.3.3 or greater (4000 Series).
- 6.30R7: Inbound passthrough is NOT supported.
- 7.1.1: Inbound passthrough is NOT supported.
- 7.1.2: Inbound passthrough is supported using the Software Hosting passthrough feature. See the 7.1.2 documentation for a description of this feature.

Software Hosting: Access from Configuration --> Advanced (screenshot not shown)
- 8.x: Inbound passthrough is supported via Static Maps and Server Lists. See the Netopia instructions for these features.
The IPSec ALG allows multiple hosts behind a single PAT address to simultaneously establish and maintain tunnels to multiple exterior hosts. The only limitation is that the IKE negotiations and the first ESP exchange may not overlap toward a single remote host. This means you should not launch multiple IPSec clients at the exact same time, as this could cause a problem for the initial mapping of the IPSec sessions.
PLEASE NOTE: The server MUST accept multiple connections from the same IP address. The proper functioning of this feature isn't entirely dependent upon the Netopia device.
Netopia firmware versions 4.11 +, 5.3.3 + and 8.0.9 + need source and destination port UDP 500 to activate the IPSec ALG. If the Netopia receives a packet to destination UDP 500 from source UDP 4500 for example, this is NOT going through the ALG but will be processed through NAT as a normal UDP session.
- 8.x or greater: Outbound IPSec is supported by default. There is no need to configure this option. It is possible to disable the IPSec ALG using the command "ip nat alg esp enable no" via the CLI. See below for an explanation of when this feature may need to be disabled.
Netopia Firmware 8.x for Enterprise Main Menu (screenshot not shown)
- Customers should be on firmware version 5.3.8 R1 or above on Netopia 4000 series products to utilize the latest IPSec ALG. The ALG is available in firmware version 5.3.3 and above; however, Netopia tech support recommends the use of 5.3.8 R1 or above. This option is also enabled by default. The 4000 series products allow you to turn this feature off via the CLI. The CLI command to disable IPSec passthrough is "ip nat alg esp enable no", issued at a router CLI command prompt.
PLEASE NOTE: The Command Line Interface can be launched from the Netopia Menu interface by simultaneously pressing the Ctrl and N keys at the router Main Menu. The screen display will then change to a # prompt. Separate documentation covers the use of the Netopia CLI.
Under certain circumstances it may be necessary to disable the IPSec ALG function. See the Conclusion below.
- Customers should be on firmware version 4.11.3 or above on Netopia R-series products to utilize the latest IPSec ALG (however, support was first added in 4.10.1). This is supported by default.
- 6.3.0 R7: Outbound IPSec is supported. Make sure the IPSec passthrough box is checked in the web GUI as shown below.
PLEASE NOTE: Under certain circumstances it may be necessary to disable this feature. An explanation follows below. To disable this feature the box should be unchecked.
3500 Series firmware version 6.3.0 R7 + needs only destination port UDP 500 to activate the IPSec ALG. A session going through the Netopia from source UDP 4500 to destination UDP 500 WILL process through the Netopia IPSec ALG.
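To make the rules above concrete, here is a small Python model, added for this page and not Netopia firmware code, of which path the technote says a packet takes: the ALG trigger ports per firmware family (source and destination UDP 500, or destination only on the 3500), the normal-NAT fallback for other source ports, and the inbound server-list and static-map paths with the AH caveat. The family labels, the `ip nat alg esp enable no` mapping to a boolean, and the 192.168.1.x targets are assumed sample values.

```python
# Added example, not Netopia firmware code: a model of the passthrough rules
# this technote states, to check which path a given IPSec packet would take.
from dataclasses import dataclass
from typing import Optional

IKE_PORT = 500                      # UDP 500 (IKE), per the technote
PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51

@dataclass
class NetopiaConfig:
    family: str                                # assumed labels: "R", "4000", "3500", "Ent"
    alg_enabled: bool = True                   # "ip nat alg esp enable no" clears this
    server_list_udp500: Optional[str] = None   # local private IP of the VPN device
    static_map_target: Optional[str] = None    # local private IP receiving all ports

@dataclass
class Packet:
    proto: int
    direction: str                             # "outbound" (LAN->WAN) or "inbound"
    src_port: int = 0
    dst_port: int = 0

def alg_matches(cfg: NetopiaConfig, pkt: Packet) -> bool:
    """3500 (6.3.0 R7+) keys the ALG on destination UDP 500 only; the other
    families (4.11+, 5.3.3+, 8.0.9+) need source AND destination UDP 500."""
    if not cfg.alg_enabled or pkt.proto != PROTO_UDP:
        return False
    if cfg.family == "3500":
        return pkt.dst_port == IKE_PORT
    return pkt.src_port == IKE_PORT and pkt.dst_port == IKE_PORT

def classify(cfg: NetopiaConfig, pkt: Packet) -> str:
    """Return the path the technote says this packet takes through the Netopia."""
    if pkt.proto == PROTO_AH:
        return "fails: AH does not pass NAT"   # stated for both server list and static map
    if pkt.direction == "outbound":
        if pkt.proto == PROTO_UDP:
            return "ipsec-alg" if alg_matches(cfg, pkt) else "nat-normal-udp"
        # ESP: tracked by the ALG when enabled; with the ALG off the router has no effect
        return "ipsec-alg" if cfg.alg_enabled else "nat-no-alg"
    # Inbound: a static map forwards every port, so UDP 500 and ESP are implied.
    if cfg.static_map_target:
        return f"static-map -> {cfg.static_map_target}"
    if cfg.server_list_udp500 and (
        pkt.proto == PROTO_ESP or (pkt.proto == PROTO_UDP and pkt.dst_port == IKE_PORT)
    ):
        return f"server-list -> {cfg.server_list_udp500}"
    return "dropped: no inbound mapping"
```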
Enabling IPSec PassThrough: Access from Security --> IPSec (screenshot not shown)
- 7.1 or greater: Outbound IPSec is supported. Make sure the IPSec PassThrough box is checked in the web GUI as shown above.
PLEASE NOTE: Under certain circumstances it may be necessary to disable this feature. An explanation follows below. To disable this feature the box should be unchecked.
Under certain circumstances it may be necessary to disable the IPSec ALG function:
- The IPSec client you are using asks you to disable IPSec ALGs or IPSec Helper Applications.
- You want to use a NAT translation or NAT friendly mode on your IPSec client and want the Netopia device to have no effect on the packet.
