Before starting the configuration of a Virtual Private Network (VPN) involving a Netopia Router or Gateway, there are some general factors that you should always take into account. The information contained herein should be considered appropriate to consider under most, if not all internetwork configurations involving the VPN. This would hold true for PPTP as well as IPSec and ATMP.
Please Note: Most Windows Networking applications (Network Neighborhood, etc.) do not automatically function the same across a WAN as they do on a LAN. Windows networking issues are outside the scope of Netopia Technical Support, and further information should be obtained from Microsoft support and documentation.
Also posted to this website are a number of documents that provide specific configuration outlines for different VPN protocols between multiple Netopia products, or to and from remote clients with which we have performed tests inhouse. While we provide this configuration information as an added service, Netopia Technical Support cannot provide configuration and troubleshooting support of any third-party device connecting to the Netopia.
Click Here! to go to the Support Resource Center. (Selecting your product family will guide you to a technotes reference page.)
If you would like to have a Netopia Technical Support Engineer configure the VPN parameters for you, there are several support options which may be purchased from Netopia Customer Care.
See the VPN Set-up Service Program for details.
VPN services to or from routers with non-routable WAN addresses are not supported by Netopia Technical Support. Many VPN implementations need special handling to work through Network Address Translation, if they are even able to at all. The National Internet Commission (NIC) unroutable address spaces are defined as the following:
- 10.x.x.x
- 172.16.x.x-172.31.x.x
- 192.168.x.x
Even though it may be possible through experimentation to effect VPN functionality in the case of a non-routable WAN address, Netopia Technical Support cannot troubleshoot these configurations.
Example configurations included in our technotes use non-routable WAN addresses for illustrative purposes only. Please modify your configuration for the appropriate IP addressing from your ISP.
Please Note: If your router is currently running Netopia Residential Firmware with a web "GUI" configuration menu, you may be able to gain enhanced VPN functionality with an upgrade to Business-Class firmware. Most 3300 Series Netopia Gateways can be upgraded to Enterprise level firmware. Click Here! to purchase the upgrade key.
Before you attempt to make a VPN connection, confirm your Netopia router configuration conforms to these guidelines:
If you have Input Filters added to an enabled Filter Set (see A above to find out what Filter Set you have enabled), you need to include input rules to allow the protocols used by your VPN tunnel. For PPTP tunnels, you will need to allow both TCP port 1723 and GRE, as show below in Figure A. For ATMP tunnels, you will need to allow UDP port 5150 and GRE, shown in Figure B. For IPSec VPN connections you will need to allow UDP 500 as well as protocols 50 and 51 as shown in Figure C.
Figure A - PPTP Filter
Figure B - ATMP Filter
Figure C - IPsec Filter
Now that you know what Filter Set you have enabled (see the first bullet), you can add input rules to the Input Filter of your enabled Filter Set by following these steps from the Main Menu:
- Go to Quick Menus
- Select IP Filter Sets
- Select Display/Change IP Filter Set
- Select your enabled Filter Set
- Select Add Input Filter to Filter Set...
- To configure an Input Filter for PPTP, enter the following parameters:
To configure an Input Filter for ATMP, enter the following parameters:
To configure an Input Filter for GRE (for both ATMP and PPTP filter sets), enter the following parameters:
To configure an Input Filter for IKE (for an IPSEC filter set) enter the following parameters:
To configure an Input Filter for ESP (for an IPSEC filter set) enter the following parameters:
To configure an Input Filter for AH (for an IPSEC filter set) enter the following parameters:
If you plan to do Windows networking across your VPN, you should have the Netbios Filter DISABLED in your Internet Connection Profile. To check what Filter Set you have enabled, follow these steps from the Main Menu:
- Go to WAN Configuration
- Select Display/Change Connection Profile
- Select your Internet profile
- Select IP Profile Parameters
- For Filter Set, the name listed is the name of the Filter Set enabled.
- To remove the Filter Set, simply select Remove Filter Set, and you will see the Filter Set name disappear.
(Note: For Ethernet routers, ignore steps 2 and 3
and select WAN Setup instead.)
You should have NO PPTP or IPSec (port 500)Servers added to your enabled NAT Server List. To check what NAT Server List you have enabled, follow these steps from the Main Menu:
- Go to WAN Configuration
- Select Display/Change Connection Profile
- Select your Internet profile
- Select IP Profile Parameters
- For NAT Server List..., the name listed is the name of the NAT Server List enabled.
(Note: For Ethernet routers, ignore steps 2 and 3
and select WAN Setup instead.)
- Go to Quick Menus
- Select Network Address Translation
- Select Show/Change Server List...
- Select your enabled NAT Server List (the name from the previous step 4).
- Select Show/Change Server... and your list of active Servers will appear.
(Note! If you do not have a Show/Change Server option and only see Add Servers, you should be fine and do not have any PPTP or IPSec Servers and can move on to the next step) - Once again, confirm there are NO PPTP servers or servers encompassing port 500 (for IPSec) listed. If so, remove the Server by hitting your escape key once, select Delete Server, and select the PPTP Server.