IPSec VPN Client and Motorola vt1000

Posts: 1 · New Forum Member Joined: Mar 30, 2004 Posts: 1

I need to access my corporate VPN network, and this will not work with recommended setup from Vonage (MTA first then router). Besides moving my MTA behind my router (which not an option with the poor call quality I am getting... I hear a noticable difference switching between the two set ups) what are my options?

Does anyone have this working?

Is Vonage working on this?

Posts: 66 · Full Forum Member Joined: Dec 15, 2003 Posts: 66

It works great for me both inbound and outbound. I heard from a Vonage tech that some IPSec and PPTP VPN problems were fixed in the Motorola 1.16d software. I have my Moto configured in bridging mode (NAT/DHCP turned off). This means your Moto gets one IP address from your ISP, and your router connected to the Moto's PC port gets another IP address. Not all ISPs will support this. I have RoadRunner in Minneapolis and they have no problem with this.

I have also done outbound IPSec and PPTP with 1.16 software and the Moto configured with NAT/DHCP turned on. This reduces your IP address requirements to one.

Hope this helps.

Bob

huntm wrote:

I need to access my corporate VPN network, and this will not work with recommended setup from Vonage (MTA first then router). Besides moving my MTA behind my router (which not an option with the poor call quality I am getting... I hear a noticable difference switching between the two set ups) what are my options?

Does anyone have this working?

Is Vonage working on this?

Posts: 7 · New Forum Member Joined: Mar 30, 2004 Posts: 7

Bobbabai, I too am having VPN problem which it looks like you've solved. I was wondering if you might be able to explain how you have your network physically set up now that you have NAT/DHCP on the MTA unit turned off, and VPN with IPSec working.

Is it the Vonage-suggested way? i.e., Cable Modem-> MTA (WAN port) -> Router (WAN port)

or the other way? Cable Modem-> router (WAN port) -> MTA (WAN port using an open LAN port from the router) -> computer (using the PC port)

If it is the second way, Vonage indicates that you don't get QoS.

Also, you said that you get two IP addresses from your ISP. Is this something you needed to set up with them, or does it happen automatically when you turn off the NAT/DHCP on the MTA unit?

Thanks for your help.

Posts: 66 · Full Forum Member Joined: Dec 15, 2003 Posts: 66

rong, the physical setup is the same as Vonage's suggested method:
Modem->MTA (WAN port)->Router (WAN port).

My ISP (RoadRunner in Minneapolis) allows customers to get 2 IP addresses at once. They've allowed this from the beginning about 2 years ago.

Bob

Posts: 1 · New Forum Member Joined: Apr 09, 2004 Posts: 1

Is there any fix to this yet? I have temporarily fixed the issue by moving my Motorola box behind my router. So far I have not noted any quality issues but I haven't used the phone much either.

Like most of the other posts, when my Voip box was between my cable modem and my router I could not use my VPN connection to my office network (my ISP - comcast - only offers one IP address).
I'd like to move it in front of the router to benefit from the QoS features (if any) but I need the VPN to work.

Posts: 1 · New Forum Member Joined: Mar 30, 2004 Posts: 1

once lowering the mtu on the machine using vpn to 1300 -- my vpn issues cleared up. . .

Between the doublenat (one on the home lan router, the second as it cleared the motorolla Voip box) -- i figured the nat encapsulation was exceeding the 1500 limit and killing the connections

Posts: 2 · New Forum Member Joined: Apr 14, 2004 Posts: 2

I have a configuration as follows:
cable modem <> VT1000V <> Linksys WRT54G router <> 2 computers

When I disabled DHCP/NAT on the VT1000V , the following problems occurred (for the first time) on my 2 client computers:
1. All attempts to ping external hosts by name results in "ping request could not find the host xx.com" error.
2. All attempts to ping external ping hosts by IP address result in "request time out" error.
3. All attempts to load external web page in a browser result in "this page cannot be displayed" error message.

By "external", I mean anything outside of the cable modem.

Unfortunately, I can only get one IP address from my ISP. I experimented with different "power-up orders" for my gear, and in some cases, the VT 1000V gets an IP address from the ISP, and in some cases the Linksys router gets the IP address. But never do both devices get an IP address.

IP addresses are as follows:
---
WRT54G router: WAN-192.168.102.50 (static) LAN-192.168.1.1 (static)
2 computers: 192.168.1.100 and 192.168.1.101 (both static)

My ISP's DNS server addresses are properly entered on the router and the computers. However, I cannot even ping the ISP's DNS servers or gateway by IP address (per #2 above).

Could anyone please advise me as to the resolution of this problem? My goal is to have a working configuration in which DHCP/NAT is disabled on the VT1000V, but that problems 1, 2 and 3 as listed above are not manifested.

Thanks,

jeffrob

Posts: 66 · Full Forum Member Joined: Dec 15, 2003 Posts: 66

christoperj wrote:

Between the doublenat (one on the home lan router, the second as it cleared the motorolla Voip box) -- i figured the nat encapsulation was exceeding the 1500 limit and killing the connections

This is strange, christopherj. NAT doesn't add any bytes to the IP packet - it just translates IP addresses and ports. My guess is that you are having a fragmentation problem. Then you use any VPN tunneling, the IP packet is encapsulated inside another protocol. In the case of PPTP, the tunneling encapsulation is the GRE protocol. For L2TP, it's UDP. For IPSec, it's UDP. The tunneling encapsulation adds its own header which increases the size of the packet which will result in fragmented packets if the packet size exceeds 1500. Maybe something in the path is not handling fragmented packets correctly.

Odd that I don't have the same problem when I use NAT on the Motorola. But I think I haven't tried NAT on the latest 1.16d firmware.

Bob

Posts: 66 · Full Forum Member Joined: Dec 15, 2003 Posts: 66

jeffrob wrote:

Could anyone please advise me as to the resolution of this problem? My goal is to have a working configuration in which DHCP/NAT is disabled on the VT1000V, but that problems 1, 2 and 3 as listed above are not manifested.

Jeff, if your ISP will only give you one IP address, there is no way to use the bridging feature of the Motorola. One workaround would be to use yet another NAT router in front of the Motorola, like this:

NATRouter --> Moto (bridged) --> OriginalNATRouter/Switch --> PCs

Bob

Posts: 2 · New Forum Member Joined: Apr 14, 2004 Posts: 2

Thanks for the answer, Bob!

So, it looks like I can solve the problem with an extra IP ($10 a month to the cable company) or an extra router (one-time charge of ~$40). The extra router option might be the way I go.