Geekzone: technology news, blogs, forums


SATTV

1670 posts

Uber Geek
+1 received by user: 657

ID Verified

#240370 4-Sep-2018 16:30

Hi All,

I am struggling with this one.

I have a client that has an office in Auckland and they have several users who remote in from home on occasion to access their desktops / network drives.

A few users have got the Spark wireless broadband at home that is obviously CG-NAT.

I can't for the life of me get a L2TP or PPTP VPN to connect. (I know PPTP is less secure, but I just want to get them working.)

I know they can apply for a static IP and that is an additional $15 per month, but I would try and find other means if possible.

Most devices are W10 Pro 1803 and just using the built-in Windows VPN client.

At the office they are terminating to a Cyberoam UTM.

I have seen on Geekzone people say to use a VPN; are they referring to a site-to-site VPN rather than a dial-in VPN?

Is anyone able to point me in the right direction?

John

I know enough to be dangerous


insane
3324 posts

Uber Geek
+1 received by user: 1006

ID Verified
Trusted
2degrees
Subscriber

  #2083959 4-Sep-2018 17:15

The clients being behind CGNAT shouldn't have any bearing on the ability to use a 'dial in' style VPN. Sounds more like an issue with an ACL not allowing inbound VPN connections from ANY IP.

Perhaps also get the clients to install the Cyberoam client VPN software.




SATTV

1670 posts

Uber Geek
+1 received by user: 657

ID Verified

  #2083966 4-Sep-2018 17:57

insane:

The clients being behind CGNAT shouldn't have any bearing on the ability to use a 'dial in' style VPN. Sounds more like an issue with an ACL not allowing inbound VPN connections from ANY IP.

Perhaps also get the clients to install the Cyberoam client VPN software.

Thanks for the reply.

I can VPN in from work without issue, and so can others who are not on CG-NAT.

John


RunningMan
9184 posts

Uber Geek
+1 received by user: 4834


  #2083968 4-Sep-2018 18:01

Not a case of all the affected clients appearing as a single IP to the VPN server, and it not allowing multiple simultaneous connections from the same IP?




SATTV

1670 posts

Uber Geek
+1 received by user: 657

ID Verified

  #2083969 4-Sep-2018 18:05

RunningMan:

Not a case of all the affected clients appearing as a single IP to the VPN server, and it not allowing multiple simultaneous connections from the same IP?

Thanks for the idea, not trying to connect at the same time.

John


hashbrown
463 posts

Ultimate Geek
+1 received by user: 131


  #2084047 4-Sep-2018 20:46

PPTP uses GRE for transport so won't work with CG-NAT.

 

Looks like Cyberoam has SSL VPN support which is probably your best long term option.


stinger
628 posts

Ultimate Geek
+1 received by user: 169
Inactive user


  #2084061 4-Sep-2018 20:59

SATTV:

Is anyone able to point me in the right direction?

What is the error message the users are receiving?

CG-NAT should not be the issue. Fact is 99% of the devices in people's homes are behind a NAT from the ADSL/UFB router, so double NATing shouldn't be any more complicated. I've used a CGNAT / NAT combo with OpenVPN without any problems.

SATTV

1670 posts

Uber Geek
+1 received by user: 657

ID Verified

  #2084066 4-Sep-2018 21:09

I will have to grab the exact error tomorrow; basically, after about a minute of saying "Connecting" it fails.


BarTender
3629 posts

Uber Geek
+1 received by user: 2572

ID Verified
Trusted
Lifetime subscriber

  #2084071 4-Sep-2018 21:29

Get a static IP address on wireless broadband. Problem solved.

hashbrown
463 posts

Ultimate Geek
+1 received by user: 131


  #2084072 4-Sep-2018 21:37

stinger:

CG-NAT should not be the issue. Fact is 99% of the devices in people's homes are behind a NAT from the ADSL/UFB router, so double NATing shouldn't be any more complicated. I've used a CGNAT / NAT combo with OpenVPN without any problems.

Home routers often implement workarounds for common NAT issues. CG-NAT doesn't implement these as they simply don't scale to thousands of endpoints.

 

 


Zeon
3926 posts

Uber Geek
+1 received by user: 759

Trusted

  #2084109 4-Sep-2018 23:00

IPv6 VPN?



vulcannz
436 posts

Ultimate Geek
+1 received by user: 136
Inactive user


  #2084324 5-Sep-2018 13:42

CGNAT is a pain for IPsec; SSL is probably the best option, as mentioned above. It may also be MTU related: I've had to drop MTU sizes to 1308 or less to handle VPNs coming from crusty 3G/4G or CGNAT networks (and IPsec hates being fiddled with, so anything vaguely fragmenty will kill it).

qwerty123
147 posts

Master Geek
+1 received by user: 20


  #2084407 5-Sep-2018 15:41

Those NAT'ed users probably share the same external IP. L2TP uses IPsec transport, and with IPsec you cannot have multiple clients sharing the same external IP because of the way IPsec matches the peer's IP to the secret/certificate, even if NAT traversal is enabled.

PPTP uses TCP for the control connection, but GRE for the tunnel. And with GRE you also cannot have multiple clients sharing the same IP.


vulcannz
436 posts

Ultimate Geek
+1 received by user: 136
Inactive user


  #2084446 5-Sep-2018 17:16

qwerty123:

Those NAT'ed users probably share the same external IP. L2TP uses IPsec transport, and with IPsec you cannot have multiple clients sharing the same external IP because of the way IPsec matches the peer's IP to the secret/certificate, even if NAT traversal is enabled.

That's not true for IPsec clients (and aggressive mode).


qwerty123
147 posts

Master Geek
+1 received by user: 20


  #2084535 5-Sep-2018 20:12

vulcannz:

That's not true for IPsec clients (and aggressive mode).

Not a problem for clients, but a headache for the server. In the general case you cannot have multiple SAs between the server and multiple clients behind the same NAT IP. Every next client will destroy the already established SA during negotiation.


vulcannz
436 posts

Ultimate Geek
+1 received by user: 136
Inactive user


  #2084555 5-Sep-2018 21:06

qwerty123:

vulcannz:

That's not true for IPsec clients (and aggressive mode).

Not a problem for clients, but a headache for the server. In the general case you cannot have multiple SAs between the server and multiple clients behind the same NAT IP. Every next client will destroy the already established SA during negotiation.

Again, that is not true. I've done it plenty. Each connection SA has a unique SPI. Each client can maintain a connection even if everyone is on that same IP. Otherwise you'd have problems with CGNAT, hotels, airport lounges and so forth. I've been in a hotel with 800 people from the same company using the same IPSEC VPN portal, no problems whatsoever.

The only time you'd ever see such an issue was a long, long time ago, when routers at the client end did not properly support Protocols 50 and 51 and couldn't handle multiple outbound NAT sessions for IPSEC.

Network security is what I do for a job. VPNs are a big part of that (IPSEC site to site/client and SSL). Over the last 18 years I've worked with VPNs on Sonicwall/Juniper/Netscreen/Palo Alto/Fortinet/and Checkpoint boxes.
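Pulling the thread's points together as an added example (not from any poster and not Cyberoam or Spark code): a small Python triage that classifies the address a user's router got from the ISP (RFC 6598 shared space means CGNAT) and works out which of the VPN types discussed above can traverse it. The transport table and the sample addresses are constructed for this example.

```python
"""Triage a remote user's WAN address for CGNAT and rate the VPN transports discussed.

Constructed example: pass the address shown on the home router's WAN/status page,
not the PC's own LAN address, since the PC's 192.168.x.x says nothing about upstream.
"""
import ipaddress

SHARED_SPACE = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 space ISPs hand out inside CGNAT
PRIVATE_SPACE = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # RFC 1918 home-router space

# Transports each VPN type needs from client to server. Port-less IP protocols (GRE = 47,
# ESP = 50) give a NAT nothing to demultiplex on; TCP/UDP flows carry a source port.
VPN_TRANSPORTS = {
    "PPTP":             ("tcp/1723", "ip/47"),    # control channel + GRE tunnel
    "L2TP/IPsec NAT-T": ("udp/500", "udp/4500"),  # IKE, then ESP-in-UDP once NAT is detected
    "IPsec raw ESP":    ("udp/500", "ip/50"),     # IKE + bare ESP, no UDP encapsulation
    "SSL VPN":          ("tcp/443",),
}

VERDICT_RANK = {"ok": 0, "depends on router ALG": 1, "likely blocked": 2}


def classify_wan(addr: str) -> str:
    """Return 'cgnat', 'private' or 'public' for the router's ISP-facing address."""
    ip = ipaddress.ip_address(addr)
    if ip in SHARED_SPACE:          # checked first: Python's is_private does not flag 100.64/10
        return "cgnat"
    if any(ip in net for net in PRIVATE_SPACE):
        return "private"            # double NAT; upstream unknown
    return "public"


def transport_verdict(transport: str, wan_kind: str) -> str:
    """Verdict for one transport given where the client sits relative to NAT."""
    proto = transport.partition("/")[0]
    if proto in ("tcp", "udp") or wan_kind == "public":
        return "ok"
    # Port-less protocol behind a NAT: a home router may carry a PPTP/IPsec ALG that tracks one
    # such flow; a carrier NAT shared by thousands of subscribers does not offer that.
    return "likely blocked" if wan_kind == "cgnat" else "depends on router ALG"


def vpn_viability(wan_addr: str) -> dict:
    """Map each VPN type to the worst verdict among the transports it needs."""
    kind = classify_wan(wan_addr)
    return {name: max((transport_verdict(t, kind) for t in needs), key=VERDICT_RANK.__getitem__)
            for name, needs in VPN_TRANSPORTS.items()}


if __name__ == "__main__":
    for addr in ("100.70.12.9", "192.168.1.20", "203.0.113.7"):  # constructed sample addresses
        print(addr, classify_wan(addr), vpn_viability(addr))
```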

