Networking Forums

what exactly is a router doing, when you enable l2tp pass-through?

Jan
Guest
      05-26-2004, 09:00 PM
if a router like the linksys wrt54g has the option to "enable l2tp
pass-through" - does it mean it just forwards l2tp through to the
client? In other words: if I disable l2tp pass-through but establish
portforwarding for UDP 500 and UDP 1701 would it be the same?

Thanks,
Jan
 
Duane Arnold
Guest
      05-26-2004, 10:45 PM
(E-Mail Removed) (Jan) wrote in news:6103291d.0405261300.68557356@posting.google.com:

> if a router like the linksys wrt54g has the option to "enable l2tp
> pass-through" - does it mean it just forwards l2tp through to the
> client? In other words: if I disable l2tp pass-through but establish
> portforwarding for UDP 500 and UDP 1701 would it be the same?
>


L2TP is a VPN protocol like TCP/IP is a carrier protocol to carry data
from one machine to another machine on a network LAN or WAN. The L2TP VPN
protocol encrypts and encapsulates the data within the L2TP protocol and
the L2TP rides on TCP/IP, the carrier protocol.

For a secure VPN connection, there must be two valid VPN end-points. If
you disable L2TP on the router, the VPN connection is no longer a valid
secure VPN connection. VPN can be established on a machine behind the
router and it would still be a valid VPN connection, without the router
using its VPN protocol.

Port forwarding is port forwarding of ports to an IP/machine opening the
ports on the router to the public Internet and has nothing to do with a
secure end-point to end-point VPN connection.

Duane

Jan
Guest
      05-27-2004, 06:38 AM
Duane Arnold <(E-Mail Removed)> wrote in message news:<Xns94F5B4A3C31A2notmenotmecoml@216.148.227.77>...
> (E-Mail Removed) (Jan) wrote in news:6103291d.0405261300.68557356@posting.google.com:
>
> > if a router like the linksys wrt54g has the option to "enable l2tp
> > pass-through" - does it mean it just forwards l2tp through to the
> > client? In other words: if I disable l2tp pass-through but establish
> > portforwarding for UDP 500 and UDP 1701 would it be the same?
> >
>
> L2TP is a VPN protocol like TCP/IP is a carrier protocol to carry data
> from one machine to another machine on a network LAN or WAN. The L2TP VPN
> protocol encrypts and encapsulates the data within the L2TP protocol and
> the L2TP rides on the TCP/IP the carrier protocol.
>
> For a secure VPN connection, there must be two valid VPN end-points. If
> you disable L2TP on the router, the VPN connection is no longer a valid
> secure VPN connection. VPN can be established on a machine behind the
> router and it would still be a valid VPN connection, without the router
> using its VPN protocol.
>
> Port forwarding is port forwarding of ports to an IP/machine opening the
> ports on the router to the public Internet and has nothing to do with a
> secure end-point to end-point VPN connection.
>
> Duane


Hi Duane,

thanks for your answer. Basically what you are saying is: with
enabling L2TP Passthrough - you only open the L2TP Ports and Protocol
in the firewall? You know, if the router is doing NAT, then you get a
problem with L2TP because the router cannot modify UDP Packets. I
really do not see why a client behind an l2tp-passthrough router can
speak l2tp, if it only opens ports. With windows 2003 server you get a
new implementation of VPN for example, where additional UDP packets
encapsulate the former l2tp packets. The encapsulation packets can
then be modified by the NAT router. In this case there are changes
made to the packets. But why would l2tp also work with just opening
ports in the firewall? By just opening ports, the router would not be
allowed to modify the packets without invalidating them.

cheers,
Jan
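Jan's point that the router cannot modify the packets without invalidating them can be made concrete. The following is an added example, not code from anyone in this thread: it models a NAT rewriting the source address of an L2TP datagram on UDP 1701, once as plain UDP, where the router can recompute the UDP checksum, and once with the UDP header protected by transport-mode ESP, where it cannot, so the receiver's checksum check fails. Addresses and the L2TP payload are constructed.

```python
import struct
from ipaddress import IPv4Address

L2TP_PORT = 1701

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 arithmetic over 16-bit big-endian words with end-around carry."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> int:
    """The UDP checksum covers an IPv4 pseudo-header, so it is bound to both IP addresses."""
    length = 8 + len(payload)
    pseudo = IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
    pseudo += struct.pack("!BBH", 0, 17, length)  # zero, protocol 17 (UDP), UDP length
    header = struct.pack("!HHHH", sport, dport, length, 0)
    checksum = (~ones_complement_sum(pseudo + header + payload)) & 0xFFFF
    return checksum or 0xFFFF  # a computed 0 is sent as all ones (0 means "no checksum")

def make_l2tp_datagram(src_ip: str, dst_ip: str, payload: bytes, esp_protected: bool) -> dict:
    """Constructed L2TP datagram on UDP 1701. esp_protected models transport-mode ESP:
    the UDP header and payload are encrypted and integrity-protected, so a middlebox
    can neither read nor rewrite them."""
    checksum = udp_checksum(src_ip, dst_ip, L2TP_PORT, L2TP_PORT, payload)
    udp = struct.pack("!HHHH", L2TP_PORT, L2TP_PORT, 8 + len(payload), checksum) + payload
    return {"src": src_ip, "dst": dst_ip, "udp": udp, "esp": esp_protected}

def nat_outbound(pkt: dict, public_ip: str) -> dict:
    """Source NAT on the router. For plain UDP it rewrites the address and recomputes the
    UDP checksum; for ESP-protected UDP it can only touch the outer IP header."""
    out = dict(pkt, src=public_ip)
    if not pkt["esp"]:
        sport, dport, length, _ = struct.unpack("!HHHH", pkt["udp"][:8])
        payload = pkt["udp"][8:]
        fixed = udp_checksum(public_ip, pkt["dst"], sport, dport, payload)
        out["udp"] = struct.pack("!HHHH", sport, dport, length, fixed) + payload
    return out

def receiver_accepts(pkt: dict) -> bool:
    """The destination host (after any ESP decryption) checks the UDP checksum against
    the addresses in the IP header it actually received."""
    sport, dport, _, checksum = struct.unpack("!HHHH", pkt["udp"][:8])
    return checksum == udp_checksum(pkt["src"], pkt["dst"], sport, dport, pkt["udp"][8:])
```

This is the failure NAT-T avoids: with ESP carried inside UDP, the port-translating router only handles the outer UDP header, and the endpoint that decrypts the packet is told (through IKE) to expect the checksum mismatch and repair it.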
 
Ron Bandes
Guest
      05-27-2004, 03:04 PM
I have to differ. There are two arrangements for VPNs: site-to-site and
remote-access. In a site-to-site VPN, the VPN tunnel terminates on a
router, so that all the devices at that site can take advantage of the
tunnel. In a remote-access VPN, the tunnel is terminated on a single
computer. In the former case, the router must have a full implementation of
the VPN protocol. In the latter case, the router only needs VPN passthrough
to allow the tunnel to pass through the router to the single device that
terminates the tunnel.

Port forwarding is part of VPN passthrough, but I don't think it's the whole
issue. I'm a little unsure here without doing some research, but I'll give
it a try. I believe the other aspect of VPN passthrough has to do with NAT.
Strictly speaking, protocol layers above the Network layer (IP) should not
put IP addresses into their data fields, because a NAT router normally
translates only the IP addresses found in the IP header (all the fields in
an IP packet other than your data). Some higher layer protocols do embed IP
addresses in their data; FTP is notorious for this. For any higher layer
protocol that behaves this way, the router must have knowledge of that
protocol so that it can FIXUP the addresses embedded in data fields. I
believe this is the case for L2TP as well.

Ron Bandes, CCNP, CTT+, etc.

 
Jan
Guest
      05-27-2004, 10:08 PM
Ok, thanks Ron. Just to give everybody who is interested an overview,
here is what I tested so far:

Scenario: w2k3 vpn server behind a NAT

- XP client directly in the internet -> L2TP connect succeeded
- XP client behind a NAT Router with enabled firewall and disabled
IPsec and L2TP passthrough -> L2TP no connection
- XP client behind a NAT Router with enabled firewall but ENABLED
IPsec and L2TP passthrough -> L2TP no connection
- XP client behind a NAT Router with enabled firewall, enabled IPsec
passthrough AND 818043 (NAT-T client Hotfix from MS) installed on the
client -> L2TP connect succeeded (IPsec passthrough enabling was enough, no
L2TP passthrough had to be enabled. If I ONLY enable L2TP passthrough
and have the NAT-T hotfix installed on the client - it's NOT working)

The Router is a Linksys WRT54G.

Jan

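The NAT-T hotfix (818043) that made Jan's last case work starts by detecting the NAT during IKE. As an added example that is not part of the thread, this models the RFC 3947 NAT-D exchange from the server's point of view, with constructed cookies and addresses for the scenario Jan tested (client behind the WRT54G, server behind its own NAT with UDP 500 forwarded); SHA-1 stands in for the hash the IKE SA negotiates.

```python
import hashlib
import struct
from ipaddress import IPv4Address

IKE_PORT = 500

def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload value: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 stands in for whatever hash the IKE SA negotiated."""
    data = cky_i + cky_r + IPv4Address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()

def nat_d_payloads(cky_i, cky_r, my_ip, my_port, peer_ip, peer_port):
    """A peer sends the hash of the remote address first, then one hash per local address."""
    return [nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
            nat_d_hash(cky_i, cky_r, my_ip, my_port)]

def detect_nat(received, cky_i, cky_r, seen_src, seen_dst):
    """The receiver recomputes both hashes from the outer IP/UDP header it actually saw.
    Returns (peer_behind_nat, self_behind_nat)."""
    self_expected = nat_d_hash(cky_i, cky_r, *seen_dst)  # where the peer thinks we are
    peer_expected = nat_d_hash(cky_i, cky_r, *seen_src)  # where the peer thinks it is
    return peer_expected not in received[1:], received[0] != self_expected

def server_view(client_ip, client_seen_by_server, server_dialed, server_local):
    """One NAT-D exchange as seen by the 2003 server; all addresses are constructed.
    client_ip: what the XP client puts in its NAT-D; client_seen_by_server: the source
    address after the client's router; server_dialed: the address the client connected
    to; server_local: the address the server actually has on its interface."""
    cky_i = bytes.fromhex("0011223344556677")  # constructed initiator cookie
    cky_r = bytes.fromhex("8899aabbccddeeff")  # constructed responder cookie
    sent = nat_d_payloads(cky_i, cky_r, client_ip, IKE_PORT, server_dialed, IKE_PORT)
    return detect_nat(sent, cky_i, cky_r,
                      (client_seen_by_server, IKE_PORT), (server_local, IKE_PORT))

# Thread scenario: XP client behind the WRT54G, 2003 server behind its own NAT with UDP 500
# forwarded. Once either side is found behind a NAT, IKE moves to UDP 4500 and ESP is sent
# UDP-encapsulated (RFC 3948), which a port-translating router forwards like any UDP flow.
BOTH_NATTED = server_view("192.168.1.10", "203.0.113.5", "198.51.100.7", "10.0.0.2")
# Contrast case with neither side behind a NAT: the hashes match and plain ESP is used.
DIRECT = server_view("192.0.2.33", "192.0.2.33", "198.51.100.7", "198.51.100.7")
```

Without the hotfix the XP client never sends NAT-D, so it keeps using bare ESP (IP protocol 50), which has no port numbers for the WRT54G to translate; that is the gap "IPsec passthrough" has to paper over.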
 
Duane Arnold
Guest
      05-27-2004, 10:11 PM
"Ron Bandes" <RunderscoreBandes @yah00.com> wrote in news:0sntc.58463$(E-Mail Removed).net:

> Port forwarding is part of VPN passthrough, but I don't think it's the
> whole issue. I'm a little unsure here without doing some research,
> but I'll give it a try. I believe the other aspect of VPN passthrough
> has to do with NAT. Strictly speaking, protocol layers above the
> Network layer (IP) should not put IP addresses into their data fields,
> because a NAT router normally translates only the IP addresses found
> in the IP header (all the fields in an IP packet other than your
> data). Some higher layer protocols do embed IP addresses in their
> data; FTP is notorious for this. For any higher layer protocol that
> behaves this way, the router must have knowledge of that protocol so
> that it can FIXUP the addresses embedded in data fields. I believe
> this is the case for L2TP as well.


I did read some articles out on Google about IPsec and L2TP issues with a
NAT router where the VPN end-point was behind the router for Win 2K, XP
and 2K3. In that case, the solution was to map the ports (port forward)
the VPN ports to the IP/machine behind the router.

In the case of the OP who seems to have VPN issues at the machine level,
port forwarding the VPN ports may resolve the issue for a VPN
server/client software setup at the O/S level.

I don't think one needs to enable the pass through protocol on the router
in this situation, since it's the machine that's the end-point. I could
be wrong.

Duane