Create Virtual Server to forward ESP protocol
I would like to set up a VPN server in my home within my home network (not on the TP-Link itself).
I have forwarded UDP port 500 and 4500 to the specific VPN server but I notice (when I am connecting to the VPN within same network) the VPN uses ESP protocol as well, which doesn't have a port.
Is it possible to forward ESP packets to the particular VPN server in my network?
Thanks.
Hi,
Do you mind telling us the name of the VPN server software you are using?
Apparently the ESP protocol can't be directly forwarded through a NAT.
Check if your VPN server has an option called "NAT-Traversal" (or NAT-T) and if it does, enable it.
I think in most cases this option is active by default anyway, because forwarding of UDP ports 500 and 4500 has usually been sufficient for me to make L2TP/IPSec VPN work.
Encapsulating Security Payload (ESP) is a member of the Internet Protocol Security (IPsec) set of protocols that encrypt and authenticate the packets of data between computers using a Virtual Private Network (VPN).
For IPSec protocol forwarding the UDP ports 500 and 4500 should suffice.
How the ESP protocol can be forwarded through a NAT device is explained in detail here:
https://community.cisco.com/t5/security-knowledge-base/how-does-nat-t-work-with-ipsec/ta-p/3119442
Basically the ESP packet would be encapsulated in a UDP packet with port number information included.
That's why you can't see the ESP packet when connecting to the VPN from outside your LAN.
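To make the NAT-T point above concrete, here is an added example (not from this thread or from the linked Cisco article) that classifies raw IPv4 packets the way a capture tool would: native ESP arrives as IP protocol 50 with no port, while after NAT-T the same ESP header (SPI plus sequence number) rides inside UDP port 4500, with IKE on 4500 distinguished by the four-byte zero "non-ESP marker" and keepalives by a single 0xFF byte (RFC 3948). The packets, addresses and SPI values are constructed inline for the demonstration; no real capture is read.

```python
import struct
from collections import Counter

IP_PROTO_UDP = 17
IP_PROTO_ESP = 50          # ESP is its own IP protocol number; there is no port to forward
IKE_PORT = 500
NATT_PORT = 4500           # RFC 3948: UDP encapsulation of ESP for NAT traversal
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefix that marks IKE (not ESP) on UDP 4500


def build_ipv4(proto, payload, src=b"\xc0\xa8\x01\x0a", dst=b"\xc0\xa8\x01\x01"):
    """Minimal IPv4 header (no options, checksum left 0) in front of payload.
    Addresses are constructed sample values (192.168.1.10 -> 192.168.1.1)."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, src, dst)
    return hdr + payload


def build_udp(sport, dport, data):
    """UDP header with checksum left 0 (not validated here)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_esp(spi, seq, body=b"\x00" * 16):
    """ESP header is just SPI + sequence number; the body is opaque ciphertext."""
    return struct.pack("!II", spi, seq) + body


def classify(pkt):
    """Return (kind, spi) for one raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    payload = pkt[ihl:]
    if proto == IP_PROTO_ESP:
        spi, _seq = struct.unpack("!II", payload[:8])
        return ("esp", spi)                      # native ESP, only visible on the LAN side
    if proto != IP_PROTO_UDP:
        return ("other", None)
    sport, dport = struct.unpack("!HH", payload[:4])
    data = payload[8:]
    if NATT_PORT in (sport, dport):
        if data == b"\xff":
            return ("natt-keepalive", None)      # keeps the NAT mapping alive
        if data[:4] == NON_ESP_MARKER:
            return ("ike-natt", None)            # IKE moved to 4500 after NAT was detected
        spi, _seq = struct.unpack("!II", data[:8])
        return ("udp-esp", spi)                  # SPI is never 0, so this is ESP-in-UDP
    if IKE_PORT in (sport, dport):
        return ("ike", None)
    return ("other", None)


def summarize(packets):
    """Count packet kinds, i.e. what a capture filter would show."""
    return Counter(kind for kind, _ in map(classify, packets))


# Constructed sample "captures": the same tunnel seen on the LAN and seen
# after NAT-T kicks in. IKE payload bytes are dummies; only the framing matters.
IKE_DUMMY = b"\x00" * 28
LAN_CAPTURE = [
    build_ipv4(IP_PROTO_UDP, build_udp(500, 500, IKE_DUMMY)),
    build_ipv4(IP_PROTO_ESP, build_esp(0xC0FFEE01, 1)),
    build_ipv4(IP_PROTO_ESP, build_esp(0xC0FFEE01, 2)),
]
NAT_CAPTURE = [
    build_ipv4(IP_PROTO_UDP, build_udp(500, 500, IKE_DUMMY)),
    build_ipv4(IP_PROTO_UDP, build_udp(4500, 4500, NON_ESP_MARKER + IKE_DUMMY)),
    build_ipv4(IP_PROTO_UDP, build_udp(4500, 4500, build_esp(0xC0FFEE02, 1))),
    build_ipv4(IP_PROTO_UDP, build_udp(4500, 4500, build_esp(0xC0FFEE02, 2))),
    build_ipv4(IP_PROTO_UDP, build_udp(4500, 4500, b"\xff")),
]

if __name__ == "__main__":
    print("LAN side:", dict(summarize(LAN_CAPTURE)))
    print("NAT side:", dict(summarize(NAT_CAPTURE)))
```

The NAT-side capture contains no protocol-50 packets at all, which is why a port forward of UDP 500 and 4500 is enough and why Wireshark outside the LAN shows UDP 4500 traffic rather than ESP. The equivalent Wireshark display filter is `esp || udp.port == 4500`.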
@woozle We are using a Ubiquiti UniFi router as a second-layer network, and using their VPN server.
Ok, I think their VPN server should be no different than most others and it should work. Anyway, on the C1200 (and any other TP-Link model as well) there is nothing more you can do other than setting up port forwarding of UDP ports 500 and 4500. Oh, and make sure "L2TP Passthrough" and "IPSec Passthrough" are enabled on the C1200 (menu Advanced > NAT Forwarding > ALG).
What is the precise problem you've encountered?
@woozle I tried using Wireshark to see the traffic when I am in the network where I can connect directly to the VPN server, and I can see the ESP packets.
However, when I am connecting remotely through the TP-Link router, I don't see them. It may be other issues; I am not sure.
However, I resolved this by using WireGuard and OpenVPN instead.
@terziyski Since WireGuard / OpenVPN works but not L2TP, it may just be a different issue. I will explore further, thanks for the article!
How are you trying to connect remotely?
Apparently support for L2TP/IPsec is broken in Android 12 and 13. (at least I've never managed to connect phones that run these versions)
Views: 2023
Replies: 7
