Can FirstSpot pass VPN traffic?

JF · Joined: 03 Mar 2004 Posts: 4

It looks like FirstSpot cannot pass the VPN traffic out to Internet. I have used Cisco VPN client to test. I have opened a web browser to type a URL, authenticated with FirstSpot before the test.

It is very important function, because our clients need using this connection to their company. Can FirstSpot do it?

Blide · Joined: 24 Feb 2004 Posts: 14 Location: Texas

I have used 2 different VPN clients (Sonicwall & Symantec) and they are also a no go on firstspot. I'm willing to help patronsoft test but they will need to contact me.
_________________
Thanks for the help..

kevin · **Forum facilitator** Joined: 26 Sep 2003 Posts: 442

Thanks, JF, Blide.

We've tested FirstSpot with IPSEC VPN and MS PPTP before. We will also do a round of extensive testing on IPSEC this coming week (Mar-15). And will let you know our findings ASAP.

~ Patronsoft Limited ~

bhhanson · Joined: 05 Apr 2005 Posts: 15

I got a call from a guest that they were trying to connect VPN to their office and was unable to connect. They appear to be using Microsoft PPTP and GRE VPN. I see packets hit the firewall here and are accepted and are forwarded on. I have not yet had a chance to work with them to do a TCPDUMP to watch traffic.

So, is there some conclusions on the ability to support VPN connections?

Thank you.
Brad Hanson
Minneapolis

kevin · **Forum facilitator** Joined: 26 Sep 2003 Posts: 442

If you're using Advanced Edition of FirstSpot, you can turn off the NAT at the public interface, FirstSpot will then act like a vanilla router. Please remember to add a return route at the next-hop router though.
_________________
~ Patronsoft Limited ~

bhhanson · Joined: 05 Apr 2005 Posts: 15

Does your reply imply that in order for VPN access to work for guests, the NAT feature should be disabled? I'm not sure I want that to be that way as it might cause other problems for us.

Thank you...

kevin · **Forum facilitator** Joined: 26 Sep 2003 Posts: 442

If the VPN server and clients supports NAT-traversal, then they should have no problems passthrough any NAT-devices and we've tested that with FirstSpot. For others, a workaround is to turn off the NAT of FirstSpot.
_________________
~ Patronsoft Limited ~

jeisenzimmer · Joined: 21 May 2006 Posts: 17 Location: Devils Lake, ND

Kevin, as you said before:

"If you're using Advanced Edition of FirstSpot, you can turn off the NAT at the public interface, FirstSpot will then act like a vanilla router. Please remember to add a return route at the next-hop router though."

I need a smigit of help setting this up. I've tried and it will not cooperate, with or without ProxyARP. Can I get a solution USING and NOT USING ProxyARP, if possible? On the public side, everything's fine, but on the private side it's not. Here's the scenario:

CLOUD
(G/W:209.243.31.1)
|
|
(WAN IP: 209.243.31.122)
Linksys Router
(LAN IP: 192.168.1.1)
|
|
(PUB IP: 192.168.1.5)
FirstSpot Server
(PRI IP: 10.0.0.1)
|
|
(IP: 10.0.0.50 (DHCP))
My Laptop

Any ideas? please reply!
Thanks much appreciated!
_________________
Jeremy Eisenzimmer
Professional Technologies

kevin · **Forum facilitator** Joined: 26 Sep 2003 Posts: 442

Hi Jeremy,

First, please verify that your VPN connection works ok if FirstSpot is taken out completely.

Then, according to your topology,

1) this can be done without ProxyARP.

2) you would disable NAT at FirstSpot's public interface (under the Dispatcher tab, inside Configuration Manager), restart FirstSpot

3) At your Linksys router, add a route like this:

destination network: 10.0.0.0
netmask 255.255.255.0 (I'm assuming you're using 24bit mask)
gateway ip: 192.168.1.5
metric: 2 (or anything that's appropriate)

Reboot your router.

4) after changing these, try if you can access the Internet through FirstSpot (i.e. being asked for authentication and then redirected).

5) If #4 works, try your VPN connection
_________________
~ Patronsoft Limited ~

sdwedemeyer · Joined: 18 Oct 2006 Posts: 21 Location: Atlanta, GA, USA

What happened to the original questions in this thread? Is the conclusion that we have to have the Advanced version in order to support IPSEC VPN?

I have FirstSpot 4.012 installed and a guest claims that his VPN client is not working through the system.

I do know that MS LLTP VPN does work, but did not test IPSEC.
_________________
Stephen D Wedemeyer

ramada · Joined: 16 May 2007 Posts: 11 Location: Portugal

Hi.

I have 4.0.13 trial version and I'm using Cisco VPN Client without any problem. I use IPSEC/TCP on port 10000.

cya
Ramada

sdwedemeyer · Joined: 18 Oct 2006 Posts: 21 Location: Atlanta, GA, USA

Did you make any specific configuration changes in firstspot for that to work?
_________________
Stephen D Wedemeyer

ramada · Joined: 16 May 2007 Posts: 11 Location: Portugal

no, no specific configurations.

alan · **Forum facilitator** Joined: 26 Sep 2003 Posts: 4435

ramada, what Windows version are you running FirstSpot on? Also, I assume the NAT within FirstSpot is on (default), right?
_________________
~ Patronsoft Limited ~

ramada · Joined: 16 May 2007 Posts: 11 Location: Portugal

I'm running FS in Win 2003 standard with NAT enabled.

My Cisco VPN client uses ipsec over tcp. It's a good way to get through firewalls.

BTW Alan, when will be out FS v5 so I can give it a try? My trial v4 is expiring and I would like to see the improvements on v5...