Router To Router Vpn Using Usb Modem

garcol
Not applicable
I need to set up a VPN from a Draytek 2820 router using only a Vodafone L3565 USB (on monthly contract) to another Draytek 2820 Router using ADSL.
My problem is the way NAT is implemented over the Vodafone network prevents me from connecting the two - using a dynamic dns does not help.
Does anybody know of a way this can be achieved at router level?
What I am trying to achieve is the connection of remote cameras at temporary sites to a central point. This would not be a problem using ADSL but the nature of the sites means that an ADSL connection is not feasible.
I am using the internet APN to connect to the Internet.

Thanks for any suggestions,
11 REPLIES

Retired-Reidar
Moderator (Retired)
Hello Garcol

That's an interesting setup you're looking to achieve; however, as you've correctly pointed out, NAT prevents this from working. At the moment there isn't any recommendation I can give to bypass this; however, I welcome any contributions from other users. :)

Thanks

Reidar :ph34r:

eForum Team

dudmangroupltd
Not applicable
Hi,

That's the same scenario I am trying to create, to configure an IPSEC vpn over a Vodafone USB stick back to an ADSL connection. I was able to get the vpn to connect, but no traffic flows and I can't ping either end of the vpn.

I thought it was my Billion 7402NX router which I noticed doesn't support NAT-T so I am swapping it for a Draytek Vigor 2820n as it does support NAT-T, but now I've seen your post, I'm not sure it will work.

I also have a Three mobile data connection which I will try to connect to see if it is the network.

Please post again with any information or updates though as there don't seem to be many forum posts dealing with router-to-router vpn's over 3G.

heady
4: Newbie
> I need to set up a VPN from a Draytek 2820 router using only a Vodafone L3565 USB (on monthly contract) to another Draytek 2820 Router using ADSL.
> My problem is the way NAT is implemented over the Vodafone network prevents me from connecting the two - using a dynamic dns does not help.
> Does anybody know of a way this can be achieved at router level?
> What I am trying to achieve is the connection of remote cameras at temporary sites to a central point.
> ...

If you don't have NAT on the ADSL side - I don't see the problem... however, the devil is in the details.

I have no knowledge of the router you reference - so have no idea of its capabilities.

I run a similar setup to what you are trying to do - but with a couple of differences.

I have a central "hub" node on the Internet running Linux and directly reachable/accessible (not behind NAT). This hub has a static IP address and never moves allowing any device to reach it.

I then have various remote nodes - one of which is a machine which connects via the Vodafone network. I have other nodes that connect to the central hub via whatever means available. This hub and spoke arrangement allows me to connect to any of the remote nodes or any of the remote nodes to contact each other by tunnelling through the VPNs via the hub no matter how the remote nodes connection topology looks (behind NAT or not). For me the implementation is solid and works well.

What I have found is that some ISPs / Mobile Internet operators (one of Vodafone's competitors) actively block IPSEC key exchange packets. But using an SSL/TLS VPN worked. So the VPNs from the remote nodes to the hub use either an IPSEC VPN (usually available on decent routers from various manufacturers) or an SSL/TLS VPN (not so common on routers from experience).

Some consumer routers support DynDNS which allow the router to update a globally accessible DNS server every time its dynamic IP changes. This DynDNS name can then be used by your remote nodes to contact the hub node even though it's on a changing dynamic IP address.

Technically what you want to do is possible and is proven to work. Just depends on the features/capabilities of the equipment you are using.

dudmangroupltd
Not applicable
The ADSL part of the router-to-router VPN link isn't the problem, it is the Vodafone network (and the NAT devices on it) which must be preventing the traffic flowing over the VPN. There is no publicly accessible IP address given to the device which is connecting to the Vodafone APN which means that the traffic can't get back to the spoke from the hub. I found a topic regarding public IP's on 3G data card providers below. Luckily I have a Three data connection which I am going to test in the coming weeks. I'll hopefully find out if my connection receives a public IP address this week, if so, I can't see any reason why the VPN won't work.

http://forum.vodafone.co.uk/index.php?showtopic=1800

I thought that a NAT-T device like the Vigor 2820 would get around the problem of the non-public IP which Vodafone give to the 3G connection, but from the original post it appears this is not so. I am waiting for my Vigor 2820 to arrive to test.

Lastly, SSL vpn is not possible for a router-to-router vpn. It's ok if you have a PC with a VPN client installed, but I haven't come across any routers which can use SSL VPN's to each other.

heady
4: Newbie
> The ADSL part of the router-to-router VPN link isn't the problem

As I said above - as long as you don't have a NAT also in-front of your ADSL link - the topology you are trying to achieve is no different to what I have running. It works.

> it is the Vodafone network (and the NAT devices on it) which must be preventing the traffic flowing over the VPN. There is no publicly accessible IP address given to the device which is connecting to the Vodafone APN which means that the traffic can't get back to the spoke from the hub.

NAT will only allow "associated" traffic to flow across the device. If you consider the wireless modem to be the "inside" and your ADSL modem the "outside". Then the VPN has to be established from the inside to the outside. Once established traffic can be either direction inside the VPN.

If you try to establish from the outside to the inside - it will not work.

> I found a topic regarding public IP's on 3G data card providers below. Luckily I have a Three data connection which I am going to test in the coming weeks. I'll hopefully find out if my connection receives a public IP address this week, if so, I can't see any reason why the VPN won't work.
>
> http://forum.vodafone.co.uk/index.php?showtopic=1800

There is no reason why the VPN won't work now using the current topology. I've been using my VPN for almost a year now with no problems. The issue is what the equipment you are using supports.

In fact you can get a static IP address for your connection - you just need your own APN which comes with some types of Vodafone's corporate accounts. You just need to be prepared to pay for the privilege.

> I thought that a NAT-T device like the Vigor 2820 would get around the problem of the non-public IP which Vodafone give to the 3G connection, but from the original post it appears this is not so. I am waiting for my Vigor 2820 to arrive to test.

I've had both IPSEC with NAT-T and SSL/TLS VPNs working over the Vodafone 3G link with no problems other than the standard extra long TTLs and high packet loss at times.

> Lastly, SSL vpn is not possible for a router-to-router vpn. It's ok if you have a PC with a VPN client installed, but I haven't come across any routers which can use SSL VPN's to each other.

Not so common so you cannot go to PCWorld and pick them up for £10. But there are plenty of decent routers that support SSL/TLS VPNs - a quick google search provided about a dozen links.
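
The topology heady describes in the two posts above (a spoke behind the carrier NAT dials out to a publicly reachable hub, after which traffic flows both ways inside the tunnel), sketched as an OpenVPN configuration. This is an added example, not heady's actual setup; the hostname hub.example.net, the certificate file names, the client name site1 and both subnets are assumed placeholders.

```conf
# ---- hub.conf: public static address, not behind NAT (assumed name: hub.example.net) ----
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0      # tunnel address pool (assumed range)
ca ca.crt
cert hub.crt
key hub.key
dh dh.pem
client-config-dir ccd              # per-spoke settings, matched on the certificate CN
route 192.168.50.0 255.255.255.0   # camera LAN behind site1 (assumed subnet)
keepalive 10 60                    # pushed to spokes; regular pings keep the NAT mapping alive
persist-key
persist-tun
# client-to-client                 # enable only if spokes really need to reach each other

# ---- ccd/site1 on the hub ----
iroute 192.168.50.0 255.255.255.0  # tells the hub which spoke owns the camera LAN

# ---- site1.conf: spoke on the 3G link, private address behind the carrier NAT ----
client
dev tun
proto udp
remote hub.example.net 1194        # the spoke always initiates, inside to outside
resolv-retry infinite
nobind                             # no fixed source port; the NAT rewrites it anyway
ca ca.crt
cert site1.crt
key site1.key
remote-cert-tls server             # refuse a peer that does not present a server certificate
persist-key
persist-tun
```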

dudmangroupltd
Not applicable
So what is your exact setup that allows this to work on the Vodafone network, if you don't mind me asking?

heady
4: Newbie
> So what is your exact setup that allows this to work on the Vodafone network, if you don't mind me asking?

I'll try to explain the topology when I have time. I gave up on routers a while ago because they were not flexible enough for me. Use Linux & FreeSWAN and OpenVPN these days.

Also keep this in mind at the moment... current Vodafone network issues!

http://forum.vodafone.co.uk/index.php?s=&a...st&p=264526

dudmangroupltd
Not applicable
Right ok, so you are not using the router-to-router vpn setup like the topic of this thread addresses. The original post describes a scenario where the remote site only has a CCTV camera attached to a router so no PC/Linux involved.

With regards to your link to the other post, doesn't using IPSEC in aggressive mode get around the changing IP address issue?

For the record, I checked my Three connection yesterday and using the APN '3internet' I get a publicly accessing IP address, so this will work for connecting a VPN. Shame Vodafone don't offer a similar service, ie one APN for private address and one for public address but until I get a NAT-T router to test with, it is possible to establish a VPN router-to-router but traffic won't flow.

heady
4: Newbie
> Right ok, so you are not using the router-to-router vpn setup like the topic of this thread addresses.

If it looks like a router, walks like a router, quacks like a router - to me it's a router; independent of what OS it runs. These days I just choose Linux/OpenBSD as my preferred routing OS.

Maybe I should have rephrased my sentence from:
"I gave up on routers a while ago because they were not flexible enough for me."
to
"I've given up on commercial consumer router solutions as they are usually too inflexible for my needs. I've also given up on corporate router solutions for situations that don't need throughput; or specific vendor only features because of the IOS upgrade/License/Support treadmill. Instead I now roll-my-own using low power generic devices that allow me to use Linux/OpenBSD providing much more flexibility. I now find supporting strange network topologies and alternative connectivity options including 3G modems and mobile networks not a problem."

As an example of the type of devices I use:
As I've been in trouble before for posting links here. Do a quick search for: .

I admit that rolling-one's-own is not for everyone - but for me and others I've done it for - "it just works".

> The original post describes a scenario where the remote site only has a CCTV camera attached to a router so no PC/Linux involved.

There is no PC involved (in the traditional sense). It looks like a router - and for most people - it is a router.

But my original answer was regarding the original poster's issue regarding getting a VPN between two routing devices across the Vodafone Mobile Broadband and the associated 5 levels of NAT. I have had a working solution for the last 11 months (or at least did have). My problems with the Vodafone network are very high latencies/packet loss - not the NATs or Public/Private IP addresses.

> With regards to your link to the other post, doesn't using IPSEC in aggressive mode get around the changing IP address issue?

Yes - It is something I need to look at. But I'll have to make a site visit so for the moment it can wait.

> For the record, I checked my Three connection yesterday and using the APN '3internet' I get a publicly accessing IP address, so this will work for connecting a VPN. Shame Vodafone don't offer a similar service, ie one APN for private address and one for public address but until I get a NAT-T router to test with, it is possible to establish a VPN router-to-router but traffic won't flow.

Vodafone have stated here on this forum previously that they have requested a large public IP address block but have had the request refused by RIPE.
http://forum.vodafone.co.uk/index.php?s=&a...st&p=238581
If we take that at face value - they have tried.