


Cannot port forward to internal VPN server

vpn gre port forward firewall os x l2tp pptp

2 replies to this topic

#1 Marion Bates

Marion Bates
  • Members
  • 2 posts

Posted 30 March 2014 - 02:21 PM

I have a VPN server on my LAN. With my previous router (Untangle), I had a port forward rule for the following:

 

tcp AND udp 500,1701,4500,1723

and GRE

and ESP

 

Worked fine. But on the Barracuda X300, no matter what I try, I cannot connect to the VPN server, even if I forward any/all ports and protocols. The traffic never makes it to the server (using tcpdump to watch). On the client end, I get:

 

listening on en0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:45:32.661442 IP [clientip].500 > [serverip].500: isakmp: phase 1 I ident
14:45:32.705251 IP [serverip].500 > [clientip].500: isakmp: phase 1 R inf
14:45:35.705894 IP [clientip].500 > [serverip].500: isakmp: phase 1 I ident
14:45:35.744256 IP [serverip].500 > [clientip].500: isakmp: phase 1 R inf
14:45:38.744863 IP [clientip].500 > [serverip].500: isakmp: phase 1 I ident
14:45:38.784516 IP [serverip].500 > [clientip].500: isakmp: phase 1 R inf
 
then it times out ("server not responding"). Again, the server itself never sees the traffic, nor does the Barracuda show anything from my real source IP in the firewall log. Other, non-VPN stuff on the same server (e.g. ssh, https) works fine.
 
I've tried every combination I can think of re: Connection settings on the rule itself (default SNAT, No SNAT, a connection object with an explicit NAT type + an outbound rule to force replies to come from the same IP, etc.). Nada.
 
I am aware that the Barracuda product offers VPN services of its own, but I really need to get the old one working again until I can update my scattered clients.
 
Thanks in advance for any advice or ideas. It doesn't look like I can attach screenshots to posts here, but I can upload and link to them if need be.
 
-- MB


#2 Mario Pirker

Mario Pirker
  • Barracuda Team Members
  • 112 posts

Posted 31 March 2014 - 01:55 AM

Hi Marion,

 

Please turn off the option:

VPN > Site2Site VPN > Use Dynamic IPs from YES to NO.

The description from the help page:

Use Dynamic IPs — Set to Yes (default) if the service is connected to the Internet via a dynamic link with a dynamically assigned IP address. If Yes, the VPN service will listen on all available IP addresses, including the management IP address, for VPN connections. If this is not the desired behavior, then set this to No and reboot the Barracuda Firewall. When the system restarts, the VPN service will listen only on the interfaces with the VPN Server enabled (this setting is configured on the BASIC > IP Configuration page).

 

This option forces the Barracuda Firewall to listen on ports 500 and 4500 on all IP addresses.

After disabling this option followed by a reboot, the firewall no longer has a listening socket on all IPs and therefore forwards the request to your internal VPN server.

 

Best regards,

Mario



#3 Marion Bates

Marion Bates
  • Members
  • 2 posts

Posted 31 March 2014 - 09:13 AM

Holy buckets! THANK YOU Marco, you just tipped me over the edge to where I'm now going to keep this thing.  :) 

 

Regards,

 

-- MB