
DG8041W not forwarding IPSec vpn traffic

dw07dal
Participant
Message 24 of 24

Hi,

I have a DG8041W with fibre 65 connection. I have a VPN server on LAN. I can connect to the VPN ok from the LAN. When I try to connect to the server from the internet the connection fails negotiation. I have allowed IPSec ports udp-4500 and udp-500 through the router.

The port forwarding page specifies IPSec. But it looks like the router is either NATing IPSec, or it's fragmenting the packet, or it's blocking ESP.

This VPN server log shows udp packets with messages larger than udp packets.

The VPN connects fine on the LAN; the only difference is the connection is sourced from the WAN port now. The router is marketed as being IPSec forwarding capable, and has an option to allow IPSec.

I can connect to the VPN server across the internet if I use cisco-force-udp on the vpn client, but no traffic flows over the tunnel.

How do I speak to an engineer to resolve?

vpn server log

2022-05-09 03:36:08 Local7.Debug 10.10.10.10 2658: May 10 20:17:20.006: ISAKMP (0:0): received packet from 213.205.192.234 dport 500 sport 7344 Global (N) NEW SA
2022-05-09 03:36:09 Local7.Warning 10.10.10.10 2659: May 10 20:17:20.006: %CRYPTO-4-IKMP_NO_SA: IKE message from 213.205.192.234 has no SA and is not an initialization offer
2022-05-09 03:36:09 Local7.Warning 10.10.10.10 2660: May 10 20:17:20.018: %CRYPTO-4-IKMP_PKT_OVERFLOW: ISAKMP message from 213.205.192.234 larger (3424390) than the UDP packet length (80)
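Added diagnostic example (my own code, not from the thread and not TalkTalk, Huawei or Cisco code): it parses the ISAKMP header inside a UDP 500/4500 datagram and applies the declared-length check behind the %CRYPTO-4-IKMP_PKT_OVERFLOW message in the log above, so a capture taken on the VPN server's side of the router shows whether the IKE datagrams are arriving intact or have been mangled in transit. The sample datagrams are constructed; the 3424390/80 figures are the ones from the log.

```python
import struct

# ISAKMP/IKE fixed header (RFC 2408 / RFC 7296): initiator SPI, responder SPI,
# next payload, version, exchange type, flags, message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
# UDP 4500 (NAT-T, RFC 3948) carries both IKE and ESP; IKE is prefixed by a
# four-zero-byte "non-ESP marker", ESP-in-UDP is not.
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def inspect_ike_datagram(payload: bytes, dport: int) -> dict:
    """Parse the ISAKMP header from one UDP payload and compare the length the
    header declares with the bytes that actually arrived. A declared length
    larger than the datagram is the condition Cisco IOS reports as
    %CRYPTO-4-IKMP_PKT_OVERFLOW: the server got an IKE message whose header
    no longer matches its body, which points at a middlebox (NAT, fragment
    dropping) rewriting or truncating the exchange."""
    if dport == 4500:
        if payload[:4] != NON_ESP_MARKER:
            return {"kind": "esp-in-udp", "ok": True}  # encrypted data, not IKE
        payload = payload[4:]
    if len(payload) < ISAKMP_HDR.size:
        return {"kind": "ike", "ok": False, "reason": "truncated header"}
    _ispi, rspi, _nxt, ver, exch, _flags, _msgid, declared = ISAKMP_HDR.unpack_from(payload)
    info = {
        "kind": "ike",
        "major": ver >> 4,            # 1 = IKEv1, 2 = IKEv2
        "exchange": exch,             # IKEv1: 2 = main mode, 4 = aggressive mode
        "new_sa": rspi == bytes(8),   # zero responder SPI: first message of a new SA
        "declared_len": declared,
        "udp_len": len(payload),
        "ok": True,
    }
    if declared != len(payload):
        info["ok"] = False
        info["reason"] = f"header declares {declared} bytes, UDP carried {len(payload)}"
    return info


def build_sample(declared_len: int, body_len: int) -> bytes:
    """Constructed test datagram: IKEv1 main-mode first message (exchange 2)."""
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, bytes(8), 1, 0x10, 2, 0, 0, declared_len)
    return hdr + b"\x00" * body_len


# Constructed samples: both are 80 bytes on the wire, like the datagram in the log.
GOOD_PKT = build_sample(ISAKMP_HDR.size + 52, 52)   # header and wire length agree
BAD_PKT = build_sample(3424390, 52)                  # header claims 3424390 bytes

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_PKT), ("bad", BAD_PKT)):
        print(name, inspect_ike_datagram(pkt, 500))
```

Feed it the UDP payloads from a capture on the server (or on a mirror port behind the router) and compare against the same capture taken from the LAN side: if the LAN-sourced exchange passes and the WAN-sourced one fails the length check, the router is altering the IKE datagrams rather than simply forwarding them.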

Message 21 of 24

Hi dw07dal

Thanks for your reply.

@KeithFrench are you able to help with this please?

Debbie

dw07dal
Participant
Message 22 of 24

Hi Michelle,

I hope you are doing well.

Yes, it works fine if I connect from the LAN, but fails from the internet. The router is seeing the traffic and starts negotiating a connection but it fails due to udp packet message and header length mismatch.

The only difference here is where I am connecting from. The LAN connection to the vpn server from the vpn client has to flow through the Huawei LAN interface on wifi to get to the vpn server on the wired LAN port with a secondary ip on a separate network to the vpn client LAN.

So the traffic path is the same; the only difference is the ports on the Huawei which are traversed, that is, the connection is now sourced from the internet and comes in the Huawei WAN interface to get to the vpn server, instead of its LAN interface.

The WAN port does NAT for port forwarding to map the public to the private internal ip of the vpn server. But the Huawei has no granular configuration options, only port-forwarding with nat combined.

Does this Huawei have a CLI with more configuration options? I can not find any guides.


Michelle-TalkTalk
Support Team
Staff
Message 23 of 24

Hello,

I'm not aware of any specific issues with VPN and the Huawei Wifi hub. Has this worked previously? Have you tried factory resetting the router and then re-setting this back up again?

Thanks