Hi all. Where I work, we have a few remote sites that have a BT SOGEA connection with a 4G failover element incorporating the BT Business Smart Hub 2. (BT Hub firmware version is unknown, although I expect somewhat recent as BT connections were only deployed a few months ago. )
I am however having great difficulty in getting a IPSec site-2-site VPN tunnel working through the BT Hub in question, with the LAN IP of our corporate VPN firewall in front of the BT hub specified as the DMZ device on the BT Hub. I have also disabled the firewall on the BT hub, also port forwarded UDP ports 1194, 500 and 4500 to the corporate VPN device in front of the BT hub.
(The BT Hubs with the SOGEA connections is only at the remote sites, the other end at the head office has a 1Gig symmetric leased line with a Cisco 4000 series router.)
I have tried using NAT-T on the corporate VPN firewalls at the ends with the BT Hubs, but made no difference; it’s like despite the firewall being turned off on the BT Hubs and the corporate VPN firewalls specified as the DMZ device on the BT Hubs, the BT hubs are not passing all traffic (including IP protocol 50 & 51) through to the DMZ’s device specified.
I know the DMZ’ing on the BT hub’s works to some extent as at the remote sites and when the corporate VPN firewalls are specified as the DMZ device on the BT Hubs , the corporate VPN firewalls can access the general internet and I can connect to the corporate VPN firewall using OpenVPN; just IPSec and the related IP protocols that IPSec uses does not seem to work as intended.
(Side note: OpenVPN on the corporate VPN firewalls is purely for remote client access, not site-2-site based VPN’s.)
The only way I can get the site-2-site IPSec vpn tunnel to work as intended is to put the BT hubs in bridge mode and do the PPPoE authentication on the corporate VPN firewalls, this of course means the 4G backup element of the BT hub won’t work.
Official support for the corporate VPN firewalls is unsure why the BT Hub’s are acting as they are and DMZ’ing IPSec traffic.
Anyone got any ideas why I am having the issues and if there is anything I can do on the BT Hubs?
TBH, I suppose very few use the BT Business Smart Hub 2 in this way and instead terminate the WAN IP directly on their own corporate Firewall using PPPoE like I am currently doing.
Regards: Elliott.
Solved! Go to Solution.
Hi eaveares,
I have asked that question to our experts also and they confirm that yes it does apply to NAT Traversal? (NAT-T)
Thanks
PaulC1
Perhaps you should talk to your company's IT department before trying to circumvent their policies? I apologise if you are authorised to do this.
I am the IT Security Engineer for my company, it's me myself who's got access and control over said devices. Just was not me who originally ordered the broadband service - that was by someone outside the IT department.
I have been working closely with the vendor of our cooperate VPN firewalls, and they could not get the IPSec VPN tunnel working with the BT hub in it's normal router mode.
I was hoping some on here may have some experience with the BT hubs in such a configuration or have had similar experiences.
I have had enough experience with BT Hubs to know that I wouldn't be relying on them unless they are in modem mode (and even then, not if I had another choice like an OR white modem, or Draytek modem). I haven't got direct experience of trying to do exactly what you are doing with the VPN and DMZ etc, but from previous experience trying to get them to do NAT/Routing stuff, and then them remaining doing that stuff as you asked them without suddenly changing config for no reason multiple times was impossible. The only solution found was to replace the Hub entirely with another brand.
I realise that removes your ability to use the 4G Halo modem, which is of course a massive part of what you are trying to achieve.
Hi eveares,
IPsec VPN servers are not possible behind a Smart Hub 2 due to it only supporting TCP and UDP pass-through. Even with DMZ being turned on.
I hope this clarifies this for you
PaulC1
Thanks, does that still apply and hold true with NAT Traversal? (NAT-T)
Hi eaveares,
I have asked that question to our experts also and they confirm that yes it does apply to NAT Traversal? (NAT-T)
Thanks
PaulC1