Requirements for connecting tunnels and passing Symantec VPN Client traffic through a home gateway router (cable/DSL)

Article:TECH79976  |  Created: 2002-01-24  |  Updated: 2009-01-23  |  Article URL
Article Type
Technical Solution


Your home computer sits behind a home gateway device (a cable or DSL router). You may be able to connect a tunnel, but are unable to send traffic through the tunnel to the remote private network.


If the VPN tunnel policy passes traffic through the firewall proxies, make sure that ping* is one of the services that your rules permit.

Tunnel does not connect through the device, but connects over a dial-up connection
If you cannot connect your tunnel through the home gateway device, but you can connect without the home gateway device, either with the computer directly connected to the Internet or over a dial-up connection, the following troubleshooting steps may resolve the problem.
  • Determine if filtering (that is, service redirection of ports/protocols) is taking place on the device. If so, disable it.
  • If the device has an incorporated firewall or packet filter, and the filter is on, then enable UDP port 500 bidirectionally.

Tunnel connects, but does not pass traffic through the device
If you can connect the tunnel, but are unable to pass traffic through the tunnel, ping the internal interface of the firewall. If the ping succeeds to the internal firewall interface, but not to any other server inside, there may be a subnet conflict or routing issue. For more information, read the Symantec Knowledge Base article, Cannot ping beyond firewall's internal interface after RaptorMobile connects. If you cannot ping the internal firewall interface, confirm the following:
  • Your intermediary device (cable/DSL router) is IPSec compliant.
  • Your device is updated with the latest firmware.
  • IPSec Passthrough is enabled on your device.
    Typically, you set this in the Setup or Advanced Setup portions of the management console for your device.
  • Your Internet service provider (ISP) is not blocking IP types 50 (ESP) and/or 51(AH).
    Some providers may charge an additional fee to allow VPN protocols to pass.
  • Your device is performing one-to-one NAT, not Port Address Translation (PAT). PAT is not supported with any VPN client at this time.

If these conditions are met and traffic still does not pass through the tunnel unless you bypass your home gateway device, contact the vendor of your device to determine the proper configuration to allow IPSec traffic through your device.

If the device or ISP does not pass IP types 50 (ESP) and/or 51(AH), and you connect Symantec Client VPN 8.0 to a Symantec Gateway Security 2.0 or Symantec Enterprise Firewall 8.0 gateway, enabling UDP Encapsulation on the client should allow VPN traffic to pass through the device.

Legacy ID


Article URL

Terms of use for this information are found in Legal Notices