VPN connectivity and IP protocol 50

I am leasing Comcast statics. Would this "true bridge" mode I've been reading about help? I have the Comcast device configured to do as little as possible (NAT and DHCP off, firewall disabled). My VPN endpoint is one of the Comcast static IPs.

I think it might depend on whether you are leasing a static IP or not.... if you are configuring your VPN router/endpoint with a 10.1.10.x address, then you will be depending on the Comcast gateway to pass ESP packets (protocol 50). I do not believe the firewall is sophisticated enough to allow you to do this.

I will say, that I run multiple IPsec VPN endpoints that are configured with Comcast-provided static IPs, and they all work fine. The Comcast gateways should pass all traffic through to static IP-configured devices.

No, "true bridge" isn't available if you have statics. It disables the static IP, and all other routing functions of the Comcast gateway, essentially turning it into a plain cable modem.

I am assuming that you have modified each endpoint's configuration to point to the Comcast static IPs? If so, do you have the ability to run a packet trace on the endpoints, to see where they get dropped?

Yes, I'll try the packet tracing and follow up.

After running Wireshark, we don't see any obvious port or protocol blocks. We are instead seeing NAT errors. We have the gateway set to not use NAT, but the remote site is telling us via Wireshark log that we still look NAT'd from the remote site's perspective.

This particular VPN we are trying to setup is a site to site between HQ and Microsoft Azure using RRAS. One of the requirements is we cannot be NAT'd behind the gateway.

Any suggestions?

Is anyone monitoring this thread? Comcast support has been abominable. In my experience, this isn't business class internet. This is dressed up consumer/residential internet.

I can't get any support, either online or via phone and the gateway is a piece of junk.