Equipment (Modems,Gateways)
Back to Top

VPN IPSec tunnel between CG3000DCR and Fortigate firewall

SOLVED
Highlighted
PFALimited
New Member

VPN IPSec tunnel between CG3000DCR and Fortigate firewall

We're trying to setup an IPSec tunnel between our new Comcast/Netgear CG3000DCR modem/router and a Fortigate firewall at a remote office. We have filled in all of the information on the CG3000DCR VPN page and keep getting a status of "Broken" on the Tunnle List screen. Any tips or tricks for this? Does Comcast need to enable something inside the CG3000 to enable being able to do this?

 

thanks!

Accepted Solution

Re: VPN IPSec tunnel between CG3000DCR and Fortigate firewall

Hello PFALimited and welcome,

 

The NetGear3000 (NG3K) does not support and IPSec configuration specific setting even though it is presented within the GUI user interface. What you must do is insure that your IPSec tunneling VPN Prescribed Ports are bidirectionaly open whether you are using the NG3K DHCP or Static IP device address. 

 

You can use the standard NG3K login of connecting any computer to any free LanPots 1-4, then bring up a browser, type 10.1.10.1, username=cusadmin,password=highspeed.

 

Hope this helps you out. 

View solution in context
Trusted Forum Contributor

Re: VPN IPSec tunnel between CG3000DCR and Fortigate firewall

Hello PFALimited and welcome,

 

The NetGear3000 (NG3K) does not support and IPSec configuration specific setting even though it is presented within the GUI user interface. What you must do is insure that your IPSec tunneling VPN Prescribed Ports are bidirectionaly open whether you are using the NG3K DHCP or Static IP device address. 

 

You can use the standard NG3K login of connecting any computer to any free LanPots 1-4, then bring up a browser, type 10.1.10.1, username=cusadmin,password=highspeed.

 

Hope this helps you out. 

PFALimited
New Member

Re: VPN IPSec tunnel between CG3000DCR and Fortigate firewall

Wow! If I understand your reply correctly, the NG3K's VPN screen for setting up an IPSec tunnel does nothing?!?! That's very strange!!! Is that a limitation of the device/firmware, or is that a Comcast imposed limitation?

 

As to your suggestion, it sounds like you are suggesting that we setup another device capable of establishing an IPSec tunnel behind the NG3K (a firewall, etc.) and then setup the NG3K to pass the IPSec ports via port forwarding? If so, does the port forwarding inside the NG3K work properly for those ports (500, 4500) given that the NG3K has this pseudo non-working "VPN" capability? Also, what's the deal with IP Protocol Type=ESP (value 50)   <- Used by IPSec data path? That's not port 50 I'm guessing... How do you open that path in the NG3K?

 

thanks a million for your help!

Trusted Forum Contributor

Re: VPN IPSec tunnel between CG3000DCR and Fortigate firewall

Hi PFALimited,

 

Please see my responses to your comments/questions below.  Thanx much.

 

Wow! If I understand your reply correctly, the NG3K's VPN screen for setting up an IPSec tunnel does nothing?!?! That's very strange!!! Is that a limitation of the device/firmware, or is that a Comcast imposed limitation?

Yes, this VPN environment within all Comcast Gateways (CGs) is not supported. However, there is no reason why you cannot facilitate this environment by insuring the  CG ports (NG3K in your case) for the tunneling device are all bidirectionally open. We have many customers who have facilitated this implementation and all works fine. 

 

As to your suggestion, it sounds like you are suggesting that we setup another device capable of establishing an IPSec tunnel behind the NG3K (a firewall, etc.) and then setup the NG3K to pass the IPSec ports via port forwarding? If so, does the port forwarding inside the NG3K work properly for those ports (500, 4500) given that the NG3K has this pseudo non-working "VPN" capability? Also, what's the deal with IP Protocol Type=ESP (value 50)   <- Used by IPSec data path? That's not port 50 I'm guessing... How do you open that path in the NG3K?

To log into your  NG3K connect a computer to any free LanPort 1-4, then bring up a browser, enter 10.1.10.1, username=cusadmin, password=highspeed and use the following for your tunneling device using DHCP or StaticIP:

 

DHCP: click on firewall, Port Configuration, then click on add button, add port forwarding which look something like this - VPN1 1723 1723 both DHCP address 10.1.10.XXX (recommend you use a high end range address XXX=150-170 of your VPN tunneling computer device. 

 

StaticIP: click on firewall, click on the disable True Static IP firewall check mark to enable, then click apply. Next click Port Configuration, then True Static IP Management Port link, make sure the "Block All Ports With The Exception of the Following" mode is selected. This will maximize your StaticIP device security by ONLY having your VPN and tunneling ports open per my original post link on whatever you are using.  This will look like VPN1 1723 1723 both Static IP address of your VPN tunneling computer device.

 

Hope this helps you out.

PFALimited
New Member

Re: VPN IPSec tunnel between CG3000DCR and Fortigate firewall

Hi Rich,

 

Many thanks for the response. We have Static IP's and have now put in place the vpn port settings you recommended for the gateway. We also now have a fortigate firewall sitting just behind the NG3K to handle real firewall duties and establish the vpn to our remote site.

 

However, the VPN does not function. There must be something else inside the NG3k blocking the traffic that we can't see through the cusadmin interface? I've been reading on this issue and people recommend putting the NG3K in "True Bridge Mode". Will that work with our static IP setup? How do we go about doing this?

 

thanks!

Labels
Discussion stats
  • 4 replies
  • 2844 views
  • 0 kudos
  • 2 in conversation