I have been receiving this error for a few days now fueling my laziness to connect at the office. But unfortunately last week I was asked to assist in implementing a major change so I need to connect from home prompting me to fix this issue or else I need wake up early and haul my *ss to the office on a weekend.
The setup is I connect to the office VPN via the Nortel Contivity client utilizing SecureID token. I keep getting the error “Login failure due to remote host not responding” when I tried to connect. I didn’t have this problem before and can connect from my “virtualized” laptop (I did a Physical-to-Virtual (p2v) migration of my office laptop so that I don’t have to bring the laptop home often).
Going through the Nortel Contivity Client document, I found this:
This is typically caused by UDP500 traffic not getting back to the requesting client through a firewall and/or router. If your firewall/router supports IPSec passthrough you must enable IP50, IP51, UDP500 on both the source and destination (i.e. bidirectional) in order for the client to establish the connection. Some firewalls/routers have a generic setting "Enable IPSec" or "Enable IPSec Passthrough" and simply turning this on will usually solve the problem.
The keyword here is IPSec Passthrough. In order for IPsec to work through a NAT, the following protocols need to be allowed on the firewall:
- Internet Key Exchange (IKE) – User Datagram Protocol (UDP) port 500
- Encapsulating Security Payload (ESP) – IP protocol number 50
- Authentication Header (AH) – IP protocol number 51
I immediately login to my router administration panel and there it is, the IPSec Passthrough was disabled. This might have been disabled after a recent upgrade of the router’s firmware. After enabling this feature, the VPN client connected immediately.
DD-WRT –> Security -> VPN Passthrough
By the way, I have a Linksys WRT320N using a third-party firmware called DD-WRT.