VPN passthrough is typically used on small office home office (SOHO) network gateway devices. This means that the gateway itself is not the termination point of the VPN, but rather a passive device allowing the VPN packets to pass through the firewall. Depending on the type of VPN, different protocols and ports are required to enable the VPN traffic. In the case of IPsec, the required ports are typically user datagram protocol (UDP) Port 500 for Internet key exchange (IKE) and Port 4500 for network address translation (NAT) traversal. On most systems, this feature can be enabled or disabled within the device’s configuration menu.
The benefit of disabling VPN passthrough is enhanced security by blocking open communication ports through the firewall that otherwise would be open and accessible. The drawback is that a user behind the gateway would not be able to establish a VPN connection, since the required VPN ports are blocked at the firewall. In particular, if an end user relies on a VPN connection for their home office, those ports should not be blocked.
Email your VPN-related questions to firstname.lastname@example.org
This was first published in April 2012