IPsec Passthrough and VPN Passthrough: What Are They?

by Mihir Patel


As an IT administrator, you constantly come across Virtual Private Networks (VPNs). One of the major benefits of using a VPN is that it establishes a safeguard to protect the sensitive data—like medical records or financial transactions—of your organization. VPNs are commonly built on IPsec, a technology that helps to ensure the security of communications over a VPN. Let’s quickly define what VPNs and IPsec are.

A VPN in a business context allows users to access a private network and share sensitive data remotely via public networks such as the internet.

IPsec is a suite of protocols that is used to establish mutual authentication between computers at the beginning of a communications session and to negotiate cryptographic keys during the session.

VPNs are commonly used in small and large enterprises to enable employees to access their corporate network remotely. If your enterprise uses an older protocol such as IPsec or PPTP, a VPN Passthrough is required.

In this article, you will learn what a VPN Passthrough is and why we need one.

What is a VPN Passthrough?

A VPN Passthrough is a router feature that allows the device connected to your router to establish what’s known as an outbound VPN connection, which is a connection from your office or home out to the internet.

To understand VPN Passthrough, we need to understand routers first. Some routers natively support a VPN connection and, though they are rare nowadays, some routers don’t. In the latter case, a VPN Passthrough is required to allow you to access a remote network.

A VPN Passthrough is a way to connect two secured networks over the internet. VPN Passthrough helps a system behind a firewall of a router to access a remote network. It quite literally allows the VPN traffic to pass through the router, hence why it’s called VPN Passthrough.

These days, it’s uncommon to find modern routers without a passthrough feature already built in. You can enable or disable VPN Passthrough in the router’s management interface. Every router has a different interface so be sure to check out the manual. Most routers enable VPN Passthrough by default.

Before we dig deeper, let’s clarify the difference between a VPN Passthrough and a VPN router, because they’re not the same thing.

  1. VPN Passthrough is a feature on a router that allows VPN traffic to pass through using old VPN protocols.
  2. VPN router is a router that a VPN client is installed on.

Why Do We Need a VPN Passthrough?

To understand how passthrough works, we need to understand NAT, which stands for Network Address Translation.

For our purposes, NAT allows devices to share the same internet connection by translating the IP address space of an internal network to the IP address space of an external network (like the internet) that a router is connected to. NAT is commonly used on modern routers, but VPN protocols such as IPsec and PPTP do not work with NAT.

VPN protocols encrypt the connection, which prevents NAT from accessing and modifying certain information in IP packet headers to do its job. If you don’t have a passthrough, NAT will effectively block these connections. Routers with VPN Passthrough support two of the most common types of legacy VPN protocols: IPsec and PPTP.
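As an added illustration of the paragraph above (not code from the original article), the Python sketch below parses constructed IPv4 packets and reports which field a port-translating NAT could key on. The protocol numbers, port numbers and header layouts are the standard IANA and RFC values rather than anything stated in the article; `build_ipv4`, `nat_view` and the sample addresses are hypothetical names chosen for this example.

```python
import struct

# IANA IP protocol numbers (standard values, not taken from the article).
TCP, UDP, GRE, ESP, AH = 6, 17, 47, 50, 51

def build_ipv4(proto, payload, src="192.168.1.10", dst="203.0.113.5"):
    """Constructed sample packet: minimal IPv4 header (checksum left at 0)."""
    pack_addr = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, pack_addr(src), pack_addr(dst)) + payload

def nat_view(packet):
    """Return what a port-translating NAT could key on for this packet."""
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto, body = packet[9], packet[ihl:]
    if proto in (TCP, UDP):
        sport, dport = struct.unpack("!HH", body[:4])
        note = "ordinary port translation"
        if (proto, dport) == (UDP, 4500):
            note = "IPsec NAT-T: ESP wrapped in UDP, ordinary port translation"
        elif (proto, dport) == (TCP, 1723):
            note = "PPTP control channel; the tunnel data follows in GRE"
        return {"key": ("port", sport), "port_nat_ok": True, "note": note}
    if proto == ESP:
        (spi,) = struct.unpack("!I", body[:4])   # SPI is the only cleartext flow id
        return {"key": ("spi", spi), "port_nat_ok": False,
                "note": "no ports; payload encrypted"}
    if proto == GRE:
        # PPTP uses enhanced GRE (version 1), which carries a 16-bit Call ID.
        call_id = struct.unpack("!H", body[6:8])[0] if body[1] & 0x07 == 1 else None
        return {"key": ("call_id", call_id), "port_nat_ok": False,
                "note": "no ports; PPTP data channel"}
    if proto == AH:
        return {"key": None, "port_nat_ok": False,
                "note": "integrity check covers the IP addresses NAT rewrites"}
    return {"key": None, "port_nat_ok": False, "note": "not handled in this sketch"}

# Constructed samples: native ESP, NAT-T on UDP 4500, and a PPTP GRE data packet.
SAMPLES = {
    "esp": build_ipv4(ESP, struct.pack("!II", 0x1000ABCD, 1) + bytes(16)),
    "nat_t": build_ipv4(UDP, struct.pack("!HHHH", 51000, 4500, 8, 0)),
    "pptp_gre": build_ipv4(GRE, struct.pack("!HHHH", 0x3001, 0x880B, 0, 0x0042)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, nat_view(pkt))
```

Packets reported with `port_nat_ok` set to `False` are the ones a passthrough helper has to track by something other than a port number, which makes the same output a starting point for checking which legacy tunnel protocols a router is actually carrying.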

What is IPsec Passthrough?

If your business has sensitive data, security is a major concern. Internet Protocol Security (IPsec) is a suite of protocols used to encrypt data packets to establish secure connections. It is a security layer embedded in the network itself. Most routers connect to the internet using a NAT protocol which is incompatible with IPsec.

IPsec Passthrough allows IPsec tunnels to pass through the router. Layer 2 Tunneling Protocol (L2TP) is used to enable Point-to-Point sessions through the internet at the Layer 2 level. These networking procedures and protocols establish secure IP connections over gateways and make them compatible with NAT.

Many routers come with IPsec Passthrough and L2TP Passthrough, which are already enabled by default. For further details, read the manual that comes with your router on how to enable and disable these passthroughs.

Let’s cover some of the advantages and disadvantages of using IPsec Passthrough.

Advantages

  1. The main advantage of enabling IPsec Passthrough is that it will establish and safely maintain IP connections over routers that require NAT.

Disadvantages

  1. All data packets passing through the router require encryption and decryption, which puts a load on the CPU and leads to increased computational time.
  2. By enabling IPsec Passthrough, any vulnerabilities that exist at the IP layer in the remote network could be passed to the corporate network across the IPsec tunnel.
  3. Without IPsec Passthrough enabled, your traffic will be blocked if firewall restrictions are in place. This is not an issue if you have a modern router, but it can be an issue if you have an outdated router.

What is PPTP Passthrough?

Point-to-Point Tunneling Protocol (PPTP) interconnects different Virtual Private Networks (VPNs) and allows tunneling through an IP network like the internet.

Most routers facilitate device connections to the internet using NAT which, as mentioned above, is incompatible with PPTP. The PPTP Passthrough feature allows PPTP to pass through a NAT router. This, as a result, allows VPN clients connected to such a router to make outbound PPTP connections.

This extra layer of implementation along with IPsec can make your networking security more robust.

Let’s cover some of the advantages and disadvantages of using PPTP Passthrough.

Advantages

  1. Enabling PPTP Passthrough guarantees the fastest VPN speeds via your PPTP connection.
  2. This extra layer of PPTP Passthrough along with IPsec Passthrough can make your networking security more robust.

Disadvantage

  1. The biggest disadvantage to enabling PPTP Passthrough is that it might compromise your security if your PPTP connection goes through your router by accident. This is because PPTP barely provides any security.

Conclusion

A VPN Passthrough is a feature that allows your router to support legacy VPN protocols.

While a growing number of VPNs are implementing more modern VPN protocols like WireGuard, it can be costly for organizations to replace legacy VPN infrastructure. Using VPN Passthrough can help solve one of the shortcomings of IPsec and PPTP, and is an all but necessary part of allowing IPsec and PPTP to be used in networked organizations. Fortunately, most modern routers are embedded with passthrough functionality.

All that said, VPN technology is quickly becoming outdated, with more secure, Zero Trust-based technologies replacing VPNs. Twingate offers a zero trust solution in a SaaS product that is easy to deploy, administer, and use. With Twingate, you don’t need to configure or even know about VPN passthrough. Learn how this is possible with a demo request today!
