SonicWall firewall blocking ISAKMP of competing product's..

Archived from groups: comp.security.firewalls

Lots of our users can connect to our Astaro VPN gateway ("gateway")
from workstations that are located behind firewalls that perform PAT.
We are using SSH's Sentinel VPN client, using ISAKMP/IPsec.

There is one user who can successfully connect from her laptop when at
home where she has a consumer grade firewall. When she is at work,
however, where she is behind a SonicWall firewall, she cannot connect
to our gateway.

I looked at the traffic that arrives at the gateway when a VPN is
initiated, by running tcpdump on the Astaro VPN gateway, and found
that there is absolutely no traffic arriving at the gateway when she
tries to establish a VPN from behind the SonicWall firewall!

Is this a known problem ("feature") of the SonicWall?
Could it be that SonicWall filters out ISAKMP packets?

Thanks,
--Ulf
 

"arabub" <arabub@yahoo.com> wrote in message
news:a714a1f2.0406092010.72f8af67@posting.google.com...
> Lots of our users can connect to our Astaro VPN gateway ("gateway")
> from workstations that are located behind firewalls that perform PAT.
> We are using SSH's Sentinel VPN client, using ISAKMP/IPsec.
>
> There is one user who can successfully connect from her laptop when at
> home where she has a consumer grade firewall. When she is at work,
> however, where she is behind a SonicWall firewall, she cannot connect
> to our gateway.
>
> I looked at the traffic that arrives at the gateway when a VPN is
> initiated, by running tcpdump on the Astaro VPN gateway, and found
> that there is absolutely no traffic arriving at the gateway when she
> tries to establish a VPN from behind the SonicWall firewall!
>
> Is this a known problem ("feature") of the SonicWall?
> Could it be that SonicWall filters out ISAKMP packets?
>
> Thanks,
> --Ulf

I believe the SonicWALL firewall is configured (by default) to block UDP
port 500. Adding it to the policy should be rather easy, as it's
predefined as 'Key Exchange (IKE)'.

--
Best regards, from Don Kelloway of Commodon Communications
Visit http://www.commodon.com to learn about the "Threats to Your
Security on the Internet".
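The two posts together describe a useful triage step: run tcpdump on the gateway and see what actually arrives from the user's public address. ISAKMP/IKE runs over UDP 500, and a client behind PAT also needs NAT-T over UDP 4500 (ESP carries no ports, so a PAT device cannot translate it); if nothing at all shows up on UDP 500, the packets are being dropped before they ever leave the client's network, which is exactly the default-blocked IKE policy Don describes. The script below is an added example, not code from the thread, from Astaro, SSH or SonicWall; it reads tcpdump -n output taken on the gateway's outside interface and, per client IP, reports whether IKE reached the gateway, whether NAT-T or ESP followed, or whether nothing arrived. The gateway address, the client addresses, the capture lines and the tcpdump command in the comments are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample capture for this example (not from the original thread).
# Imagine it was taken on the gateway's outside interface with:
#   tcpdump -ni eth0 'udp port 500 or udp port 4500 or ip proto 50'
# Hypothetical addresses:
#   192.0.2.1      the VPN gateway
#   203.0.113.10   a user behind a PAT home router (IKE on 500, then NAT-T on 4500)
#   203.0.113.99   a user on a public IP with no NAT (IKE on 500, then raw ESP)
#   198.51.100.20  a user whose firewall passes UDP 500 but drops UDP 4500
#   198.51.100.77  the user behind the SonicWall: nothing ever arrives
GATEWAY = "192.0.2.1"
SAMPLE_CAPTURE = """\
10:00:01.000001 IP 203.0.113.10.500 > 192.0.2.1.500: isakmp: phase 1 I ident
10:00:01.010002 IP 192.0.2.1.500 > 203.0.113.10.500: isakmp: phase 1 R ident
10:00:01.200003 IP 203.0.113.10.4500 > 192.0.2.1.4500: NONESP-encap: isakmp: phase 1 I ident
10:00:01.210004 IP 192.0.2.1.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: phase 1 R ident
10:00:02.000005 IP 203.0.113.10.4500 > 192.0.2.1.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x1), length 132
10:00:05.000006 IP 203.0.113.99.500 > 192.0.2.1.500: isakmp: phase 1 I ident
10:00:05.010007 IP 192.0.2.1.500 > 203.0.113.99.500: isakmp: phase 1 R ident
10:00:06.000008 IP 203.0.113.99 > 192.0.2.1: ESP(spi=0x1f2e3d4c,seq=0x1), length 116
10:00:09.000009 IP 198.51.100.20.500 > 192.0.2.1.500: isakmp: phase 1 I ident
10:00:09.010010 IP 192.0.2.1.500 > 198.51.100.20.500: isakmp: phase 1 R ident
10:00:12.000011 IP 198.51.100.20.500 > 192.0.2.1.500: isakmp: phase 1 I ident
"""

# tcpdump -n line shapes handled here (IPv4 only; -n so no name resolution):
#   <ts> IP <src>.<sport> > <dst>.<dport>: <payload>        (UDP 500 / 4500)
#   <ts> IP <src> > <dst>: ESP(spi=...,seq=...), length N    (raw ESP, no NAT)
UDP_RE = re.compile(r"^\S+ IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (.*)$")
ESP_RE = re.compile(r"^\S+ IP (\d+(?:\.\d+){3}) > (\d+(?:\.\d+){3}): ESP\(")


def inbound_evidence(capture, gateway):
    """Map each client IP to the set of IPsec evidence that actually reached the gateway."""
    seen = defaultdict(set)
    for line in capture.splitlines():
        m = UDP_RE.match(line)
        if m:
            src, _sport, dst, dport, payload = m.groups()
            if dst != gateway:
                continue  # the gateway's own replies prove nothing about the inbound path
            if dport == "500" and "isakmp" in payload:
                seen[src].add("ike-udp500")
            elif dport == "4500":
                seen[src].add("esp-udp4500" if "ESP(" in payload else "ike-udp4500")
            continue
        m = ESP_RE.match(line)
        if m and m.group(2) == gateway:
            seen[m.group(1)].add("esp-raw")
    return dict(seen)


VERDICTS = {
    "blocked-before-gateway": "no IKE at all: UDP 500 never reached the gateway, "
                              "so the firewall in front of the client is dropping it",
    "ike-only": "IKE on UDP 500 arrived but no NAT-T (UDP 4500) or ESP followed: "
                "check phase 1 on the gateway and whether 4500/ESP is filtered",
    "reaching-gateway": "IKE and ESP (or NAT-T) arrive: the path is open, look elsewhere",
}


def triage(capture, gateway, clients):
    """Classify each client's inbound path from what tcpdump saw on the gateway."""
    ev = inbound_evidence(capture, gateway)
    result = {}
    for client in clients:
        s = ev.get(client, set())
        if not s:
            result[client] = "blocked-before-gateway"
        elif s & {"ike-udp4500", "esp-udp4500", "esp-raw"}:
            result[client] = "reaching-gateway"
        else:
            result[client] = "ike-only"
    return result


if __name__ == "__main__":
    clients = ["203.0.113.10", "203.0.113.99", "198.51.100.20", "198.51.100.77"]
    for ip, code in triage(SAMPLE_CAPTURE, GATEWAY, clients).items():
        print(f"{ip:15} {code:24} {VERDICTS[code]}")
```

Only packets whose destination is the gateway count as evidence; the gateway's own replies are skipped because they say nothing about whether the client's firewall lets IKE out. A client that shows up in the "blocked-before-gateway" bucket is the case in the thread: the fix is on the client side (allow IKE, and UDP 4500 for NAT-T, outbound), not on the gateway.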