Cannot use Nortel VPN with ADSL router?

Archived from groups: comp.security.firewalls,comp.dcom.vpn

Hi,

I have a static IP/ADSL line and use a Zyxel Prestige 643 router as the
modem/router+firewall. The router has NAT enabled and serves as the DHCP
server for my local LAN.
I am able to do almost everything except VPN out to my work place (we
use Nortel's Contivity VPN client).
I opened up port 500 (UDP) to allow ISAKMP traffic - this got me past
the first stage. A network trace revealed 3 packets being exchanged for
ISAKMP aggressive on srcport==dstport==500. The subsequent packet from
my machine seems to choose a random UDP port. I have seen port# between
1450-1700 being used. I think this is an IP packet encapsulated in UDP.
However, I never get a response back since that port is typically
blocked on my firewall. I continue to see ISAKMP informational packets
on port 500 but at about this point the VPN software gives up.

Has anyone encountered a similar problem?
Any suggestions on what I can do to get the traffic to pass through
without opening up my firewall?

Thanks,
~sri

srikantkt (at) REMOVE_SPAM gmail (dot) com
  1. Archived from groups: comp.security.firewalls,comp.dcom.vpn

    .. wrote:
    > Hi,
    >
    > I have a static IP/ADSL line and use a Zyxel Prestige 643 router as the
    > modem/router+firewall. The router has NAT enabled and serves as the DHCP
    > server for my local LAN.

    Can't use Nortel VPN thru NAT. Period. End of story.
  2. Archived from groups: comp.security.firewalls,comp.dcom.vpn

    T. Sean Weintz wrote:
    > . wrote:
    >
    >> Hi,
    >>
    >> I have a static IP/ADSL line and use a Zyxel Prestige 643 router as
    >> the modem/router+firewall. The router has NAT enabled and serves as
    >> the DHCP server for my local LAN.
    >
    >
    > Can't use Nortel VPN thru NAT. Period. End of story.

    Not true. Linksys (and many others) do it very well. They use
    IPC-NAT. It takes the session ID found in the header of the packet and
    maps it to the internal address. This is how it can receive IKE data
    for several workstations on a single UDP port.

    The initial IKE negotiation packet comes from the client with a source
    and destination of UDP port 500. If the Nortel sees that the source
    port has not been changed or NAT'ed it normally will not try to
    encapsulate in UDP. If the source port is some other port, the Nortel
    assumes the device is not "IPSec aware" and will start the UDP
    encapsulation process. You are correct in thinking this is where you
    are breaking.

    The Fix:
    Set up a one to one NAT. This will allow normal communications without
    modifying ports.

    Steve H.
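As an added illustration of the NAT detection Steve describes (this is not code from the thread, from Nortel or from any router vendor): a small Python diagnostic that classifies a UDP flow log like the one the poster captured, telling apart "IKE itself blocked", "client never encapsulated" and "encapsulated traffic on the high port is unanswered". The sample flows and the addresses in them are constructed, not taken from the thread.

```python
IKE_PORT = 500

# Constructed flow log modelled on the poster's trace: three ISAKMP packets on
# UDP 500/500, then the client switching to a high UDP port (the encapsulated
# tunnel traffic) that never gets a reply. Tuples are
# (src_ip, src_port, dst_ip, dst_port); addresses are assumed, not from the thread.
SAMPLE_FLOWS = [
    ("192.168.1.10", 500, "203.0.113.5", 500),
    ("203.0.113.5", 500, "192.168.1.10", 500),
    ("192.168.1.10", 500, "203.0.113.5", 500),
    ("192.168.1.10", 1523, "203.0.113.5", 1523),   # encapsulated, unanswered
    ("192.168.1.10", 500, "203.0.113.5", 500),     # ISAKMP informational
]


def diagnose(flows, client_ip, gateway_ip):
    """Return (verdict, details) for the UDP flows between client and gateway."""
    ike_out = ike_in = 0
    encap_out, encap_in = set(), set()
    for src, sport, dst, dport in flows:
        if (src, dst) == (client_ip, gateway_ip):
            if sport == dport == IKE_PORT:
                ike_out += 1
            else:
                encap_out.add(sport)   # client-side port of an encapsulated packet
        elif (src, dst) == (gateway_ip, client_ip):
            if sport == dport == IKE_PORT:
                ike_in += 1
            else:
                encap_in.add(dport)    # client-side port the gateway replied to
    details = {"ike_out": ike_out, "ike_in": ike_in,
               "encap_out": sorted(encap_out), "encap_in": sorted(encap_in)}
    if ike_out == 0:
        return "no_ike", details
    if ike_in == 0:
        return "ike_unanswered", details        # UDP/500 itself is not getting through
    if not encap_out:
        return "no_encapsulation", details      # client saw untouched ports (one-to-one NAT / pass-through)
    if encap_out & encap_in:
        return "tunnel_up", details
    return "encapsulation_unanswered", details  # NAT detected; replies to the high port are dropped


if __name__ == "__main__":
    print(diagnose(SAMPLE_FLOWS, "192.168.1.10", "203.0.113.5"))
```

Feeding it real flows (for example exported from a router log or a capture) is a quick way to confirm whether the firewall rule, rather than IKE, is what breaks the session.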
  3. Archived from groups: comp.security.firewalls,comp.dcom.vpn

    "." <dontspamme@junkmail.com> wrote in message
    news:419867AB.5090307@junkmail.com...
    | Hi,
    |
    | I have a static IP/ADSL line and use a Zyxel Prestige 643 router as the
    | modem/router+firewall. The router has NAT enabled and serves as the DHCP
    | server for my local LAN.
    | I am able to do almost everything except VPN out to my work place (we
    | use Nortel's Contivity VPN client).
    | I opened up port 500 (UDP) to allow ISAKMP traffic - this got me past
    | the first stage. A network trace revealed 3 packets being exchanged for
    | ISAKMP aggressive on srcport==dstport==500. The subsequent packet from
    | my machine seems to choose a random UDP port. I have seen port# between
    | 1450-1700 being used. I think this is an IP packet encapsulated in UDP.
    | However, I never get a response back since that port is typically
    | blocked on my firewall. I continue to see ISAKMP informational packets
    | on port 500 but at about this point the VPN software gives up.
    |
    | Has anyone encountered a similar problem?
    | Any suggestions on what I can do to get the traffic to pass through
    | without opening up my firewall?

    There is no need to open any port for Contivity VPN. If your router
    supports VPN pass-through then that should be enough. You should check
    with your work IT. The VPN switch needs to authenticate you, then it'll
    issue the IP from the server; maybe this is where the problem is.