cannot use Nortel vpn with ADSL router?

user

Dec 26, 2003
Archived from groups: comp.security.firewalls,comp.dcom.vpn

Hi,

I have a static IP/ADSL line and use a Zyxel Prestige 643 router as the
modem/router+firewall. The router has NAT enabled and serves as the DHCP
server for my local LAN.
I am able to do almost everything except VPN out to my work place (we
use Nortel's Contivity VPN client).
I opened up port 500 (UDP) to allow ISAKMP traffic - this got me past
the first stage. A network trace revealed 3 packets being exchanged for
ISAKMP aggressive on srcport==dstport==500. The subsequent packet from
my machine seems to choose a random UDP port. I have seen port# between
1450-1700 being used. I think this is an IP packet encapsulated in UDP.
However, I never get a response back since that port is typically
blocked on my firewall. I continue to see ISAKMP informational packets
on port 500 but at about this point the VPN software gives up.

Has anyone encountered a similar problem?
Any suggestions on what I can do to get the traffic to pass through
without opening up my firewall.

Thanks,
~sri

srikantkt (at) REMOVE_SPAM gmail (dot) com
 
G

Guest

Guest
Archived from groups: comp.security.firewalls,comp.dcom.vpn (More info?)

. wrote:
> Hi,
>
> I have a static IP/ADSL line and use a Zyxel Prestige 643 router as the
> modem/router+firewall. The router has NAT enabled and serves as the DHCP
> server for my local LAN.

Can't use nortel VPN thru NAT. Period. End of story.
 
G

Guest

Guest
Archived from groups: comp.security.firewalls,comp.dcom.vpn (More info?)

T. Sean Weintz wrote:
> . wrote:
>
>> Hi,
>>
>> I have a static IP/ADSL line and use a Zyxel Prestige 643 router as
>> the modem/router+firewall. The router has NAT enabled and serves as
>> the DHCP server for my local LAN.
>
>
> Can't use nortel VPN thru NAT. Period. End of story.

Not true. Linksys (and many others) does it very well. They use
IPC-NAT. It maps the session ID found in the header of the packet and
maps it to the internal address. This is how it can receive IKE data
for several workstations on a single UDP port.

The initial IKE negotiation packet comes from the client with a source
and destination of UDP port 500. If the Nortel sees that the source
port has not been changed or NAT'ed it normally will not try to
encapsulate in UDP. If the source port is some other port, the Nortel
assumes the device is not "IPSec aware" and will start the UDP
encapsulation process. You are correct in thinking this is where you
are breaking.

The Fix:
Set up a one to one NAT. This will allow normal communications without
modifying ports.

Steve H.
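As an added illustration of the failure pattern the original question describes and of the source-port check this reply explains (example code added here, not from the thread, from Nortel or from any router vendor), the script below parses a constructed tcpdump-style UDP summary, checks whether the IKE exchange on port 500 was answered, flags any post-IKE UDP flow that only ever leaves the client, and models the "was the source port still 500 when it reached the gateway" decision. The client and gateway addresses, the client-side port 1523 and the gateway-side port of the data flow are all assumptions; the thread only says the client picks a port somewhere in 1450-1700.

```python
"""Diagnose where a NAT'ed IPsec/IKE session stalls from a client-side UDP trace."""
import re
from collections import defaultdict
from dataclasses import dataclass

IKE_PORT = 500  # ISAKMP/IKE, the port the original post opened

# Constructed trace in tcpdump summary form (not a real capture).
# 192.168.1.10 plays the LAN client, 203.0.113.5 the VPN gateway.
# Port 1523 is a made-up value inside the 1450-1700 range the post reports;
# the gateway-side port of that flow is also an assumption, the thread does
# not say which port the gateway listens on for encapsulated traffic.
SAMPLE_TRACE = """
0.000 IP 192.168.1.10.500 > 203.0.113.5.500: UDP, length 312
0.041 IP 203.0.113.5.500 > 192.168.1.10.500: UDP, length 296
0.052 IP 192.168.1.10.500 > 203.0.113.5.500: UDP, length 84
0.060 IP 192.168.1.10.1523 > 203.0.113.5.1523: UDP, length 132
0.560 IP 192.168.1.10.1523 > 203.0.113.5.1523: UDP, length 132
1.560 IP 192.168.1.10.1523 > 203.0.113.5.1523: UDP, length 132
2.100 IP 192.168.1.10.500 > 203.0.113.5.500: UDP, length 76
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+IP\s+(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)"
    r"\s+>\s+(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+UDP,\s+length\s+(?P<length>\d+)$"
)


@dataclass
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    length: int


def parse_trace(text):
    """Turn summary lines into Packet records; lines that are not UDP summaries are skipped."""
    pkts = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pkts.append(Packet(float(m["ts"]), m["src"], int(m["sport"]),
                           m["dst"], int(m["dport"]), int(m["length"])))
    return pkts


def diagnose(pkts, client_ip):
    """Count the IKE exchange on 500/500 and find post-IKE flows that never get a reply."""
    ike_out = sum(1 for p in pkts if p.src == client_ip and p.sport == IKE_PORT and p.dport == IKE_PORT)
    ike_in = sum(1 for p in pkts if p.dst == client_ip and p.sport == IKE_PORT and p.dport == IKE_PORT)
    # Any client-side port other than 500 is treated as the encapsulated data path.
    flows = defaultdict(lambda: [0, 0])  # (client_port, peer_ip, peer_port) -> [out, in]
    for p in pkts:
        if p.src == client_ip and p.sport != IKE_PORT:
            flows[(p.sport, p.dst, p.dport)][0] += 1
        elif p.dst == client_ip and p.dport != IKE_PORT:
            flows[(p.dport, p.src, p.sport)][1] += 1
    stalled = sorted(k for k, (out, inbound) in flows.items() if out and not inbound)
    if ike_in == 0:
        verdict = "no IKE reply on UDP 500: ISAKMP itself is not getting through"
    elif stalled:
        verdict = ("IKE exchange answered, but the post-IKE UDP flow gets no reply: "
                   "return traffic on that port is not being passed back to the client")
    else:
        verdict = "IKE and data flows are both answered"
    return {"ike_out": ike_out, "ike_in": ike_in, "ike_exchange_seen": ike_in > 0,
            "stalled_flows": stalled, "verdict": verdict}


def gateway_expects_udp_encapsulation(seen_source_port):
    """Model of the behaviour described in the reply above (not Nortel's code):
    an IKE packet arriving with source port 500 means the peer was not port-NAT'ed,
    so no UDP encapsulation; any other source port triggers encapsulation.
    A one-to-one NAT keeps the port at 500 and so stays on the first path."""
    return seen_source_port != IKE_PORT


if __name__ == "__main__":
    result = diagnose(parse_trace(SAMPLE_TRACE), "192.168.1.10")
    for key, value in result.items():
        print(f"{key}: {value}")
    print("port-rewriting NAT seen by gateway ->", gateway_expects_udp_encapsulation(61234))
    print("one-to-one NAT keeps 500 ->", gateway_expects_udp_encapsulation(500))
```

Run it against a real `tcpdump -n udp` summary of the client's traffic and the `stalled_flows` entry tells you which client port the router has to map back inbound; if `ike_in` is already zero the problem is earlier, at port 500 itself.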
 
G

Guest

Guest
Archived from groups: comp.security.firewalls,comp.dcom.vpn (More info?)

"." <dontspamme@junkmail.com> wrote in message
news:419867AB.5090307@junkmail.com...
| Hi,
|
| I have a static IP/ADSL line and use a Zyxel Prestige 643 router as the
| modem/router+firewall. The router has NAT enabled and serves as the DHCP
| server for my local LAN.
| I am able to do almost everything except VPN out to my work place (we
| use Nortel's Contivity VPN client).
| I opened up port 500 (UDP) to allow ISAKMP traffic - this got me past
| the first stage. A network trace revealed 3 packets being exchanged for
| ISAKMP aggressive on srcport==dstport==500. The subsequent packet from
| my machine seems to choose a random UDP port. I have seen port# between
| 1450-1700 being used. I think this is an IP packet encapsulated in UDP.
| However, I never get a response back since that port is typically
| blocked on my firewall. I continue to see ISAKMP informational packets
| on port 500 but at about this point the VPN software gives up.
|
| Has anyone encountered a similar problem?
| Any suggestions on what I can do to get the traffic to pass through
| without opening up my firewall.

There is no need to open any port for Contivity VPN. If your router
supports VPN pass through then that should be enough. You should check
with your work IT. The VPN switch needs to authenticate you then it'll
issue the IP from the server, maybe this is where the problem is.