cannot use Nortel vpn with ADSL router ?
Last response: in Networking
Archived from groups: comp.security.firewalls,comp.dcom.vpn (More info?)
Hi,
I have a static IP/ADSL line and use a Zyxel Prestige 643 router as the
modem/router+firewall. The router has NAT enabled and serves as the DHCP
server for my local LAN.
I am able to do almost everything except VPN out to my work place (we
use Nortel's Contivity VPN client).
I opened up port 500 (UDP) to allow ISAKMP traffic - this got me past
the first stage. A network trace revealed 3 packets being exchanged for
ISAKMP aggressive on srcport==dstport==500. The subsequent packet from
my machine seems to choose a random UDP port. I have seen port# between
1450-1700 being used. I think this is an IP packet encapsulated in UDP.
However, I never get a response back since that port is typically
blocked on my firewall. I continue to see ISAKMP informational packets
on port 500 but at about this point the VPN software gives up.
Has anyone encountered a similar problem ?
Any suggestions on what I can do to get the traffic to pass through with
out opening up my firewall.
Thanks,
~sri
srikantkt (at) REMOVE_SPAM gmail (dot) com
Hi,
I have a static IP/ADSL line and use a Zyxel Prestige 643 router as the
modem/router+firewall. The router has NAT enabled and serves as the DHCP
server for my local LAN.
I am able to do almost everything except VPN out to my work place (we
use Nortel's Contivity VPN client).
I opened up port 500 (UDP) to allow ISAKMP traffic - this got me past
the first stage. A network trace revealed 3 packets being exchanged for
ISAKMP aggressive on srcport==dstport==500. The subsequent packet from
my machine seems to choose a random UDP port. I have seen port# between
1450-1700 being used. I think this is an IP packet encapsulated in UDP.
However, I never get a response back since that port is typically
blocked on my firewall. I continue to see ISAKMP informational packets
on port 500 but at about this point the VPN software gives up.
Has anyone encountered a similar problem ?
Any suggestions on what I can do to get the traffic to pass through with
out opening up my firewall.
Thanks,
~sri
srikantkt (at) REMOVE_SPAM gmail (dot) com
More about : nortel vpn adsl router
Archived from groups: comp.security.firewalls,comp.dcom.vpn (More info?)
.. wrote:
> Hi,
>
> I have a static IP/ADSL line and use a Zyxel Prestige 643 router as the
> modem/router+firewall. The router has NAT enabled and serves as the DHCP
> server for my local LAN.
Can't use nortel VPN thru NAT. Period. End of story.
.. wrote:
> Hi,
>
> I have a static IP/ADSL line and use a Zyxel Prestige 643 router as the
> modem/router+firewall. The router has NAT enabled and serves as the DHCP
> server for my local LAN.
Can't use nortel VPN thru NAT. Period. End of story.
Archived from groups: comp.security.firewalls,comp.dcom.vpn (More info?)
T. Sean Weintz wrote:
> . wrote:
>
>> Hi,
>>
>> I have a static IP/ADSL line and use a Zyxel Prestige 643 router as
>> the modem/router+firewall. The router has NAT enabled and serves as
>> the DHCP server for my local LAN.
>
>
> Can't use nortel VPN thru NAT. Period. End of story.
Not true. Linksys (and many others) does it very well. They use
IPC-NAT. It maps the session ID found in the header of the packet and
maps it to the internal address. This is how it can receive IKE data
for several workstations on a single UDP port.
The initial IKE negotiation packet comes from the client with a source
and destination of UDP port 500. If the Nortel sees that the source
port has not been changed or NAT'ed it normally will not try to
encapsulate in UDP. If the source port is some other port, the Nortel
assumes the device is not "IPSec aware" and will start the UDP
encapsulation process. You are correct in thinking this is where you
are breaking.
The Fix:
Set up a one to one NAT. This will allow normal communications without
modifying ports.
Steve H.
T. Sean Weintz wrote:
> . wrote:
>
>> Hi,
>>
>> I have a static IP/ADSL line and use a Zyxel Prestige 643 router as
>> the modem/router+firewall. The router has NAT enabled and serves as
>> the DHCP server for my local LAN.
>
>
> Can't use nortel VPN thru NAT. Period. End of story.
Not true. Linksys (and many others) does it very well. They use
IPC-NAT. It maps the session ID found in the header of the packet and
maps it to the internal address. This is how it can receive IKE data
for several workstations on a single UDP port.
The initial IKE negotiation packet comes from the client with a source
and destination of UDP port 500. If the Nortel sees that the source
port has not been changed or NAT'ed it normally will not try to
encapsulate in UDP. If the source port is some other port, the Nortel
assumes the device is not "IPSec aware" and will start the UDP
encapsulation process. You are correct in thinking this is where you
are breaking.
The Fix:
Set up a one to one NAT. This will allow normal communications without
modifying ports.
Steve H.
Archived from groups: comp.security.firewalls,comp.dcom.vpn (More info?)
"." <dontspamme@junkmail.com> wrote in message
news:419867AB.5090307@junkmail.com...
| Hi,
|
| I have a static IP/ADSL line and use a Zyxel Prestige 643 router as
the
| modem/router+firewall. The router has NAT enabled and serves as the
DHCP
| server for my local LAN.
| I am able to do almost everything except VPN out to my work place (we
| use Nortel's Contivity VPN client).
| I opened up port 500 (UDP) to allow ISAKMP traffic - this got me past
| the first stage. A network trace revealed 3 packets being exchanged
for
| ISAKMP aggressive on srcport==dstport==500. The subsequent packet from
| my machine seems to choose a random UDP port. I have seen port#
between
| 1450-1700 being used. I think this is an IP packet encapsulated in
UDP.
| However, I never get a response back since that port is typically
| blocked on my firewall. I continue to see ISAKMP informational packets
| on port 500 but at about this point the VPN software gives up.
|
| Has anyone encountered a similar problem ?
| Any suggestions on what I can do to get the traffic to pass through
with
| out opening up my firewall.
There is no need to open any port for Contivity VPN. If your router
supports VPN pass through then that should be enough. You should check
with your work IT. The VPN switch needs to authenticate you then it'll
issue the ip from the server, maybe this is were the problem is.
"." <dontspamme@junkmail.com> wrote in message
news:419867AB.5090307@junkmail.com...
| Hi,
|
| I have a static IP/ADSL line and use a Zyxel Prestige 643 router as
the
| modem/router+firewall. The router has NAT enabled and serves as the
DHCP
| server for my local LAN.
| I am able to do almost everything except VPN out to my work place (we
| use Nortel's Contivity VPN client).
| I opened up port 500 (UDP) to allow ISAKMP traffic - this got me past
| the first stage. A network trace revealed 3 packets being exchanged
for
| ISAKMP aggressive on srcport==dstport==500. The subsequent packet from
| my machine seems to choose a random UDP port. I have seen port#
between
| 1450-1700 being used. I think this is an IP packet encapsulated in
UDP.
| However, I never get a response back since that port is typically
| blocked on my firewall. I continue to see ISAKMP informational packets
| on port 500 but at about this point the VPN software gives up.
|
| Has anyone encountered a similar problem ?
| Any suggestions on what I can do to get the traffic to pass through
with
| out opening up my firewall.
There is no need to open any port for Contivity VPN. If your router
supports VPN pass through then that should be enough. You should check
with your work IT. The VPN switch needs to authenticate you then it'll
issue the ip from the server, maybe this is were the problem is.
Related ressources:
- ForumMultiple VPN via ADSL Gateway?
- Forumadsl modem + router for vpn use .
- ForumNortel Extranet, VPN Passthrough, NAT & DG834G
- ForumNortel VPN problem with Intel WIFI 5300
- ForumUse local network whilst connected to Nortel Contivity VPN
- ForumProblem with VPN over Wireless - Help please!
- Forumhow to set multi-site-2-site vpn with dynamic ip
- ForumCannot connect to vpn through router
- ForumVPN Gurus, Help!!! How to size a VPN router ?
- ForumNortel VPN and Banner Text
- Forumrouter for apartment complex
- ForumVPN server for use with native XP client?
- ForumDSL/ Nortel VPN /3Com Hub issue
- ForumLinksys 8 port VPN router
- ForumCannot ping VPN network via D-Link DI-624 wireless router .
- ForumHow to setup a 1GB Gigabyte Network
- ForumVPN between ISDN and ADSL
- Forumcan a netgear router plus VPN client do this??
- ForumVPN Router with QOS and FQDN?
- Forumnetopia router 9100 R series
- More resources
Read discussions in other Networking categories
!
