Firewall Wizards mailing list archives
VPN through DSL
From: "Harris, John P" <John.Harris () usa xerox com>
Date: Wed, 13 Mar 2002 22:46:15 -0500
Hi Stephanie,

If you are running an older Nortel client (older than version 4.x) and the servers you are connecting to are older than server version 4.x, you will need to open a "back connect" port on your NAT router. What happens is that the session gets established between you and the server and, as part of the authentication scheme, the Contivity VPN server will actually send some packets back to verify you are who you are. Since this is not part of the established connection, most firewalls will drop the packets, especially most out-of-the-box NAT devices.

Try opening this up from your VPN servers back to your client:

IP protocol 50 - IP Security Encapsulating Security Payload (ESP)
IP protocol 51 - IP Security Authentication Header (AH)

Remember these are IP protocols like TCP/IP and NOT TCP/UDP port numbers. I think the older clients just used one of these, but at this time I don't remember which one it is! :-) (my gut is screaming 50 at me though).

From the client to the VPN server you will need to have open the following:

TCP > 1023 (I know it's a lot, back to the comment about matching your VPN server IP)
UDP = isakmp (500)
IP protocol 50 (ESP)

These may not be accurate down to the port list; it's just what I think I remember from the manual long, long ago :-)

Later versions of the server and client software allow you to "Disable Keepalives", which greatly reduces this traffic. They have even implemented a solution in version 4.x that will pass all this traffic encapsulated in UDP (I believe). This has good and bad points, and the fact they made it so you have to enable it for the whole server or nothing at all makes it a big choice for someone running these servers. Remember to specify this to only be allowed from your VPN servers' IPs, as you don't want the extra holes to exist.

Other things to check are:

Group ID and Group Password - Some providers use a GID and GP to differentiate between different client groups with different network access privileges. If this information is wrong you will also get an authentication failure.

SecureID - Make sure it is not locked, they have your PIN set right AND your card is synced to the SecureID server. Any one of these will make your card not function properly. The other folks are correct about the SID auth feature. If they are running the earlier server code, they have to use Radius authentication from the VPN server to the SecureID server, and enabling this usually just shows you a different login page with separate fields for PIN and PASSCODE. It may work either way depending upon how they have their infrastructure set up.

Ping and traceroute may not be good tools to see if the server is there, as they are not used by the client or server, so they can be shut off for tighter security. The best advice is to try and contact the administrators of the servers themselves and see if they would be willing to assist you. There should be some additional connection information in the logs on the server, particularly lines that show you start to connect, then the server all of a sudden saying you're not there anymore, which is the result of the "keep-alive" function.

First start by allowing any traffic from your VPN server back through your NAT router/firewall. If you are getting an error back, you are reaching the server initially, which tells you that it's actually there without using ping and traceroute anyway.

I hope this helps.

John

John P. Harris Jr. SANS GSEC
Engineering Solutions & Tech Competencies
EDS Northeast Region I.Solutions
E-Mail: John.Harris () usa xerox com
Buick Club of America # 37854

Original Message Follows
-----snip-----
-----Original Message-----
From: Neverdowski [mailto:nevers () swbell net]
Sent: Tuesday, March 12, 2002 9:58 AM
To: firewall-wizards () nfr com
Subject: [fw-wiz] VPN through DSL

I am desperate. I have been trying to connect to my office's VPN through my DSL connection at home for months now. In order to connect to my VPN, my office has provided an RSA SecurID token, which generates a random passcode at periodic intervals. I installed the Nortel Extranet client required by my office to connect, and I run it after I have already established a DSL connection to the internet (with Enternet 300). However, the Extranet client always tells me that my login was unsuccessful, check my id and password. I have done so, and each time, my office says that both are in working order. I then contacted my ISP, who supplied the Enternet 300 software with which I establish my connection to the internet. They are clueless (Southwestern Bell - go figure). If I look at the details of my connection within the Enternet 300 software, I see "SecurID disabled". No one can tell me why it says this, or how to enable SecurID.

The furthest I got with any of the techs who tried to help was to run Tracert, which showed that everything was peachy until we hit the tenth address, which states "Request timed out", even though the 11th-14th still return replies (with the 14th being the address I want to reach). Someone at one point suggested I get a router. Is that my only option? Why would having a router on the external DSL modem on my home PC help? Any suggestions, help etc. would be greatly appreciated.

Thanks,
Stephanie
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
-----snip-----
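As an added illustration (not from John's message or from any Nortel documentation), here is a small Python model of the filter rules the post describes; the VPN server address 192.0.2.10 and the home LAN 192.168.1.0/24 are constructed placeholders. It makes the post's point concrete: a rule for IP protocol 50 matches ESP datagrams, not TCP or UDP traffic to port 50, and the back-connect rules are scoped to the VPN server's address only.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# IP protocol numbers (IANA). ESP and AH are protocols, not TCP/UDP ports.
TCP, UDP, ESP, AH = 6, 17, 50, 51

# Constructed placeholder addresses; substitute your own.
VPN_SERVER = ip_network("192.0.2.10/32")
HOME_LAN = ip_network("192.168.1.0/24")


@dataclass
class Rule:
    name: str
    proto: int
    src: IPv4Network
    dst: IPv4Network
    dport_min: int = 0        # port range is only consulted for TCP/UDP
    dport_max: int = 65535


# Rule set as described in the post: ESP/AH back-connect from the server,
# and ISAKMP (UDP 500), TCP > 1023 and ESP from the client to the server.
RULES = [
    Rule("esp-back", ESP, VPN_SERVER, HOME_LAN),
    Rule("ah-back", AH, VPN_SERVER, HOME_LAN),
    Rule("isakmp-out", UDP, HOME_LAN, VPN_SERVER, 500, 500),
    Rule("tcp-high-out", TCP, HOME_LAN, VPN_SERVER, 1024, 65535),
    Rule("esp-out", ESP, HOME_LAN, VPN_SERVER),
]


def allowed(proto: int, src: str, dst: str, dport: Optional[int] = None) -> Optional[str]:
    """Return the name of the first matching rule, or None (default deny)."""
    s, d = ip_address(src), ip_address(dst)
    for r in RULES:
        if r.proto != proto or s not in r.src or d not in r.dst:
            continue
        if proto in (TCP, UDP) and (dport is None or not r.dport_min <= dport <= r.dport_max):
            continue
        return r.name
    return None


if __name__ == "__main__":
    # ESP from the VPN server passes; TCP to "port 50" from the same host does not.
    print(allowed(ESP, "192.0.2.10", "192.168.1.5"))       # esp-back
    print(allowed(TCP, "192.0.2.10", "192.168.1.5", 50))   # None
    print(allowed(ESP, "198.51.100.7", "192.168.1.5"))     # None: not the VPN server
```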