RE: IPSEC behind 5XT

["Ben Nagy" <ben () iagu net>]

Question one 'is are you using NAT?'. That can complicate things.

Overall, I would make sure you aren't using NAT, and then make sure that
your Netscreen is properly passing the traffic on the 'other' IP Protocols.
You need GRE (47) for PPTP and ESP and AH (50 and 51) for IPSec.

You can check this using traceroute with hping, and the --ipproto option.

If the basic connectivity tests work out then it could be some weird
in-protocol VPN chicanery, but it doesn't smell like it.

I'd like to be more help, but there's really not enough info at this stage.

Cheers,

ben

> -----Original Message-----
> From: firewall-wizards-admin () honor icsalabs com 
> [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf 
> Of Clark, Steve
> Sent: Friday, August 29, 2003 12:09 AM
> To: firewall-wizards () honor icsalabs com
>
> Good afternoon,
>
> I am trying to figure out how to configure a 5XT to allow 
> other company's
> remote VPN products to pass thru a 5XT. Two situations:
>
> 1. SSH Sentinel connecting to a Linksys VPN - remove the NS 
> from in between
> and the VPN works fine. Put SSH Sentinel behind the NS 5XT in 
> route mode and
> the VPN will not build. The logs from SSH indicate: 
> Retransmitting packet,
> retries = 5. First I thought it was the Linksys VPN, but...
> 2. PPTP VPN on a XP laptop - outside the NS, works fine, 
> behind the NS, same
> issue - will not build a tunnel to a different company's VPN router.
>
> Have called NS support and they look at debug and say all is 
> well - however,
> still can't connect and I don't think 2 company's devices are 
> failing ONLY
> on me.
>
> NS 5XT in route mode on OS 4.0.0r8
>
> Any ideas of where to look or what direction to go?
>
> TIA
> Steve

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards