RE: IPSEC (Nortel Client behind V4.05 BEHIND NAT)

  • From: "Greg Foulks" <greg.foulks@xxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 8 Apr 2002 14:44:14 -0400

IPSEC does not like traffic that has been NAT'd

You can remove port 51. You only need to enable port 50; this is what is used to 
authenticate to the switch via IKE.

You can't communicate past the switch because NAT traversal is not set up to 
allow the ISA server to send its data using UDP.

I've been through this heartache. It took a couple of months to get everything 
figured out. Once I upgraded the switch and client, enabled NAT traversal, 
defined the port to use for UDP and set up the split tunnel to secure the 
switch, it all works as advertised.

Greg

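As an added illustration (not from this thread or from Nortel), a small Python model of the symptom Greg and Scott describe: a port-translating home gateway has no transport ports to key an ESP translation on, and once the switch wraps ESP in UDP for NAT traversal, the UDP port chosen on the switch still has to be allowed at the ISA or data stops after IKE succeeds. The IP addresses and the NAT-T port number are constructed.

```python
from dataclasses import dataclass
from typing import Optional

ESP, UDP = 50, 17          # IP protocol numbers
IKE_PORT = 500             # IKE negotiation runs over UDP/500
NATT_PORT = 10001          # hypothetical: whatever UDP port was configured on the switch


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for ESP/AH: they carry no transport ports
    dport: Optional[int] = None


class PortNat:
    """Constructed model of a port-translating home gateway with no IPsec passthrough."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.table = {}            # (proto, public_port) -> (inside_ip, inside_port)
        self.next_port = 40000

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.sport is None:      # nothing to key a translation on: packet is dropped
            return None
        pub, self.next_port = self.next_port, self.next_port + 1
        self.table[(pkt.proto, pub)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.public_ip, pkt.dst, pub, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        inside = self.table.get((pkt.proto, pkt.dport))
        if inside is None:         # no mapping: reply from the switch is dropped
            return None
        return Packet(pkt.proto, pkt.src, inside[0], pkt.sport, inside[1])


def firewall_allows(rules, pkt: Packet) -> bool:
    """rules: set of (proto, dport); a dport of None matches any port."""
    return any(p == pkt.proto and d in (None, pkt.dport) for p, d in rules)


def tunnel_works(nat: PortNat, rules, proto: int, port: Optional[int]) -> bool:
    """Does a data packet from an inside host reach the switch and get a reply back?"""
    out = nat.outbound(Packet(proto, "192.168.1.10", "203.0.113.5", port, port))
    if out is None or not firewall_allows(rules, out):
        return False
    reply = Packet(proto, "203.0.113.5", nat.public_ip, port, out.sport)
    return nat.inbound(reply) is not None
```

Allowing only protocol 50 and UDP/500 reproduces the "authenticates but carries no traffic" state; adding the NAT-T UDP port to the rule set is what makes the encapsulated data flow.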

-----Original Message-----
From: Scott Sandeman [mailto:sandeman@xxxxxxxxxxxxxxxxxxxxx]
Sent: Monday, April 08, 2002 2:35 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: IPSEC (Nortel Client behind V4.05 BEHIND NAT)


http://www.ISAserver.org


Hmm,

    Though I am not using ISA, the new software might help. They have an
upgrade policy with Nortel, so perhaps I can get the new software for client
and switch.

    However, in the current config (Switch 2.6 and client 2.62) I can get
authentication from behind the NAT, but again I get no traffic after that.
So if I set up for "split tunneling" & "nat traversal" perhaps that might
alleviate the problem.
I am mapping ports 50 and 51... Any idea if this is right? Is it that
the NAT is "tagging" all traffic and the Contivity doesn't like that?

I dunno.. Just grasping at straws I guess.

-- Scott Sandeman
Operations Manager
Northern Media Solutions
sandeman@xxxxxxxxxxxxxxxxxxxx



> You'll need to upgrade to 4_15.03 client and load the latest version 4
> software on the switch.
>
> Then you'll need to configure "split tunneling" and "nat traversal" on the
> switch. The Nortel docs are well written, with
> instructions on doing this.
>
> Keep in mind that the port you decided to use for "nat traversal" on the
> switch must be opened on the ISA for you to connect. This
> could explain why you can authenticate but can't communicate.
>
>
> Greg
>
>
> -----Original Message-----
> From: Scott Sandeman [mailto:sandeman@xxxxxxxxxxxxxxxxxxxxx]
> Sent: Monday, April 08, 2002 2:07 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] IPSEC (Nortel Client behind V4.05 BEHIND NAT)
>
>
> Hello all
>
>   I have been a member of this list for a while and it has proven
> informative. Though this question is not directly associated with ISA, I
> thought that there was no better list to post this question.
>
> Now that the buttering up is done.. Here we go.
>
> I have a small client that uses the Nortel VPN Client against a Nortel
> Contivity 1500 "switch". The client tests many platforms from home and uses
> WinRoute Pro v4.1 at each employee's home to enable them to connect to the
> internet from several machines at once. They would like to be able to
> connect to the Contivity from behind a NAT from each Home Office.
>
> Do you have any suggestions? WinRoute Pro is capable of packet filtering and
> port mappings to specific internal IPs.
>
> Currently I am able to connect to the "server" and get an IP assigned to the
> client though I can transmit no traffic to the server after authentication.
>
> Any ideas..
>
> Cheers
> Scott
>
> -- Scott Sandeman
> Operations Manager
> Northern Media Solutions
> sandeman@xxxxxxxxxxxxxxxxxxxx
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
greg.foulks@xxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')