IPSEC does not like traffic that has been NAT'd.

You can remove port 51. You only need to enable port 50; this is what is used to authenticate to the switch via IKE.

You can't communicate past the switch because NAT traversal is not set up to allow the ISA server to send its data using UDP.

I've been thru this heartache. It took a couple of months to get everything figured out. Once I upgraded the switch and client, enabled NAT traversal, defined the port to use for UDP and set up the split tunnel to secure the switch, it all works as advertised.

Greg

-----Original Message-----
From: Scott Sandeman [mailto:sandeman@xxxxxxxxxxxxxxxxxxxxx]
Sent: Monday, April 08, 2002 2:35 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: IPSEC (Nortel Client behind V4.05 BEHIND NAT)

http://www.ISAserver.org

Hmm,

Though I am not using ISA the new software might help. They have an upgrade policy with Nortel, so perhaps I can get the new software for client and switch.

However, in the current config (Switch 2.6 and client 2.62) I can get authentication from behind the NAT. But again I get no traffic after that. So if I set up for "split tunneling" & "nat traversal" perhaps that might alleviate the prob.

I am mapping ports 50 and 51... Any idea if this is right? Is it that the NAT is "tagging" all traffic and the Contivity doesn't like that? I dunno. Just grasping at straws I guess.

--
Scott Sandeman
Operations Manager
Northern Media Solutions
sandeman@xxxxxxxxxxxxxxxxxxxx

> You'll need to upgrade to 4_15.03 client and load the latest version 4
> software on the switch.
>
> Then you'll need to configure "split tunneling" and "nat traversal" on the
> switch. The Nortel docs are well written with instructions on doing this.
>
> Keep in mind that the port you decided to use for "nat traversal" on the
> switch must be opened on the ISA for you to connect. This
> could explain why you can authenticate but can't communicate.
>
> Greg
>
> -----Original Message-----
> From: Scott Sandeman [mailto:sandeman@xxxxxxxxxxxxxxxxxxxxx]
> Sent: Monday, April 08, 2002 2:07 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] IPSEC (Nortel Client behind V4.05 BEHIND NAT)
>
> Hello all
>
> I have been a member of this list for a while and it has proven
> informative. Though this question is not directly associated with ISA, I
> thought that there was no better list to post this question.
>
> Now that the buttering up is done.. Here we go.
>
> I have a small client that uses the Nortel VPN Client against a Nortel
> Contivity 1500 "switch". The client tests many platforms from home and uses
> WinRoute Pro v4.1 at each employee's home to enable them to connect to the
> internet from several machines at once. They would like to be able to
> connect to the Contivity from behind a NAT from each Home Office.
>
> Do you have any suggestions? WinRoute Pro is capable of packet filtering and
> port mappings to specific internal IPs.
>
> Currently I am able to connect to the "server" and get an IP assigned to the
> client, though I can transmit no traffic to the server after authentication.
>
> Any ideas..
>
> Cheers
> Scott
>
> --
> Scott Sandeman
> Operations Manager
> Northern Media Solutions
> sandeman@xxxxxxxxxxxxxxxxxxxx

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: greg.foulks@xxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
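The symptom discussed in this thread (the client authenticates from behind the NAT but no traffic flows afterwards), shown as an added example that is not part of the original messages. It runs three constructed packets through a simplified model of a port-translating NAT; the addresses, the `NAT_T_PORT` value and the function names are assumptions made for illustration, not Nortel, WinRoute or ISA settings.

```python
import socket
import struct

IKE_PORT = 500        # IKE negotiation runs over UDP port 500
NAT_T_PORT = 10001    # constructed value standing in for the UDP port set on the switch
PROTO_NAMES = {6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}  # IP protocol numbers


def ipv4_packet(src, dst, proto, payload):
    """Build a minimal IPv4 packet (20-byte header, checksum left at zero)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def udp_datagram(sport, dport, data=b""):
    """Build a UDP header (checksum zero) followed by the data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def napt_outbound(packet, public_ip, table):
    """Simplified port-translating NAT: returns (verdict, description).

    The mapping is keyed on the transport source port, so only protocols
    that carry ports (TCP and UDP) can be translated.
    """
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = socket.inet_ntoa(packet[12:16])
    name = PROTO_NAMES.get(proto, str(proto))
    if proto not in (6, 17):
        return "dropped", f"{name} (IP protocol {proto}) has no ports to map"
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    public_port = table.setdefault((proto, src, sport), 40000 + len(table))
    return "translated", f"{name} {src}:{sport} -> {public_ip}:{public_port}, dst port {dport}"


def run_demo():
    # Constructed sample traffic using documentation address ranges.
    client, switch, public = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    table = {}
    nat_t = udp_datagram(NAT_T_PORT, NAT_T_PORT, b"\x00" * 16)
    packets = {
        "IKE negotiation": ipv4_packet(client, switch, 17, udp_datagram(IKE_PORT, IKE_PORT)),
        "native ESP data": ipv4_packet(client, switch, 50, b"\x00" * 16),
        "ESP wrapped in UDP": ipv4_packet(client, switch, 17, nat_t),
    }
    return {label: napt_outbound(pkt, public, table) for label, pkt in packets.items()}


if __name__ == "__main__":
    for label, (verdict, why) in run_demo().items():
        print(f"{label:20} {verdict:10} {why}")
```

In this model the IKE exchange is translated while native ESP is dropped, which matches "can authenticate but can't communicate"; once the data is wrapped in UDP it is translated like any other datagram.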