RE: IPSEC (Nortel Client behind V4.05 BEHIND NAT)

  • From: Scott Sandeman <sandeman@xxxxxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 08 Apr 2002 13:56:56 -0500

Ah... OK. I'll try that...

Thx Greg... 

Cheers

-- Scott Sandeman
Operations Manager
Northern Media Solutions
sandeman@xxxxxxxxxxxxxxxxxxxx

> http://www.ISAserver.org
> 
> 
> Not port 50
> 
> I mean enable protocol 50
> 
> Sorry!
> 
> -----Original Message-----
> From: Greg Foulks [mailto:greg.foulks@xxxxxxxx]
> Sent: Monday, April 08, 2002 2:44 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: IPSEC (Nortel Client behind V4.05 BEHIND NAT)
> 
> 
> 
> IPSEC does not like traffic that has been NAT'd
> 
> You can remove port 51. You only need to enable port 50; this is what is used
> to authenticate to the switch via IKE.
> 
> You can't communicate past the switch because NAT traversal is not set up to
> allow the ISA server to send its data using UDP.
> 
> I've been thru this heartache.. It took a couple of months to get everything
> figured out. Once I upgraded the switch and client,
> enabled NAT traversal, defined the port to use for UDP and set up the split
> tunnel to secure the switch, it all works as advertised.
> 
> Greg
> 
> 
> -----Original Message-----
> From: Scott Sandeman [mailto:sandeman@xxxxxxxxxxxxxxxxxxxxx]
> Sent: Monday, April 08, 2002 2:35 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: IPSEC (Nortel Client behind V4.05 BEHIND NAT)
> 
> 
> 
> Hmm,
> 
>   Though I am not using ISA the new software might help. They have an
> upgrade policy with Nortel, so perhaps I can get the new software for client
> and switch.
> 
>   However, in the current config (Switch 2.6 and client 2.62) I can get
> authentication from behind the NAT... But again I get no traffic after that.
> So if I set up for "split tunneling" & "nat traversal" perhaps that might
> alleviate the prob.
> I am mapping ports 50 and 51... Any idea if this is right? Is it that
> the NAT is "tagging" all traffic and the Contivity doesn't like that?
> 
> I dunno.. Just grasping at straws I guess.
> 
> -- Scott Sandeman
> Operations Manager
> Northern Media Solutions
> sandeman@xxxxxxxxxxxxxxxxxxxx
> 
> 
> 
>> 
>> You'll need to upgrade to 4_15.03 client and load the latest version 4
>> software on the switch.
>> 
>> Then you'll need to configure "split tunneling" and "nat traversal" on the
>> switch. The Nortel docs are well written with
>> instructions on doing this.
>> 
>> Keep in mind that the port you decided to use for "nat traversal" on the
>> switch must be opened on the ISA for you to connect. This
>> could explain why you can authenticate but can't communicate.
>> 
>> 
>> Greg
>> 
>> 
>> -----Original Message-----
>> From: Scott Sandeman [mailto:sandeman@xxxxxxxxxxxxxxxxxxxxx]
>> Sent: Monday, April 08, 2002 2:07 PM
>> To: [ISAserver.org Discussion List]
>> Subject: [isalist] IPSEC (Nortel Client behind V4.05 BEHIND NAT)
>> 
>> 
>> 
>> Hello all
>> 
>>   I have been a member of this list for a while and it has proven
>> informative. Though this question is not directly associated with ISA, I
>> thought that there was no better list to post this question.
>> 
>> Now that the buttering up is done.. Here we go.
>> 
>> I have a small client that uses the Nortel VPN Client against a Nortel
>> Contivity 1500 "switch". The client tests many platforms from home and uses
>> WinRoute Pro v4.1 at each employee's home to enable them to connect to the
>> internet from several machines at once. They would like to be able to
>> connect to the Contivity from behind a NAT from each Home Office.
>> 
>> Do you have any suggestions? WinRoute Pro is capable of packet filtering and
>> port mappings to specific internal IPs.
>> 
>> Currently I am able to connect to the "server" and get an IP assigned to the
>> client though I can transmit no traffic to the server after authentication.
>> 
>> Any ideas..
>> 
>> Cheers
>> Scott
>> 
>> -- Scott Sandeman
>> Operations Manager
>> Northern Media Solutions
>> sandeman@xxxxxxxxxxxxxxxxxxxx
>> 
>> ------------------------------------------------------
>> You are currently subscribed to this ISAserver.org Discussion List as:
>> greg.foulks@xxxxxxxx
>> To unsubscribe send a blank email to $subst('Email.Unsub')
> 
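Added example, not part of the thread: a Python sketch of the "port 50" versus "protocol 50" distinction discussed above. ESP (50) and AH (51) are IP protocol numbers and carry no TCP/UDP ports, so a port mapping never matches them, while IKE on UDP 500 and ESP wrapped in UDP for NAT traversal do have ports. The NAT traversal port 10001, the addresses and the sample packets are constructed assumptions.

```python
import struct

ESP, AH, UDP, TCP = 50, 51, 17, 6   # IP protocol numbers (IPv4 "Protocol" field)
IKE_PORT = 500                      # IKE negotiation runs over UDP port 500
NATT_PORT = 10001                   # constructed: UDP port chosen for NAT traversal

def ipv4(proto, payload=b"", src=b"\xc0\xa8\x01\x0a", dst=b"\xcb\x00\x71\x05"):
    """Build a minimal IPv4 packet (constructed sample; checksum left at 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, 64, proto, 0, src, dst)
    return hdr + payload

def udp(sport, dport, data=b""):
    """Build a UDP header plus data (checksum left at 0)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def ports(pkt):
    """Return (sport, dport) for TCP/UDP, or None: ESP and AH carry no ports."""
    if pkt[9] not in (TCP, UDP):
        return None
    ihl = (pkt[0] & 0x0F) * 4
    return struct.unpack("!HH", pkt[ihl:ihl + 4])

def classify(pkt, natt_port=NATT_PORT):
    """Name the IPsec-related traffic type of one IPv4 packet."""
    proto, p = pkt[9], ports(pkt)
    if proto == ESP:
        return "esp"
    if proto == AH:
        return "ah"
    if proto == UDP and IKE_PORT in p:
        return "ike"
    if proto == UDP and natt_port in p:
        return "esp-in-udp"
    return "other"

def port_mapping_matches(pkt, mapped_ports):
    """A NAT port mapping is keyed on a TCP/UDP destination port."""
    p = ports(pkt)
    return p is not None and p[1] in mapped_ports

# Constructed samples: 8 zero bytes stand in for the ESP SPI and sequence number.
IKE_PKT = ipv4(UDP, udp(500, 500))
ESP_PKT = ipv4(ESP, bytes(8))
NATT_PKT = ipv4(UDP, udp(NATT_PORT, NATT_PORT, bytes(8)))

for name, pkt in (("IKE", IKE_PKT), ("ESP", ESP_PKT), ("NAT-T", NATT_PKT)):
    print(name, classify(pkt), "matches port map {50, 51}:",
          port_mapping_matches(pkt, {50, 51}))
```

Mapping ports 50 and 51 matches none of the three samples, which lines up with the symptom in the thread: the IKE exchange on UDP 500 completes, but native ESP data has no port for the mapping to act on.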







