RE: Nortel VPN Client

  • From: "Ball, Dan" <DBall@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 11 Jan 2006 08:38:00 -0500

Looking through the logs some more, it appears the program also attempts
to use the web proxy port (denied because it requires authentication)
and SNMP during the negotiation sessions.  

Finally found that version of the clients on their website.  It's only a
couple of months old, so might be why not too many people have run into
it yet. I was going to download it and try it on another computer, but
apparently you need an account to download.  

Since this is the VPN setup used by our local university, I have the
nauseating feeling that this issue is going to keep coming up more often
as we start with them more often...
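An added example of the log triage described above (my code, not Dan's, Tom's or Nortel's): it picks out the records addressed to the VPN gateway, lists the transport/port pairs with the action ISA took on each, and checks the two points Tom's reply raises, a fixed IKE source port of 500 and whether NAT-T on UDP 4500 shows up at all. The key=value log layout, the IP addresses and the web-proxy (8080) and SNMP (161) port numbers are assumptions, not values from the thread.

```python
"""Triage a firewall log capture: isolate what the VPN client sends to its
gateway, separate from the web browsing that got jumbled into the same log.
Assumption: records below are constructed in a simplified key=value layout, not
ISA Server's export format; gateway/client IPs and ports 8080/161 are assumed."""

SAMPLE_LOG = """\
client=10.0.0.25 dest=203.0.113.10 proto=IKE transport=UDP sport=500 dport=500 action=Denied
client=10.0.0.25 dest=203.0.113.10 proto=HTTPS transport=TCP sport=1043 dport=443 action=Allowed
client=10.0.0.25 dest=203.0.113.10 proto=HTTP transport=TCP sport=1044 dport=80 action=Allowed
client=10.0.0.25 dest=203.0.113.10 proto=WebProxy transport=TCP sport=1045 dport=8080 action=Denied
client=10.0.0.25 dest=203.0.113.10 proto=SNMP transport=UDP sport=1046 dport=161 action=Denied
client=10.0.0.25 dest=198.51.100.7 proto=HTTP transport=TCP sport=1047 dport=80 action=Allowed
client=10.0.0.25 dest=203.0.113.10 proto=IKE transport=UDP sport=500 dport=500 action=Denied
"""

def parse_line(line):
    """Split one key=value record into a dict (constructed format)."""
    return dict(field.split("=", 1) for field in line.split())

def gateway_entries(log_text, gateway_ip):
    """Keep only records sent to the VPN gateway; the rest is browsing noise."""
    records = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [r for r in records if r.get("dest") == gateway_ip]

def port_summary(entries):
    """Collapse to (transport, dport) -> protocol, count, actions; each 'Denied' key is a missing rule."""
    summary = {}
    for r in entries:
        key = (r["transport"], int(r["dport"]))
        s = summary.setdefault(key, {"proto": r["proto"], "count": 0, "actions": set()})
        s["count"] += 1
        s["actions"].add(r["action"])
    return summary

def ike_uses_fixed_source_port(entries):
    """True when every IKE record also has source port 500: the client pins its
    source port rather than using an ephemeral one, which the rule and any NAT must allow for."""
    ike = [r for r in entries if r["proto"] == "IKE"]
    return bool(ike) and all(r["sport"] == "500" for r in ike)

def nat_traversal_seen(entries):
    """UDP 4500 would indicate IPsec NAT-T; note its absence if a NAT is in the path."""
    return any(r["transport"] == "UDP" and r["dport"] == "4500" for r in entries)

if __name__ == "__main__":
    hits = gateway_entries(SAMPLE_LOG, "203.0.113.10")
    for (transport, port), s in sorted(port_summary(hits).items()):
        print(f"{transport}/{port:<5} {s['proto']:<9} x{s['count']} {sorted(s['actions'])}")
    print("IKE source port fixed at 500:", ike_uses_fixed_source_port(hits))
    print("NAT-T (UDP 4500) observed:", nat_traversal_seen(hits))
```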


-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Tuesday, January 10, 2006 11:38 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Nortel VPN Client

http://www.ISAserver.org

Hi Dan,

There's no shortage of dolts in this business, though some more doltish
than others. :)

Since you're seeing an IKE connection (UDP 500), the Nortel is using some
horkage called IPSec tunnel mode for remote access VPN client
connections. Of course, IIRC the RFC for IPSec tunnel indicates that it
should be used only for site to site VPNs, since user authentication
wasn't defined. That's why Microsoft decided to use L2TP and PPP/EAP
authentication, because that was an Internet standard. But if you go with
standards, how do you lock someone into your horkage?

Anyhow, I'll bet a nickel that Nortel continues with their
non-compliance by not allowing the source port to be anything other than
UDP 500. The other possibility is that there is a NAT relationship
between the source and destination, and either they use a non-standard
capsule or UDP 4500 isn't allowed outbound, or the client machine has
the Firewall client enabled.

You pick 'em :)

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
> Sent: Tuesday, January 10, 2006 10:20 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Nortel VPN Client
> 
> 
> It's difficult to tell, there are 190 entries in the log, and I know she
> browsed the web for a moment or two to test that. So it's all jumbled
> together.  From what I've been able to glean from it so far, it
> appears to be making web connections as part of the connection process.
> 
> I see connections via HTTP, HTTPS, and UDP port 500.  The contact person
> at the university said to open ipsec and ike ports, and if necessary to
> open all ports to their IP.  Of course, that was an expected answer...
> 
> OT: Reminds me of when we got a request a couple of months ago to open a
> port to get a client program working.  They said "open port 2200", so I
> asked if this was TCP or UDP, outbound or inbound.  You can guess the
> answer, they said open it for TCP AND UDP, inbound AND outbound....  Of
> course, I tested the client program out, and found it didn't even use
> port 2200 at all!  It used an entirely different port, TCP outbound only.
> I told them that, but they still don't believe me, they insist that it
> started working once I opened port 2200...
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> Sent: Tuesday, January 10, 2006 10:55 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Nortel VPN Client
> 
> 
> Did you see any connections coming from the client?
> 
> If Jim's right about it configured as a local proxy or LSP, then there
> could be a world of hurt ahead of you, but let's not jump to conclusions
> yet.
> 
> Tom
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
> 
>  
> 
> > -----Original Message-----
> > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
> > Sent: Tuesday, January 10, 2006 9:44 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Nortel VPN Client
> > 
> > 
> > I was watching the live monitor, but didn't see anything out of the
> > ordinary.  I saved a log of it, so will review it a bit more.
> > 
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> > Sent: Tuesday, January 10, 2006 3:51 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Nortel VPN Client
> > 
> > 
> > Hi Dan,
> > 
> > Try to make a connection and see what appears in the ISA firewall's log
> > files, watch in real time just for fun :)
> > 
> > Tom
> > 
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > **Who is John Galt?**
> > 
> >  
> > 
> > > -----Original Message-----
> > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
> > > Sent: Tuesday, January 10, 2006 2:26 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Nortel VPN Client
> > > 
> > > 
> > > I tried this afternoon to get a computer working on our network that
> > > needs to use the Nortel VPN Client.  No success...
> > > 
> > > Looks like I'll need to define the protocols in ISA for that client.
> > > I've tried searching Nortel.com, isaserver.org, and Microsoft's website
> > > for a port/protocol listing, but I can't even find the version of the
> > > client they're using!  Does anyone know what ports the VPN client uses?
> > > 
> > > Client: Nortel Contivity VPN Client v06_01.014
> > > OS: Windows XP SP2
> > > ISA: 2004SE
> > > 
> > 
> 

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
dball@xxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
