RE: Nortel VPN Client

  • From: "Ball, Dan" <DBall@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 11 Jan 2006 09:44:44 -0500

Thanks!  I wonder why that didn't show up when I did a search for
"Nortel" last night.  That just might do the trick!

-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] 
Sent: Wednesday, January 11, 2006 8:43 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Nortel VPN Client

http://www.ISAserver.org

Hi Dan, 

Check out http://www.isaserver.org/articles/IPSec_Passthrough.html to see
if you can find something useful for your environment.

HTH, 
Stefaan 

-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
Sent: Wednesday, January 11, 2006 14:38
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Nortel VPN Client

Looking through the logs some more, it appears the program also attempts
to use the web proxy port (denied because it requires authentication) and
SNMP during the negotiation sessions.

Finally found that version of the clients on their website.  It's only a
couple of months old, so might be why not too many people have run into
it yet. I was going to download it and try it on another computer, but
apparently you need an account to download.

Since this is the VPN setup used by our local university, I have the
nauseating feeling that this issue is going to keep coming up more often
as we start with them more often...


-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Tuesday, January 10, 2006 11:38 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Nortel VPN Client

Hi Dan,

There's no shortage of dolts in this business, though some more doltish
than others. :)

Since you're seeing an IKE connection (UDP 500), the Nortel is using some
horkage called IPSec tunnel mode for remote access VPN client connections.
Of course, IIRC the RFC for IPSec tunnel indicates that it should be used
only for site to site VPNs, since user authentication wasn't defined.
That's why Microsoft decided to use L2TP and PPP/EAP authentication,
because that was an Internet standard. But if you go with standards, how
do you lock someone into your horkage?

Anyhow, I'll bet a nickel that Nortel continues with their non-compliance
by not allowing the source port to be anything other than UDP 500. The
other possibility is that there is a NAT relationship between the source
and destination, and either they use a non-standard capsule or UDP 4500
isn't allowed outbound, or the client machine has the Firewall client
enabled.

You pick 'em :)

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Tuesday, January 10, 2006 10:20 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Nortel VPN Client
> 
> It's difficult to tell, there are 190 entries in the log, and I know 
> she browsed the web for a moment or two to test that. So it's all 
> jumbled together.  From what I've been able to glean from it so far is
> that it appears to be making web connections as part of the connection
> process.
> 
> I see connections via HTTP, HTTPS, and UDP port 500.  The contact 
> person at the university said to open ipsec and ike ports, and if 
> necessary to open all ports to their IP.  Of course, that was an 
> expected answer...
> 
> OT: Reminds me of when we got a request a couple of months ago to open
> a port to get a client program working.  They said "open port 2200", 
> so I asked if this was TCP or UDP, outbound or inbound.  You can guess
> the answer, they said open it for TCP AND UDP, inbound AND 
> outbound....  Of course, I tested the client program out, and found it
> didn't even use port 2200 at all!  It used an entirely different port, 
> TCP outbound only.
> I told them that, but they still don't believe me, they insist that it
> started working once I opened port 2200...
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Tuesday, January 10, 2006 10:55 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Nortel VPN Client
> 
> Did you see any connections coming from the client?
> 
> If Jim's right about it configured as a local proxy or LSP, then there
> could be a world of hurt ahead of you, but let's not jump to 
> conclusions yet.
> 
> Tom
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
> 
>  
> 
> > -----Original Message-----
> > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > Sent: Tuesday, January 10, 2006 9:44 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Nortel VPN Client
> > 
> > I was watching the live monitor, but didn't see anything out of the 
> > ordinary.  I saved a log of it, so will review it a bit more.
> > 
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > Sent: Tuesday, January 10, 2006 3:51 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Nortel VPN Client
> > 
> > Hi Dan,
> > 
> > Try to make a connection and see what appears in the ISA firewall's 
> > log files, watch in real time just for fun :)
> > 
> > Tom
> > 
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > **Who is John Galt?**
> > 
> >  
> > 
> > > -----Original Message-----
> > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > > Sent: Tuesday, January 10, 2006 2:26 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Nortel VPN Client
> > > 
> > > I tried this afternoon to get a computer working on our network that
> > > needs to use the Nortel VPN Client.  No success...
> > > 
> > > Looks like I'll need to define the protocols in ISA for that client.
> > > I've tried searching Nortel.com, isaserver.org, and Microsoft's 
> > > website for a port/protocol listing, but I can't even find the
> > > version of the client they're using!  Does anyone know what ports the
> > > VPN client uses?
> > > 
> > > Client: Nortel Contivity VPN Client v06_01.014
> > > OS: Windows XP SP2
> > > ISA: 2004SE
> > > 
> > > 
> > > 
> > > 
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List as:
> > > tshinder@xxxxxxxxxxxxxxxxxx
> > > To unsubscribe visit
> > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > 
> > > 
> > 
> 

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
dball@xxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
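
Added example (not part of the original thread, and not ISA Server's own tooling): one way to do the log review discussed above, pulling one client's traffic to the VPN gateway out of the jumbled browsing entries and checking the UDP 500 / UDP 4500 questions Tom raises. The log layout, the IP addresses and the function names are constructed for illustration; a real ISA log export would need its own field mapping.

```python
import csv
import io
from collections import Counter

# Constructed sample log (not ISA Server's real schema):
# time, client IP, destination IP, protocol, destination port, action
SAMPLE_LOG = """\
14:01:02,192.0.2.25,203.0.113.80,TCP,80,Allowed
14:01:05,192.0.2.25,198.51.100.10,TCP,443,Allowed
14:01:06,192.0.2.25,198.51.100.10,UDP,500,Allowed
14:01:07,192.0.2.25,198.51.100.10,UDP,500,Allowed
14:01:09,192.0.2.25,198.51.100.10,UDP,4500,Denied
14:01:11,192.0.2.25,198.51.100.10,UDP,161,Denied
14:01:30,192.0.2.25,203.0.113.80,TCP,80,Allowed
14:01:31,192.0.2.77,198.51.100.10,TCP,443,Allowed
"""
FIELDS = ["time", "client", "dest", "proto", "dport", "action"]


def flows_to_gateway(log_text, client, gateway):
    """Count (protocol, port, action) for one client talking to one gateway."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        if row["client"] == client and row["dest"] == gateway:
            counts[(row["proto"], int(row["dport"]), row["action"])] += 1
    return counts


def observed_ports(counts):
    """Protocol/port pairs the client really tried, allowed or denied."""
    return sorted({(proto, port) for proto, port, _ in counts})


def diagnose(counts):
    """Relate the observed flows to the IKE / NAT-T points in the thread."""
    seen = {(proto, port) for proto, port, _ in counts}
    denied = {(p, port) for p, port, action in counts if action == "Denied"}
    notes = []
    if ("UDP", 500) in seen:
        notes.append("IKE on UDP 500 seen: IPSec-based client")
    if ("UDP", 4500) not in seen:
        notes.append("no UDP 4500 attempt: client may not be using NAT-T")
    elif ("UDP", 4500) in denied:
        notes.append("UDP 4500 (NAT-T) denied outbound")
    notes += [f"denied {p}/{port}" for p, port in sorted(denied - {("UDP", 4500)})]
    return notes


if __name__ == "__main__":
    flows = flows_to_gateway(SAMPLE_LOG, "192.0.2.25", "198.51.100.10")
    print(observed_ports(flows), diagnose(flows), sep="\n")
```

The list from observed_ports is evidence for a narrow outbound rule scoped to the gateway address, as opposed to "open all ports to their IP".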

