Contivity VPN client to BCM200 from inside another firewall?

[eagano]

I've got the Contivity VPN client working with no problems from a home DSL line. When I try to use it from behind a customer's firewall (which I'm pretty sure is a Contivity), I can't get a connection. I've got this much figured out:

- The IKE exchange starts on port 500 from my VPN client
- The firewall I'm behind NATs the request to port 54919 (for example) and this is what the BCM sees
- The BCM was listening for UDP on port 500 only, so it was being blocked
- I updated the rule filters and opened up all ports for inbound UDP on the existing rule instead of only port 500, but the response from the BCM goes back out to the source IP address on port 500, even though it came in on 54919

The manual says: "Business Communications Manager does not support NAT on the Local Endpoint of an IPSec
Tunnel."

Does this mean I can't VPN in from behind another NATted firewall? Can I create some inboud NAT rules to get around this? What would they look like?

I'm running the BCM with my DSL line on LAN1, with outbound NAT enabled. The six default rules for inbound VPN were created by the BCM on first user account creation. This setup works fine, just not when my VPN connection request comes in on a port other than 500.

Thanks!
eagano

 

[3Sixty]

How are you connecting the BCM to the DSL line?

I have set this up but I have been using the BCM as the adsl router with an adsl bridge and the PPPOE keycode for the BCM.

I think you have answered you own question.

Marshall

http://www.marshallshouse.co.uk