I've got the Contivity VPN client working with no problems from a home DSL line. When I try to use it from behind a customer's firewall (which I'm pretty sure is a Contivity), I can't get a connection. I've got this much figured out:
- The IKE exchange starts on port 500 from my VPN client
- The firewall I'm behind NATs the request to port 54919 (for example) and this is what the BCM sees
- The BCM was listening for UDP on port 500 only, so it was being blocked
- I updated the rule filters and opened up all ports for inbound UDP on the existing rule instead of only port 500, but the response from the BCM goes back out to the source IP address on port 500, even though it came in on 54919
The manual says: "Business Communications Manager does not support NAT on the Local Endpoint of an IPSec Tunnel."
Does this mean I can't VPN in from behind another NATted firewall? Can I create some inbound NAT rules to get around this? What would they look like?
I'm running the BCM with my DSL line on LAN1, with outbound NAT enabled. The six default rules for inbound VPN were created by the BCM on first user account creation. This setup works fine, just not when my VPN connection request comes in on a port other than 500.
Thanks!
eagano
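The behaviour described in the post (the BCM answering to the source IP on UDP/500 rather than to the translated source port it actually saw) is the classic reason plain IKE fails behind a port-translating NAT: the NAT only has a mapping for the port it allocated, so a reply to port 500 has no state to match and is dropped. The simulation below is an added example, not code from the poster or from Nortel; it models a PAT firewall with a per-flow mapping table and compares a responder that always replies to port 500 with one that replies to the observed source tuple. All addresses (192.168.1.20, 203.0.113.10, 198.51.100.5) and the translated port 54919 are constructed values. The standard fix for this problem in IPsec is NAT traversal (RFC 3947/3948), where both peers detect the NAT during IKE and move the exchange to UDP/4500, replying to the observed port; whether a given BCM release offers that is not something this post establishes.

```python
"""Constructed simulation: IKE request through a port-translating NAT,
comparing a responder that replies to UDP/500 with one that replies to
the observed (ip, port) tuple. Not the BCM's or Contivity's real code."""

from dataclasses import dataclass, field

IKE_PORT = 500


@dataclass(frozen=True)
class Packet:
    src: tuple   # (ip, port)
    dst: tuple   # (ip, port)
    payload: str


@dataclass
class NatFirewall:
    """Port-address-translating firewall (hypothetical model of the
    customer's edge device). Each outbound UDP flow gets a public port;
    inbound packets are delivered only if they hit an existing mapping."""
    public_ip: str
    next_port: int = 54919                     # constructed, matches the post's example
    table: dict = field(default_factory=dict)  # public_port -> (inside_src, remote_dst)

    def outbound(self, pkt: Packet) -> Packet:
        public_port = self.next_port
        self.next_port += 1
        self.table[public_port] = (pkt.src, pkt.dst)
        # Source is rewritten to the NAT's public IP and allocated port.
        return Packet((self.public_ip, public_port), pkt.dst, pkt.payload)

    def inbound(self, pkt: Packet):
        """Return the untranslated packet for the inside host, or None if the
        reply matches no mapping (the NAT drops it, which is what the post sees)."""
        if pkt.dst[0] != self.public_ip:
            return None
        entry = self.table.get(pkt.dst[1])
        if entry is None:
            return None                        # no state for this port: dropped
        inside_src, remote_dst = entry
        if pkt.src != remote_dst:
            return None                        # reply from an unexpected peer/port
        return Packet(pkt.src, inside_src, pkt.payload)


def responder_reply_to_500(pkt: Packet, responder_ip: str) -> Packet:
    """Behaviour the post describes: answer to the source IP on port 500,
    ignoring the port the request actually arrived from."""
    return Packet((responder_ip, IKE_PORT), (pkt.src[0], IKE_PORT), "IKE response")


def responder_reply_to_observed(pkt: Packet, responder_ip: str) -> Packet:
    """NAT-friendly behaviour: answer to the exact observed source tuple."""
    return Packet((responder_ip, IKE_PORT), pkt.src, "IKE response")


def run_exchange(responder) -> dict:
    """Send one IKE request from an inside client through the NAT to the
    responder and report where the reply went and whether it got back."""
    nat = NatFirewall(public_ip="203.0.113.10")
    client = ("192.168.1.20", IKE_PORT)        # VPN client behind the customer firewall
    bcm = ("198.51.100.5", IKE_PORT)           # the VPN gateway's public address
    request = Packet(client, bcm, "IKE request")
    on_wire = nat.outbound(request)            # what the gateway actually sees
    reply = responder(on_wire, bcm[0])
    delivered = nat.inbound(reply)
    return {
        "seen_by_gateway": on_wire.src,
        "reply_sent_to": reply.dst,
        "delivered": delivered is not None,
    }


if __name__ == "__main__":
    for name, fn in (("reply to port 500", responder_reply_to_500),
                     ("reply to observed port", responder_reply_to_observed)):
        print(name, run_exchange(fn))
```

Opening every inbound UDP port on the gateway's filter, as the post tried, cannot help here: the request already reaches the gateway, and it is the reply leg that the NAT discards. Only a responder that answers to the observed port (or a NAT-traversal mode that moves the exchange to UDP/4500) gets the response back through the customer's firewall.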