
Nortel VPN Behind FW1

Status
Not open for further replies.

mvnssa

Technical User
Jan 23, 2003
4
AU
I'm trying to move a Nortel Contivity switch behind our firewall & NAT the connection through.

Service = IPSEC ( AH, ESP, IKE, ISAKMP, SKIP)

Authentication works, but it fails when the Contivity tries to send configuration information, such as an IP address, to the client, so then the Contivity times out and logs me out.

Contivity client Error message = Failed to get DNS & WINS configuration information through the Contivity VPN connection, Connection closed.

The only information I can find on the error is to use static nat, which I am.

The FW1 log does not show any drops.

FW Monitor shows the Contivity switch sending to the client on IP 50 & UDP 500, which is allowed.

Any ideas..... Thank you


 
If you were to open the rule up to any, would you receive drops? We have it working; we have a specific rule which is PC(nortel VPN) => (VPN network) => IPSEC = allow. From what I see above you have the same type of rule. I would suggest confirming the IPs for the VPN server and opening the rule up to any, to see if it works. Play with different filters to see if there is another port that is needed.

hope this helps
 
rn4it - Thanks for the reply. I have tried 'Any' with no drops listed in the log, same as the current IPSEC rule. I have also accounted for the ICMP from the client to VPN switch.

Server IP address is correct as Authentication works.

Is it possible for you to list on this Web site the rule from your Objects.c showing the config allowing your VPN to work (changing IP addresses for security) so that I can compare against my config?

Thank You
 
mvnssa, I pretty much did, but I will make up a similar rule.
Source Dest serv action
PC1 vpnsvr ipsec encrypt

PC1= vpnclient
vpnsvr=vpnsvr

also there is a single static NAT rule for the PC1 => vpnsvr.

That's it. Did it work when you allowed any through?
 
rn4it - A few more questions if you don't mind?

1: Do your clients use the Nortel IPSEC client (ours do)?
2: If yes, what options have you selected under Actions = Encrypt... I tried all possible options & none worked!

** Using 'Any' did not work.

Thanks...
 
mvnssa
Yes, we use the Nortel client. Someone is in the FW so I'll have to check on question #2 a little later. Do a filter on IPSEC and, if you have many VPN tunnels, then filter on the destination site; see if keys are being exchanged, and what Phase is being established, 1 or 2 or both. What msgs do you get when a Phase is failing, if it's failing? This will help answer what you need added in the accept field, or whether the tunnel is fine but the problem is on one of the devices.
This way you don't need to wait for me.
ttyl
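The filtering rn4it describes above (isolate the IPsec traffic for one client/server pair and see which pieces of the exchange are present in each direction) can be scripted once the packets have been pulled out of a monitor capture. The following is an added example, not code from the thread or from Nortel or Check Point; the addresses, the packet records and the helper names (Packet, classify, summarise, diagnose) are all constructed for illustration. The server is identified by both its real address and its static-NAT address, so packets captured on either side of the firewall are counted for the same server.

```python
"""Summarise IPsec traffic between one VPN client and one VPN server and
flag components that only flow one way.  Added example; all addresses and
packet records below are constructed, not taken from a real capture."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

UDP = 17           # IP protocol number for UDP
IKE_PORT = 500     # ISAKMP / IKE key exchange runs over UDP 500
ESP_PROTO = 50     # IP protocol number for ESP (no transport ports)
AH_PROTO = 51      # IP protocol number for AH (no transport ports)


@dataclass(frozen=True)
class Packet:
    """One packet as it might be extracted from a firewall monitor trace."""
    src: str
    dst: str
    proto: int       # IP protocol number
    dport: int = 0   # destination port, 0 when the protocol has none


def classify(pkt: Packet) -> str:
    """Name the IPsec component a packet belongs to ('other' if none)."""
    if pkt.proto == UDP and pkt.dport == IKE_PORT:
        return "IKE"
    if pkt.proto == ESP_PROTO:
        return "ESP"
    if pkt.proto == AH_PROTO:
        return "AH"
    return "other"


def direction(pkt: Packet, server_addrs: Set[str]) -> Optional[str]:
    """'to_server', 'from_server', or None when the packet is unrelated.
    server_addrs holds the server's real address and its static-NAT
    address, so a capture taken on either side of the firewall matches."""
    if pkt.dst in server_addrs and pkt.src not in server_addrs:
        return "to_server"
    if pkt.src in server_addrs and pkt.dst not in server_addrs:
        return "from_server"
    return None


def summarise(packets: Iterable[Packet], server_addrs: Set[str]) -> Dict[Tuple[str, str], int]:
    """Count IPsec packets per (component, direction)."""
    counts: Counter = Counter()
    for pkt in packets:
        kind = classify(pkt)
        d = direction(pkt, server_addrs)
        if kind != "other" and d is not None:
            counts[(kind, d)] += 1
    return counts


def diagnose(counts: Dict[Tuple[str, str], int]) -> List[str]:
    """Turn the per-direction counts into findings a firewall admin can act on."""
    findings = []
    for kind in ("IKE", "ESP", "AH"):
        to_s = counts.get((kind, "to_server"), 0)
        from_s = counts.get((kind, "from_server"), 0)
        if to_s and from_s:
            findings.append(f"{kind}: two-way")
        elif to_s or from_s:
            seen = "to_server" if to_s else "from_server"
            findings.append(f"{kind}: one-way ({seen} only)")
    ike_ok = counts.get(("IKE", "to_server"), 0) and counts.get(("IKE", "from_server"), 0)
    esp_ok = counts.get(("ESP", "to_server"), 0) and counts.get(("ESP", "from_server"), 0)
    if ike_ok and not esp_ok:
        # Key exchange is visible both ways but the data channel is not:
        # the usual culprit is protocol 50 not being permitted or translated
        # by the static NAT in one direction.
        findings.append("IKE completes but ESP is not flowing both ways: "
                        "check that protocol 50 is allowed and statically NATed in both directions")
    return findings


# Constructed sample: client 192.0.2.10, server real address 10.0.0.5,
# server static-NAT address 198.51.100.5.  IKE is seen both ways, but ESP
# only leaves the server, which mirrors the symptom discussed in the thread.
SAMPLE = [
    Packet("192.0.2.10", "198.51.100.5", UDP, IKE_PORT),   # client -> server (IKE, outside)
    Packet("10.0.0.5", "192.0.2.10", UDP, IKE_PORT),       # server -> client (IKE, inside)
    Packet("10.0.0.5", "192.0.2.10", ESP_PROTO),           # server -> client (ESP)
    Packet("10.0.0.5", "192.0.2.10", ESP_PROTO),
    Packet("192.0.2.10", "8.8.8.8", UDP, 53),              # unrelated traffic, ignored
]
SERVER_ADDRS = {"198.51.100.5", "10.0.0.5"}

if __name__ == "__main__":
    for line in diagnose(summarise(SAMPLE, SERVER_ADDRS)):
        print(line)
```

Feeding the script a capture from the outside interface and one from the inside interface, and comparing the two summaries, shows directly whether a component (typically ESP, which has no ports for the NAT to key on) is being dropped or left untranslated by the firewall rather than by either endpoint.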
 