PROBLEM: Nortel Contivity VPN Client from behind a PIX 501 1

[mcreedjr]

I'm having some trouble getting the Contivity software VPN client to work from a Cisco PIX. The Contivity VPN client is terminating its tunnel on another Contivity VPN server. The PIX and client PC are under my control, however the Contivity VPN server where we're terminating the tunnel is not. The PIX which it passes through is doing PAT. The Contivity client seems like it's connecting, goes through the first few screens, then hangs and says something about it losing the tunnel. I know the software will work from behind PAT because I plugged a cheap D-Link router inplace of the PIX and the tunnel opens just fine. I'm sure its just a config command I'm missing in the PIX.

For further information, please visit

http://www.gottum.com/vpn/

Thanks in advance,
Mike

 

[themut]

Well you need to open UDP port 500 and IP protocol 50 on the PIX. Since you are using PAT you need to either upgrade the PIX to 6.3.X and enable fixup protocol esp-ike or configure a static translation for the VPN client. Another option is to enable NAT-T on the contivity server if it supports NAT-T.

 

[mcreedjr]

As outline in the configuration posted to the web earlier (

http://www.gottum.com/vpn),

I currently run 6.3.x and I have NAT-T enabled. Apparently the Nortel client requires something more.

Other than a static-NAT, have you any other suggestions?

Thanks for your help,
--Mike

 

[themut]

NAT-T should be configured on the contivity server not the PIX. On the PIX you either enable fixup protocol esp-ike or configure a static translation.

 

[vemuru]

I have the same issue. How should I configure htePIX 501

 

[bytehd]

sysopt connection permit-ipsec

http://www.insyncva.com