RE: [fw-wiz] IPSEC behind 5XT

From: Ben Nagy (ben_at_iagu.net)
Date: 08/29/03

  • Next message: Ben Nagy: "RE: [fw-wiz] An interesting VPN problem"
    To: "'Clark, Steve'" <Steve@clarksupport.com>, <firewall-wizards@honor.icsalabs.com>
    Date: Fri, 29 Aug 2003 10:29:23 +0200
    
    

    Question one is 'are you using NAT?'. That can complicate things.

    Overall, I would make sure you aren't using NAT, and then make sure that
    your Netscreen is properly passing the traffic on the 'other' IP Protocols.
    You need GRE (47) for PPTP and ESP and AH (50 and 51) for IPSec.

    You can check this using traceroute with hping, and the --ipproto option.

    If the basic connectivity tests work out then it could be some weird
    in-protocol VPN chicanery, but it doesn't smell like it.

    I'd like to be more help, but there's really not enough info at this stage.

    Cheers,

    ben

    > -----Original Message-----
    > From: firewall-wizards-admin@honor.icsalabs.com
    > [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf
    > Of Clark, Steve
    > Sent: Friday, August 29, 2003 12:09 AM
    > To: firewall-wizards@honor.icsalabs.com
    >
    > Good afternoon,
    >
    > I am trying to figure out how to configure a 5XT to allow
    > other companies'
    > remote VPN products to pass thru a 5XT. Two situations:
    >
    > 1. SSH Sentinel connecting to a Linksys VPN - remove the NS
    > from in between
    > and the VPN works fine. Put SSH Sentinel behind the NS 5XT in
    > route mode and
    > the VPN will not build. The logs from SSH indicate:
    > Retransmitting packet,
    > retries = 5. First I thought it was the Linksys VPN, but...
    > 2. PPTP VPN on a XP laptop - outside the NS, works fine,
    > behind the NS, same
    > issue - will not build a tunnel to a different company's VPN router.
    >
    > Have called NS support and they look at debug and say all is
    > well - however,
    > still can't connect and I don't think 2 companies' devices are
    > failing ONLY
    > on me.
    >
    > NS 5XT in route mode on OS 4.0.0r8
    >
    > Any ideas of where to look or what direction to go?
    >
    > TIA
    > Steve

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


