RE: [fw-wiz] IPSEC behind 5XT
From: Ben Nagy (ben_at_iagu.net)
To: "'Clark, Steve'" <Steve@clarksupport.com>, <firstname.lastname@example.org>
Date: Fri, 29 Aug 2003 10:29:23 +0200
Question one is 'are you using NAT?'. That can complicate things.
Overall, I would make sure you aren't using NAT, and then make sure that
your Netscreen is properly passing the traffic on the 'other' IP Protocols.
You need GRE (47) for PPTP and ESP and AH (50 and 51) for IPSec.
You can check this using traceroute with hping, and the --ipproto option.
If the basic connectivity tests work out then it could be some weird
in-protocol VPN chicanery, but it doesn't smell like it.
I'd like to be more help, but there's really not enough info at this stage.
> -----Original Message-----
> From: email@example.com [mailto:firstname.lastname@example.org] On Behalf Of Clark, Steve
> Sent: Friday, August 29, 2003 12:09 AM
> To: email@example.com
> Good afternoon,
> I am trying to figure out how to configure a 5XT to allow other companies'
> remote VPN products to pass thru a 5XT. Two situations:
> 1. SSH Sentinel connecting to a Linksys VPN - remove the NS from in between
> and the VPN works fine. Put SSH Sentinel behind the NS 5XT in route mode and
> the VPN will not build. The logs from SSH indicate: Retransmitting packet,
> retries = 5. First I thought it was the Linksys VPN, but...
> 2. PPTP VPN on an XP laptop - outside the NS, works fine, behind the NS, same
> issue - will not build a tunnel to a different company's VPN router.
> Have called NS support and they look at debug and say all is well - however,
> still can't connect and I don't think 2 companies' devices are failing ONLY
> on me.
> NS 5XT in route mode on OS 4.0.0r8
> Any ideas of where to look or what direction to go?
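The connectivity check Ben describes (a traceroute that carries IP protocol 47, 50 or 51 rather than UDP or ICMP, so that a firewall forwarding only TCP/UDP shows up as a silent hop) can be reproduced without hping. The following Python sketch is an added example for this archive page, not code from either poster or from Juniper/Netscreen: it builds raw IPv4 probes with the GRE, ESP or AH protocol number and walks TTLs the way `hping --traceroute --ipproto` does. The protocol payloads, SPI, hop addresses and the `192.0.2.x`/`10.0.0.x` addresses are constructed placeholders; sending requires raw sockets, so the send loop is confined to `ipproto_traceroute()` and `main()`, while the header builders and the ICMP reply parser are pure functions.

```python
"""Added example: protocol-aware traceroute for verifying that GRE (47),
ESP (50) and AH (51) are forwarded by an intermediate firewall.
Packet construction and reply parsing are pure; sending needs root."""
import socket
import struct
import sys

PROTO_ICMP, PROTO_GRE, PROTO_ESP, PROTO_AH = 1, 47, 50, 51
ICMP_TIME_EXCEEDED = 11  # intermediate hop answered

def ip_checksum(data: bytes) -> int:
    """RFC 791 one's-complement sum over 16-bit words (zero-padded if odd)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src: str, dst: str, proto: int, ttl: int,
                      payload_len: int, ident: int = 0x1234) -> bytes:
    """20-byte IPv4 header (no options) with the checksum filled in."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, ident,
                      0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def build_probe_payload(proto: int, seq: int) -> bytes:
    """Constructed minimal payloads. Stateless filters decide on the IP
    protocol number, so the body only needs to be well-formed."""
    if proto == PROTO_GRE:
        # RFC 2784 GRE: flags/version 0, protocol type 0x0800 (IPv4)
        return struct.pack("!HH", 0x0000, 0x0800)
    if proto == PROTO_ESP:
        # RFC 4303 ESP: SPI, sequence number, opaque encrypted data
        return struct.pack("!II", 0xDEADBEEF, seq) + bytes(8)
    if proto == PROTO_AH:
        # RFC 4302 AH: next header (59 = none), payload length in 32-bit
        # words minus 2, reserved, SPI, sequence, 12-byte ICV (zero here)
        return struct.pack("!BBHII", 59, 4, 0, 0xDEADBEEF, seq) + bytes(12)
    raise ValueError("unsupported protocol %d" % proto)

def build_probe(src: str, dst: str, proto: int, ttl: int, seq: int) -> bytes:
    payload = build_probe_payload(proto, seq)
    return build_ipv4_header(src, dst, proto, ttl, len(payload), ident=seq) + payload

def parse_icmp_reply(datagram: bytes):
    """(sender_ip, icmp_type, icmp_code) from a raw ICMP datagram that still
    carries its IPv4 header, or None if it is not a usable ICMP message."""
    if len(datagram) < 20:
        return None
    ihl = (datagram[0] & 0x0F) * 4
    if datagram[9] != PROTO_ICMP or len(datagram) < ihl + 4:
        return None
    return socket.inet_ntoa(datagram[12:16]), datagram[ihl], datagram[ihl + 1]

def ipproto_traceroute(src: str, dst: str, proto: int,
                       max_hops: int = 15, timeout: float = 2.0):
    """One probe per TTL; returns [(ttl, reply_or_None), ...]. A hop that
    answers UDP/ICMP traceroutes but stays silent here is dropping the
    protocol. Requires raw sockets. (A production tool would also match
    the quoted inner header against the probe it sent.)"""
    send = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    recv = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    recv.settimeout(timeout)
    hops = []
    for ttl in range(1, max_hops + 1):
        send.sendto(build_probe(src, dst, proto, ttl, ttl), (dst, 0))
        try:
            reply = parse_icmp_reply(recv.recvfrom(1024)[0])
        except socket.timeout:
            reply = None
        hops.append((ttl, reply))
        # Anything other than Time Exceeded (e.g. type 3 code 2, protocol
        # unreachable) came from the destination itself: stop.
        if reply and reply[1] != ICMP_TIME_EXCEEDED:
            break
    return hops

def main(argv):
    if len(argv) != 4:
        print("usage: ipproto_tr.py SRC_IP DST_IP 47|50|51")
        return 2
    for ttl, reply in ipproto_traceroute(argv[1], argv[2], int(argv[3])):
        print(ttl, reply[0] if reply else "* (no answer)")
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once per protocol from the inside host (`sudo python3 ipproto_tr.py 10.0.0.5 192.0.2.10 50`, addresses being placeholders) and compare against a plain UDP traceroute: if the inside firewall's hop is the first to go silent only for 47/50/51, the policy is filtering those protocols, which is exactly the condition Ben suggests ruling out before suspecting the VPN software itself.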
firewall-wizards mailing list