RE: [fw-wiz] IPSEC behind 5XT

From: Ben Nagy (
Date: 08/29/03

    To: "'Clark, Steve'" <>, <>
    Date: Fri, 29 Aug 2003 10:29:23 +0200

    Question one is 'are you using NAT?'. That can complicate things.

    Overall, I would make sure you aren't using NAT, and then make sure that
    your Netscreen is properly passing the traffic on the 'other' IP Protocols.
    You need GRE (47) for PPTP and ESP and AH (50 and 51) for IPSec.

    You can check this using traceroute with hping, and the --ipproto option.

    If the basic connectivity tests work out then it could be some weird
    in-protocol VPN chicanery, but it doesn't smell like it.

    I'd like to be more help, but there's really not enough info at this stage.



    > -----Original Message-----
    > From:
    > [] On Behalf
    > Of Clark, Steve
    > Sent: Friday, August 29, 2003 12:09 AM
    > To:
    > Good afternoon,
    > I am trying to figure out how to configure a 5XT to allow other
    > companies' remote VPN products to pass thru a 5XT. Two situations:
    > 1. SSH Sentinel connecting to a Linksys VPN - remove the NS from in
    > between and the VPN works fine. Put SSH Sentinel behind the NS 5XT in
    > route mode and the VPN will not build. The logs from SSH indicate:
    > Retransmitting packet, retries = 5. First I thought it was the Linksys
    > VPN, but...
    > 2. PPTP VPN on an XP laptop - outside the NS, works fine, behind the NS,
    > same issue - will not build a tunnel to a different company's VPN router.
    > Have called NS support and they look at debug and say all is well -
    > however, still can't connect and I don't think 2 companies' devices are
    > failing ONLY on me.
    > NS 5XT in route mode on OS 4.0.0r8
    > Any ideas of where to look or what direction to go?
    > TIA
    > Steve

    firewall-wizards mailing list
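
The per-protocol traceroute suggested in the reply (GRE 47, ESP 50, AH 51) can also be run without hping. The following Python script is an added example, not part of the original message or of hping; the function names are its own, and it assumes Linux with root privileges for raw sockets.

```python
import socket, sys, time

# IP protocol numbers named in the reply: GRE for PPTP, ESP and AH for IPsec.
PROTOCOLS = {"GRE": 47, "ESP": 50, "AH": 51}

def quoted_protocol(icmp):
    """Protocol number of the probe quoted in an ICMP error, else None."""
    # Type 11 = time exceeded, type 3 = destination unreachable.
    if len(icmp) < 28 or icmp[0] not in (3, 11):
        return None
    inner = icmp[8:]              # quoted IPv4 header follows the 8-byte ICMP header
    return inner[9] if inner[0] >> 4 == 4 else None

def last_responder(hops):
    """(ttl, ip) of the furthest hop that answered, or None if none did."""
    answered = [h for h in hops if h[1] is not None]
    return answered[-1] if answered else None

def trace(target, proto, max_ttl=12, wait=2.0):
    """Send empty datagrams of IP protocol `proto` with rising TTL.
    Returns [(ttl, responder_ip_or_None)]. Needs root on Linux (raw sockets)."""
    tx = socket.socket(socket.AF_INET, socket.SOCK_RAW, proto)
    rx = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    hops = []
    try:
        for ttl in range(1, max_ttl + 1):
            tx.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
            tx.sendto(b"\x00" * 8, (target, 0))
            deadline, responder = time.monotonic() + wait, None
            while responder is None and time.monotonic() < deadline:
                rx.settimeout(max(deadline - time.monotonic(), 0.01))
                try:
                    pkt, addr = rx.recvfrom(2048)
                except socket.timeout:
                    break
                ihl = (pkt[0] & 0x0F) * 4   # raw ICMP sockets return the outer IP header too
                if quoted_protocol(pkt[ihl:]) == proto:
                    responder = addr[0]
            hops.append((ttl, responder))
    finally:
        tx.close()
        rx.close()
    return hops

if __name__ == "__main__" and len(sys.argv) == 2:
    for name, number in PROTOCOLS.items():
        print(name, number, "last hop that answered:",
              last_responder(trace(sys.argv[1], number)))
```

The far end may never answer these probes itself, so compare the last answering hop for each protocol with the firewall in the path against the same run with it removed.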
