VPN Client behind firewall, 09.05.2005 07:56:53, by vinod
I am trying to connect to the Cisco VPN server from my network, which
has a Linux firewall and Windows 2000 systems. I have installed the Cisco
VPN Client on one of the Windows 2000 Pro systems and am trying to connect,
and I am not able to connect, with the error "Secure VPN Connection
terminated locally by the client Reason 412: The remote peer is no
When I went through some documents on the net, they say that
UDP port 500
UDP port 10000 (or any other port number being used for IPSec/UDP)
IP protocol 50 (ESP)
TCP port configured for IPSec/TCP
NAT-T port 4500
should be open.
I am not so good at iptables. Can anyone tell me how to open these
ports in iptables so that I can dial my VPN client?
Please, someone help me with this issue.
Re: VPN Client behind firewall, 09.05.2005 18:12:59, by roberson
In article <firstname.lastname@example.org>,
:I am trying to connect to the cisco VPN server from my network which
:has linux firewall and windows 2000 systems.
:When i went through some document in the net they say that
:UDP port 500
Yes, always needed.
:UDP port 10000 (or any other port number being used for IPSec/UDP)
That's obsolete, ignore that one.
:IP protocol 50 (ESP)
That is used if NAT-T is not in effect, or if it is and the systems
discover that NAT-T is not needed. Or to phrase it another way,
traditionally you -always- needed IP protocol 50, but if you have NAT-T
turned on and it figures you need NAT-T then it will use a UDP port
:TCP port configured for IPSec/TCP
IPSec does not need any TCP ports in any Cisco implementation that I
:NAT-T port 4500
NAT-T negotiations are on UDP port 4500. If NAT-T is turned on,
the sequence is UDP 500, then UDP 4500, and then either ESP -or- a
negotiated UDP port.
When NAT-T is on and is negotiated, the dynamic UDP port used is
a -source- port, with the destination port always being UDP 4500
[and in this case ESP is not used.] This applies both ways:
one end will send to UDP 4500 of the other, and the other will
send to UDP 4500 of the first.
Sorry, I can't help with the iptables part.
Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec
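The sequence Roberson describes (UDP 500, then UDP 4500, then either ESP or NAT-T encapsulated traffic whose destination is always UDP 4500) translates into a small iptables ruleset for the Linux NAT box. This is an added example, not code from anyone in the thread; the interface names, LAN range and concentrator address are assumptions, and setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: let one LAN host run the Cisco VPN client through a
# Linux NAT box. Interface names, LAN subnet and peer address are
# assumptions; override them in the environment. IPT=echo previews.
IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"                     # interface towards the Internet (assumed)
LAN="${LAN:-eth1}"                     # interface towards the Windows client (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # constructed LAN range
PEER="${PEER:-203.0.113.10}"           # VPN concentrator, placeholder address

vpn_passthrough_rules() {
    # Stateful baseline: replies to anything allowed out may come back.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Step 1: IKE negotiation on UDP 500, only from the LAN to the peer.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -d "$PEER" \
         -p udp --dport 500 -j ACCEPT

    # Step 2: NAT-T detection and, if negotiated, the encapsulated data.
    # The destination is always 4500; the source port may be dynamic,
    # so only the destination port is matched.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -d "$PEER" \
         -p udp --dport 4500 -j ACCEPT

    # Step 3 when NAT-T is not negotiated: raw ESP (IP protocol 50).
    # ESP has no ports, so conntrack can only track it generically;
    # more than one client behind the same NAT address will collide.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -d "$PEER" \
         -p esp -j ACCEPT

    # Hide the LAN behind the box's public address.
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# Apply only when explicitly asked: "sh vpn-rules.sh apply" as root,
# or "IPT=echo sh vpn-rules.sh apply" to preview the rules.
if [ "${1:-}" = "apply" ]; then
    vpn_passthrough_rules
fi
```

The rules assume a FORWARD chain whose default policy is DROP; with the distribution default of ACCEPT they add nothing, and the NAT-T path (UDP 4500) is the one to prefer over raw ESP for the reason given in the comment.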
Re: VPN Client behind firewall, 10.05.2005 23:33:21, by Wolfgang Kueter
Walter Roberson wrote:
> In article <email@example.com>,
> Vinod wrote:
> :I am trying to connect to the cisco VPN server from my network which
> :has linux firewall and windows 2000 systems.
> [good explanation deleted]
> Sorry, I can't help with the iptables part.
Watching the logfile and reading the iptables documentation should help.
Apart from that, I'd recommend for that scenario to forget about using the
Cisco VPN client behind the Linux NAT box and to build a site-to-site VPN
between the Cisco and the Linux box instead, using OpenSwan on the Linux