Bookmarks

Yahoo Gmail Google Facebook Delicious Twitter Reddit Stumpleupon Myspace Digg

Search queries

docmd.close 2585, WWWXXXAPC, WWWXXXDOCO, nu vot, dhcpd lease file "binding state", WWWXXXDOCO, how to setup procmail to process html2text, how to setup procmail html2text, WWWXXXAPC., XXXCNZZZ

Links

XODOX
Impressum

#1: VPN Client behind firewall

Posted on 2005-05-09 07:56:53 by vinod

Hi,


I am trying to connect to the cisco VPN server from my network which
has linux firewall and windows 2000 systems. I have installed the Cisco
VPN Client on one of the windows 2000 pro system and trying to connect
and I am not able to connect with the error "Secure VPN Connection
terminated localy by the client Reason 412: The remote peer is no
longer responding"


When i went through some document in the net they say that


UDP port 500
UDP port 10000 (or any other port number being used for IPSec/UDP)
IP protocol 50 (ESP)
TCP port configured for IPSec/TCP
NAT-T port 4500


Should be open


I am not soo good at IPtables. Can any one tell me how to open this
ports in the iptables so that i can dial my vpn client


Plzz some one help me on this issue


Regards


Vinod

Report this message

#2: Re: VPN Client behind firewall

Posted on 2005-05-09 18:12:59 by roberson

In article <1115618213.404115.144680@z14g2000cwz.googlegroups.com>,
Vinod <vinwin@gmail.com> wrote:
:I am trying to connect to the cisco VPN server from my network which
:has linux firewall and windows 2000 systems.

:When i went through some document in the net they say that

:UDP port 500

Yes, always needed.

:UDP port 10000 (or any other port number being used for IPSec/UDP)

That's obsolete, ignore that one.

:IP protocol 50 (ESP)

That is used if NAT-T is not in effect, or if it is and the systems
discover that NAT-T is not needed. Or to phrase it another way,
traditionally you -always- needed IP protocol 50, but if you have NAT-T
turned on and it figures you need NAT-T then it will use a UDP port
instead.

:TCP port configured for IPSec/TCP

IPSec does not need any TCP ports in any Cisco implementation that I
know of.

:NAT-T port 4500

NAT-T negotiations are on UDP port 4500. If NAT-T is turned on,
the sequence is UDP 500, then UDP 4500, and then either ESP -or- a
negotiated UDP port.

When NAT-T is on and is negotiated, the dynamic UDP port used is
a -source- port, with the destination port always being UDP 4500
[and in this case ESP is not used.] This applies both ways:
one end will send to UDP 4500 of the other, and the other will
send to UDP 4500 of the first.


Sorry, I can't help with the iptables part.
--
Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec

Report this message

#3: Re: VPN Client behind firewall

Posted on 2005-05-10 23:33:21 by Wolfgang Kueter

Walter Roberson wrote:

> In article <1115618213.404115.144680@z14g2000cwz.googlegroups.com>,
> Vinod <vinwin@gmail.com> wrote:
> :I am trying to connect to the cisco VPN server from my network which
> :has linux firewall and windows 2000 systems.

> [good explanation deleted]
>
> Sorry, I can't help with the iptables part.

Watching the logfile and reading the iptables docmentation should help.

;-)

Apart from that I'd recommend for that scenario to forget using the
Cisco VPN client behind the Linux NAT box but to build a site to site VPN
between the Cisco and the Linux box instead unsing OpenSwan on the Linux
side.

Wolfgang

Report this message