#2: Re: VPN Client behind firewall
Posted on 2005-05-09 18:12:59 by roberson
In article <1115618213.404115.144680@z14g2000cwz.googlegroups.com>,
Vinod <vinwin@gmail.com> wrote:
:I am trying to connect to the cisco VPN server from my network which
:has linux firewall and windows 2000 systems.
:When i went through some document in the net they say that
:UDP port 500
Yes, always needed.
:UDP port 10000 (or any other port number being used for IPSec/UDP)
That's obsolete, ignore that one.
:IP protocol 50 (ESP)
That is used if NAT-T is not in effect, or if it is and the systems
discover that NAT-T is not needed. Or to phrase it another way,
traditionally you -always- needed IP protocol 50, but if you have NAT-T
turned on and it figures you need NAT-T then it will use a UDP port
instead.
:TCP port configured for IPSec/TCP
IPSec does not need any TCP ports in any Cisco implementation that I
know of.
:NAT-T port 4500
NAT-T negotiations are on UDP port 4500. If NAT-T is turned on,
the sequence is UDP 500, then UDP 4500, and then either ESP -or- a
negotiated UDP port.
When NAT-T is on and is negotiated, the dynamic UDP port used is
a -source- port, with the destination port always being UDP 4500
[and in this case ESP is not used.] This applies both ways:
one end will send to UDP 4500 of the other, and the other will
send to UDP 4500 of the first.
Sorry, I can't help with the iptables part.
--
Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec
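The port list in the reply above translated into iptables rules for the Linux NAT box, as an added example that is not part of the thread (the original poster's question about iptables was left unanswered). Interface names, the LAN range and the concentrator address (`WAN_IF`, `LAN_NET`, `VPN_SERVER`) are assumed placeholders; the script prints the rules for review rather than applying them.

```shell
#!/bin/sh
# Added example, not from the original thread: rules for a Linux NAT gateway so
# that a Cisco VPN client on the LAN can reach the concentrator. Ports follow
# the reply above: UDP 500 (IKE), UDP 4500 (NAT-T), and IP protocol 50 (ESP)
# for the case where NAT-T is not negotiated. All names below are assumptions.

WAN_IF="${WAN_IF:-eth0}"                  # assumed: internet-facing interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # assumed: internal network
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"  # assumed: placeholder concentrator address

# Print the rules instead of applying them; review, then run:  vpn_rules | sh
vpn_rules() {
    # Outbound: only from the LAN, only to the concentrator, only the three
    # traffic types the VPN needs. No TCP port is opened (none is required).
    cat <<EOF
iptables -A FORWARD -o $WAN_IF -s $LAN_NET -d $VPN_SERVER -p udp --dport 500 -j ACCEPT
iptables -A FORWARD -o $WAN_IF -s $LAN_NET -d $VPN_SERVER -p udp --dport 4500 -j ACCEPT
iptables -A FORWARD -o $WAN_IF -s $LAN_NET -d $VPN_SERVER -p esp -j ACCEPT
EOF
    # Return traffic: the NAT-T reply comes back from source port 4500 to the
    # translated client port, which connection tracking pairs with the outbound
    # packet. ESP has no ports, so it gets an explicit inbound rule as well.
    cat <<EOF
iptables -A FORWARD -i $WAN_IF -s $VPN_SERVER -d $LAN_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN_IF -s $VPN_SERVER -d $LAN_NET -p esp -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Number of iptables commands the generator emits (handy for a sanity check).
rule_count() {
    vpn_rules | grep -c '^iptables'
}

vpn_rules
```

Because the outbound rules are pinned to the concentrator's address, a host on the LAN cannot use the opened UDP 500/4500 or ESP allowances to reach any other destination; widen `-d` only if several concentrators are in use.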
#3: Re: VPN Client behind firewall
Posted on 2005-05-10 23:33:21 by Wolfgang Kueter
Walter Roberson wrote:
> In article <1115618213.404115.144680@z14g2000cwz.googlegroups.com>,
> Vinod <vinwin@gmail.com> wrote:
> :I am trying to connect to the cisco VPN server from my network which
> :has linux firewall and windows 2000 systems.
> [good explanation deleted]
>
> Sorry, I can't help with the iptables part.
Watching the logfile and reading the iptables documentation should help.
;-)
Apart from that I'd recommend for that scenario to forget using the
Cisco VPN client behind the Linux NAT box but to build a site to site VPN
between the Cisco and the Linux box instead using OpenSwan on the Linux
side.
Wolfgang