Contivity VPN woes
Thomas Charron
tcharron at ductape.net
Sat Nov 16 11:33:58 EST 2002
Quoting Michael O'Donnell <mod+gnhlug at std.com>:
> >Please inform your husband that his firewall
> >needs to allow outbound UDP port 50 and IP
> >protocol 500. If he is doing NAT, then there
> >needs to be a way to let an IPsec tunnel
> >through without manipulating the packet.
> Is my firewall scrogging us? I clearly need
> to learn more about IPsec and VPN stuff...
Yeppers, it sure is. It sounds like they have a fairly strict VPN policy,
and, more than likely, are detecting the fact that the firewall is manipulating
packets. Good news is, there is *PROBABLY* a way around it.
Make sure you have the ip_masq_ipsec and ip_masq_pptp loaded on the firewall.
This will sound a bit strange, but the reason they are required is because
inbound data from a VPN connection, be it PPTP, IPSec, etc, *DOES NOT USE
TCP*. It uses IP, but it uses a different protocol than TCP. In this
case, 'protocol 500', which is basically just a numeric protocol ID within the
IP header. Because of this, straight old port forwarding will not work.
--
Thomas Charron
-={ Is beadarrach an ni an onair }=-
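The point in the reply above is that a port-forwarding NAT keys on TCP/UDP port numbers, and an IPsec tunnel's encrypted traffic has none. The following is an added illustration, not code from the thread or from the Linux masquerading modules it mentions: it builds a few constructed IPv4 packets (an IKE negotiation datagram on UDP/500, an ESP packet, and an ordinary TCP segment) and shows what a port-based NAT can and cannot see in each. The protocol numbers used are the IANA assignments (ESP is IP protocol 50, AH is 51, IKE runs over UDP port 500); the addresses and the ESP SPI are made up.

```python
"""Added example: what a port-based NAT sees in IKE, ESP and TCP packets.

A port-forwarding / masquerading NAT rewrites the source or destination
port in a TCP or UDP header.  ESP (IP protocol 50) and AH (51) carry no
transport header at all, so there is no port to rewrite and the tunnel
has to be handled at the IP-protocol level instead.  All packets here are
constructed test data.
"""
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_ESP = 50   # IANA: Encapsulating Security Payload
IPPROTO_AH = 51    # IANA: Authentication Header
IKE_PORT = 500     # IKE / ISAKMP runs over UDP/500

PROTO_NAMES = {IPPROTO_TCP: "TCP", IPPROTO_UDP: "UDP",
               IPPROTO_ESP: "ESP", IPPROTO_AH: "AH"}

IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def _ip(addr):
    """Dotted-quad string -> 4 packed bytes."""
    return bytes(int(o) for o in addr.split("."))


def build_ipv4(proto, payload, src="192.0.2.10", dst="198.51.100.5"):
    """Minimal IPv4 header (no options, checksum left as zero) plus payload.
    Constructed for the demo; a real stack would fill in the checksum."""
    ver_ihl = (4 << 4) | 5
    header = struct.pack(IPV4_HDR, ver_ihl, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, _ip(src), _ip(dst))
    return header + payload


def classify(packet):
    """Describe the packet the way a port-based NAT would have to.

    Returns a dict with the IP protocol, whether TCP/UDP ports are present,
    and therefore whether classic port forwarding can act on the packet.
    For ESP the only NAT-visible identifier is the SPI, which is reported
    but is not a port.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    fields = struct.unpack(IPV4_HDR, packet[:20])
    ver_ihl, proto = fields[0], fields[6]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    payload = packet[(ver_ihl & 0x0F) * 4:]
    info = {"proto": proto, "name": PROTO_NAMES.get(proto, str(proto)),
            "has_ports": False, "src_port": None, "dst_port": None,
            "port_forwardable": False}
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
        info.update(has_ports=True, src_port=sport, dst_port=dport,
                    port_forwardable=True)
    elif proto == IPPROTO_ESP and len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        info.update(spi=spi, seq=seq)   # identifiers, but not ports
    return info


# Constructed sample traffic from a client behind the NAT to a VPN gateway.
SAMPLE_PACKETS = {
    # IKE: UDP header (sport, dport, length, checksum) + 8 placeholder bytes
    "ike": build_ipv4(IPPROTO_UDP,
                      struct.pack("!HHHH", IKE_PORT, IKE_PORT, 16, 0) + b"\0" * 8),
    # ESP: SPI + sequence number + 16 bytes standing in for ciphertext
    "esp": build_ipv4(IPPROTO_ESP, struct.pack("!II", 0x1000, 1) + b"\0" * 16),
    # Plain TCP SYN to port 443, for comparison
    "tcp": build_ipv4(IPPROTO_TCP,
                      struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 5 << 4, 0x02,
                                  65535, 0, 0)),
}


def nat_report(packets=SAMPLE_PACKETS):
    """Map each sample name to whether port forwarding could handle it."""
    return {name: classify(pkt)["port_forwardable"] for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(name, classify(pkt))
```

Running it shows the IKE datagram and the TCP segment carrying ports while the ESP packet exposes only an SPI, which is why the reply says plain port forwarding cannot carry the tunnel and protocol-aware masquerading helpers are needed. A later development worth knowing for anyone debugging this today: IKE peers that detect a NAT in the path can negotiate NAT traversal and wrap ESP in UDP on port 4500, which turns the problem back into ordinary UDP forwarding.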