Configure Firewall to allow VPN connection to a remote site

dave_rix
Level 1

Hi All,

I don't do much in the way of configuring VPN servers, so please bear with me if I explain slightly wrongly!

Hopefully a quick question, I am trying to connect a VPN client situated behind a firewall to a remote PIX server using TACACS authentication. I am able to ping the remote IP of the VPN server, but cannot make a connection - errors are 'remote peer no longer responding' for UDP and 'failed to establish TCP connection' for TCP.

Brief topology...

Local PC, fixed IP 192.x.x.1, using VPN Client 4.0.3

Connects through unknown Firewall type to Internet

This firewall has outgoing ping enabled, and temporarily all UDP and TCP ports open for local pc fixed ip above.

VPN Client configured using group access, and I've tried using UDP and TCP, with and without transparent tunnelling.

Does anyone have any suggestions as to why the connection cannot be made even though the target IP can be pinged?

Thanks in advance,

Dave.


4 Replies

tfrench01
Level 1

I am experiencing the same problem. Basically, sitting behind a PIX501 connected to Brighthouse broadband. I know if I remove the PIX, I am able to connect to the remote server. What should be configured in the 501 to allow this fixed IP client to access the remote server?

Thanks

We've cracked it!

I will try to explain what we have done, and what problems we encountered.

Firstly, the main problem was that the local fixed machine was trying to connect to the remote VPN through a Firewall / NAT configuration. This meant that the connection was not reaching the remote VPN server through the same port, and was being rejected.

We had to set the NAT to allow pass-through of the fixed IP, translating it to a single external IP address and keeping the ports the same; this allowed the VPN client to connect to the remote server.

The drawback of this is that you need an external IP address for each VPN connection through the Firewall / NAT. I have been told that to provide greater flexibility, a 'NAT reversal' is required on the remote VPN server end to translate the translated IP/Ports back to the original ones - if that makes sense!

In case anyone is interested, we had to open UDP port 500 and ESP protocol 50 (and possibly 51) to allow the connection to be made, and everything worked.

Hope this helps anyone,

Dave.

Some additional notes about IPSec and NAT/PAT devices:

1. If the vpn client is behind the pix fw, code the fixup protocol ike-esp command to allow the vpn to traverse a nat/pat device if native ike is used. Otherwise define the client connection to use nat-t over tcp or udp. The ietf udp dest port will be 4500 so that will need to be opened in the fw. If tcp is used, it is a configurable port on the gateway, so whatever port is opened needs to be allowed through.

2. If the vpn gateway is behind a nat/pat device, or if it expects clients to be behind a nat/pat device, then configure the gateway to allow nat-t, which means NAT traversal. This will allow the gateway to strip off the process ipsec properly and to encap the ipsec traffic in a tcp or udp frame. The pix and ios based devices only work with udp, the vpn 3000 concentrator can work with udp or tcp.
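An added example (not code from this thread or from Cisco) showing the NAT discovery behind the NAT-T behaviour in the notes above, and why Dave's fixed-port translation mattered: an RFC 3947 NAT-D payload is a hash of the IKE cookies plus the address and port the sender knows, so any NAT/PAT rewrite in the path makes the peer's hash fail to match and the session floats to UDP 4500. The cookies and addresses are constructed samples, and SHA-1 is assumed as the negotiated hash.

```python
"""Added example: how IKE NAT-Traversal (RFC 3947) discovers a NAT/PAT device
with NAT-D payloads, deciding between native IKE/ESP on UDP 500 and
UDP-encapsulated ESP on port 4500. Cookies and addresses are constructed."""
import hashlib
import socket
import struct

IKE_PORT, NATT_PORT = 500, 4500


def nat_d(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload = HASH(CKY-I | CKY-R | IP | Port); SHA-1 assumed as the
    negotiated hash. The peer only matches it if IP and port were untouched."""
    return hashlib.sha1(cky_i + cky_r + socket.inet_aton(ip)
                        + struct.pack("!H", port)).digest()


def gateway_check(cky_i, cky_r, gw_ip, gw_port, seen_src_ip, seen_src_port, received):
    """What the VPN gateway does with the client's NAT-D payloads.
    received[0] is the client's hash of the destination it sent to (the gateway);
    received[1:] are its hashes of its own source address(es).
    Returns (client_behind_nat, gateway_behind_nat)."""
    gateway_natted = received[0] != nat_d(cky_i, cky_r, gw_ip, gw_port)
    # compare the client's claimed source with where the packet actually came from
    client_natted = nat_d(cky_i, cky_r, seen_src_ip, seen_src_port) not in received[1:]
    return client_natted, gateway_natted


def choose_port(cky_i, cky_r, client_ip, client_port, gw_ip, seen_src_ip, seen_src_port):
    """Simulate the exchange: the client builds NAT-D payloads from the addresses
    it knows; the gateway sees the packet after the NAT/PAT device rewrote it.
    Returns the UDP port the IPsec traffic floats to."""
    received = [nat_d(cky_i, cky_r, gw_ip, IKE_PORT),           # destination hash
                nat_d(cky_i, cky_r, client_ip, client_port)]    # source hash
    client_natted, gateway_natted = gateway_check(
        cky_i, cky_r, gw_ip, IKE_PORT, seen_src_ip, seen_src_port, received)
    return NATT_PORT if (client_natted or gateway_natted) else IKE_PORT


CKY_I, CKY_R = bytes.fromhex("0011223344556677"), bytes.fromhex("8899aabbccddeeff")
GW = "198.51.100.1"  # constructed gateway address

if __name__ == "__main__":
    # public client, nothing rewrites the packet: stays on UDP 500
    print(choose_port(CKY_I, CKY_R, "203.0.113.5", 500, GW, "203.0.113.5", 500))
    # private client behind PAT: source became 203.0.113.5:41000, floats to 4500
    print(choose_port(CKY_I, CKY_R, "192.0.2.10", 500, GW, "203.0.113.5", 41000))
```

Dave's static one-to-one translation still changes the IP, so NAT-T would detect it too; it only worked without NAT-T because the 1:1 NAT forwarded UDP 500 and ESP unchanged.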

Please see the latest posts by Dave and myself.

Let me know if they help.