
VPN through a NAT

sword7575
Level 1

Hi

I managed to open an IPsec over UDP VPN connection (the client says it is connected) but I cannot ping anything.

The weird thing is that I managed to open the connection and ping whatever I wanted when using a wireless network with the exact same configuration. When I did that I was not behind any firewall. I thought that if my firewall had a problem, I shouldn't be able to even open the connection.

What can be the problem? Is it because of the NAT?

I can't send the concentrator configuration because I don't have any access to it.

my client version: Cisco client 4.0.3

7 Replies

mostiguy
Level 6

It could be that the concentrator does not have nat traversal enabled.

Is there any chance the ip address ranges overlap? When you connect successfully via wireless - what is your ip address before you connect, and what address do you get assigned via the vpn? If the address you get assigned via the vpn is in the same subnet as the ones in use behind the firewall doing nat, then you will have problems. In such a scenario, the easiest solution is to change the local ip addressing.

jackko
Level 7

Providing it works fine when your connection is not behind a firewall, it's likely that NAT traversal needs to be enabled.

Go to Configuration > Tunneling and Security > IPSec > NAT Transparency

select the option "ipsec over nat-t"

Hi,

From what I understand, you are only able to 'open' the connection while you are behind firewall, but everything works fine if you are not behind the firewall.

If this is the case find the 'IPSec over UDP' port used from the remote VPN Concentrator admin and make sure that this UDP port is open in your firewall. 'Opening' of connection works on ISAKMP (UDP500) port which may be already open in your firewall.

HTH

Regards,

Shijo George.

Hi

Thank you all for your answers.

to mostiguy:

>>Is there any chance the ip address ranges overlap?

That was my first thought too but no. My subnet is 192.*.*.* and the VPN gives me a 10.*.*.* one.

to jackko:

On this forum someone was advising to set this on the vpn concentrator: "isakmp nat-traversal"

I know ISAKMP is a communication protocol between the VPN client and the server. But what does it do exactly?

Does your option "ipsec over nat-t" also include the acceptance of all the different types of packets used for establishing and maintaining a VPN connection?

to shijogeorge:

>>From what I understand, you are only able to 'open' the connection while you are behind firewall,

Yes, but I can't ping anything.

>>but everything works fine if you are not behind the firewall.

Exactly.

>>'Opening' of connection works on ISAKMP (UDP500) port which may be already open in your firewall.

I manage to open the connection. And the log of the client confirms that it managed to open the connection using port 500.

I already asked the guy in charge to check the UDP port used for the VPN communication. Is there only one port? Or do I have to check if the application needs other ports?

Do I have a means to see if my packets are blocked? And if so, which firewall (I have to go through 2 firewalls) is blocking them? If I was the network administrator maybe I could monitor this, but I am not. And the log window of the Cisco client is a little light even with all the options enabled.

IPSec over UDP uses only one port (other than UDP500 of course). There is no need to open different ports for different applications.

If 'IPSec over NAT-T' is enabled at the VPN Concentrator, the UDP port in use will be 4500.

And if 'IPSec over UDP' is the one which is enabled, the UDP port varies as per how it is configured on the Concentrator.

Regards,

Shijo George.
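As an added illustration of the port logic in the two answers above (this is not code from the thread, from Cisco, or from any poster), the following Python script reads a constructed UDP flow log taken from the client side of the NAT and reports whether the ISAKMP exchange on UDP 500 and the encapsulated data port (4500 for NAT-T, or the concentrator's configured "IPSec over UDP" port) are each seen in both directions. The client address 192.168.1.20, the concentrator address 203.0.113.10, the data port 10000 and the log line format are all assumptions made for the example.

```python
import re

# Constructed flow-log lines (not from the thread), one UDP flow per line in the
# assumed shape "TIMESTAMP UDP SRC_IP:SRC_PORT -> DST_IP:DST_PORT bytes=N".
# 192.168.1.20 is the hypothetical client behind NAT, 203.0.113.10 the hypothetical
# concentrator and 10000 the hypothetical "IPSec over UDP" port. The sample shows the
# thread's symptom: ISAKMP on 500 is answered, the data port never gets a reply.
SAMPLE_FLOWS = """
2005-06-01T10:00:01 UDP 192.168.1.20:500 -> 203.0.113.10:500 bytes=312
2005-06-01T10:00:01 UDP 203.0.113.10:500 -> 192.168.1.20:500 bytes=280
2005-06-01T10:00:02 UDP 192.168.1.20:500 -> 203.0.113.10:500 bytes=196
2005-06-01T10:00:02 UDP 203.0.113.10:500 -> 192.168.1.20:500 bytes=188
2005-06-01T10:00:05 UDP 192.168.1.20:10000 -> 203.0.113.10:10000 bytes=132
2005-06-01T10:00:06 UDP 192.168.1.20:10000 -> 203.0.113.10:10000 bytes=132
2005-06-01T10:00:07 UDP 192.168.1.20:10000 -> 203.0.113.10:10000 bytes=132
""".strip().splitlines()

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+UDP\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+bytes=(?P<bytes>\d+)$"
)


def parse_flow(line):
    """Parse one flow line into a dict, or return None for lines in another shape."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": d["ts"], "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "bytes": int(d["bytes"])}


def count_directions(flows, client, concentrator, port):
    """Return (client->concentrator, concentrator->client) flow counts for `port`.

    Outbound flows are matched on the destination port; return flows are matched
    on the concentrator's source port, which survives NAT on the way back.
    """
    out = back = 0
    for f in flows:
        if f["src"] == client and f["dst"] == concentrator and f["dport"] == port:
            out += 1
        elif f["src"] == concentrator and f["dst"] == client and f["sport"] == port:
            back += 1
    return out, back


def diagnose(lines, client, concentrator, data_port=4500, isakmp_port=500):
    """Classify the capture into one verdict based on which ports see replies."""
    flows = [f for f in map(parse_flow, lines) if f]
    ike_out, ike_back = count_directions(flows, client, concentrator, isakmp_port)
    data_out, data_back = count_directions(flows, client, concentrator, data_port)
    if ike_out == 0:
        verdict = "no-isakmp-attempt"       # client never tried to negotiate
    elif ike_back == 0:
        verdict = "isakmp-blocked"          # phase 1 unanswered: UDP 500 filtered
    elif data_out == 0:
        verdict = "data-port-not-used"      # tunnel up but nothing sent on this port
    elif data_back == 0:
        verdict = "data-port-blocked"       # "connected" but no replies: the thread's case
    else:
        verdict = "ok"
    return {"isakmp": (ike_out, ike_back), "data": (data_out, data_back),
            "verdict": verdict}


if __name__ == "__main__":
    result = diagnose(SAMPLE_FLOWS, "192.168.1.20", "203.0.113.10", data_port=10000)
    print(result)
```

Run against the constructed sample with `data_port=10000` the verdict is `data-port-blocked`: two ISAKMP exchanges on 500 in each direction, three outbound packets on the data port and none back, which is exactly the "client says connected but nothing pings" picture. Checking with `data_port=4500` instead gives `data-port-not-used`, because in this sample the concentrator was not configured for NAT-T. Note the asymmetry the verdicts encode: with NAT-T the IKE negotiation itself moves to UDP 4500 once NAT is detected, so a filtered 4500 tends to show up as a connection that never completes, whereas a separately configured IPSec over UDP port can be filtered while the UDP 500 exchange still succeeds.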

Just wondering how you go.

I'm doing good.

Actually the UDP port was blocked by the firewall on the concentrator side. The administrator had opened the port just for a group of people. So he opened it for everyone and it works. The only remaining issue is that although it works, I don't understand why I was blocked before, because I was a member of the group that had access to the UDP port.

Anyway thank you for the support.