Question : Problem: Allowing VPN Pass Through in a Nortel VPN/FireWall Connectivity Device
I use two types of VPN clients, Microsoft VPN and Checkpoint VPN, to access external sites. Both of these connections work from one of my networks, let's call it OFFICE1, which uses a SmoothWall firewall.
When I try to use the Microsoft VPN from the network OFFICE2, which uses a Nortel VPN/FireWall Connectivity 1050, it does not work, but the Checkpoint VPN does. So the problem has to be with the Nortel device. I am a little familiar with the Nortel device, but not sure how to allow the MS VPN connection going outbound.
There aren't any outbound filters set up (that I know of), and I have 3 VPN tunnels set up with offsite companies. Is there some option I have to turn on that allows VPN pass-through? (The Nortel device has software version V04_80.124.) It's my understanding that MS VPN uses L2TP/IPsec. I'm not sure what Checkpoint uses.
To clarify, the VPN client connections have nothing to do with the VPN tunnels, and the tunnels may be unimportant information. This may or may not be an easy question, but I have employees waiting to work from OFFICE2 that need to use the MS VPN client.
Thanks for your help in advance.
Answer : Problem: Allowing VPN Pass Through in a Nortel VPN/FireWall Connectivity Device
Dang. The MS patch would have been the low-hanging-fruit answer :P
So: it looks like the Nortel box's debug output shows the beginning of the failure here: 04/19/2005 16:00:36 0 CSFW [03] Drop packet 6a1d390:(172.25.0.143:0-202.87.18.196:0,gre), reason 1
Showing that it's dropping the GRE packet (IP protocol 47, part of the PPTP specification) due to 'reason 1'.
In looking through the Nortel documentation: http://www116.nortelnetworks.com/docs/bvdoc/contivity/doc_html/315896D00/firewall_book.html
I found this: IPsec-aware NAT
"IPsec-aware NAT provides a means of protecting against the alteration of TCP/IP headers, usually performed by NAT. IPsec-aware NAT is used when an IPsec tunnel passes through a Contivity gateway performing NAT translation, but does not terminate at the Contivity gateway. This allows interoperability with IPsec implementations that do not support the UDP wrapper solution to perform NAT on IPsec traffic. Unlike NAT traversal, IPsec-aware NAT is always on and cannot be configured."
It doesn't appear that they make any provision for PPTP, which uses GRE as its encapsulating protocol rather than ESP, which shares very similar characteristics (stateless, portless).
So, you are indeed correct. It's definitely how the Nortel handles the NATting of stateless/portless protocols... they've made a special accommodation for IPsec, but not PPTP.
Suggestions at this point: either
a) Open a case with Nortel to see if they have some sort of workaround (I can't find mention of PPTP in the docs, but I don't have a support logon, which may provide you more access).
b) Use secpol.msc to build secure IPsec connections from the clients to the server.
c) Burn an additional public IP address or range for 1-1 NAT from the client to the server - perhaps utilizing an application-mode server at the client site so that the clients could RDP into it and use its statically NATted 1-1 translation to get to the MS server.
d) Get a different firewall/VPN solution.
Probably not the news you wanted to hear, but it's a direction :-/
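The following is an added illustration, not part of the original answer and not Nortel code: it parses the CSFW "Drop packet" line quoted above and then models, in a toy outbound NAPT, why a gateway that knows how to translate TCP/UDP (by port) and ESP (by SPI, as the Contivity's always-on IPsec-aware NAT does) still has to drop GRE unless it also has a PPTP-aware path keyed on the GRE call ID. The public address, the server address, the SPI and the call IDs are constructed sample values, and the `Napt` class is a deliberately simplified model rather than the Contivity's actual translation logic.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed public address of the NAT gateway (RFC 5737 documentation range).
NAT_PUBLIC_IP = "203.0.113.10"

# IP protocols that carry no L4 port numbers, so a port-based NAPT has
# nothing to multiplex on and must either understand the protocol or drop it.
PORTLESS = {"gre": "PPTP data channel (IP proto 47)",
            "esp": "IPsec ESP (IP proto 50)",
            "ah": "IPsec AH (IP proto 51)"}

# Matches the Contivity "Drop packet" line format quoted in the answer above.
DROP_RE = re.compile(
    r"Drop packet \w+:\((?P<src>[\d.]+):(?P<sport>\d+)-(?P<dst>[\d.]+):(?P<dport>\d+),"
    r"(?P<proto>\w+)\), reason (?P<reason>\d+)"
)

def parse_drop(line: str) -> Optional[dict]:
    """Extract src/dst/proto/reason from a CSFW drop line; None if it is not one."""
    m = DROP_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["portless"] = d["proto"].lower() in PORTLESS
    return d

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "gre", "esp", ...
    sport: Optional[int] = None     # only TCP/UDP carry ports
    dport: Optional[int] = None
    call_id: Optional[int] = None   # PPTP GRE Key field (peer call ID)
    spi: Optional[int] = None       # ESP Security Parameter Index

class Napt:
    """
    Toy outbound NAPT. TCP/UDP are always translated by rewriting the source
    port. A portless protocol passes only if it is in `aware`, in which case
    the flow is keyed on a protocol-specific identifier (GRE call ID, ESP SPI).
    Simplified model for illustration; not the Contivity implementation.
    """
    def __init__(self, aware: frozenset):
        self.aware = aware
        self.next_port = 40000
        self.table: Dict[Tuple, str] = {}   # outside-visible key -> inside src

    def translate(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto in ("tcp", "udp"):
            pub_port = self.next_port
            self.next_port += 1
            self.table[(pkt.proto, pkt.dst, pkt.dport, pub_port)] = pkt.src
            return Packet(NAT_PUBLIC_IP, pkt.dst, pkt.proto, pub_port, pkt.dport)
        if pkt.proto not in self.aware:
            return None   # no ALG for this portless protocol: dropped, like the GRE line above
        ident = {"gre": pkt.call_id, "esp": pkt.spi}.get(pkt.proto)
        key = (pkt.proto, pkt.dst, ident)
        owner = self.table.get(key)
        if owner is not None and owner != pkt.src:
            return None   # another inside host already owns this identifier: ambiguous, drop
        self.table[key] = pkt.src
        return Packet(NAT_PUBLIC_IP, pkt.dst, pkt.proto,
                      call_id=pkt.call_id, spi=pkt.spi)

def simulate(aware: frozenset) -> Dict[str, bool]:
    """Send one TCP (PPTP control), one ESP and one GRE (PPTP data) packet from
    one inside host through a NAT that understands the protocols in `aware`.
    Returns {proto: passed}. Addresses and identifiers are constructed."""
    nat = Napt(aware)
    host, server = "172.25.0.143", "198.51.100.7"
    pkts = [Packet(host, server, "tcp", 50000, 1723),
            Packet(host, server, "esp", spi=0x1A2B3C4D),
            Packet(host, server, "gre", call_id=1)]
    return {p.proto: nat.translate(p) is not None for p in pkts}

if __name__ == "__main__":
    log = ("04/19/2005 16:00:36 0 CSFW [03] Drop packet 6a1d390:"
           "(172.25.0.143:0-202.87.18.196:0,gre), reason 1")
    print(parse_drop(log))
    print("IPsec-aware only:", simulate(frozenset({"esp"})))
    print("IPsec- and PPTP-aware:", simulate(frozenset({"esp", "gre"})))
```

Run stand-alone, the first simulation reproduces the situation in the answer: the PPTP control connection on TCP/1723 and the ESP traffic both pass, and only the GRE packet is dropped. Adding "gre" to the aware set (a PPTP ALG keyed on the call ID) is the piece the page says the Contivity lacks.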