[wellylug] DSE XH1151 router/firewall and VPN
Pete Black
pete at marchingcubes.com
Tue Dec 14 09:42:48 NZDT 2004
Not quite correct.
PPTP uses port 1723 for connection setup, and *protocol* 47 (GRE or
General Routing Encapsulation) for traffic - this is an important
distinction.
Also, the Cisco client is an IPSEC VPN client - which uses a different
set of ports. (UDP 500 and 1701) IPSEC uses protocol 50 for its ESP
(Encapsulated Secure? Payload) instead of protocol 47.
It is quite likely your network setup does not support protocol 47
connectivity and is getting past the connection negotiation phase, but
then dropping the actual traffic that appears using protocol 47.
For IPSEC you may also need protocol 51 to support AH (Authentication
Header) packets.
NAT Traversal can be an issue with IPSEC - it was never really designed
with NAT in mind. I believe the windows implementation of IPSEC NAT-T
uses an additional port (UDP 4500?) to accomplish this.
Also, to address a previous poster's comment that the siting of a VPN
gateway in front of a firewall might be due to their inability to
'configure things correctly' - it is very difficult to do NAT-to-NAT
connections, especially with IPSEC, so VPN gateways will almost always
be situated in front of the firewall.
This is why the previous poster assumed this would be the case.
-Pete
>Ahh.... that sounds exactly what I needed to know, thanks very much
>for your help.
>Bill
>
>
>On Tue, 14 Dec 2004 08:39:28 +1300, Jonathan Brewer
><jon.brewer at worldnet.att.net> wrote:
>
>
>>1. What ports are used by the VPN? If it is PPTP then TCP 1723 for setup
>>and 47 for traffic.
>>2. Have you configured the firewall to allow these to pass through?
>>3. If the firewall gets them, will it know where to send them?
>>
>>One trick is to keep a second ethernet interface around for home use of
>>the laptop. (an extra PCMCIA card, wired or wireless) Then you can set
>>up a static private IP in Windows for this particular interface. Tell
>>your firewall to forward traffic from the VPN ports to this particular
>>static IP. Then you have the protection of your firewall with just the
>>particular VPN ports you need, as opposed to using DMZ, which just
>>forwards any old request through, and leaves your laptop vulnerable to
>>attacks.
>>
>>
>>
>>-----Original Message-----
>>From: wellylug-admin at lists.wellylug.org.nz
>>[mailto:wellylug-admin at lists.wellylug.org.nz] On Behalf Of Bill
>>Christiansen
>>Sent: Tuesday, 14 December 2004 7:56 a.m.
>>To: WellyLUG
>>Subject: [wellylug] DSE XH1151 router/firewall and VPN
>>
>>I connect to Paradise and use a DSE X1151 router/firewall to connect my
>>Linux boxes on my home network, but I also need to plug in my work's
>>laptop to connect to the corporate lan over VPN. I found it works fine
>>if I configure the IP for the laptop as a DMZ, otherwise I can't get a
>>reliable VPN connection (just keeps dropping out). My work's IT guy is
>>not too happy about using a DMZ as he said it defeats the purpose of
>>having a firewall. Just thought there maybe someone with a similar setup
>>that's been down this road before.
>>
>>Bill
>>
>>--
>>Wellington Linux Users Group Mailing List:
>>wellylug at lists.wellylug.org.nz To Leave:
>>http://lists.wellylug.org.nz/mailman/listinfo/wellylug
>>
>
>
>
>
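As an added example (not part of any post in this thread), a POSIX shell script that generates the iptables rules implied by Jonathan's advice: forward only the PPTP and IPsec ports and IP protocols Pete lists to one static internal address, instead of a DMZ that forwards everything. The interface name, the laptop address and the dry-run `IPT` variable are assumptions; by default the script prints the rules rather than applying them.

```shell
#!/bin/sh
# Constructed example: pass PPTP and IPsec through a NAT firewall to a
# single static internal host. Dry-run by default (IPT="echo iptables"
# prints the rules); run as root with IPT=iptables to apply them.
# WAN interface and host address are placeholders chosen for illustration.
IPT="${IPT:-echo iptables}"

# vpn_passthrough WAN_IF LAPTOP_IP
# PPTP: TCP 1723 for setup plus GRE (IP protocol 47) for the tunnel.
# IPsec: IKE UDP 500, NAT-T UDP 4500, ESP (protocol 50), AH (protocol 51).
vpn_passthrough() {
  wan="$1"; host="$2"
  # Port-based services: DNAT on the way in, then accept the forwarded flow.
  for spec in tcp:1723 udp:500 udp:4500; do
    proto="${spec%%:*}"; port="${spec##*:}"
    $IPT -t nat -A PREROUTING -i "$wan" -p "$proto" --dport "$port" -j DNAT --to-destination "$host"
    $IPT -A FORWARD -i "$wan" -d "$host" -p "$proto" --dport "$port" -j ACCEPT
  done
  # GRE, ESP and AH carry no port numbers, so the match is the IP protocol
  # field alone: this is the distinction between "port 47" and "protocol 47".
  # (PPTP GRE through NAT additionally needs the kernel's PPTP conntrack/NAT
  # helpers loaded; a plain DNAT rule is not enough on its own.)
  for proto in 47 50 51; do
    $IPT -t nat -A PREROUTING -i "$wan" -p "$proto" -j DNAT --to-destination "$host"
    $IPT -A FORWARD -i "$wan" -d "$host" -p "$proto" -j ACCEPT
  done
}

# dmz_rule WAN_IF LAPTOP_IP
# What a consumer router's "DMZ" setting amounts to: every unsolicited
# inbound packet is forwarded, not just the VPN traffic. Shown for contrast.
dmz_rule() {
  $IPT -t nat -A PREROUTING -i "$1" -j DNAT --to-destination "$2"
}

# Number of FORWARD accepts the targeted rule set opens (3 ports + 3 protocols).
count_forward_rules() {
  vpn_passthrough "$1" "$2" | grep -c -- '-A FORWARD'
}

vpn_passthrough eth0 192.168.1.50
```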