Tom,

Glad it works. Those commands also work on a Cisco PIX firewall using access lists but you need to do it on both interfaces. I believe that is because ESP and ISAKMP are not trackable protocols like say... FTP. As far as a kernel module (like ftp-control and ftp-data) I don't think one exists yet for this application or at least I have not found one for Linux anyways. Anyone else know of one?

Thank you,
Jake

-----Original Message-----
From: Tom Obermayr [mailto:to at bla dot net]
Sent: Thursday, November 18, 2004 7:43 AM
To: Jake S; 'Jake S'; m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] Cisco VPN Client behind m0n0wall

Jake,

thanks, that actually works (at least as a temporary workaround). What I had to do is allow ESP in, allow dest port 500/UDP in, and do inbound NAT for port 500/UDP to my internal system. Of course this only works for a single internal IP address, but at least it allows me to access the VPN concentrator for now.

Again for all on the list: I can't turn on tunneling on the concentrator, that's why I was looking for some kind of intelligent solution (something like the ftp module comes to mind).

tom.

At 04:34 PM 11/18/2004, Jake S wrote:
>You will also need the following too:
>
>concentrator IP/src port 500udp to your IP/dst port 500udp and vice versa
>(also known as ISAKMP)
>
>I believe that the VPN client uses ISAKMP for phase I keying and then ESP
>for phase II xauth.
>
>Thank you,
>Jake
>
>-----Original Message-----
>From: Jake S [mailto:jake at agatestreet dot com]
>Sent: Thursday, November 18, 2004 7:21 AM
>To: 'Tom Obermayr'; m0n0wall at lists dot m0n0 dot ch
>Subject: RE: [m0n0wall] Cisco VPN Client behind m0n0wall
>
>I see.
>
>Perhaps you could open up the following rule on your mono box:
>
>concentrator IP to your IP and vice versa. Use the protocol ESP for this.
>
>Thank you,
>Jake
>
>-----Original Message-----
>From: Tom Obermayr [mailto:to at bla dot net]
>Sent: Thursday, November 18, 2004 7:16 AM
>To: Jake S; m0n0wall at lists dot m0n0 dot ch
>Subject: RE: [m0n0wall] Cisco VPN Client behind m0n0wall
>
>I have no control over that Concentrator whatsoever, which is the reason
>why I'm asking. The others are fine, but the one apparently doesn't have
>that setting for whatever reason, and I have no chance of changing that.
>
>tom.
>
>At 04:12 PM 11/18/2004, Jake S wrote:
> >Or you could turn on NAT traversal (NAT-T) on your concentrator which would
> >encapsulate IPSec traffic on UDP 4500 outbound.
> >
> >Thank you,
> >Jake Seitz
> >
> >-----Original Message-----
> >From: Tom Obermayr [mailto:to at bla dot net]
> >Sent: Thursday, November 18, 2004 7:05 AM
> >To: m0n0wall at lists dot m0n0 dot ch
> >Subject: [m0n0wall] Cisco VPN Client behind m0n0wall
> >
> >hi,
> >
> >I do have a problem with a client system using Cisco VPN client behind
> >m0n0wall. Apparently there are different settings on the Cisco Concentrator
> >that change the way the VPN connection is established.
> >
> >I have 3 different VPN entries in the Cisco client, two of which work just
> >fine behind m0n0wall, whereas the 3rd one only works without the firewall.
> >Looking at the firewall log, it seems that the VPN Concentrator is trying
> >to connect to the client on port 500/UDP, which fails, of course.
> >
> >Maybe some kind of VPN client detection could be integrated, which
> >automatically detects internal VPN clients trying to establish VPN
> >sessions, and then allows the separate connection back in to go through?
> >
> >regards, tom.
> >
> >---------------------------------------------------------------------
> >To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> >For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
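The thread turns on Jake's point that ESP and ISAKMP give a stateful firewall or NAT less to track than FTP does, and on his earlier suggestion of NAT-T on UDP 4500. The following is an added example, not code from the list or from m0n0wall: it decodes the header fields a firewall could key on for native ESP (IP protocol 50), ISAKMP on UDP/500 and NAT-T on UDP/4500 as laid out in RFC 3948. The packet bytes it builds are constructed, not captured traffic.

```python
import struct

ESP_PROTO, UDP_PROTO = 50, 17
ISAKMP_PORT, NAT_T_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE on UDP/4500 is prefixed with this


def build_udp(sport, dport, data):
    """Build a UDP header plus payload (checksum left zero; constructed data)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_esp(spi, seq, body=b"\x00" * 16):
    """Build an ESP header (SPI, sequence number) followed by opaque ciphertext."""
    return struct.pack("!II", spi, seq) + body


def describe_flow(proto, payload):
    """Return the fields a stateful firewall or NAT can key on for one packet.

    proto   - IP protocol number of the packet
    payload - the bytes that follow the IP header
    """
    if proto == ESP_PROTO:
        # ESP carries only an SPI and a sequence number, no ports. Each SA's
        # SPI is chosen by its receiver and differs per direction, so a NAT
        # cannot pair an outbound SA with the inbound one it belongs to, nor
        # tell two internal clients of the same gateway apart: hence the
        # "single internal IP" limitation of a plain ESP allow plus 1:1 NAT.
        spi, seq = struct.unpack("!II", payload[:8])
        return {"kind": "esp", "spi": spi, "seq": seq, "ports": None, "nat_trackable": False}
    if proto != UDP_PROTO:
        return {"kind": "other", "ports": None, "nat_trackable": False}
    sport, dport, _length, _csum = struct.unpack("!HHHH", payload[:8])
    data = payload[8:]
    if ISAKMP_PORT in (sport, dport):
        # ISAKMP: the UDP port pair gives the NAT a state entry, and the 8-byte
        # initiator SPI lets the peer match a reply to its request.
        ispi = struct.unpack("!Q", data[:8])[0]
        return {"kind": "isakmp", "ports": (sport, dport), "initiator_spi": ispi, "nat_trackable": True}
    if NAT_T_PORT in (sport, dport):
        if data[:4] == NON_ESP_MARKER:
            return {"kind": "ike-over-nat-t", "ports": (sport, dport), "nat_trackable": True}
        # UDP-encapsulated ESP: the same ESP header, now behind a UDP port pair,
        # so ordinary port translation serves many internal clients at once.
        spi, seq = struct.unpack("!II", data[:8])
        return {"kind": "esp-in-udp", "spi": spi, "seq": seq, "ports": (sport, dport), "nat_trackable": True}
    return {"kind": "udp", "ports": (sport, dport), "nat_trackable": True}
```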