 From:  "Gregory Abbott" <blondguyg at seezar dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Cc:  "Peter Allgeyer" <allgeyer at web dot de>
 Subject:  Re: [m0n0wall] VPN client trouble behind m0n0wall
 Date:  Sat, 19 Nov 2005 15:42:13 -0500 (EST)
On Sat, November 19, 2005 3:35 pm, Gregory Abbott wrote:
> Peter Allgeyer wrote:
>> On Saturday, 19.11.2005, at 11:36 -0500, Gregory Abbott wrote:
>>
>>
>>> Anyway, I noticed in my m0n0wall logs that when I try to connect I see
>>> the WAN interface blocking UDP from the concentrator IP address to the
>>> NAT IP of my machine the client is running on.
>>
>> Can you be a little more specific on this point? Cisco IPSec normally
>> uses port 4500/udp for tunneling NAT devices. There shouldn't be any
>> problems with m0n0wall and/or NAT on this point.
>>
>> BR,
>>    PIT
>>
>
> Well, that's what's odd. I've been using VPN from behind my m0n0wall for
> about 6 months with no problem. The issue just started yesterday. Since
> another coworker started to have the same problem behind their router,
> which is not m0n0wall, the problem sounds like it isn't anything on the
> client end but on the VPN server, but at work they aren't finding a
> problem.
>
> Here is what I see being blocked in my logs after trying to connect with
> the client(I blocked out the whole IP of the VPN server):
>
>
> 15:24:27.989306  WAN  	66.133.x.x   10.5.27.21  	UDP
> 15:24:22.987884  WAN 	66.133.x.x   10.5.27.21 	UDP
> 15:24:21.015540  WAN 	66.133.x.x   10.5.27.21 	UDP
> 15:24:13.016823  WAN 	66.133.x.x   10.5.27.21 	UDP
>
>
> I added a rule in my firewall on the WAN to allow all UDP traffic from
> source 66.133.x.x. Here is what my rule looks like:
>
> Proto   Source        Port   Destination   Port
> UDP     66.133.x.x    *      *             *
>
>

I should also mention the error the client is giving is:

Secure VPN Connection terminated locally by the Client. Reason 403: Unable
to contact the security gateway.
> I would think that even if this rule doesn't fix the issue, at the very
> least m0n0wall wouldn't be blocking the incoming UDP.
>
> -Greg
>
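To check which of the blocked log entries in this thread a WAN allow rule like the one above would actually cover, here is an added Python example (not from the thread or from m0n0wall itself) that parses the filter-log lines in the column order shown in the post and matches them against rules with `*` wildcards. The concentrator address is masked as 66.133.x.x in the post, so the example uses a constructed placeholder host 66.133.0.1 and placeholder network 66.133.0.0/16 in its place, and since the logged lines carry no port fields the rule's port columns are not evaluated.

```python
import ipaddress
import re

# Constructed sample: the blocked-packet lines from the post in m0n0wall's
# filter-log column order (time, interface, source, destination, protocol),
# plus one constructed TCP line that the UDP rule must not match.
# 66.133.0.1 is a constructed placeholder for the masked 66.133.x.x address.
LOG_LINES = """\
15:24:27.989306  WAN    66.133.0.1   10.5.27.21   UDP
15:24:22.987884  WAN    66.133.0.1   10.5.27.21   UDP
15:24:21.015540  WAN    66.133.0.1   10.5.27.21   UDP
15:24:13.016823  WAN    66.133.0.1   10.5.27.21   UDP
15:24:10.000000  WAN    203.0.113.9  10.5.27.21   TCP
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Return one dict per log line; lines that do not fit the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            time, iface, src, dst, proto = m.groups()
            entries.append({"time": time, "iface": iface, "src": src,
                            "dst": dst, "proto": proto.upper()})
    return entries


def rule_matches(rule, entry):
    """True if a rule (proto, source net, destination net, '*' = any) covers the entry."""
    if rule["proto"] != "*" and rule["proto"] != entry["proto"]:
        return False
    for field in ("src", "dst"):
        if rule[field] != "*":
            net = ipaddress.ip_network(rule[field], strict=False)
            if ipaddress.ip_address(entry[field]) not in net:
                return False
    return True


def permitted_entries(rules, entries):
    """Return the log entries that at least one rule would allow."""
    return [e for e in entries if any(rule_matches(r, e) for r in rules)]


# The WAN rule from the post: UDP from the concentrator's network to anything.
# 66.133.0.0/16 is a constructed placeholder for the masked 66.133.x.x source.
GREG_RULE = {"proto": "UDP", "src": "66.133.0.0/16", "dst": "*"}
```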