[ previous ] [ next ] [ threads ]
 
 From:  "Polus, Tomasz" <tomek at polvision dot com dot pl>
 To:  <mk at neon1 dot net>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>, "Jonathan De Graeve" <Jonathan dot De dot Graeve at imelda dot be>
 Subject:  RE: [m0n0wall] FW: m0n0wall blocks incoming UDP 500
 Date:  Wed, 15 Mar 2006 14:08:37 +0100 
> -----Original Message-----
> From: Jonathan De Graeve [mailto:Jonathan dot De dot Graeve at imelda dot be] 
> Sent: Wednesday, March 15, 2006 1:57 PM
> To: Manuel Kasper; Polus, Tomasz
> Cc: m0n0wall at lists dot m0n0 dot ch
> Subject: RE: [m0n0wall] FW: m0n0wall blocks incoming UDP 500
> 
> All Nortel Contivity VPN Clients work too behind M0n0wall
> 
> J.
> 
> -----Oorspronkelijk bericht-----
> Van: Manuel Kasper [mailto:mk at neon1 dot net]
> Verzonden: woensdag 15 maart 2006 13:54
> Aan: Polus, Tomasz
> CC: m0n0wall at lists dot m0n0 dot ch
> Onderwerp: RE: [m0n0wall] FW: m0n0wall blocks incoming UDP 500
> 
> On 15.03.06 09:27 +0100, Polus, Tomasz wrote:
> 
> > IMO this is a huge issue for all clients using simple VPN-IPSEC 
> > outgoing connections.... Is there anyone (m0n0wall developer
maybe) 
> > who can make more thorough troubleshooting?
> 
> If you'd like to contribute to a solution, you should provide 
> more information - the output from http://m0n0wall/status.php 
> after a failed VPN connection attempt would be very helpful, 
> as it would allow us to determine which rule caused the 
> packets to be blocked and what the state of the NAT table was.

OK. I will send you neccessary data very soon, but be aware that I
don't have any fw/nat rules defined. Only default rules.

> I've used the following VPN clients successfully behind 
> m0n0wall with various remote VPN gateways, some of which 
> didn't support NAT-T (and it worked anyway, as is to be 
> expected with ESP in tunnel mode):
> 
> - SafeNet SoftRemote
> - Cisco VPN client
> - TheGreenBow VPN client
> - Equinux VPN Tracker
> - SonicWall Global VPN client
> 
> One thing that should be noted is that m0n0wall doesn't 
> attempt to preserve the LAN host's source port when doing 
> outbound NAT. If you have a remote VPN device that insists on 
> the VPN client's port being 500, then it won't work. Some 
> other firewalls attempt to preserve the port for the first 
> connection, and some don't.

Well, from what I know, IKE negotiation is a connection From UDP 500
To 500. If m0n0wall changes the source port, then IKE won't work for
some VPN gateways...
Is there any solution to preserve the port in m0n0wall?

-- 
Tomasz Polus