 
 From:  "Michael A. Alderete" <lists dash 2003 at alderete dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Cc:  Manuel Kasper <mk at neon1 dot net>
 Subject:  Re: [m0n0wall] m0n0wall settings to allow IPSEC
 Date:  Tue, 14 Nov 2006 21:23:36 -0800
At 11:18 PM +0100 11/14/06, Manuel Kasper wrote:
>
>Not as far as I know, but one thing comes to mind: somebody once
>reported that the remote Cisco VPN concentrator they were trying to
>connect to didn't like the fact that the port number of the packets
>that their VPN client sent got translated to something other than the
>default (probably 500 for IKE and 4500 or so for UDP/NAT-T
>encapsulated ESP packets) by m0n0wall. Maybe that's the problem (the
>Cisco VPN concentrators that I connect to don't mind) - m0n0wall will
>always translate ports when doing "outbound NAT". Try giving your VPN
>client a one-to-one mapped IP address to find out - there won't be
>any port translation then.

Just a quick follow-up for the list archives, to report that Manuel's
suggestion worked perfectly. I simply:

1. Verified that I had a free IP address assigned to me by my ISP.

2. In m0n0wall's DHCP Server section, assigned a specific (private,
192.168.x.x) IP address to the MAC address of my laptop.

3. Created a 1:1 NAT mapping between the public IP address that I got from
my ISP and the DHCP-assigned private IP address my laptop was getting.

4. Allowed the 1:1 NAT mapping to automatically add a Proxy ARP entry for
the IP address. (Not sure if this last step was required, but it was the
default, so I took it.)

Once m0n0wall refreshed itself, I tried the Cisco VPN Client software
again, and it worked quickly and as expected.

I'm sure you could skip the DHCP step, and just give your laptop a static
IP address, but since the internal IP address needs to be the same in two
places, I like having all the configuration in m0n0wall.

Thanks again, Manuel!

Michael
-- 

_____________________________________________________________
Michael A. Alderete           <mailto:lists dash 2003 at alderete dot com>
                                     <http://www.alderete.com>
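The mechanism behind Manuel's suggestion, as an added example that is not part of the thread and not m0n0wall's own code: a small Python model of the two NAT modes. Outbound (many-to-one) NAT rewrites the source port of every flow, so IKE leaves on something other than UDP/500 and NAT-T on something other than UDP/4500; a 1:1 mapping rewrites only the address and lets the ports through unchanged. The addresses (RFC 5737 documentation ranges), the sequential port allocation, the rule that a 1:1 mapping takes precedence over outbound NAT, and the "strict peer" that drops IKE not sourced from port 500 are all assumptions made for the illustration, not verified m0n0wall or Cisco behaviour.

```python
# Toy model of port-translating outbound NAT versus 1:1 NAT, written to
# illustrate the IKE/NAT-T source-port problem discussed in the thread.
# Example code only: not m0n0wall's code or configuration. The addresses,
# the port allocation policy, the 1:1-before-outbound ordering and the
# strict-peer rule are assumptions.
from dataclasses import dataclass, replace
from itertools import count

IKE_PORT = 500     # ISAKMP / IKE
NATT_PORT = 4500   # UDP-encapsulated ESP (NAT-T)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class OutboundNat:
    """Many-to-one NAT: every new flow is given a fresh public source port.

    Assumption: ports are handed out sequentially from the ephemeral range.
    The exact policy does not matter; the point is that the client's
    original source port is not preserved.
    """

    def __init__(self, public_ip: str, first_port: int = 49152):
        self.public_ip = public_ip
        self._ports = count(first_port)
        self.table = {}  # (src_ip, src_port, dst_ip, dst_port) -> public port

    def translate(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.table:
            self.table[key] = next(self._ports)
        return replace(pkt, src_ip=self.public_ip, src_port=self.table[key])


class OneToOneNat:
    """1:1 NAT: a private address is rewritten to its dedicated public one.

    Only the IP address changes; the source port is carried through as-is.
    """

    def __init__(self, mappings: dict):
        self.mappings = dict(mappings)  # private ip -> public ip

    def handles(self, pkt: Packet) -> bool:
        return pkt.src_ip in self.mappings

    def translate(self, pkt: Packet) -> Packet:
        return replace(pkt, src_ip=self.mappings[pkt.src_ip])


class Firewall:
    """Assumed evaluation order: a 1:1 mapping, if one exists for the source
    address, wins; everything else goes through outbound NAT."""

    def __init__(self, one_to_one: OneToOneNat, outbound: OutboundNat):
        self.one_to_one = one_to_one
        self.outbound = outbound

    def translate(self, pkt: Packet) -> Packet:
        if self.one_to_one.handles(pkt):
            return self.one_to_one.translate(pkt)
        return self.outbound.translate(pkt)


def strict_peer_accepts(pkt: Packet) -> bool:
    """Emulates the picky concentrator from the thread: IKE must arrive from
    UDP/500 and NAT-T traffic from UDP/4500, otherwise it is dropped."""
    if pkt.dst_port == IKE_PORT:
        return pkt.src_port == IKE_PORT
    if pkt.dst_port == NATT_PORT:
        return pkt.src_port == NATT_PORT
    return False


def vpn_handshake_seen_by_peer(fw: Firewall, client_ip: str, peer_ip: str) -> dict:
    """Push the two packets a VPN client emits (IKE, then NAT-T) through the
    firewall; report the source the peer sees and whether it accepts each."""
    result = {}
    for port in (IKE_PORT, NATT_PORT):
        out = fw.translate(Packet(client_ip, port, peer_ip, port))
        result[port] = (out.src_ip, out.src_port, strict_peer_accepts(out))
    return result


if __name__ == "__main__":
    # Constructed addresses: 203.0.113.0/24 stands in for the ISP-assigned
    # public block, 198.51.100.1 for the concentrator, 192.168.1.0/24 is LAN.
    wan_ip, spare_ip, peer = "203.0.113.10", "203.0.113.11", "198.51.100.1"

    # Laptop with no 1:1 mapping: IKE leaves on a translated port, peer drops it.
    no_map = Firewall(OneToOneNat({}), OutboundNat(wan_ip))
    print(vpn_handshake_seen_by_peer(no_map, "192.168.1.50", peer))

    # Same laptop after the 1:1 mapping from the post: ports survive, peer accepts.
    mapped = Firewall(OneToOneNat({"192.168.1.50": spare_ip}), OutboundNat(wan_ip))
    print(vpn_handshake_seen_by_peer(mapped, "192.168.1.50", peer))
```

Note that a second LAN host without a mapping still goes through the port-translating path, which is why the mapping has to be tied to the VPN client's address, and why pinning that address via a DHCP static mapping (as in the post) keeps the two halves of the configuration consistent.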