[ previous ] [ next ] [ threads ]
 From:  "Brad D." <Support at TheDempsNetwork dot com>
 To:  "'Chris Buechler'" <cbuechler at gmail dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] IPSec Pass-Through
 Date:  Mon, 15 Jan 2007 22:32:20 -0500
Thanks for the input Chris. I tried your suggestion and it did not have any
effect on the VPN client. What it did though was greatly reduce the time it
takes for me to load webpages. Very odd, since all I did in advanced NAT was
create rules to allow the entire internal subnet to be NATted when going out
the WAN port. 

Regardless, now I am really in trouble. I was able to get the lead network
engineer to enable NAT-T on the Nortel VPN concentrator and I'm still not
passing data the way I should be. The Nortel client on my laptop is even
showing that NAT-T is enabled. I'll try and explain what I am doing and see
if any of you guys can lend a hand.

I'm using the Nortel Contivity VPN client (set up to run as the Windows
GINA) to allow me to bring up my VPN tunnel prior to logging into my Windows
XP laptop. I am hard wired into my switch which is connected to my monowall.
When I use a generic 4 port Linksys router (BEFSR41 v2) in place of my
monowall, I am able to bring up the VPN and log into my laptop. The whole
process to get the machine fully up and running takes about 30 second total.
To make this work, I have to check off a box on the Linksys called "Allow
IPSec Pass-through".

My monowall is a generic PC image Pentium II 400 (2gb HD, 256MB RAM, 4
NICs). NICs are made by 3com, Intel and Broadcom. Currently running 1.3b2
(symptoms were the same with 1.22 and 1.23b2). My interfaces are WAN, LAN,
Vonage and Extranet. Laptop is connected to the Extranet interface which has
the following 3 firewall rules:

DENY Protocol-Any Source-Any Port-Any Destination-Vonage Port-Any DENY
Protocol-Any Source-Any Port-Any Destination-LAN Port-Any ALLOW Protocol-Any
Source-Extranet Port-Any Destination-Any Port-Any

On the ALLOW rule I added "Allow fragmented packets" as suggested by some
other members. I also enabled Advanced Outbound NAT as suggested by Chris
and created the following rule:

Interface-WAN Source-Extranet Destination-Any Target-Any (with no

So here is what happens. Note that the symptoms have been constant even with
all the changes listed above. I fire up the laptop and log into the VPN
client. It authenticates me and begins to log me in. Once Windows starts to
load, this is where the fun begins. It will take a minimum of 20 minutes
before I get to the desktop. Remember I said earlier that this takes 30
seconds with the Linksys. Once I finally reach my desktop, the VPN client is
still active but I am unable to access certain things such as my Exchange
e-mail via Outlook. The odd thing is that I can ping the mail server by IP
and by name. I can TermServ into boxes as well. So apparently the connection
is up, just not completely working.

I check the firewall states and see what looks to me like the connections
being established. I see my laptop's IP connecting to my work's IP (over ESP
packets without NAT-T and with UDP packets with NAT-T).

On a similar note, I have in the past tried to do this the other way. That
is, I have been outside my home network and brought up a VPN tunnel in (I
use PPTP) and then tried to log into my Windows 2003 domain. The symptoms
are actually very similar. Boot up take almost 30 minutes and only certain
things work. Maybe monowall dislikes certain kinds of packets (like
Kerberos) encapsulated in any sort of tunnel such as IPSec or PPTP?

I really REALLY don't want to have to end up running my monowall behind some
piece of crap Linksys but having full VPN access into work isn't really
something I can be without either. As always, any help is appreciated.

Brad D.
Network Administrator

-----Original Message-----
From: Chris Buechler [mailto:cbuechler at gmail dot com]
Sent: Sunday, January 14, 2007 3:31 PM
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] IPSec Pass-Through

On 1/14/07, Brad D. <Support at thedempsnetwork dot com> wrote:
> #4 Checked and saw that NAT-T is NOT enabled on the Nortel 
> concentrator at my work. From what I have read, if this was on I would
have no troubles.

Yes, the ideal solution, and maybe the only one that'll work, is to enable
NAT-T on the concentrator.

The other thing I'd suggest trying is enabling advanced outbound NAT and
creating a NAT rule using the "disable port mapping" option so the source
ports don't get re-mapped.  Some VPN concentrators don't work unless you do


No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.432 / Virus Database: 268.16.12/628 - Release Date: 1/15/2007
11:04 AM

No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.432 / Virus Database: 268.16.12/628 - Release Date: 1/15/2007
11:04 AM