 From:  "Neil A. Hillard" <m0n0 at dana dot org dot uk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IPSec Pass-Through
 Date:  Tue, 16 Jan 2007 18:46:28 +0000

In message <002501c7391e$ef148510$c719a8c0 at TheDempsNetwork dot com>, Brad D.
<Support at TheDempsNetwork dot com> writes
>Thanks for the input Chris. I tried your suggestion and it did not have any
>effect on the VPN client. What it did though was greatly reduce the time it
>takes for me to load webpages. Very odd, since all I did in advanced NAT was
>create rules to allow the entire internal subnet to be NATted when going out
>the WAN port.
>Regardless, now I am really in trouble. I was able to get the lead network
>engineer to enable NAT-T on the Nortel VPN concentrator and I'm still not
>passing data the way I should be. The Nortel client on my laptop is even
>showing that NAT-T is enabled. I'll try and explain what I am doing and see
>if any of you guys can lend a hand.
>I'm using the Nortel Contivity VPN client (set up to run as the Windows
>GINA) to allow me to bring up my VPN tunnel prior to logging into my Windows
>XP laptop. I am hard wired into my switch which is connected to my monowall.
>When I use a generic 4 port Linksys router (BEFSR41 v2) in place of my
>monowall, I am able to bring up the VPN and log into my laptop. The whole
>process to get the machine fully up and running takes about 30 seconds total.
>To make this work, I have to check off a box on the Linksys called "Allow
>IPSec Pass-through".
>My monowall is a generic PC image Pentium II 400 (2gb HD, 256MB RAM, 4
>NICs). NICs are made by 3com, Intel and Broadcom. Currently running 1.3b2
>(symptoms were the same with 1.22 and 1.23b2). My interfaces are WAN, LAN,
>Vonage and Extranet. Laptop is connected to the Extranet interface which has
>the following 3 firewall rules:
>DENY Protocol-Any Source-Any Port-Any Destination-Vonage Port-Any
>DENY Protocol-Any Source-Any Port-Any Destination-LAN Port-Any
>ALLOW Protocol-Any Source-Extranet Port-Any Destination-Any Port-Any
>On the ALLOW rule I added "Allow fragmented packets" as suggested by some
>other members. I also enabled Advanced Outbound NAT as suggested by Chris
>and created the following rule:
>Interface-WAN Source-Extranet Destination-Any Target-Any (with no
>So here is what happens. Note that the symptoms have been constant even with
>all the changes listed above. I fire up the laptop and log into the VPN
>client. It authenticates me and begins to log me in. Once Windows starts to
>load, this is where the fun begins. It will take a minimum of 20 minutes
>before I get to the desktop. Remember I said earlier that this takes 30
>seconds with the Linksys. Once I finally reach my desktop, the VPN client is
>still active but I am unable to access certain things such as my Exchange
>e-mail via Outlook. The odd thing is that I can ping the mail server by IP
>and by name. I can TermServ into boxes as well. So apparently the connection
>is up, just not completely working.
>I check the firewall states and see what looks to me like the connections
>being established. I see my laptop's IP connecting to my work's IP (over ESP
>packets without NAT-T and with UDP packets with NAT-T).
>On a similar note, I have in the past tried to do this the other way. That
>is, I have been outside my home network and brought up a VPN tunnel in (I
>use PPTP) and then tried to log into my Windows 2003 domain. The symptoms
>are actually very similar. Boot-up takes almost 30 minutes and only certain
>things work. Maybe monowall dislikes certain kinds of packets (like
>Kerberos) encapsulated in any sort of tunnel such as IPSec or PPTP?
>I really REALLY don't want to have to end up running my monowall behind some
>piece of crap Linksys but having full VPN access into work isn't really
>something I can be without either. As always, any help is appreciated.
>Brad D.
>Network Administrator
>-----Original Message-----
>From: Chris Buechler [mailto:cbuechler at gmail dot com]
>Sent: Sunday, January 14, 2007 3:31 PM
>Cc: m0n0wall at lists dot m0n0 dot ch
>Subject: Re: [m0n0wall] IPSec Pass-Through
>On 1/14/07, Brad D. <Support at thedempsnetwork dot com> wrote:
>> #4 Checked and saw that NAT-T is NOT enabled on the Nortel
>> concentrator at my work. From what I have read, if this was on I would
>> have no troubles.
>Yes, the ideal solution, and maybe the only one that'll work, is to enable
>NAT-T on the concentrator.
>The other thing I'd suggest trying is enabling advanced outbound NAT and
>creating a NAT rule using the "disable port mapping" option so the source
>ports don't get re-mapped.  Some VPN concentrators don't work unless you do

OK, my situation is nothing like yours - I use SecuRemote to a
Checkpoint firewall but had problems initially.

Try enabling 'allow fragmented packets' against the rule that allows
your LAN client out to WAN.  It resolved my problem, hopefully it'll do
the same for you.



Neil A. Hillard                E-Mail:   m0n0 at dana dot org dot uk
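The two settings discussed in this thread ("disable port mapping" on the outbound NAT rule and "allow fragmented packets" on the pass rule) correspond, at the packet-filter level, to an ipnat map rule without a portmap clause and an ipf pass rule with keep frags. The fragment below is an added illustration, not m0n0wall's generated configuration and not from any poster; it assumes m0n0wall 1.x sits on IPFilter/ipnat, that the WAN interface is em0, that the Extranet interface is em2 with subnet 192.168.2.0/24, and that the concentrator's public address is a placeholder.

```conf
# --- ipnat.conf (outbound NAT on WAN) ---
# Weak for an IPsec client: "portmap ... auto" re-maps the UDP source port,
# so an IKE packet leaves from a port other than 500/4500. A concentrator
# without NAT-T will not answer it.
map em0 192.168.2.0/24 -> 0/32 portmap tcp/udp auto

# Preferred: no portmap clause, so ipnat keeps the original source port
# (only picking a new one on collision). This is what "disable port mapping"
# aims for; IKE still leaves from UDP 500 (or 4500 with NAT-T).
map em0 192.168.2.0/24 -> 0/32

# --- ipf.conf (Extranet interface, inbound from the laptop) ---
# Only the traffic the tunnel actually needs, with "keep frags" so fragmented
# IKE (large certificate payloads) and ESP packets are not dropped.
# CONCENTRATOR_IP is a placeholder, not a real address.
pass in quick on em2 proto udp from 192.168.2.0/24 to CONCENTRATOR_IP port = 500 keep state keep frags
pass in quick on em2 proto udp from 192.168.2.0/24 to CONCENTRATOR_IP port = 4500 keep state keep frags
pass in quick on em2 proto esp from 192.168.2.0/24 to CONCENTRATOR_IP keep state keep frags
```

With the first map rule in place, ipnat -l shows the IKE state with a translated source port; with the second, the source port stays 500, which is the quickest check that port mapping is actually disabled.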