 From:  "Brad D." <Support at TheDempsNetwork dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] IPSec Pass-Through
 Date:  Thu, 18 Jan 2007 12:48:50 -0500
Thanks for your input Neil. I do have "allow fragmented packets" on my allow
rule for my LAN interface. The interface has 3 rules:

Deny * to LAN1
Deny * to LAN2
Allow LAN3 to * (fragmented packets allowed)

And yet, I AM able to connect to my VPN but cannot pass certain types of
traffic, specifically those that Windows uses for authentication. I can ping
a client inside my work network but cannot open my Exchange e-mail via

So I don't think this is a "VPN passthrough" issue anymore. Because SOME but
not ALL traffic gets by. Something in the firewall is stripping out certain
packets and not others. The "fragmented packets" rule being enabled sounds
like the perfect answer, yet I still can't pass certain types of traffic
over the VPN.

On a similar note, in the past I had my wireless access point connected to
LAN2 on its own subnet and my domain controller connected to LAN1 on a
different subnet. LAN2 was granted full access to LAN1. Wired clients on
LAN2 were able to talk to the domain controller on LAN1 on all protocols.
Wireless clients on LAN2, however, could not access LAN1 using Windows
protocols used for authentication. The only thing different is that the
packets were formed differently because they are coming over a wireless
access point.

Anyone else ever do something similar?

-----Original Message-----
From: Neil A. Hillard [mailto:m0n0 at dana dot org dot uk] 
Sent: Tuesday, January 16, 2007 1:46 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] IPSec Pass-Through


In message <002501c7391e$ef148510$c719a8c0 at TheDempsNetwork dot com>, Brad D.
<Support at TheDempsNetwork dot com> writes
>Thanks for the input Chris. I tried your suggestion and it did not have 
>any effect on the VPN client. What it did though was greatly reduce the 
>time it takes for me to load webpages. Very odd, since all I did in 
>advanced NAT was create rules to allow the entire internal subnet to be 
>NATted when going out the WAN port.
>Regardless, now I am really in trouble. I was able to get the lead 
>network engineer to enable NAT-T on the Nortel VPN concentrator and I'm 
>still not passing data the way I should be. The Nortel client on my 
>laptop is even showing that NAT-T is enabled. I'll try and explain what 
>I am doing and see if any of you guys can lend a hand.
>I'm using the Nortel Contivity VPN client (set up to run as the Windows
>GINA) to allow me to bring up my VPN tunnel prior to logging into my 
>Windows XP laptop. I am hard wired into my switch which is connected to my
>When I use a generic 4 port Linksys router (BEFSR41 v2) in place of my 
>monowall, I am able to bring up the VPN and log into my laptop. The 
>whole process to get the machine fully up and running takes about 30 second
>To make this work, I have to check off a box on the Linksys called 
>"Allow IPSec Pass-through".
>My monowall is a generic PC image Pentium II 400 (2gb HD, 256MB RAM, 4 
>NICs). NICs are made by 3com, Intel and Broadcom. Currently running 
>1.3b2 (symptoms were the same with 1.22 and 1.23b2). My interfaces are 
>WAN, LAN, Vonage and Extranet. Laptop is connected to the Extranet 
>interface which has the following 3 firewall rules:
>DENY Protocol-Any Source-Any Port-Any Destination-Vonage Port-Any
>DENY Protocol-Any Source-Any Port-Any Destination-LAN Port-Any
>ALLOW Protocol-Any Source-Extranet Port-Any Destination-Any Port-Any
>On the ALLOW rule I added "Allow fragmented packets" as suggested by 
>some other members. I also enabled Advanced Outbound NAT as suggested 
>by Chris and created the following rule:
>Interface-WAN Source-Extranet Destination-Any Target-Any (with no
>So here is what happens. Note that the symptoms have been constant even 
>with all the changes listed above. I fire up the laptop and log into 
>the VPN client. It authenticates me and begins to log me in. Once 
>Windows starts to load, this is where the fun begins. It will take a 
>minimum of 20 minutes before I get to the desktop. Remember I said 
>earlier that this takes 30 seconds with the Linksys. Once I finally 
>reach my desktop, the VPN client is still active but I am unable to 
>access certain things such as my Exchange e-mail via Outlook. The odd 
>thing is that I can ping the mail server by IP and by name. I can 
>TermServ into boxes as well. So apparently the connection is up, just not
>completely working.
>I check the firewall states and see what looks to me like the 
>connections being established. I see my laptop's IP connecting to my 
>work's IP (over ESP packets without NAT-T and with UDP packets with NAT-T).
>On a similar note, I have in the past tried to do this the other way. 
>That is, I have been outside my home network and brought up a VPN 
>tunnel in (I use PPTP) and then tried to log into my Windows 2003 
>domain. The symptoms are actually very similar. Boot up takes almost 30 
>minutes and only certain things work. Maybe monowall dislikes certain 
>kinds of packets (like Kerberos) encapsulated in any sort of tunnel such
>as IPSec or PPTP?
>I really REALLY don't want to have to end up running my monowall behind 
>some piece of crap Linksys but having full VPN access into work isn't 
>really something I can be without either. As always, any help is
>Brad D.
>Network Administrator
>-----Original Message-----
>From: Chris Buechler [mailto:cbuechler at gmail dot com]
>Sent: Sunday, January 14, 2007 3:31 PM
>Cc: m0n0wall at lists dot m0n0 dot ch
>Subject: Re: [m0n0wall] IPSec Pass-Through
>On 1/14/07, Brad D. <Support at thedempsnetwork dot com> wrote:
>> #4 Checked and saw that NAT-T is NOT enabled on the Nortel 
>> concentrator at my work. From what I have read, if this was on I 
>> would have no troubles.
>Yes, the ideal solution, and maybe the only one that'll work, is to 
>enable NAT-T on the concentrator.
>The other thing I'd suggest trying is enabling advanced outbound NAT 
>and creating a NAT rule using the "disable port mapping" option so the 
>source ports don't get re-mapped.  Some VPN concentrators don't work 
>unless you do this.

OK, my situation is nothing like yours - I use SecuRemote to a Checkpoint
firewall but had problems initially.

Try enabling 'allow fragmented packets' against the rule that allows your
LAN client out to WAN.  It resolved my problem, hopefully it'll do the same
for you.



Neil A. Hillard                E-Mail:   m0n0 at dana dot org dot uk
