I had done one of the captures before (though I did not keep the capture). Without ISA (i.e., when I was using Linksys instead of ISA), it used UDP/500 and IP 50. However, I gather from the posts above that it can use UDP/10001 instead of IP 50.
Haven't analyzed the ISA logs yet, nor done the netmon trace with ISA. I guess that's next...
Apparently the early Nortel switches only did IP 50 and not UDP encapsulation, but the later ones did. (Not being a Nortel expert, I say "apparently"). In an earlier post in this thread, someone said the server needs to be at ver 4.0. I just found out our server is not at this rev level, so I think I'm OOL for the moment.
I'll try some of the other ideas; also, maybe I'll try to get them to upgrade our server! Thanks!
RE: Nortel Contivity through ISA - 29.May2002 7:19:00 PM
I have worked through the very same issue. I do not know the version of the remote Nortel server because it is a government site and they were unwilling to give me that information. Nonetheless, here is what I had to set up to get it to work.
- UDP port 500 (Send)
- UDP port 10000 (Send)
I did not create any protocol rules. However, I did set up some packet filters.
- TCP, Direction = both, local port = ALL, remote port = 10000
- TCP, Direction = both, local port = ALL, remote port = 500
- UDP, Direction = both, local port = Fixed 10000, remote port = 10000
- UDP, Direction = both, local port = Fixed 500, remote port = 500
- Custom, Protocol #50, Direction = both
I am not sure that this is the best solution, but it does work. I am going to do some testing to ensure there are no glaring security holes. But for now it solves my problem.
This is *not* the optimum configuration. I would do it this way:
Create two protocol definitions:
- UDP Port 500 Send Receive: this is for the IKE protocol (key negotiation).
- UDP Port XXXX Send Receive: this is for the UDP-encapsulated ESP packets. The administrator of the VPN gateway should be able to tell you the exact port number to use.
Next, create a protocol rule that allows those two created protocols.
Finally, get rid of all those ugly packet filters.
BTW --- I often see people use packet filters when they are definitely not needed. So, if you don't need them, don't use them! Remember that packet filters are static. On the other hand, protocol rules open only the necessary port when it is needed (dynamically).
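The two posts above disagree on how to open the firewall but agree on what the Nortel client actually sends: IKE on UDP/500, plus either native ESP (IP protocol 50) or ESP encapsulated in UDP on 10000 or 10001. The following Python is an added example, not code from this thread or from Nortel or Microsoft: it parses constructed IPv4/UDP packets (assumed to be a sample capture), labels each one as IKE, UDP-encapsulated ESP or native ESP, and derives the minimal set of protocol definitions the firewall must pass. The encapsulation port set, the sample addresses and the packet contents are assumptions made up for the example; Nortel's UDP encapsulation format is not inspected beyond the port number.

```python
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_UDP = 17
IPPROTO_ESP = 50
IKE_PORT = 500
# UDP encapsulation ports reported in the thread for the Nortel Contivity client (assumption:
# both are possible; standards-based NAT-T per RFC 3948 uses UDP/4500 and is not covered here).
NORTEL_NAT_T_PORTS = {10000, 10001}


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int]
    dport: Optional[int]
    payload: bytes


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_ipv4(src: str, dst: str, proto: int, body: bytes) -> bytes:
    """Build a minimal IPv4 packet (20-byte header, checksum left zero) for the constructed sample."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                         ip_to_bytes(src), ip_to_bytes(dst))
    return header + body


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def parse_ipv4(raw: bytes) -> Packet:
    """Parse the IPv4 header and, for UDP, the UDP header; reject truncated or non-IPv4 input."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    if raw[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("bad IHL")
    proto = raw[9]
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    body = raw[ihl:]
    if proto == IPPROTO_UDP:
        if len(body) < 8:
            raise ValueError("truncated UDP header")
        sport, dport, _length, _csum = struct.unpack("!HHHH", body[:8])
        return Packet(src, dst, proto, sport, dport, body[8:])
    return Packet(src, dst, proto, None, None, body)


def classify(pkt: Packet) -> str:
    """Name the IPsec component a packet belongs to, or 'other'."""
    if pkt.proto == IPPROTO_ESP:
        # Native ESP (RFC 2406/4303): the header starts with a 4-byte SPI and a 4-byte sequence number.
        if len(pkt.payload) >= 8:
            return "ESP spi=0x%08x" % struct.unpack("!I", pkt.payload[:4])[0]
        return "ESP (truncated)"
    if pkt.proto == IPPROTO_UDP:
        if IKE_PORT in (pkt.sport, pkt.dport):
            return "IKE"
        if pkt.sport in NORTEL_NAT_T_PORTS or pkt.dport in NORTEL_NAT_T_PORTS:
            return "UDP-encapsulated ESP"
    return "other"


def required_openings(raw_packets) -> set:
    """Return the (protocol, port-or-protocol-number) pairs the firewall must pass for this
    traffic, i.e. the protocol definitions the thread says to create on ISA."""
    needed = set()
    for raw in raw_packets:
        pkt = parse_ipv4(raw)
        kind = classify(pkt)
        if kind == "IKE":
            needed.add(("UDP", IKE_PORT))
        elif kind == "UDP-encapsulated ESP":
            needed.add(("UDP", pkt.dport if pkt.dport in NORTEL_NAT_T_PORTS else pkt.sport))
        elif kind.startswith("ESP"):
            needed.add(("IP", IPPROTO_ESP))
    return needed


# Constructed sample "capture": client 192.168.1.10 behind the firewall, VPN gateway 203.0.113.5.
CLIENT, GATEWAY = "192.168.1.10", "203.0.113.5"
ESP_BODY = struct.pack("!II", 0x1234ABCD, 1) + bytes(16)  # SPI, sequence, dummy ciphertext
SAMPLE_PACKETS = [
    build_ipv4(CLIENT, GATEWAY, IPPROTO_UDP, build_udp(500, 500, bytes(28))),       # IKE main mode
    build_ipv4(CLIENT, GATEWAY, IPPROTO_UDP, build_udp(10001, 10001, ESP_BODY)),    # UDP-encapsulated ESP
    build_ipv4(GATEWAY, CLIENT, IPPROTO_ESP, ESP_BODY),                             # native ESP, inbound
    build_ipv4(CLIENT, "192.168.1.1", IPPROTO_UDP, build_udp(40000, 53, bytes(12))),  # unrelated DNS
]

if __name__ == "__main__":
    for raw in SAMPLE_PACKETS:
        pkt = parse_ipv4(raw)
        print(pkt.src, "->", pkt.dst, pkt.sport, pkt.dport, classify(pkt))
    print("protocol definitions needed:", sorted(required_openings(SAMPLE_PACKETS)))
```

Run against a real capture, the output of `required_openings` is the list of protocol definitions to create; if it contains ("IP", 50) the gateway is sending native ESP, which the thread says the older switches do and which a NAT device cannot handle, so the gateway side must be switched to UDP encapsulation rather than the firewall opened further.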
RE: Nortel Contivity through ISA - 30.May2002 1:26:00 AM
I had a feeling I would get a response. Before I came to my Band-Aid solution I had attempted your solution and several variations with no success. I would love to axe the packet filters and stick with the more manageable protocol rules, but I have not been able to get that configuration running. From the look of some of the other posts I am not alone. I have heard that there may be a trick to the send/receive receive/send combinations that will allow it to run. Unfortunately I don't have the ability to test/try any of these combinations as I am using a production ISA server for my testing (Again not ideal, but life is not ideal).
Well, I'm pretty sure the recommended configuration is the good one. You don't need packet filters for that. Look again in the above posts and you will see that Isaac Martinez has got it running that way. Moreover, it is the same basic setup as for a Checkpoint, Cisco, Netscreen, ... VPN client with the NAT traversal feature.
One thing you must keep in mind is that the client must be a SecureNAT client and that the firewall client must be disabled when setting up the VPN connection. Also, when certificates are involved disable filtering of IP fragments on ISA.
Let me jump on the train and say that this is great reading. I have an ISA server at home as firewall and tried to use VPN through our Nortel Contivity switch at corporate without success. I'm going to re-install the client tonight and give it a shot.
Ok guys, disappointing results. It connects half way and dies out when it says "checking for banner text from: xxx.xxx.xxx.xxx (ip address)". It gets an IP and name servers assignment, but the connection times out after the banner text message. Our Nortel switch has the latest firmware and I am using the latest client software trying to reach it from behind ISA server. I opened up UDP port 500 and 10001. It does not matter whether I use SecureNAT or Firewall client software. Neither worked for me. Any thoughts??
Sorry, you'll have to pardon my frustration. My company seems to have an affinity for implementing software that doesn't work with the mainstream. (go figure) Nortel has problems with other protocol construction concerning other things as well. We're trying to upgrade our Cell Relay equipment to new Cisco gear. Well, the Cisco can't talk to our Nortel gear because of a poorly constructed protocol stack. This simply fits right in with your theory that it actually isn't Mickeysoft.
I am sorry that I haven't gotten back to this topic for a while. I gave up a while back because no matter what I tried, nothing worked. I do need to check the logs again and see what they tell me. At the Nortel Contivity switch, the log simply shows "Authentication failure", so it's not the switch. Obviously, the switch was waiting for a response from my end, but ISA was not allowing that response to pass through. Right now, if I need to get through my company's Nortel switch for VPN access, I use a laptop loaded with Zone Alarm directly connected to my broadband connection. (sad,..but it works!). Stay tuned...
Ok, below is what I get with default fields selected for the Firewall log; all fields logged for the IP packet filter log. The Nortel client software seems to try to ping the client if it realizes the conversation does not get through. I changed the firewall hostname and our Contivity switch's IP for security reasons. 18.104.22.168 is the firewall IP. The client machine with the Nortel client software installed has ISA as the default gateway with no firewall client software loaded.