Welcome to ISAserver.org

Passing SonicWall Client

All Forums >> [ISA Server 2000 Firewall] >> VPN >> Passing SonicWall Client Page: [1]
Passing SonicWall Client - 3.Apr.2003 6:51:00 PM   
msonnentag (Posts: 63, Joined: 7.Jan.2002, From: Minneapolis, MN)
There are quite a few posts here that deal with this, but nothing I have been able to glean from the forums has helped.

I am trying to put the sonicwall VPN client on a machine behind my ISA firewall and connect to a VPN hosted by my ISP. I can put this client on a machine outside ISA and get connected just fine, but not from inside the ISA server.

Can anyone help? [Confused]
Post #: 1
RE: Passing SonicWall Client - 4.Apr.2003 4:44:00 PM   
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas)
Hi M,

What are the *exact* VPN protocols used by the client and server?

Thanks!
Tom

(in reply to msonnentag)
Post #: 2
RE: Passing SonicWall Client - 7.Apr.2003 5:11:00 PM   
msonnentag (Posts: 63, Joined: 7.Jan.2002, From: Minneapolis, MN)
Hi Tom,

When I start the VPN client it goes through the following steps:

Makes a UDP connection attempt from a dynamic port to port 62516 on the VPN server. That is all that I ever see behind ISA. It's almost like my initial requests never get out of the firewall. Nothing is logged on ISA that I can find.

I hooked this PC up outside the firewall and traced it as well. Here are the steps it goes through.

"First attempts to see if the connection is up"
My PC(1.1.1.1) broadcasts (255.255.255.255) on UDP port 62514 to 62516.

Figures out the connection isn't up.

Makes a UDP connection attempt from a dynamic port to port 62516 on the VPN server.

Server responds from port 62516 to port 62514 on my PC and the connection is established.

Hope this helps. My internal PCs are all SecureNAT clients and the Firewall client is not used anywhere internally.

(in reply to msonnentag)
Post #: 3
RE: Passing SonicWall Client - 7.Apr.2003 7:52:00 PM   
spouseele (Posts: 12830, Joined: 1.Jun.2001, From: Belgium)
Hi msonnentag,

check out a draft of my new article over at http://users.skynet.be/spouseele/NAT-T/IPSec_NAT-T.htm .

HTH,
Stefaan

(in reply to msonnentag)
Post #: 4
RE: Passing SonicWall Client - 7.Apr.2003 10:56:00 PM   
msonnentag (Posts: 63, Joined: 7.Jan.2002, From: Minneapolis, MN)
Thanks, it looks at least like some new material to read. I will review and post an update back here.

(in reply to msonnentag)
Post #: 5
RE: Passing SonicWall Client - 16.Apr.2003 5:26:00 PM   
msonnentag (Posts: 63, Joined: 7.Jan.2002, From: Minneapolis, MN)
Thanks spouseele for the great article.

After much tugging of hair this finally is working and I do have the Sonic client doing IPSec via ISA without a problem. Another big part of getting this all working is to have the cooperation of the folks on the other side of the VPN. What we discovered is that the client needed to be set up in aggressive mode and that caused it to use port 500. I don't know the ins/outs of Sonic VPNs, but we eventually solved this by using the Ethereal sniffer and just watching what the client did when it started up (we did this both behind and in front of ISA). We discovered that it never tried to negotiate the ISAKMP session, it just wanted to start working on the UDP port. Once we reconfigured everything it worked great.

In short, this is what a good session looks like. We are trying to ping the server on the other end of the VPN (10.0.0.2); my station is 192.168.0.1 and the VPN gateway is 1.1.1.1.

1) ICMP PING request from 192.168.0.1 to 10.0.0.2
2) UDP from 127.0.0.1#62514 to 192.168.0.1#62516
3) UDP from 192.168.0.1#dynam1 to 1.1.1.1#62516
4) ISAKMP from 192.168.0.1#500 to 1.1.1.1#500 (Aggressive)
5) ISAKMP from 1.1.1.1#500 to 192.168.0.1#500 (Aggressive)
6) ISAKMP from 192.168.0.1#500 to 1.1.1.1#500 (Aggressive)
7) ISAKMP from 192.168.0.1#500 to 1.1.1.1#500 (Quick Mode)
8) ISAKMP from 1.1.1.1#500 to 192.168.0.1#500 (Quick Mode)
9) ISAKMP from 192.168.0.1#500 to 1.1.1.1#500 (Quick Mode)
10) UDP from 192.168.0.1#dynam2 to 1.1.1.1#62516

After this point, 192.168.0.1 and 10.0.0.2 are talking and there is no problem.

One thing that we did find out is that if packets 5-9 are replaced by some kind of (Informational) message, you have a problem in negotiating keys, session, etc. This is a configuration issue between the gateway and client rather than an ISA problem.

Thanks all for the fantastic help on this! [Cool] [Cool]

(in reply to msonnentag)
Post #: 6
RE: Passing SonicWall Client - 16.Apr.2003 8:44:00 PM   
spouseele (Posts: 12830, Joined: 1.Jun.2001, From: Belgium)
Hi msonnentag,

good to hear you have it working and thanks for the follow up! [Smile]

Did you see any communication on UDP port 4500? It is my understanding that if the IPSec implementation supports NAT Traversal, then after about 2 request/response pairs, the traffic should move to UDP port 4500. For more info, check out http://www.isaserver.org/articles/IPSec_Passthrough.html .

Thanks,
Stefaan

(in reply to msonnentag)
Post #: 7
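An added example, not code from this thread or from any of the posters. It reads a trace written in the shape of msonnentag's numbered list in post #6 and reports what a practitioner wants to know from it: whether phase 1 (Aggressive mode, 3 messages; Main mode, 6) and Quick mode (3 messages) both completed with a reply from the gateway, whether an Informational message turned up in their place (the failure case described in post #6), whether any ISAKMP was seen at all (the original symptom behind ISA was only the UDP 62516 attempt), and whether the exchange moved to UDP 4500, which is what Stefaan asks about in post #7 and is the NAT-T sign to look for. The three traces, the 192.168.0.1/1.1.1.1 addresses, the "dynam1"/"dynam2" port labels and every function name are constructed for the example.

```python
"""Classify an IPSec client trace written in the post #6 list format (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One trace line: "N) PROTO from SRC[#PORT] to DST[#PORT] [(EXCHANGE)]"
LINE_RE = re.compile(
    r"^\s*\d+\)\s+(?P<proto>\S+)(?: PING request)? from (?P<src>[\d.]+)(?:#(?P<sport>\S+))?"
    r" to (?P<dst>[\d.]+)(?:#(?P<dport>\S+))?(?: \((?P<exch>[^)]+)\))?\s*$"
)

# Messages carried by a complete phase 1 exchange, and by Quick mode.
PHASE1_LEN = {"Aggressive": 3, "Main Mode": 6}
QUICK_MODE_LEN = 3

CLIENT, GATEWAY = "192.168.0.1", "1.1.1.1"  # addresses as used in post #6 (assumed)

# Constructed: the working session from post #6.
GOOD_TRACE = """\
1) ICMP PING request from 192.168.0.1 to 10.0.0.2
2) UDP from 127.0.0.1#62514 to 192.168.0.1#62516
3) UDP from 192.168.0.1#dynam1 to 1.1.1.1#62516
4) ISAKMP from 192.168.0.1#500 to 1.1.1.1#500 (Aggressive)
5) ISAKMP from 1.1.1.1#500 to 192.168.0.1#500 (Aggressive)
6) ISAKMP from 192.168.0.1#500 to 1.1.1.1#500 (Aggressive)
7) ISAKMP from 192.168.0.1#500 to 1.1.1.1#500 (Quick Mode)
8) ISAKMP from 1.1.1.1#500 to 192.168.0.1#500 (Quick Mode)
9) ISAKMP from 192.168.0.1#500 to 1.1.1.1#500 (Quick Mode)
10) UDP from 192.168.0.1#dynam2 to 1.1.1.1#62516
"""

# Constructed: the gateway answers phase 1 with an Informational message instead of
# an Aggressive reply (the "packets 5-9 replaced by Informational" case), so no SA is built.
BAD_TRACE = """\
1) ISAKMP from 192.168.0.1#500 to 1.1.1.1#500 (Aggressive)
2) ISAKMP from 1.1.1.1#500 to 192.168.0.1#500 (Informational)
3) ISAKMP from 192.168.0.1#500 to 1.1.1.1#500 (Aggressive)
4) UDP from 192.168.0.1#dynam2 to 1.1.1.1#62516
"""

# Constructed: a NAT-T capable pair that moves from UDP 500 to UDP 4500 after the
# first request/response, which is the behaviour post #7 asks about.
NATT_TRACE = """\
1) ISAKMP from 192.168.0.1#500 to 1.1.1.1#500 (Aggressive)
2) ISAKMP from 1.1.1.1#500 to 192.168.0.1#500 (Aggressive)
3) ISAKMP from 192.168.0.1#4500 to 1.1.1.1#4500 (Aggressive)
4) ISAKMP from 192.168.0.1#4500 to 1.1.1.1#4500 (Quick Mode)
5) ISAKMP from 1.1.1.1#4500 to 192.168.0.1#4500 (Quick Mode)
6) ISAKMP from 192.168.0.1#4500 to 1.1.1.1#4500 (Quick Mode)
"""


@dataclass
class Packet:
    proto: str
    src: str
    sport: Optional[str]
    dst: str
    dport: Optional[str]
    exch: Optional[str]


@dataclass
class Verdict:
    # ok | no_ike | phase1_failed | phase1_incomplete | phase2_failed | phase2_incomplete
    status: str
    phase1_msgs: int
    phase2_msgs: int
    informational: int
    nat_t: bool
    notes: List[str] = field(default_factory=list)


def parse_trace(text: str) -> List[Packet]:
    """Parse every non-empty line; an unparseable line is an error, not silently skipped."""
    pkts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable trace line: {line!r}")
        pkts.append(Packet(**m.groupdict()))
    return pkts


def classify(pkts: List[Packet], client: str = CLIENT, gateway: str = GATEWAY) -> Verdict:
    ike = [p for p in pkts if p.proto == "ISAKMP"]
    if not ike:
        # The original symptom: only the UDP 62516 attempt, never any IKE.
        return Verdict("no_ike", 0, 0, 0, False,
                       ["no ISAKMP at all: the client never negotiated, or UDP 500 never left the firewall"])
    p1 = [p for p in ike if p.exch in PHASE1_LEN]
    p2 = [p for p in ike if p.exch == "Quick Mode"]
    info = [p for p in ike if p.exch == "Informational"]
    # NAT-T is in use once either side is talking on UDP 4500.
    nat_t = any("4500" in (p.sport, p.dport) for p in ike)
    # A phase counts as complete only when the message count is reached AND the gateway replied.
    p1_done = bool(p1) and len(p1) >= PHASE1_LEN[p1[0].exch] and any(p.src == gateway for p in p1)
    p2_done = len(p2) >= QUICK_MODE_LEN and any(p.src == gateway for p in p2)
    notes = []
    if p1 and p1[0].src != client:
        notes.append("phase 1 was not initiated by the client address given")
    if info and not p1_done:
        status = "phase1_failed"
        notes.append("Informational instead of a phase 1 reply: client/gateway configuration mismatch")
    elif not p1_done:
        status = "phase1_incomplete"
    elif info and not p2_done:
        status = "phase2_failed"
        notes.append("Informational instead of Quick Mode: phase 2 configuration mismatch")
    elif not p2_done:
        status = "phase2_incomplete"
    else:
        status = "ok"
    return Verdict(status, len(p1), len(p2), len(info), nat_t, notes)


if __name__ == "__main__":
    for name, trace in (("good", GOOD_TRACE), ("bad", BAD_TRACE), ("nat-t", NATT_TRACE)):
        print(name, classify(parse_trace(trace)))
```

To use it on your own capture, write the packets out one per line in the same "N) PROTO from SRC#PORT to DST#PORT (EXCHANGE)" shape (Ethereal's ISAKMP dissector gives you the exchange type) and feed the text to parse_trace; a verdict of no_ike points at the firewall, phase1_failed or phase2_failed at the client/gateway configuration, as post #6 concludes.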
RE: Passing SonicWall Client - 11.Nov.2003 8:04:00 PM   
HdeJong (Posts: 2, Joined: 11.Nov.2003, From: the Netherlands)
Hello Stefaan

I created the protocol definitions and rule as described in your article, but instead of UDP port 4500 for the IPSec NAT-T rule I used UDP port 50 and it's working perfectly.

At my site I'm using ISA on W2K with all the patches. The client has a SonicWall SOHO3; on my laptop I'm using the SoftRemote 8.0.0 build 10 client with the security policy phase 1 negotiation in aggressive mode.

Regards
Herman

(in reply to msonnentag)
Post #: 8
RE: Passing SonicWall Client - 11.Nov.2003 9:09:00 PM   
spouseele (Posts: 12830, Joined: 1.Jun.2001, From: Belgium)
Hi Herman,

thanks for the info! [Smile]

Stefaan

(in reply to msonnentag)
Post #: 9
RE: Passing SonicWall Client - 11.Dec.2003 9:06:00 PM   
Guest
I would love to find out how this might work with a Firewall client and the SonicWall Global VPN Client. Any ideas?

(in reply to msonnentag)
  Post #: 10
RE: Passing SonicWall Client - 11.Dec.2003 9:34:00 PM   
spouseele (Posts: 12830, Joined: 1.Jun.2001, From: Belgium)
Hi Adam,

my advice is to test it first with the Firewall client disabled. Therefore, the internal host must be set up as a SecureNAT client too. Once that is working, you can then start to play with the Firewall client's *local* LAT.

HTH,
Stefaan

(in reply to msonnentag)
Post #: 11
RE: Passing SonicWall Client - 6.Dec.2008 7:47:36 AM   
zevan4 (Posts: 14, Joined: 16.Nov.2008)
Can you or someone explain in simple terms (like "do this in ISA and do that") what I can do to solve this issue?

thanks

_____________________________

Evan Camilleri
Holistic Malta

(in reply to msonnentag)
Post #: 12
