SonicWall VPN Client

SonicWall VPN Client - 7.Jun.2003 6:01:00 AM   
scottpe

 

Posts: 3
Joined: 9.May2003
Status: offline
Hello,

Does anyone know how I can get the SonicWall VPN Client (SafeNet SoftRemote 8.0) working through an ISA Server? The Sonic Pro gateway endpoint has been upgraded to firmware 6.3. I have also configured protocol definitions for UDP ports 500 & 4500 - send/receive and a protocol rule to use the two custom definitions. I have tried to access the corp. network utilizing a SecureNAT and Firewall client with no success. Thanks in advance for the help.

Patrick
Post #: 1
RE: SonicWall VPN Client - 7.Jun.2003 2:06:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Patrick,

It sounds like you have already read my article http://www.isaserver.org/articles/IPSec_Passthrough.html . Good! So, I assume you understand why NAT-T is needed and how it works in general.

Unfortunately I haven't worked with the Sonic stuff. There were some posts about it. The best I have found is http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=001444 .

I would like to help as much as possible, but I think you should first contact the Sonic system administrator to see if the box is configured for NAT-T. Also, make sure you test first from a SecureNAT client only. So, disable the Firewall client if it is installed.

What is the firewall and packet filtering log telling you? Just make sure you enable on ISA the logging of all fields for good diagnosis. To understand what is logged, check out the ISA helpfile. There is a section called Firewall and Web Proxy log fields, a must read. Additional information can be found in the article http://support.microsoft.com/default.aspx?scid=kb;en-us;Q284818 . Also, are you able to take a network monitor trace on the ISA internal and external interface and interpret them?

HTH,
Stefaan

[ June 07, 2003, 02:10 PM: Message edited by: spouseele ]

(in reply to scottpe)
Post #: 2
RE: SonicWall VPN Client - 7.Jun.2003 5:50:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hey guys,

I've had no problem getting the Win2k/WinXP NAT-T client working to connect to a Win2003 VPN server. Works on both Firewall and SecureNAT clients. ISA Server must allow outbound UDP 500 send/receive and UDP 4500 send/receive.

Win2003 ISA firewall/VPN server needs packet filters for:

UDP 1701 receive/send
UDP 500 receive/send
UDP 4500 receive/send

It's interesting that they do not need a packet filter for IP Protocol 50 (ESP), even though the ESP header is exposed *before* the L2TP header is exposed. I have to assume that there is an "implicit" packet filter for ESP that allows it through the ISA firewall's packet filters (which is not documented, but it should be!)

HTH,
Tom

(in reply to scottpe)
Post #: 3
RE: SonicWall VPN Client - 8.Jun.2003 11:30:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tom,

... but this is *not* a Microsoft VPN client! [Big Grin]

Cheers,
Stefaan

(in reply to scottpe)
Post #: 4
RE: SonicWall VPN Client - 9.Jun.2003 2:20:00 AM   
sniper

 

Posts: 687
Joined: 9.Aug.2001
From: OK, USA
Status: offline
MS uses 4500 for NAT-T. Some still use 10000, so 10000 may have to be created as well. The SonicWall says it supports NAT-T, so my guess is it uses 10000 for NAT-T.

(in reply to scottpe)
Post #: 5
RE: SonicWall VPN Client - 9.Jun.2003 11:17:00 AM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hey guys,

According to the SonicWALL website, the implementation should be IETF NAT-T compliant. Therefore I assume it uses UDP port 500 and 4500. However, I've seen one post on the message board stating that the VPN client must be configured for aggressive mode, otherwise the IKE negotiation would not start on the standard UDP port 500 but on a high numbered UDP port. For more info, check out http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=001444 .

HTH,
Stefaan

(in reply to scottpe)
Post #: 6
RE: SonicWall VPN Client - 9.Jun.2003 7:25:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Stefaan,

If Cisco doesn't use UDP 4500, it's not RFC compliant, and it doesn't look like SonicWall is RFC compliant either if they are requiring Aggressive Mode and not using 4500 for NAT-T.

Thanks!
Tom

(in reply to scottpe)
Post #: 7
RE: SonicWall VPN Client - 9.Jun.2003 8:30:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tom,

I don't know if you will like it, but Cisco is moving in the right direction! [Big Grin]

The latest firmware for the Cisco VPN Concentrator 3000 series and the Cisco PIX support standard IPSec NAT-T on UDP port 500 and 4500. Don't know about the IOS VPN firmware for routers.

Thanks,
Stefaan

[ June 09, 2003, 09:26 PM: Message edited by: spouseele ]

(in reply to scottpe)
Post #: 8
RE: SonicWall VPN Client - 10.Jun.2003 2:44:00 AM   
scottpe

 

Posts: 3
Joined: 9.May2003
Status: offline
Thanks for the responses to my original message. Although everyone has provided some helpful information, I have not been able to get this to work. Just some background: I have been able to get the Cisco VPN client to work from behind my ISA server without any major problems, by simply allowing UDP ports 500 and 10000. Before I posted my message concerning the SonicWall client I tried opening UDP ports 500, 4500 and 10000. In addition, due to some information I received on the board, I have also opened ports 62516 and 62514. I have confirmed through a network sniffer that Sonic is transmitting packets with these (62514 & 62516) UDP port numbers. I have also seen some random UDP ports Sonic is trying to use, such as 2016, but this seems to change on each attempt. It consistently tries UDP ports 62514 and 62516. I'm trying to help a friend who just started his new job with this problem; we've all been there. He has contacted Sonic and received the following information:
"The following services need to be opened on any router or firewall in front
of the VPN client:
UDP port 500 for IKE
IP protocol 50 for IPSec
If these services are open on the local firewall or router and you still
have problems, check with your ISP to see if they are supporting IKE and
IPsec. They may be blocking these protocols."

Again, thanks for everyone's help thus far. I hope someone comes up with an answer soon.

Patrick,

(in reply to scottpe)
Post #: 9
RE: SonicWall VPN Client - 10.Jun.2003 2:46:00 PM   
sniper

 

Posts: 687
Joined: 9.Aug.2001
From: OK, USA
Status: offline
It's all in the version of the NAT-T draft that they support!

(in reply to scottpe)
Post #: 10
RE: SonicWall VPN Client - 10.Jun.2003 8:53:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by P. Scott:
Thanks for the responses to my original message. Although everyone has provided some helpful information, I have not been able to get this to work. Just some background: I have been able to get the Cisco VPN client to work from behind my ISA server without any major problems, by simply allowing UDP ports 500 and 10000. Before I posted my message concerning the SonicWall client I tried opening UDP ports 500, 4500 and 10000. In addition, due to some information I received on the board, I have also opened ports 62516 and 62514. I have confirmed through a network sniffer that Sonic is transmitting packets with these (62514 & 62516) UDP port numbers. I have also seen some random UDP ports Sonic is trying to use, such as 2016, but this seems to change on each attempt. It consistently tries UDP ports 62514 and 62516. I'm trying to help a friend who just started his new job with this problem; we've all been there. He has contacted Sonic and received the following information:
"The following services need to be opened on any router or firewall in front
of the VPN client:
UDP port 500 for IKE
IP protocol 50 for IPSec
If these services are open on the local firewall or router and you still
have problems, check with your ISP to see if they are supporting IKE and
IPsec. They may be blocking these protocols."

Again, thanks for everyone's help thus far. I hope someone comes up with an answer soon.

Patrick,

Hi Patrick,

That might be the problem right there! If their tech support says to open the IKE port and the ESP IP Protocol number listener, then they aren't even supporting NAT-T!

HTH,
Tom

(in reply to scottpe)
Post #: 11
RE: SonicWall VPN Client - 10.Jun.2003 9:12:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Chris,

quote:
Originally posted by cgregory:
It's all in the version of the NAT-T draft that they support!

The UDP port 4500 was already defined in draft 2 of the NAT-T specifications, dated 10 April 2002. Most implementations I know of today use at minimum this one.

HTH,
Stefaan

(in reply to scottpe)
Post #: 12
RE: SonicWall VPN Client - 10.Jun.2003 9:19:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Patrick,

As Tom mentioned, if Sonic said it requires IP protocol 50 for IPSec, then they do not know their own products! [Razz]

Check out the other post http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=001444 I already mentioned. It sounds like you have exactly the same problem as Matt had. So, I think it is a configuration problem on the Sonic VPN gateway or client, not ISA server. Just keep in mind that the IPSec implementation MUST support NAT-T in order to pass through ISA server.

HTH,
Stefaan

(in reply to scottpe)
Post #: 13
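
For reading the network monitor trace suggested earlier in this thread, the following sketch classifies raw IPv4 packets as IKE on UDP 500, NAT-T traffic on UDP 4500, native ESP, or something else. It is an added example, not code from any poster or vendor; the function names and all packet bytes are constructed for illustration, and the UDP 4500 markers follow RFC 3947/3948.

```python
# Added example: function names are hypothetical, sample packets are constructed.
import struct

IKE_EXCHANGE = {2: "main mode", 4: "aggressive mode"}  # ISAKMP exchange types

def ike_mode(ike: bytes) -> str:
    # Exchange type is byte 18 of the 28-byte ISAKMP header (after two 8-byte cookies).
    if len(ike) < 28:
        return ""
    return ", " + IKE_EXCHANGE.get(ike[18], f"exchange type {ike[18]}")

def classify(packet: bytes) -> str:
    """Classify one raw IPv4 packet (no link-layer header) from a trace."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not IPv4"
    ihl, proto = (packet[0] & 0x0F) * 4, packet[9]
    if proto == 50:
        return "native ESP (IP protocol 50), not UDP-encapsulated"
    if proto != 17 or len(packet) < ihl + 8:
        return f"other (IP protocol {proto})"
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    data = packet[ihl + 8:]
    if 500 in (sport, dport):
        return "IKE on UDP 500" + ike_mode(data)
    if 4500 in (sport, dport):
        if data == b"\xff":
            return "NAT-T keepalive on UDP 4500"
        if data[:4] == b"\x00" * 4:  # non-ESP marker precedes IKE on 4500
            return "IKE on UDP 4500 (NAT-T)" + ike_mode(data[4:])
        return "ESP in UDP 4500 (NAT-T)"
    return f"UDP {sport}->{dport}: not a standard IKE/NAT-T port"

# --- Constructed sample packets (documentation addresses, zero checksums) ---
def build(proto, payload=b"", sport=0, dport=0):
    if proto == 17:
        payload = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1])) + payload

def ike_header(exchange):
    return (b"\x11" * 8 + b"\x00" * 8 + bytes([1, 0x10, exchange, 0])
            + b"\x00" * 4 + struct.pack("!I", 28))

if __name__ == "__main__":
    for pkt in (build(17, ike_header(4), 500, 500),
                build(17, b"\x00" * 4 + ike_header(2), 4500, 4500),
                build(50, b"\x12\x34\x56\x78" + b"\x00" * 12)):
        print(classify(pkt))
```

A trace that shows only the first and last kinds of packet, with nothing on UDP 4500, matches the situation described above where the IPSec implementation is not using NAT-T.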
RE: SonicWall VPN Client - 10.Jun.2003 9:22:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Stefaan,

Good point! That is what is so frustrating. All the lower level tech support people think of firewalls as:

www.tacteam.net/openport.htm

[Smile]

Thanks!
Tom

(in reply to scottpe)
Post #: 14
RE: SonicWall VPN Client - 10.Jun.2003 9:26:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tom,

You really love that diagram, don't you! [Cool]

Cheers,
Stefaan

(in reply to scottpe)
Post #: 15
RE: SonicWall VPN Client - 10.Jun.2003 9:28:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Stefaan,

Yes! [Eek!]

Tom

(in reply to scottpe)
Post #: 16
RE: SonicWall VPN Client - 29.Apr.2016 7:22:19 AM   
anmol77

 

Posts: 1
Joined: 29.Apr.2016
Status: offline
Thanks for everything.

_____________________________

NOOR

(in reply to tshinder)
Post #: 17
