RE: ISAKMP Ports blocked when using VPN client?

From: Joseph Ezerski (jezerski@xxxxxxxxxxxx)
Date: Wed Aug 29 2001 - 21:03:14 GMT-3


I am no expert, but we use the Cisco VPN Concentrator (formerly Altiga). When
we set up ACLs or work with firewalls, we learned that the VPN Client software
has to do its phase I negotiation over UDP port 500 (ISAKMP). Once that is
complete and Phase II negotiation completes, the actual tunnel works over a
different port that we specify in the concentrator. The range is anywhere from
UDP 4000-10000. Assuming your PIX works the same, some firewalls may block udp
500 or not allow higher end ports like 4000 and up, figuring that well known
ports should cover most of the users' needs. Also, the nice thing about the VPN
client is that it will do IPSec over UDP and support NAT, given that IPSec has
no layer 4 port associations normally (it has to use UDP or even TCP). With the
Linksys, we have seen some issues. It appears that the Linksys devices support
IPSec pass-thru, thus getting around the NAT issue. The only problem with that
is, you can only do it for one client at a time, per IPSec tunnel destination.
I see IPSec pass-thru as a bit of a hack as it is doing "NAT-like" functions.
Anyway, the long and the short of it is that you may wanna check your firewall
rules and also see if your version of the client does IPSec over UDP, so you
can NAT properly.

-Joe
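The two failure modes Joe describes, a remote-site firewall that only opens ISAKMP and well-known ports, and a PAT router that cannot multiplex port-less ESP, modelled as an added example (this is not code from the thread or from Cisco; the firewall policy, addresses and port numbers are constructed for illustration):

```python
"""Model why a Cisco VPN client can fail behind a remote firewall or PAT router.

Constructed model of two points from the thread:
  * a remote-site firewall permitting only ISAKMP (UDP 500) and well-known
    ports, so phase 1 succeeds but the IPsec-over-UDP data port (4000-10000)
    is dropped;
  * a PAT router translating ESP (IP protocol 50, no layer-4 port) versus
    UDP-encapsulated IPsec, which is why IPsec pass-thru can only serve one
    inside client per tunnel destination.
"""
from dataclasses import dataclass
from typing import Dict, Optional

ESP, UDP, ISAKMP_PORT = 50, 17, 500


@dataclass(frozen=True)
class Flow:
    proto: int
    src_ip: str
    src_port: Optional[int]   # None for ESP: it carries no layer-4 port
    dst_ip: str
    dst_port: Optional[int]


def remote_firewall_permits(flow: Flow, allow_high_udp: bool = False) -> bool:
    """Constructed outbound policy: ISAKMP plus well-known ports only, unless
    the administrator also opens the concentrator's UDP 4000-10000 range."""
    if flow.proto == ESP:
        return False                      # many site firewalls drop non-TCP/UDP
    if flow.proto == UDP and flow.dst_port == ISAKMP_PORT:
        return True                       # phase 1 gets through
    if flow.dst_port is not None and flow.dst_port < 1024:
        return True
    return allow_high_udp and flow.proto == UDP and 4000 <= flow.dst_port <= 10000


class PatRouter:
    """Minimal PAT: UDP flows get a unique outside port; ESP has none, so the
    pass-thru hack can only track one inside host per tunnel destination."""
    def __init__(self, outside_ip: str) -> None:
        self.outside_ip, self.next_port = outside_ip, 40000
        self.esp_owner: Dict[str, str] = {}   # dst_ip -> inside host using ESP

    def translate(self, flow: Flow) -> Optional[Flow]:
        if flow.proto == ESP:
            owner = self.esp_owner.setdefault(flow.dst_ip, flow.src_ip)
            if owner != flow.src_ip:
                return None               # second client to same peer: collision
            return Flow(ESP, self.outside_ip, None, flow.dst_ip, None)
        self.next_port += 1               # UDP encapsulation gives PAT a port to rewrite
        return Flow(flow.proto, self.outside_ip, self.next_port, flow.dst_ip, flow.dst_port)
```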

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Joseph McEvoy
Sent: Wednesday, August 29, 2001 2:46 PM
To: ccielab@groupstudy.com
Subject: ISAKMP Ports blocked when using VPN client?

Hello Group,

I have installed a PIX running 6.01 and configured it for Cisco's latest VPN
client 3.02. Anyway, it works like a charm except when the user is at a
remote location with firewall. I don't believe this is a NAT/PAT issue, as I
can connect from home using a Linksys router that is doing PAT. My only
guess is that our PIX (the VPN termination point) is initiating an ISAKMP
key exchange back to the client after the client goes through exchanging its
key.

Does anybody have a workaround, or at the very least can anybody confirm why
this is happening?
TIA -Joe McEvoy
**Please read:http://www.groupstudy.com/list/posting.html



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:32:00 GMT-3