RE: Interesting VPN Access Issue

From: Matthew Long (mlong@comms-care.com)
Date: Thu Sep 20 2007 - 12:45:45 ART


This problem often occurs where your office firewall is blocking the ESP
protocol (50).

My understanding of how this works (I think, please someone correct me
if I am wrong) is that your PC makes a connection using ISAKMP on UDP 500
outbound to set up the connection; this works fine, the connection is
set up and you get an IP. Because ISAKMP is a two-way connection, the return
traffic is passed back through your office firewall.
When you try to send data, this uses the ESP protocol, which is two one-way
connections (2 SAs): the outbound connection works fine, but your
office firewall blocks the return connection, hence no data.

Why does it work at home? Most home routers/firewalls support IPsec
pass-through and avoid this issue by allowing the ESP traffic back through
and mapping the ESP protocol directly to your PC. On an office firewall
this doesn't happen, because they may be terminating a different VPN or
because IPsec pass-through is not scalable to many users.

There are a number of ways that may allow you to work around this; IPsec
over UDP or TCP may help. The most reliable way I have found is to have
a static NAT for your PC on the office firewall and allow inbound on
UDP 500, protocol 50 and protocol 51.

Has anyone else found a way round this on an ASA, as there is no "inspect
IPSEC"?

Matt
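A toy model of the behaviour Matt describes, added here as an illustration and not part of the original thread or of any vendor's code: a stateful firewall that tracks UDP flows but knows nothing about IPsec lets the IKE reply on UDP 500 back in, yet drops the peer's inbound ESP SA, until explicit inbound permits for UDP 500, protocol 50 and protocol 51 are added. The addresses, the class names and the verdict strings are constructed for the example.

```python
from dataclasses import dataclass

# IP protocol numbers and the IKE port that the thread refers to
PROTO_UDP, PROTO_ESP, PROTO_AH, IKE_PORT = 17, 50, 51, 500
LAPTOP, PIX = "10.1.1.25", "203.0.113.10"  # constructed sample addresses

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0  # ESP and AH carry no ports; left at 0
    dport: int = 0

class StatefulFirewall:
    """Allow everything outbound; allow inbound only when it is the reply
    to a tracked outbound UDP flow or is matched by an explicit rule."""
    def __init__(self, inbound_rules=()):
        self.inbound_rules = set(inbound_rules)  # (dst, proto, dport)
        self.state = set()                       # expected reply tuples

    def outbound(self, p):
        if p.proto == PROTO_UDP:
            # the reply to a UDP flow is the same 5-tuple with ends swapped
            self.state.add((p.dst, p.src, p.proto, p.dport, p.sport))
        # ESP/AH have no ports: a box without IPsec pass-through records no
        # state, so the peer's inbound SA (a separate one-way flow) matches nothing
        return "ALLOW"

    def inbound(self, p):
        if (p.src, p.dst, p.proto, p.sport, p.dport) in self.state:
            return "ALLOW-STATE"
        if (p.dst, p.proto, p.dport) in self.inbound_rules:
            return "ALLOW-RULE"
        return "DROP"

def simulate(inbound_rules=()):
    """Replay the IKE exchange, then one packet on each ESP SA."""
    fw = StatefulFirewall(inbound_rules)
    fw.outbound(Packet(LAPTOP, PIX, PROTO_UDP, IKE_PORT, IKE_PORT))
    return {
        "ike_reply": fw.inbound(Packet(PIX, LAPTOP, PROTO_UDP, IKE_PORT, IKE_PORT)),
        "esp_out": fw.outbound(Packet(LAPTOP, PIX, PROTO_ESP)),
        "esp_in": fw.inbound(Packet(PIX, LAPTOP, PROTO_ESP)),
    }

# Matt's workaround: explicit inbound permits for UDP/500, ESP (50) and AH (51)
WORKAROUND = {(LAPTOP, PROTO_UDP, IKE_PORT), (LAPTOP, PROTO_ESP, 0), (LAPTOP, PROTO_AH, 0)}
if __name__ == "__main__":
    print(simulate(), simulate(WORKAROUND))
```

The same model shows why the UDP encapsulation Matt mentions can help: once ESP is carried inside a UDP flow, the return packets match the tracked outbound state like the IKE reply does.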

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Mohammad Saeed
Sent: 20 September 2007 15:13
To: Joseph Brunner
Cc: Cisco certification
Subject: Re: Interesting VPN Access Issue

Let me clarify the situation a little bit.

I am in my office and have no idea what type of FW/router is used in
my office. So, I connect my laptop to the office network, get a unique IP,
open up Cisco VPN Client, and establish the tunnel to a PIX FW somewhere
on the internet, to its external interface which has a public IP. The
tunnel is established and my VPN Adapter gets an IP from the 10.0.0.0 network
as configured on our client's PIX FW. Now the tunnel is stable but I
cannot reach any device on the 10.0.0.0 network.

Now I just took my laptop home and connected to my home internet
connection, where I have a LinkSys wireless router connecting to a cable
modem. Now my laptop got the IP 192.168.1.100 from the wireless router,
and I can browse the internet. I establish the VPN tunnel exactly the same
way as I establish it in the office without any change; the tunnel is established
and stable. My VPN Adapter received an IP from the same 10.0.0.0 network. I
can ping/telnet to almost any device on the 10.0.0.0 network.

Now my suspicion is that, as IPSec uses just three packets in AGGRESSIVE
Mode for key exchange and probably after that the tunnel is established,
maybe there is some IDS in our office network which does not detect
that something suspicious is going on for the first few packets and the
tunnel is established, and then it sees some unusual behaviour and
blocks that connection???

Secondly, my thoughts go to the two phases that IPSec uses; can anyone
tell me what destination port numbers are used in both phases? Maybe in
the office the FW is blocking the second TCP session that is used to
transfer data after the tunnel is established????

Any thoughts????

Regards,

Mohammad Zahed Saeed

On 9/19/07, Joseph Brunner <joe@affirmedsystems.com> wrote:
> Yes, the pix does not do same interface routing. So inside the network it
> won't route on your behalf, as it does from the outside interface towards the
> inside interface from home
>
> You can fix with pix 7 / asa code.
>
> -joe
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Mohammad Saeed
> Sent: Wednesday, September 19, 2007 9:40 PM
> To: Cisco certification
> Subject: Interesting VPN Access Issue
>
> Hello Every body,
>
> I have Cisco VPN Client installed on my laptop (Windows XP). Now if I
> use this VPN Client from my home Internet connection to establish a VPN
> tunnel to the destination, which is a PIX firewall, from home, it gets
> connected, and I can reach (ping/telnet) any device on the remote side
> network.
>
> But when I take my system to my office and hook my laptop to the office
> network, the VPN Client gets authenticated and the tunnel is established. The VPN
> Adapter gets the same IP that it gets when I establish the tunnel from
> home, but I can't ping/telnet to any devices on the remote network
> that I used to ping/telnet when I am connecting from my home network.
> If I ping, it just times out; traceroute doesn't even show the first
> hop, which should be the other end of the tunnel; and telnet times out.
>
> What can be the reason????
>
> If routing on the remote end or the firewall on the laptop were the issue,
> then how is the VPN tunnel established in the first step?
>
> I would appreciate it if anyone can give a hint....
>
> Regards,
>
>
> Mohammad Zahed Saeed
>
>



This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:14 ART