Firewall Wizards mailing list archives

VPN through DSL


From: "Harris, John P" <John.Harris () usa xerox com>
Date: Wed, 13 Mar 2002 22:46:15 -0500

Hi Stephanie,

If you are running an older Nortel client (older than version 4.x) and the
servers you are connecting to are older than server version 4.x, you will
need to open a "back connect" port on your NAT router. What happens is that
the session gets established between you and the server and as part of the
authentication scheme, the Contivity VPN server will actually send some
packets back to verify you are who you are. Since this is not part of the
established connection, most firewalls will drop the packets, especially
most out of the box NAT devices. Try opening this up from your VPN servers
back to your client:

IP protocol 50 IP Security Encapsulating Security Payload (ESP)
IP protocol 51 IP Security Authentication Header (AH)

Remember these are IP protocols like TCP/IP and NOT TCP/UDP port numbers. I
think the older clients just used one of these, but at this time I don't
remember which one it is! :-) (my gut is screaming 50 at me though).

From the client to the VPN server you will need to have open the following:
TCP > 1023 (I know it's a lot, back to the comment about matching your VPN
server IP)
UDP = isakmp (500)
Ip Protocol 50 (ESP)

These may not be accurate down to the port list, it's just what I think I
remember from the manual long long ago  :-)

Later versions of the server and client software allow you to "Disable
Keepalives" which greatly reduces this traffic. They have even implemented a
solution in version 4.x that will pass all this traffic encapsulated in UDP
(I believe). This has good and bad points and the fact they made it so you
have to enable it for the whole server or nothing at all makes it a big
choice for someone running these servers. 

Remember to specify this to only be allowed from your VPN servers' IPs as
you don't want the extra holes to exist. Other things to check are:

Group ID and Group Password - Some providers use a GID and GP to
differentiate between different clients groups with different network access
privileges. If this information is wrong you will also get an authentication
failure.

SecurID - Make sure it is not locked, they have your PIN set right AND your
card is synced to the SecurID server. Any one of these will make your card
not function properly.

The other folks are correct about the SID auth feature. If they are running
the earlier server code, they have to use Radius authentication from the VPN
server to the SecurID server and enabling this usually just shows you a
different login page with separate fields for PIN and PASSCODE. It may work
either way depending upon how they have their infrastructure set up.

Ping and traceroute may not be good tools to see if the server is there as
they are not used by the client or server so they can be shut off for
tighter security. 

The best advice is to try and contact the administrators of the servers
themselves and see if they would be willing to assist you. There should be
some additional connection information in the logs on the server.
Particularly lines that show you start to connect, then the server all of a
sudden saying you're not there anymore which is the result of the "keep-alive"
function. 

First start by allowing any traffic from your VPN server back through your
NAT router/firewall. If you are getting an error back you are reaching the
server initially which tells you that it's actually there without using ping
and traceroute anyway.

I hope this helps.

John


John P. Harris Jr.  SANS GSEC
Engineering Solutions & Tech Competencies 
EDS Northeast Region I.Solutions 
E-Mail: John.Harris () usa xerox com
Buick Club of America # 37854


Original Message Follows
-----snip-----



-----Original Message-----
From: Neverdowski [mailto:nevers () swbell net]
Sent: Tuesday, March 12, 2002 9:58 AM
To: firewall-wizards () nfr com
Subject: [fw-wiz] VPN through DSL


I am desperate. I have been trying to connect to my office's VPN through my 
DSL connection at home for months now. In order to connect to my VPN, my 
office has provided an RSA SecurID token, which generates a random passcode 
at periodic intervals. I installed the Nortel Extranet client required by 
my office to connect and I run it after I have already established a DSL 
connection to the internet (with Enternet 300). However, the Extranet 
client always tells me that my login was unsuccessful, check my id and 
password. I have done so, and each time, my office says that both are in 
working order. I then contacted my ISP, who supplied the Enternet 300 
software with which I establish my connection to the internet. They are 
clueless (Southwestern Bell - go figure).

If I look at the details of my connection within the Enternet 300 
software, I see "SecurID disabled". No one can tell me why it says this, or 
how to enable SecurID. The furthest I got with any of the techs who tried 
to help, was to run Tracert, which showed that everything was peachy until 
we hit the tenth address which states "Request timed out", even though the 
11th-14th still return replies (with the 14th being the address I want to 
reach).

Someone at one point suggested I get a router. Is that my only option? Why 
would having a router on the external DSL modem on my home PC help?

Any suggestions, help etc. would be greatly appreciated.

Thanks,

Stephanie


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

-----snip-----


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
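John's point that ping and traceroute are unreliable tests here, and that an error coming back from the gateway is itself proof of reachability, can be checked directly on the port the thread names: UDP 500 (ISAKMP). The script below is an added example, not code from this thread, from Nortel, or from the list; it builds the first IKEv1 main-mode message (a single 3DES/SHA1/PSK/group-2 proposal), sends it to the gateway, and classifies the answer. A NOTIFY such as NO-PROPOSAL-CHOSEN counts as "rejected", which still means the packet crossed the NAT router and the reply came back. It assumes the gateway speaks IKEv1 on UDP 500 (as the Contivity-era servers discussed above did; not verified here), and the address 192.0.2.10 is a documentation placeholder, not a real server.

```python
"""Probe an IKEv1/ISAKMP gateway on UDP 500 without depending on ICMP.

Added example for the firewall-wizards thread above; not Nortel or list code.
Assumes the target answers IKEv1 main mode on UDP 500.
"""
import os
import socket
import struct

ISAKMP_PORT = 500
HDR_FMT = "!8s8sBBBBII"            # i-cookie, r-cookie, next, version, exchange, flags, msg id, length
HDR_LEN = struct.calcsize(HDR_FMT)  # 28 bytes (RFC 2408 section 3.1)

PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_NOTIFY = 0, 1, 11
EXCH_MAIN_MODE = 2
IKE_VERSION_1_0 = 0x10              # major 1, minor 0 packed into one byte
PROTO_ISAKMP, KEY_IKE = 1, 1
DOI_IPSEC, SIT_IDENTITY_ONLY = 1, 1


def _generic(next_payload, body):
    """Wrap a payload body in the 4-byte ISAKMP generic payload header."""
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def build_transform():
    """One KEY_IKE transform: 3DES-CBC, SHA1, pre-shared key, DH group 2 (basic attributes)."""
    attrs = b"".join(struct.pack("!HH", 0x8000 | attr_type, value)
                     for attr_type, value in ((1, 5), (2, 2), (3, 1), (4, 2)))
    return _generic(PAYLOAD_NONE, struct.pack("!BBH", 1, KEY_IKE, 0) + attrs)


def build_sa_payload():
    """SA payload -> one proposal (PROTO_ISAKMP, no SPI) -> one transform."""
    proposal = _generic(PAYLOAD_NONE,
                        struct.pack("!BBBB", 1, PROTO_ISAKMP, 0, 1) + build_transform())
    return _generic(PAYLOAD_NONE, struct.pack("!II", DOI_IPSEC, SIT_IDENTITY_ONLY) + proposal)


def build_probe(initiator_cookie=None):
    """First main-mode message: header with a zero responder cookie, then the SA payload."""
    cookie = initiator_cookie or os.urandom(8)
    sa = build_sa_payload()
    header = struct.pack(HDR_FMT, cookie, bytes(8), PAYLOAD_SA, IKE_VERSION_1_0,
                         EXCH_MAIN_MODE, 0, 0, HDR_LEN + len(sa))
    return header + sa


def parse_reply(data, sent_cookie):
    """Summarise an ISAKMP reply, or return None if it does not answer our cookie."""
    if len(data) < HDR_LEN:
        return None
    icookie, rcookie, next_payload, version, exch, _flags, _msgid, length = \
        struct.unpack(HDR_FMT, data[:HDR_LEN])
    if icookie != sent_cookie:
        return None
    return {
        "responder_cookie": rcookie.hex(),
        "major_version": version >> 4,
        "exchange_type": exch,
        "first_payload": next_payload,
        "accepted": next_payload == PAYLOAD_SA,      # gateway answered with its own SA
        "rejected": next_payload == PAYLOAD_NOTIFY,  # e.g. NO-PROPOSAL-CHOSEN: still reachable
        "length": length,
    }


def probe(host, timeout=3.0):
    """Send one probe; returns 'accepted', 'rejected', 'other' or 'silent'."""
    packet = build_probe()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.bind(("", ISAKMP_PORT))  # some IKEv1 gateways only answer source port 500 (needs root)
    except OSError:
        pass                          # fall back to an ephemeral port
    try:
        sock.sendto(packet, (host, ISAKMP_PORT))
        data, _peer = sock.recvfrom(4096)
    except socket.timeout:
        return "silent"               # filtered, eaten by NAT, or down: this cannot tell which
    finally:
        sock.close()
    reply = parse_reply(data, packet[:8])
    if reply is None:
        return "other"
    return "accepted" if reply["accepted"] else "rejected" if reply["rejected"] else "other"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"   # placeholder address
    print(target, probe(target))
```

Run it as `python ike_probe.py <gateway>` from behind the NAT router; "rejected" or "accepted" both mean UDP 500 works in both directions, while "silent" only says that no ISAKMP reply came back within the timeout, which is exactly the ambiguity John describes for a blocked ping. Once 500 is confirmed, the remaining suspects are the ESP/AH return traffic and the credentials, not reachability.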

