
VPN behind dedicated home software firewall

Old 11 June 2002, 02:53 PM
  #1  
David_Wallis
Scooby Regular
Thread Starter
 
Join Date: Nov 2001
Location: Leeds - It was 562.4bhp@28psi on Optimax, How much closer to 600 with race fuel and a bigger turbo?
Posts: 15,239
Likes: 0
Received 1 Like on 1 Post
Post

I've now got my hands on the software to connect to our work vpn... nortel contivity or summit... anyway I am using proxy server at the moment to provide our connection from our internal lan to our external lan... I want to be able to run vpn from behind here.. and I'm sure it can be done with rras and proxy, but I'm thinking of swapping to ISA server, anybody got any alternatives, preferably winnt 4 / 2k based but will go with others... must support port redirection inbound as well..

David
Old 11 June 2002, 03:32 PM
  #2  
David_Wallis
Scooby Regular
Thread Starter
 
Join Date: Nov 2001
Location: Leeds - It was 562.4bhp@28psi on Optimax, How much closer to 600 with race fuel and a bigger turbo?
Posts: 15,239
Likes: 0
Received 1 Like on 1 Post
Post

ttt as it's urgent...

David
Old 11 June 2002, 05:02 PM
  #3  
ChrisB
Moderator
 
Join Date: Dec 1998
Location: Staffs
Posts: 23,573
Likes: 0
Received 0 Likes on 0 Posts
Post

"nortel contivity"

Argh! Run away!!!!!
Old 11 June 2002, 05:04 PM
  #4  
Jeff Wiltshire
Scooby Regular
 
Join Date: Nov 2000
Location: 412 Wheel HP Audi RS4
Posts: 2,021
Likes: 0
Received 1 Like on 1 Post
Post

The Shasta's are OK......bit big for what David wants to do
Old 11 June 2002, 05:06 PM
  #5  
roadrunner
Scooby Regular
 
Join Date: May 2001
Posts: 730
Likes: 0
Received 0 Likes on 0 Posts
Wink

What's wrong with Nortel?
Old 11 June 2002, 05:06 PM
  #6  
Jeff Wiltshire
Scooby Regular
 
Join Date: Nov 2000
Location: 412 Wheel HP Audi RS4
Posts: 2,021
Likes: 0
Received 1 Like on 1 Post
Post

Hardly a financially viable company to start with....
Old 11 June 2002, 05:12 PM
  #7  
roadrunner
Scooby Regular
 
Join Date: May 2001
Posts: 730
Likes: 0
Received 0 Likes on 0 Posts
Post

True, but they are just going thru hard times at present. I like Nortel. They do good products but they also do very ****e products. .... Ohhhh bring back the days of Bay Networks
Old 11 June 2002, 05:25 PM
  #8  
ChrisB
Moderator
 
Join Date: Dec 1998
Location: Staffs
Posts: 23,573
Likes: 0
Received 0 Likes on 0 Posts
Post

I've been banging my head with a Contivity 600 Sun + Mon.

It was sent "pre-configured" by the IT people in Oz and does it work?
Old 11 June 2002, 05:39 PM
  #9  
roadrunner
Scooby Regular
 
Join Date: May 2001
Posts: 730
Likes: 0
Received 0 Likes on 0 Posts
Post

Chris, what is your problem with it. Haven't touched one for about 8mths but I can dig out my nortel site ID and research your problem for you

rr


Old 11 June 2002, 05:46 PM
  #10  
David_Wallis
Scooby Regular
Thread Starter
 
Join Date: Nov 2001
Location: Leeds - It was 562.4bhp@28psi on Optimax, How much closer to 600 with race fuel and a bigger turbo?
Posts: 15,239
Likes: 0
Received 1 Like on 1 Post
Post

OOPS... That didn't really read very well... it's a contivity 1600 and that's at work.

I run proxy server at home... And am considering replacing it with ISA... Sorry Jeff, bet you thought you could sell something then when I mentioned proxy to ISA....

My home network is 192.168.0.x

External Ip is x.x.x.x

My pc is 192.168.0.6 or whatever...

I want to run nortel client on mine and connect to x.x.x.x through my gateway...

What should I run on my 'home gateway' as proxy server is poo...
don't really want to run linux, but if someone wants to give me detailed instructions... What's about... suppose I could err download a trial of firewall 1 / raptor (used at work)

David
Old 11 June 2002, 05:52 PM
  #11  
dsmith
Scooby Regular
 
Join Date: Mar 1999
Posts: 4,518
Likes: 0
Received 0 Likes on 0 Posts
Post

What's your home net connection - ADSL,ISDN,CABLE,USB,RJ45 etc.

Can the modem/router do f/w and NAT ?

Don't know what protocol the nortel thingy uses myself.

Deano
Old 11 June 2002, 05:56 PM
  #12  
roadrunner
Scooby Regular
 
Join Date: May 2001
Posts: 730
Likes: 0
Received 0 Likes on 0 Posts
Post

Deano - that nortel thingy uses all the industry standards.... not like Cisco, quick lets bring out our own enhanced protocol that only works with cisco

Old 11 June 2002, 06:04 PM
  #13  
David_Wallis
Scooby Regular
Thread Starter
 
Join Date: Nov 2001
Location: Leeds - It was 562.4bhp@28psi on Optimax, How much closer to 600 with race fuel and a bigger turbo?
Posts: 15,239
Likes: 0
Received 1 Like on 1 Post
Post

My Connection is via tele2 terminated on rj45... I'm not up for changing to a hardware based hub / router... this must be software based to sit on my dedicated server... don't ask why... just must

Don't really care what the nortel uses, as I think the client software worries about that...

David
Old 11 June 2002, 06:07 PM
  #14  
dsmith
Scooby Regular
 
Join Date: Mar 1999
Posts: 4,518
Likes: 0
Received 0 Likes on 0 Posts
Post

If you want to NAT (as you do) then you have to worry about the protocol to ensure a) the device Natting understands it and b) the correct ports/protocols are permitted through your security.

e.g. MS PPTP VPN needs TCP Port 1723 and IP Protocol 47
Old 11 June 2002, 07:41 PM
  #15  
David_Wallis
Scooby Regular
Thread Starter
 
Join Date: Nov 2001
Location: Leeds - It was 562.4bhp@28psi on Optimax, How much closer to 600 with race fuel and a bigger turbo?
Posts: 15,239
Likes: 0
Received 1 Like on 1 Post
Post

So what software would people recommend to do this then???

David
Old 11 June 2002, 08:56 PM
  #16  
dsmith
Scooby Regular
 
Join Date: Mar 1999
Posts: 4,518
Likes: 0
Received 0 Likes on 0 Posts
Post

Personally if you don't want a full linux distro then try smoothwall. Nice web interface takes all the linux hassle away.

Alternatively if you have access to an "eval" copy of fw-1 and your box is already NT,2K or Xp - stick that on. Very easy to configure fw-1 but make sure you lock the os down properly. plenty of articles around and it's not my thing so can't advise exactly how.

Either would be streets ahead of a plain poxy server.

Deano
Old 11 June 2002, 09:18 PM
  #17  
David_Wallis
Scooby Regular
Thread Starter
 
Join Date: Nov 2001
Location: Leeds - It was 562.4bhp@28psi on Optimax, How much closer to 600 with race fuel and a bigger turbo?
Posts: 15,239
Likes: 0
Received 1 Like on 1 Post
Post

NT / 2K is my thing so securing the box wouldn't be a problem... I've heard that fw1 can be hard to config... just looking into isa at the moment... is smoothwall freeware / opensource or buy??? What does it run on RH 7.1 ?

Any sites to look at?

David
Old 11 June 2002, 10:17 PM
  #18  
dsmith
Scooby Regular
 
Join Date: Mar 1999
Posts: 4,518
Likes: 0
Received 0 Likes on 0 Posts
Post

for a one box solution, with firewall, management and client all on the same box merely to allow specific (or all) outbound services and deny inbound plus Nat behind the red-side address.

You're looking at 5 mins tops.

Oh and www.phoneboy.com it goes over that.

Firewall one with huge rulesets and myriad of objects maintained by different people all with their own naming convention = hard to configure
One box, 2 rules and some Nat = P*** easy

Deano
Old 11 June 2002, 10:58 PM
  #19  
David_Wallis
Scooby Regular
Thread Starter
 
Join Date: Nov 2001
Location: Leeds - It was 562.4bhp@28psi on Optimax, How much closer to 600 with race fuel and a bigger turbo?
Posts: 15,239
Likes: 0
Received 1 Like on 1 Post
Post

Cheers, I'll look at that..

David
Old 11 June 2002, 11:48 PM
  #20  
Andrewza
Scooby Regular
 
Join Date: Jan 2002
Posts: 667
Likes: 0
Received 0 Likes on 0 Posts
Post

If by industry standards they mean IPSec, IPSec doesn't go through NATs.
Old 12 June 2002, 12:08 AM
  #21  
David_Wallis
Scooby Regular
Thread Starter
 
Join Date: Nov 2001
Location: Leeds - It was 562.4bhp@28psi on Optimax, How much closer to 600 with race fuel and a bigger turbo?
Posts: 15,239
Likes: 0
Received 1 Like on 1 Post
Post

I'm Fairly sure it uses ipsec.... so how do I use IPSec from my own pc, apart from sticking the internet connection straight into this machine??

David
Old 12 June 2002, 12:12 AM
  #22  
dsmith
Scooby Regular
 
Join Date: Mar 1999
Posts: 4,518
Likes: 0
Received 0 Likes on 0 Posts
Post

Ahhhh IPSEC and NAT.

very tricky but can be done.

Depends on method used for exchanging keys I recall.
Old 12 June 2002, 12:17 AM
  #23  
David_Wallis
Scooby Regular
Thread Starter
 
Join Date: Nov 2001
Location: Leeds - It was 562.4bhp@28psi on Optimax, How much closer to 600 with race fuel and a bigger turbo?
Posts: 15,239
Likes: 0
Received 1 Like on 1 Post
Post

?? Anybody got any ideas?? just doing an install of ISA.. but don't think this supports it looking on isaserver.org

David
Old 12 June 2002, 12:29 AM
  #24  
Andrewza
Scooby Regular
 
Join Date: Jan 2002
Posts: 667
Likes: 0
Received 0 Likes on 0 Posts
Post

it's the AH (authentication header) bit that's the problem, it's an encrypted hash to make sure the packet hasn't been tampered with, unfortunately NAT tampers with it
Old 12 June 2002, 09:50 AM
  #25  
David_Wallis
Scooby Regular
Thread Starter
 
Join Date: Nov 2001
Location: Leeds - It was 562.4bhp@28psi on Optimax, How much closer to 600 with race fuel and a bigger turbo?
Posts: 15,239
Likes: 0
Received 1 Like on 1 Post
Post

the client mentions traversing nat with ip/sec.. any ideas / other protocols? l2tp??

David
Old 12 June 2002, 10:15 AM
  #26  
dsmith
Scooby Regular
 
Join Date: Mar 1999
Posts: 4,518
Likes: 0
Received 0 Likes on 0 Posts
Post

There is a very good article here on IPSEC/Nat issues. VPNs do not have to implement the AH mentioned by Andrew above. If it's purely payload encryption then it can traverse NAT.

If the client you have is designed for home working its likely to be able to be configured to work through NAT. I'd stick with FW-1 have an "Any-Inside to Internet, Permit" rule and see how you get on.

Deano
Old 12 June 2002, 10:47 AM
  #27  
Andrewza
Scooby Regular
 
Join Date: Jan 2002
Posts: 667
Likes: 0
Received 0 Likes on 0 Posts
Post

As long as it doesn't use AH no reason it shouldn't work with NAT

As for firewalling you're probably wanting to let esp and ipecnap out.
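The AH-versus-ESP point made in the last few replies, shown as an added example that is not from the thread: a constructed Python model (simplified, with a truncated HMAC under a fixed demo key standing in for the real ICV, and no real ESP header fields) in which an AH packet's integrity check covers the IP addresses and so fails once the home gateway rewrites the source address, while an ESP packet's check covers only the protected body and survives NAT. The addresses are documentation-range stand-ins for the thread's x.x.x.x.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"       # constructed shared key, not a real SA key
AH_PROTO, ESP_PROTO = 51, 50        # IP protocol numbers for AH and ESP

def ip_header(src, dst, proto):
    """20-byte IPv4 header with the mutable fields (TTL, checksum) zeroed,
    which is how AH treats them before computing its ICV."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 0, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def icv(data):
    """Truncated HMAC standing in for the ICV (simplified, demo only)."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]

def ah_packet(src, dst, payload):
    """AH: the ICV covers the outer IP header, addresses included."""
    return {"src": src, "dst": dst, "proto": AH_PROTO, "payload": payload,
            "icv": icv(ip_header(src, dst, AH_PROTO) + payload)}

def esp_packet(src, dst, payload):
    """ESP: the ICV covers only the ESP body; the IP header is not signed."""
    return {"src": src, "dst": dst, "proto": ESP_PROTO, "payload": payload,
            "icv": icv(payload)}

def nat_rewrite(pkt, public_ip):
    """Source NAT on the home gateway: swap the private source address."""
    return {**pkt, "src": public_ip}

def verify(pkt):
    """The VPN gateway's check on receipt, using the same key."""
    if pkt["proto"] == AH_PROTO:
        data = ip_header(pkt["src"], pkt["dst"], AH_PROTO) + pkt["payload"]
    else:
        data = pkt["payload"]
    return hmac.compare_digest(icv(data), pkt["icv"])

def demo():
    """Send both packet types from 192.168.0.6 through NAT to the gateway.
    Addresses are documentation-range stand-ins for the thread's x.x.x.x."""
    gw, public = "203.0.113.10", "198.51.100.7"
    ah = nat_rewrite(ah_packet("192.168.0.6", gw, b"payload"), public)
    esp = nat_rewrite(esp_packet("192.168.0.6", gw, b"payload"), public)
    return verify(ah), verify(esp)   # (False, True): AH fails, ESP survives
```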
Old 12 June 2002, 11:04 AM
  #28  
Jeff Wiltshire
Scooby Regular
 
Join Date: Nov 2000
Location: 412 Wheel HP Audi RS4
Posts: 2,021
Likes: 0
Received 1 Like on 1 Post
Post

David

I wasn't trying to sell you something......although I will if you want me too....

If your connection outbound is NAT'd then you need to use aggressive mode set-up which only relies on the outbound connection rather than trying to connect another session from the called VPN device.

Seriously, call me and we'll discuss your options (at no charge !)



Jeff
Old 12 June 2002, 11:08 AM
  #29  
David_Wallis
Scooby Regular
Thread Starter
 
Join Date: Nov 2001
Location: Leeds - It was 562.4bhp@28psi on Optimax, How much closer to 600 with race fuel and a bigger turbo?
Posts: 15,239
Likes: 0
Received 1 Like on 1 Post
Post

couldn't find an eval of fw1

Jeff I'll give you a call in a bit... just sorting some other problems.

David
Old 12 June 2002, 12:02 PM
  #30  
David_Wallis
Scooby Regular
Thread Starter
 
Join Date: Nov 2001
Location: Leeds - It was 562.4bhp@28psi on Optimax, How much closer to 600 with race fuel and a bigger turbo?
Posts: 15,239
Likes: 0
Received 1 Like on 1 Post
Post

After an enlightening... (almost confusing ) conversation with jeff, I think I should be able to get this working... Just checked on the box and it looks like it does use aggressive mode... here's a bit of the log..

06/11/2002 22:49:46 0 ISAKMP [02] Oakley Aggressive Mode proposal accepted from dw3101 (x.x.x.x)
06/11/2002 22:49:47 0 Security [12] Session: IPSEC[dw3101]:411 physical addresses: remote x.x.x.x local x.x.x.x
06/11/2002 22:49:47 0 ISAKMP [02] ISAKMP SA established with dw3101 (x.x.x.x)
06/11/2002 22:49:47 0 Security [12] Session: IPSEC[dw3101]:411 physical addresses: remote x.x.x.x local x.x.x.x
06/11/2002 22:49:48 0 Security [12] Session: IPSEC[dw3101]:411 physical addresses: remote x.x.x.x local x.x.x.x
06/11/2002 22:49:48 0 Outbound ESP from x.x.x.x to x.x.x.x SPI 0x000f60c9 [03] ESP encap session SPI 0xc9600f00 bound to cpu 0
06/11/2002 22:49:48 0 Inbound ESP from x.x.x.x to x.x.x.x SPI 0x00061802 [03] ESP decap session SPI 0x2180600 bound to cpu 0
06/11/2002 22:49:48 0 ISAKMP [03] Established IPsec SAs with dw3101 (x.x.x.x):
06/11/2002 22:51:21 0 ISAKMP [03] Deleting IPsec SAs with dw3101 (x.x.x.x):
06/11/2002 22:51:21 0 ISAKMP [02] Deleting ISAKMP SA with dw3101 (x.x.x.x)
06/11/2002 22:57:59 0 ISAKMP [02] Oakley Aggressive Mode proposal accepted from dw3101 (x.x.x.x)
06/11/2002 22:57:59 0 Security [12] Session: IPSEC[dw3101]:412 physical addresses: remote x.x.x.x local x.x.x.x
06/11/2002 22:58:00 0 ISAKMP [02] ISAKMP SA established with dw3101 (x.x.x.x)
06/11/2002 22:58:00 0 Security [12] Session: IPSEC[dw3101]:412 physical addresses: remote x.x.x.x local x.x.x.x
06/11/2002 22:58:01 0 Security [12] Session: IPSEC[dw3101]:412 physical addresses: remote x.x.x.x local x.x.x.x
06/11/2002 22:58:01 0 Outbound ESP from x.x.x.x to x.x.x.x SPI 0x000ad1bb [03] ESP encap session SPI 0xbbd10a00 bound to cpu 0
06/11/2002 22:58:01 0 Inbound ESP from x.x.x.x to x.x.x.x SPI 0x0020485e [03] ESP decap session SPI 0x5e482000 bound to cpu 0
06/11/2002 22:58:01 0 ISAKMP [03] Established IPsec SAs with dw3101 (x.x.x.x):
06/11/2002 22:59:41 0 ISAKMP [03] Deleting IPsec SAs with dw3101 (x.x.x.x):
06/11/2002 22:59:41 0 ISAKMP [02] Deleting ISAKMP SA with dw3101 (x.x.x.x)


David
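Reading the tunnel lifecycle out of that log, as an added example that is not part of the original thread: the parser below is written against only the line formats quoted above (the repeated "Security [12] Session" lines are left out of the sample) and groups the Contivity lines into sessions, recording the IKE phase 1 mode, the peer, the inbound and outbound ESP SPIs from phase 2, and how long each tunnel lasted.

```python
import re
from datetime import datetime

LOG = """\
06/11/2002 22:49:46 0 ISAKMP [02] Oakley Aggressive Mode proposal accepted from dw3101 (x.x.x.x)
06/11/2002 22:49:47 0 ISAKMP [02] ISAKMP SA established with dw3101 (x.x.x.x)
06/11/2002 22:49:48 0 Outbound ESP from x.x.x.x to x.x.x.x SPI 0x000f60c9 [03] ESP encap session SPI 0xc9600f00 bound to cpu 0
06/11/2002 22:49:48 0 Inbound ESP from x.x.x.x to x.x.x.x SPI 0x00061802 [03] ESP decap session SPI 0x2180600 bound to cpu 0
06/11/2002 22:49:48 0 ISAKMP [03] Established IPsec SAs with dw3101 (x.x.x.x):
06/11/2002 22:51:21 0 ISAKMP [03] Deleting IPsec SAs with dw3101 (x.x.x.x):
06/11/2002 22:57:59 0 ISAKMP [02] Oakley Aggressive Mode proposal accepted from dw3101 (x.x.x.x)
06/11/2002 22:58:00 0 ISAKMP [02] ISAKMP SA established with dw3101 (x.x.x.x)
06/11/2002 22:58:01 0 Outbound ESP from x.x.x.x to x.x.x.x SPI 0x000ad1bb [03] ESP encap session SPI 0xbbd10a00 bound to cpu 0
06/11/2002 22:58:01 0 Inbound ESP from x.x.x.x to x.x.x.x SPI 0x0020485e [03] ESP decap session SPI 0x5e482000 bound to cpu 0
06/11/2002 22:58:01 0 ISAKMP [03] Established IPsec SAs with dw3101 (x.x.x.x):
06/11/2002 22:59:41 0 ISAKMP [03] Deleting IPsec SAs with dw3101 (x.x.x.x):
"""

TS_FMT = "%m/%d/%Y %H:%M:%S"        # leading "MM/DD/YYYY HH:MM:SS" on every line
RULES = [  # (event kind, pattern), matched against the rest of the line
    ("start", re.compile(r"Oakley (?P<mode>\w+) Mode proposal accepted from (?P<peer>\S+)")),
    ("out", re.compile(r"Outbound ESP from \S+ to \S+ SPI (?P<spi>0x[0-9a-f]+)")),
    ("in", re.compile(r"Inbound ESP from \S+ to \S+ SPI (?P<spi>0x[0-9a-f]+)")),
    ("end", re.compile(r"Deleting IPsec SAs with (?P<peer>\S+)")),
]

def parse_sessions(log):
    """Group the log into tunnel sessions: IKE phase 1 mode, peer,
    the two ESP SPIs negotiated in phase 2, and how long each lasted."""
    sessions, cur = [], None
    for line in log.splitlines():
        stamp = datetime.strptime(line[:19], TS_FMT)
        for kind, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            if kind == "start":              # phase 1 proposal opens a session
                cur = {"peer": m["peer"], "mode": m["mode"], "start": stamp, "spi": {}}
            elif cur is not None and kind == "end":   # phase 2 SAs torn down
                cur["seconds"] = int((stamp - cur["start"]).total_seconds())
                sessions.append(cur)
                cur = None
            elif cur is not None:            # outbound / inbound ESP SPI
                cur["spi"][kind] = m["spi"]
            break
    return sessions
```

The `mode` field is worth surfacing: IKEv1 aggressive mode sends the client identity and authentication hash before the exchange is encrypted, so a gateway log showing it tells you phase 1 is running in the weaker of the two IKEv1 modes.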

