I guess the question(s) is/are:

1. Are you performing NAT (I know the previous response mentioned it - it just wasn't clarified)?

2. If you are doing NAT, is the Contivity setup forcing just AH (not ESP)? AH won't work with NAT (AFAIK). I'm guessing this is the Nortel Contivity switch (Qwest rebranded). Do you see any failed IKE/ISAKMP attempts in the logs (you'll have to dig through the Java GUI to find this stuff)? Run tcpdump on the external interface of the firewall and at least see if the traffic is traversing your fw properly.

3. Have you looked at the firewall logs? Maybe you're dropping traffic somewhere along the line?

4. I'm assuming proto 50 (51 for AH) and udp/500 are allowed in/out (see previous message re: logs)?

I know this is obvious stuff - it just helps for the troubleshooting :-)

Cheers,
Mike

-----Original Message-----
From: Todd Chandler [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 03, 2003 8:37 AM
To: jolan
Cc: [EMAIL PROTECTED]
Subject: RE: Qwest Contivity VPN Client Behind PF

Tried this rule but no dice. Still get a message that the server is not responding. Any other thoughts?

TC

-----Original Message-----
From: jolan [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 31, 2003 11:52 AM
To: Todd Chandler
Cc: [EMAIL PROTECTED]
Subject: Re: Qwest Contivity VPN Client Behind PF

On Fri, Jan 31, 2003 at 08:43:06AM -0500, Todd Chandler wrote:
> When I attempt to connect from the client, it simply times out. Any
> ideas what I'm missing?

i assume the client is behind nat. if you're using 3.2, try this rule:

    nat on $ext_if inet proto udp from any port = isakmp to any -> \
        $ext_if port 500

problem is that the server is probably ignoring isakmp traffic that doesn't have a source port of 500.

- jolan
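Pulling the thread's pieces together: an added pf.conf fragment (editor's example, not a config posted by anyone in the thread) showing jolan's source-port-preserving NAT rule for ISAKMP placed ahead of the general NAT rule, plus the pass rules Mike's item 4 assumes for udp/500, ESP (proto 50) and AH (proto 51). Interface names, the LAN client address and the Contivity gateway address are assumptions for illustration; the syntax follows the 3.2-era rules used in the thread.

```pf
# Added example, not from the thread. Assumed names and addresses:
ext_if = "fxp0"                 # external interface (assumption)
int_if = "fxp1"                 # LAN interface (assumption)
vpn_client = "192.168.1.10"     # host running the Contivity client (constructed)
vpn_gw = "203.0.113.5"          # Contivity gateway; placeholder, use the real address

# --- Translation ---------------------------------------------------------
# nat rules are first-match, so the ISAKMP rule must come BEFORE the general
# rule; otherwise the general rule rewrites the source port to a random high
# port and the gateway ignores the proposal (jolan's point).
nat on $ext_if inet proto udp from $vpn_client port = isakmp to $vpn_gw \
    -> $ext_if port 500

# Everything else from the LAN gets ordinary NAT.
nat on $ext_if inet from $int_if:network to any -> $ext_if

# ESP (proto 50) has no ports, so NAT only rewrites the source address; with a
# single client behind the firewall that is enough. AH (proto 51) authenticates
# the IP header including the source address, so it cannot survive NAT at all
# (Mike's item 2): if the gateway insists on AH, no pf rule will fix it.

# --- Filtering (Mike's item 4) ------------------------------------------
# Log drops so the pflog0 interface shows what is being blocked (item 3).
block log all

pass out on $ext_if inet proto udp from $ext_if port 500 to $vpn_gw port 500 \
    keep state
pass out on $ext_if inet proto esp from $ext_if to $vpn_gw keep state
# Belt and braces: allow the gateway to send ESP to us even if no state exists.
pass in  on $ext_if inet proto esp from $vpn_gw to $ext_if

# Only needed if the gateway really does use AH; NAT will still break it.
pass out on $ext_if inet proto ah  from $ext_if to $vpn_gw keep state
pass in  on $ext_if inet proto ah  from $vpn_gw to $ext_if

# LAN side: let the client's traffic reach the firewall.
pass in on $int_if inet from $vpn_client to $vpn_gw keep state
```

To do the check Mike suggests in item 2, watch the external interface with something like `tcpdump -n -i fxp0 'udp port 500 or ip proto 50 or ip proto 51'` and confirm that the outgoing ISAKMP packets really carry source port 500 after translation; then watch `tcpdump -n -e -ttt -i pflog0` to see whether any of the VPN traffic is hitting the `block log` rule.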
