Re: [pfSense Support] Solution: Re: [pfSense Support] VPN & NAT Traversal (CISCO VPN Client)

2005-11-19 Thread Bill Marquette
On 11/18/05, Chris <[EMAIL PROTECTED]> wrote:
> It did not work with IPSec Passthrough disabled.  I must have tested too
> quickly after disabling it.  I tried again an hour later and I could not
> connect to the office.  I enabled passthrough and I was fine.
>
> Sorry for any confusion.

That kinda makes sense :)

--Bill

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] Solution: Re: [pfSense Support] VPN & NAT Traversal (CISCO VPN Client)

2005-11-18 Thread Chris
It did not work with IPSec Passthrough disabled.  I must have tested too 
quickly after disabling it.  I tried again an hour later and I could not 
connect to the office.  I enabled passthrough and I was fine.


Sorry for any confusion.


Chris wrote:

I banged my head on this for a while before I realized our network 
admin probably had the Cisco PIX VPN config to only work with UDP, not 
TCP.  Our default config is to use UDP, but that didn't work for me on 
pfsense v.86.  After I read the e-mail below I stopped trying to 
connect over UDP. (Stupid me.  I'm a sysadmin, not a netadmin.)  While 
I was typing up the "please help me" e-mail I realized that TCP was 
not configured at the endpoint in the office, and for giggles I tried 
UDP.  I was amazed at how fast it connected.  It worked with IPSec 
Passthrough disabled and enabled.


This was killing me because pfsense was noticeably faster than my old 
LinkSys, but VPN had to work so I could connect to my office.



Thanks for a fast and easy firewall!

Chris


stephan schneider wrote:


> i am trying to get a (NATed) connection to an external VPN using
> > the cisco vpn client. Unfortunately it just doesn't work -
> > no connection. I added the port 500 (isakmp) and allowed ESP to pass
> > the firewall. But I think there's more to do to get NAT-Traversal
> > to work  :-(

Got the solution.

In the vpn client connection configuration you have to choose
"IPSec over TCP" and of course "Enable Transparent Tunnel".


No custom rules, no "IPSec passthru" (that's a different approach),
no custom nat rules (only the default: nat all lan) are needed.


Thanks Bill!
Have a nice day.
Stefan.












Re: [pfSense Support] Solution: Re: [pfSense Support] VPN & NAT Traversal (CISCO VPN Client)

2005-11-18 Thread Chris
I banged my head on this for a while before I realized our network admin 
probably had the Cisco PIX VPN config to only work with UDP, not TCP.  
Our default config is to use UDP, but that didn't work for me on pfsense 
v.86.  After I read the e-mail below I stopped trying to connect over 
UDP. (Stupid me.  I'm a sysadmin, not a netadmin.)  While I was typing 
up the "please help me" e-mail I realized that TCP was not configured at 
the endpoint in the office, and for giggles I tried UDP.  I was amazed 
at how fast it connected.  It worked with IPSec Passthrough disabled and 
enabled.


This was killing me because pfsense was noticeably faster than my old 
LinkSys, but VPN had to work so I could connect to my office.



Thanks for a fast and easy firewall!

Chris


stephan schneider wrote:


> i am trying to get a (NATed) connection to an external VPN using
> > the cisco vpn client. Unfortunately it just doesn't work -
> > no connection. I added the port 500 (isakmp) and allowed ESP to pass
> > the firewall. But I think there's more to do to get NAT-Traversal
> > to work  :-(

Got the solution.

In the vpn client connection configuration you have to choose
"IPSec over TCP" and of course "Enable Transparent Tunnel".


No custom rules, no "IPSec passthru" (that's a different approach),
no custom nat rules (only the default: nat all lan) are needed.


Thanks Bill!
Have a nice day.
Stefan.








Re: [pfSense Support] Solution: Re: [pfSense Support] VPN & NAT Traversal (CISCO VPN Client)

2005-10-18 Thread Tommaso Di Donato
On 10/18/05, Chris Buechler <[EMAIL PROTECTED]> wrote:
> In the case of VPN's that are terminated on pfsense boxes, it is racoon,
> and very recently a kernel patch was added to test NAT-T support with
> ipsec-tools.  I'm not sure if it's even made it into a public release
> yet.  It'll be there soon if not, but needs testing.
Thank you very much.
If you like, I will try to do some tests (not now, but in the near future), and will share my results.

Tom



Re: [pfSense Support] Solution: Re: [pfSense Support] VPN & NAT Traversal (CISCO VPN Client)

2005-10-18 Thread Chris Buechler

Tommaso Di Donato wrote:

Maybe I explained myself not very well: ipsec natively does not permit 
bypassing a NAT gateway. So a few solutions have been adopted, one of 
them is NAT-T (that is, ipsec over UDP). I do not mean that it is 
pfsense that must do this: generally it is the OS ipsec implementation 
that takes it into account (during the very first exchanges between the 
two parties, and so on).
I only would like to know if racoon (I think racoon is the one that 
manages ipsec VPNs) uses NAT-T or another mechanism for bypassing the NAT 
limitation...




In the case of VPN's that are terminated on pfsense boxes, it is racoon, 
and very recently a kernel patch was added to test NAT-T support with 
ipsec-tools.  I'm not sure if it's even made it into a public release 
yet.  It'll be there soon if not, but needs testing. 





Re: [pfSense Support] Solution: Re: [pfSense Support] VPN & NAT Traversal (CISCO VPN Client)

2005-10-18 Thread Tommaso Di Donato
On 10/18/05, Bill Marquette <[EMAIL PROTECTED]> wrote:
> On 10/18/05, Tommaso Di Donato <[EMAIL PROTECTED]> wrote:
> >  Mmmh, sounds very strange..  IPsec NAT-T usually is achieved as IPsec over
> > UDP..
> >  (http://wiki.openswan.org/index.php/Firewalls)
> >  ...and from what I know, Cisco VPN is using exactly this.
> >
> >  What kind of implementation is currently used?
> >
> >  Please, could someone check if pfSense is really encapsulating over
> > 4500/UDP, or smthg different?
>
> pfSense isn't encapsulating anything, that's the job of the client.
> In this case it sounds like the client needed some extra config to do
> NAT-T correctly.
Maybe I explained myself not very well: ipsec natively does not permit
bypassing a NAT gateway. So a few solutions have been adopted, one of them is
NAT-T (that is, ipsec over UDP). I do not mean that it is pfsense that
must do this: generally it is the OS ipsec implementation that takes it
into account (during the very first exchanges between the two parties,
and so on).
I only would like to know if racoon (I think racoon is the one that
manages ipsec VPNs) uses NAT-T or another mechanism for bypassing the NAT
limitation...

Sorry
Tom
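The thread turns on which of three encapsulations the Cisco client ends up using behind NAT: plain IKE on UDP/500 with raw ESP (IP protocol 50, which a NAT cannot port-map and which "IPSec passthrough" exists to special-case), NAT-T on UDP/4500, or Cisco's proprietary "IPSec over TCP". The following is an added example, not code from the thread, pfSense, or Cisco: it frames constructed packets the way RFC 3948 and IKE specify and classifies them, which is the check Tommaso asks for ("is it really 4500/UDP?") applied to a captured packet. The TCP port 10000 is an assumption for Cisco's IPsec-over-TCP default, not a value stated in the thread; the addresses and payloads are constructed.

```python
import ipaddress
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP = 6, 17, 50
ISAKMP_PORT, NAT_T_PORT = 500, 4500
# Assumed default for Cisco's "IPSec over TCP" client setting (not stated in
# the thread); change it to whatever the concentrator is configured for.
CISCO_IPSEC_TCP_PORT = 10000


def build_ipv4(proto: int, payload: bytes,
               src: str = "192.0.2.10", dst: str = "198.51.100.1") -> bytes:
    """Constructed minimal IPv4 header: 20 bytes, no options, checksum zeroed."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed UDP header (length filled in, checksum zeroed)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_tcp(sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed 20-byte TCP header, data offset 5, PSH|ACK."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18,
                       65535, 0, 0) + payload


def classify_ipsec(packet: bytes) -> str:
    """Name the IPsec transport a raw IPv4 packet is using, if any."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    l4 = packet[ihl:]
    if proto == IPPROTO_ESP:
        # Raw ESP has no ports, so a NAT cannot distinguish two inside hosts:
        # this is the case "IPSec passthrough" helpers exist for.
        return "esp-raw"
    if proto == IPPROTO_UDP:
        if len(l4) < 8:
            return "udp-truncated"
        sport, dport, _, _ = struct.unpack("!HHHH", l4[:8])
        data = l4[8:]
        if ISAKMP_PORT in (sport, dport):
            return "isakmp-udp500"
        if NAT_T_PORT in (sport, dport):
            # RFC 3948: on UDP/4500 an IKE message is prefixed with a 4-byte
            # zero "non-ESP marker"; ESP-in-UDP starts directly with the ESP
            # header, whose SPI is never zero; a lone 0xFF byte is a keepalive.
            if data == b"\xff":
                return "nat-keepalive-udp4500"
            if len(data) >= 4 and data[:4] == b"\x00\x00\x00\x00":
                return "ike-nat-t-udp4500"
            return "esp-in-udp4500"
        return "udp-other"
    if proto == IPPROTO_TCP:
        if len(l4) < 4:
            return "tcp-truncated"
        sport, dport = struct.unpack("!HH", l4[:4])
        if CISCO_IPSEC_TCP_PORT in (sport, dport):
            return "ipsec-over-tcp"
        return "tcp-other"
    return "other"


def classify_samples() -> dict:
    """Classify one constructed packet per transport the thread mentions."""
    esp_header = struct.pack("!II", 0x12345678, 1)  # SPI, sequence number
    samples = {
        "isakmp": build_ipv4(IPPROTO_UDP, build_udp(500, 500, b"\x00" * 28)),
        "ike_natt": build_ipv4(IPPROTO_UDP,
                               build_udp(4500, 4500, b"\x00" * 4 + b"\x11" * 28)),
        "esp_udp": build_ipv4(IPPROTO_UDP,
                              build_udp(4500, 4500, esp_header + b"\xaa" * 16)),
        "keepalive": build_ipv4(IPPROTO_UDP, build_udp(4500, 4500, b"\xff")),
        "esp_raw": build_ipv4(IPPROTO_ESP, esp_header + b"\xbb" * 16),
        "cisco_tcp": build_ipv4(IPPROTO_TCP, build_tcp(40000, 10000, b"\x00" * 8)),
        "dns": build_ipv4(IPPROTO_UDP, build_udp(40001, 53, b"\x00" * 12)),
    }
    return {name: classify_ipsec(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, kind in classify_samples().items():
        print(f"{name:10s} -> {kind}")
```

Run against a packet pulled from a capture on the pfSense WAN, the function tells you whether the client negotiated NAT-T (both IKE and ESP will show on UDP/4500), fell back to raw ESP (which is when passthrough matters), or is using the TCP mode stephan selected; the defaults that let outbound NAT and a plain "allow established" WAN policy work are the UDP cases.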



Re: [pfSense Support] Solution: Re: [pfSense Support] VPN & NAT Traversal (CISCO VPN Client)

2005-10-18 Thread Bill Marquette
On 10/18/05, Tommaso Di Donato <[EMAIL PROTECTED]> wrote:
>  Mmmh, sounds very strange..  IPsec NAT-T usually is achieved as IPsec over
> UDP..
>  (http://wiki.openswan.org/index.php/Firewalls)
>  ...and from what I know, Cisco VPN is using exactly this.
>
>  What kind of implementation is currently used?
>
>  Please, could someone check if pfSense is really encapsulating over
> 4500/UDP, or smthg different?

pfSense isn't encapsulating anything, that's the job of the client. 
In this case it sounds like the client needed some extra config to do
NAT-T correctly.

--Bill




Re: [pfSense Support] Solution: Re: [pfSense Support] VPN & NAT Traversal (CISCO VPN Client)

2005-10-18 Thread Tommaso Di Donato
On 10/16/05, stephan schneider <[EMAIL PROTECTED]> wrote:
> Got the solution.
>
> In the vpn client connection configuration you have to choose
> "IPSec over TCP" and of course "Enable Transparent Tunnel".
>
> No custom rules, no "IPSec passthru" (that's a different approach),
> no custom nat rules (only the default: nat all lan) are needed.
Mmmh, sounds very strange..  IPsec NAT-T usually is achieved as IPsec over UDP..
(http://wiki.openswan.org/index.php/Firewalls)
...and from what I know, Cisco VPN is using exactly this.

What kind of implementation is currently used? 

Please, could someone check if pfSense is really encapsulating over 4500/UDP, or smthg different?
TIA

Tom



Re: [pfSense Support] Solution: Re: [pfSense Support] VPN & NAT Traversal (CISCO VPN Client)

2005-10-16 Thread Scott Ullrich
Any chance of someone writing this up as a faq at
http://faq.pfsense.org/index.php?sid=1615&lang=en&action=add ?  That
would be really helpful!

Thanks for the follow up stephan.

Scott

On 10/16/05, stephan schneider <[EMAIL PROTECTED]> wrote:
>  > i am trying to get a (NATed) connection to an external VPN using
>  > > the cisco vpn client. Unfortunately it just doesn't work -
>  > > no connection. I added the port 500 (isakmp) and allowed ESP to pass
>  > > the firewall. But I think there's more to do to get NAT-Traversal
>  > > to work  :-(
>
> Got the solution.
>
> In the vpn client connection configuration you have to choose
> "IPSec over TCP" and of course "Enable Transparent Tunnel".
>
>
> No custom rules, no "IPSec passthru" (that's a different approach),
> no custom nat rules (only the default: nat all lan) are needed.
>
>
> Thanks Bill!
> Have a nice day.
> Stefan.
>




[pfSense Support] Solution: Re: [pfSense Support] VPN & NAT Traversal (CISCO VPN Client)

2005-10-16 Thread stephan schneider

> i am trying to get a (NATed) connection to an external VPN using
> > the cisco vpn client. Unfortunately it just doesn't work -
> > no connection. I added the port 500 (isakmp) and allowed ESP to pass
> > the firewall. But I think there's more to do to get NAT-Traversal
> > to work  :-(

Got the solution.

In the vpn client connection configuration you have to choose
"IPSec over TCP" and of course "Enable Transparent Tunnel".


No custom rules, no "IPSec passthru" (that's a different approach),
no custom nat rules (only the default: nat all lan) are needed.


Thanks Bill!
Have a nice day.
Stefan.
