On 11/24/2010 6:00 PM, Kevin Pickard wrote:
         Thank you for the response, Matthew.

         I could not find any VPN passthru mode on the client side router. 
Forwarding port 500 is not an option for different reasons. My Netgear router 
is already at the latest firmware version for my hardware version unfortunately 
and it does not look as though any further changes will be forthcoming.

         I am guessing there is nothing in the ISAKMP message telling the 
Netgear how to respond or which port to use. Oh well it was worth a try I guess.

         Thanks, Alexis, for all your help, and thank you, Matthew, as well of 
course.


Hi Kevin,

The source port value of the packet is read from the UDP header in the IP packet. Sending a response to a different port value than the one used in the UDP header is a serious problem with the Netgear code. I can tell you that the Netgear gateway that I have in my lab does not exhibit this behavior. It's a fundamental flaw in the Netgear IKE daemon implementation, so your only recourse is to open a ticket with Netgear support and hope they fix it in the next release. A packet dump showing the response on port 500 should be enough evidence to get a high level support tech or maybe a firmware engineer involved. If they ask why you believe it's a firmware problem, point them to this RFC and reference page 2 section 3 that states ...

3.  Phase 1

   The detection of support for NAT-Traversal and detection of NAT along
   the path between the two IKE peers occurs in IKE [RFC2409] Phase 1.

   The NAT may change the IKE UDP source port, and recipients MUST be
   able to process IKE packets whose source port is different from 500.
   The NAT does not have to change the source port if:

   o  only one IPsec host is behind the NAT, or

   o  for the first IPsec host, the NAT can keep the port 500, and the
      NAT will only change the port number for later connections.

   Recipients MUST reply back to the source address from the packet (see
   [RFC3715], section 2.1, case d).  This means that when the original
   responder is doing rekeying or sending notifications to the original
   initiator, it MUST send the packets using the same set of port and IP
   numbers used when the IKE SA was last used.

Sorry I can't be more help.

-Matthew
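The packet-dump evidence described above can be checked mechanically. The script below is an added example, not code from this thread or from the Shrew Soft project: it parses the ISAKMP header of each UDP datagram, pairs requests and responses by initiator cookie, and flags any reply the gateway sent to a port other than the one in the request's UDP header (the RFC "MUST reply back to the source address" rule). All addresses, ports and cookies are constructed sample values.

```python
import struct
from dataclasses import dataclass

# IKEv1 ISAKMP header: initiator cookie, responder cookie, next payload,
# version, exchange type, flags, message id, length (28 bytes, network order)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")

@dataclass(frozen=True)
class Datagram:  # one UDP datagram as it would appear in a capture
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

def isakmp_header(payload: bytes) -> dict:
    """Decode the fixed ISAKMP header; raise on a truncated packet."""
    if len(payload) < ISAKMP_HDR.size:
        raise ValueError("payload shorter than ISAKMP header")
    i_spi, r_spi, _nxt, _ver, exch, _flags, _msg_id, length = ISAKMP_HDR.unpack_from(payload)
    return {"i_spi": i_spi, "r_spi": r_spi, "exchange": exch, "length": length}

def find_port_mismatches(datagrams, gateway: str):
    """Return (cookie, observed initiator addr/port, addr/port the gateway replied to)
    for every reply that ignored the source port seen in the request."""
    observed = {}   # initiator cookie -> (addr, port) seen on the wire, post-NAT
    findings = []
    for d in datagrams:
        hdr = isakmp_header(d.payload)
        if d.dst == gateway:
            observed[hdr["i_spi"]] = (d.src, d.sport)
        elif d.src == gateway:
            peer = observed.get(hdr["i_spi"])
            if peer is not None and (d.dst, d.dport) != peer:
                findings.append((hdr["i_spi"].hex(), peer, (d.dst, d.dport)))
    return findings

def make_isakmp(i_spi: bytes, r_spi: bytes = b"\0" * 8, exch: int = 2) -> bytes:
    """Build a header-only ISAKMP message; exchange 2 = Identity Protection (Main Mode)."""
    return ISAKMP_HDR.pack(i_spi, r_spi, 1, 0x10, exch, 0, 0, ISAKMP_HDR.size)

GATEWAY = "198.51.100.1"  # constructed: the IKE responder under test
SAMPLE = [  # constructed capture: NAT rewrote client A's source port 500 -> 61234
    Datagram("203.0.113.10", 61234, GATEWAY, 500, make_isakmp(b"\x01" * 8)),
    Datagram(GATEWAY, 500, "203.0.113.10", 500, make_isakmp(b"\x01" * 8, b"\x02" * 8)),
    # client B: NAT kept port 500, which the RFC permits, so no finding
    Datagram("203.0.113.11", 500, GATEWAY, 500, make_isakmp(b"\x03" * 8)),
    Datagram(GATEWAY, 500, "203.0.113.11", 500, make_isakmp(b"\x03" * 8, b"\x04" * 8)),
]

if __name__ == "__main__":
    for cookie, seen, replied in find_port_mismatches(SAMPLE, GATEWAY):
        print(f"cookie {cookie}: request from {seen}, reply sent to {replied}")
```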
_______________________________________________
vpn-help mailing list
http://lists.shrew.net/mailman/listinfo/vpn-help