IPsec uses GRE, but also traverses UDP.  Cisco VPN clients do use UDP;
they use GRE to do the establishment sometimes as well.  The Cisco VPN
client is a pain, regardless, but there is an option for TCP connectivity.

Dennis


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Frank
Sent: Monday, January 15, 2007 5:05 PM
To: 'WISPA General List'
Subject: RE: [WISPA] IPsec/UDP and my border NAT gateway


A "Standard" IPsec VPN will use GRE, protocol 47:
http://www.iana.org/assignments/protocol-numbers

It's not UDP.

It appears that CenterBeam VPN uses Cisco gear:
http://newsroom.cisco.com/dlls/prod_121201.html

If this is the case, then they should be able to encapsulate this into UDP
or IP and this should allow the client inside your network to connect. You
may need to verify that your iptables rules are allowing "any" UDP traffic.

The Cisco PIX firewalls and their VPN hardware support this type of
encapsulation expressly for the purpose of passing through NAT gateways.

If the VPN client is not configured for UDP or TCP then there is likely
nothing you can do since GRE and NAT are not always friendly to each other.
Verify that the Cisco Software VPN client on your customer's PC is set to
encapsulate (tunnel) within UDP.

You may need some diagnostic tools like a sniffer (ethereal.com) or use
tcpdump within your Linux firewall. Also, logging dropped packets in your
iptables firewall may be of assistance.


Thank you

Frank Keeney
Pasadena Networks, LLC
Antennas, Cables and Equipment:
http://www.wlanparts.com 


 

> -----Original Message-----
> From: rabbtux rabbtux
> 
> Anyone have suggestions on what I need to do to allow my customer to
> do this type of VPN.  I currently have customers behind my
> linux/iptables firewall that masquerades them out a single IP.   This
> is the first customer who is having problems.  Do I need a special
> rule to accommodate them??
> 
> The customer is using CenterBeam VPN services, and they tell him that,
> "your isp is blocking VPN pass thru".   I'm not blocking anything.
> help!
> 
> Thank you kindly,
> marshall

-- 
WISPA Wireless List: wireless@wispa.org

Subscribe/Unsubscribe:
http://lists.wispa.org/mailman/listinfo/wireless

Archives: http://lists.wispa.org/pipermail/wireless/
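
Added example, not part of the original thread: one way to act on the suggestion to log dropped packets is to scan the iptables LOG output and see whether the customer's client is sending a portless IP protocol or UDP-encapsulated traffic. The log lines, the `VPN-DROP: ` prefix and the addresses are constructed; the protocol and port table (GRE 47, ESP 50, AH 51, UDP 500 for IKE, UDP 4500 for NAT traversal) is an assumption taken from the standard assignments, and vendor-specific ports can be added to it.

```python
import re
from collections import Counter

# Constructed sample in the style of the iptables LOG target; "VPN-DROP: " is an
# assumed --log-prefix and the addresses are documentation ranges.
SAMPLE_LOG = """\
Jan 15 17:01:02 gw kernel: VPN-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 LEN=104 TTL=63 ID=4211 PROTO=47
Jan 15 17:01:03 gw kernel: VPN-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 LEN=152 TTL=63 ID=4212 PROTO=ESP SPI=0x1a2b3c4d
Jan 15 17:01:04 gw kernel: VPN-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 LEN=320 TTL=63 ID=4213 PROTO=UDP SPT=500 DPT=500 LEN=300
Jan 15 17:01:05 gw kernel: VPN-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 LEN=140 TTL=63 ID=4214 PROTO=UDP SPT=4500 DPT=4500 LEN=120
Jan 15 17:01:06 gw kernel: VPN-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.51 DST=198.51.100.7 LEN=60 TTL=63 ID=77 DF PROTO=TCP SPT=40000 DPT=80 SYN
"""

FIELD = re.compile(r"(\w+)=(\S*)")
# The LOG target prints a name for some protocols and a bare number for others.
PORTLESS = {"47": "GRE", "GRE": "GRE", "50": "ESP", "ESP": "ESP", "51": "AH", "AH": "AH"}
VPN_UDP = {500: "IKE/UDP500", 4500: "NAT-T/UDP4500"}

def classify(line):
    """Return (src, dst, kind) for VPN-related traffic, or None for anything else."""
    f = dict(FIELD.findall(line))
    proto, dpt = f.get("PROTO"), f.get("DPT", "")
    if proto in PORTLESS:
        kind = PORTLESS[proto]
    elif proto == "UDP" and dpt.isdigit() and int(dpt) in VPN_UDP:
        kind = VPN_UDP[int(dpt)]
    else:
        return None
    return f.get("SRC"), f.get("DST"), kind

def summarize(log_text):
    """Count VPN-related log entries per (src, dst, kind)."""
    hits = Counter()
    for line in log_text.splitlines():
        entry = classify(line)
        if entry:
            hits[entry] += 1
    return hits

def portless_clients(hits):
    """Inside hosts sending GRE/ESP/AH, i.e. not (only) tunnelling within UDP."""
    return sorted({src for (src, _dst, kind) in hits if kind in set(PORTLESS.values())})

if __name__ == "__main__":
    for (src, dst, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src} -> {dst}  {kind}  x{n}")
    print("clients using portless protocols:", portless_clients(SAMPLE_LOG and summarize(SAMPLE_LOG)))
```

A host listed by `portless_clients` is the one whose VPN client setting for UDP or TCP encapsulation is worth checking first.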

