602Pro LAN SUITE 2003 User Forum
Using Contivity VPN client behind 602ls
  Posted by  Leander Vanderbijl  on Saturday, October 04, 2003 at 9:20:15 AM (EST)
I'm trying to connect to my work VPN server from home. I'm behind a 602ls2003 using the Nortel Contivity VPN client 4.60.
I've mapped ports (udp and tcp) 47, 50, 51 - although apparently VPN doesn't actually use them, and port UDP 500. The client seems to make the connection but then the connection gets dropped near the end of the handshake. The last message I get in the VPN log is:
"Isakmpd : F : The secure Contivity VPN connection has been lost.
Click Connect to re-establish the connection."
From looking at VPN requirements it appears that the firewall needs to allow NAT Traversal; does anyone know if 602ls2003 supports this or if there's a workaround solution?
The error message I'm getting now is the same message that appeared when trying to connect through MS ICS (before I switched to 602ls2003).
Any suggestions?
  Posted by Leander Vanderbijl  on Tuesday, October 07, 2003 at 4:01:14 PM (EST)
Just in case anyone else encounters this problem... I've solved it!
The VPN server needs to be set to accept NAT traversal on a given port (you can pick any one, just make sure you use a high numbered one). Then map that port number in the "Proxy>Mapped Links" section. You should then be able to connect to the VPN server.
So in total, you need to map a minimum of 2 ports: 500 and a nat traversal port that is specified at the VPN server/firewall level.
Although now I'm stumped at getting to the internet while connected to the VPN server but I'll leave that problem to another day :)
If anyone else wants further instructions, reply to this post and I will attempt to help.
  Posted by Joseph Lamvohee  on Monday, November 10, 2003 at 8:19:12 PM (EST)
Which protocol should I use? UDP or TCP? I am using VPN / IPSec.

  Posted by Leander Vanderbijl  on Tuesday, November 11, 2003 at 3:45:07 AM (EST)
Port 500 is udp
I opened both tcp and udp for 10000 (my NAT traversal port).
  Posted by Joseph Lamvohee  on Tuesday, November 11, 2003 at 10:39:57 PM (EST)
Still trying and does not work.
Here is what I am receiving
MAP 1904 Connect ->

MAP 1904 Transfer ->

MAP 1904 846B/21s

I am using CISCO VPN client (4.2)

I have opened as you suggested port 10000 (TCP) 500 (UDP).
and mapped accordingly.

Help, please.
  Posted by Leander Vanderbijl  on Wednesday, November 12, 2003 at 5:14:49 AM (EST)
Ok, let me see if this rundown of your network is correct:

Client machine with Cisco VPN Client (a):

Gateway machine using 602ls (b):

VPN server on the internet that you're trying to connect to (c):

Double check the following settings:

Machine a: make sure the vpn client software is trying to connect to machine b (so the address of the VPN server should read - NOT

Machine b (the ls machine): Map UDP 500 to Machine C, map tcp 10000 to machine C, map udp 10000 to machine c

Machine c: this is the VPN server/firewall, somewhere in the configuration settings should be a NAT traversal setting - this needs to be set to 10000 (in fact you could use any port you wanted but 10000 is easy) - this is important because it tells the VPN how LS wants to communicate with it; otherwise you'll end up getting connection settings (over UDP 500) and everything will look like it connects but then the connection will time out.

If this still doesn't work, take a look at your VPN client logs; they should tell you at which point the connection is dropping.

Let me know if this helps

  Posted by Leander Vanderbijl  on Wednesday, November 12, 2003 at 5:25:25 AM (EST)
Another note, on our VPN server (nortel contivity 600) the Nat Traversal settings are in with the IPSec properties.

Though if you are using a cisco router/firewall you'll probably need to add in a rule for nat traversal (unless Cisco has developed a gui interface!!!)
  Posted by keith Page  on Tuesday, February 03, 2004 at 5:40:22 AM (EST)
Hi There,
I've tried all these settings and cannot get a connection to the remote site. Any more ideas?

  © 2009 Software602, Inc. All rights reserved.