VPN Client behind firewall

on 09.05.2005 07:56:53 by vinod

Hi,


I am trying to connect to the cisco VPN server from my network which
has linux firewall and windows 2000 systems. I have installed the Cisco
VPN Client on one of the windows 2000 pro system and trying to connect
and I am not able to connect with the error "Secure VPN Connection
terminated localy by the client Reason 412: The remote peer is no
longer responding"


When I went through some documents on the net they say that


UDP port 500
UDP port 10000 (or any other port number being used for IPSec/UDP)
IP protocol 50 (ESP)
TCP port configured for IPSec/TCP
NAT-T port 4500


Should be open


I am not so good at iptables. Can anyone tell me how to open these
ports in iptables so that I can dial my VPN client?


Please, someone help me with this issue.


Regards


Vinod

Re: VPN Client behind firewall

on 09.05.2005 18:12:59 by roberson

In article <1115618213.404115.144680@z14g2000cwz.googlegroups.com>,
Vinod wrote:
:I am trying to connect to the cisco VPN server from my network which
:has linux firewall and windows 2000 systems.

:When i went through some document in the net they say that

:UDP port 500

Yes, always needed.

:UDP port 10000 (or any other port number being used for IPSec/UDP)

That's obsolete, ignore that one.

:IP protocol 50 (ESP)

That is used if NAT-T is not in effect, or if it is and the systems
discover that NAT-T is not needed. Or to phrase it another way,
traditionally you -always- needed IP protocol 50, but if you have NAT-T
turned on and it figures you need NAT-T then it will use a UDP port
instead.

:TCP port configured for IPSec/TCP

IPSec does not need any TCP ports in any Cisco implementation that I
know of.

:NAT-T port 4500

NAT-T negotiations are on UDP port 4500. If NAT-T is turned on,
the sequence is UDP 500, then UDP 4500, and then either ESP -or- a
negotiated UDP port.

When NAT-T is on and is negotiated, the dynamic UDP port used is
a -source- port, with the destination port always being UDP 4500
[and in this case ESP is not used.] This applies both ways:
one end will send to UDP 4500 of the other, and the other will
send to UDP 4500 of the first.


Sorry, I can't help with the iptables part.
--
Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec
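For the iptables part of the question, here is a minimal FORWARD rule set that follows the port list Walter gives above (UDP 500, UDP 4500, ESP, and nothing else). It is an added example, not something posted in the thread; the interface names eth0 (WAN) and eth1 (LAN) and the peer address are assumed placeholders, and the script prints the rules for review instead of applying them unless invoked with `apply`.

```shell
#!/bin/sh
# Added example, not from the thread: iptables rules letting LAN clients behind
# a Linux NAT box reach one Cisco IPsec gateway, restricted to that peer only.
# Assumed names: eth0 = WAN side, eth1 = LAN side, VPN_PEER = gateway address
# (placeholder from TEST-NET-3, substitute the real one).
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
VPN_PEER=${VPN_PEER:-203.0.113.10}

# Print the rule set rather than applying it, so it can be checked first.
ipsec_forward_rules() {
    wan=$1; lan=$2; peer=$3
    cat <<EOF
# Replies for anything the LAN already started (covers UDP 4500 both ways)
iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
# ISAKMP / IKE on UDP 500: always required
iptables -A FORWARD -i $lan -o $wan -d $peer -p udp --dport 500 -j ACCEPT
# NAT-T: IKE moves here and encapsulated ESP follows on UDP 4500
iptables -A FORWARD -i $lan -o $wan -d $peer -p udp --dport 4500 -j ACCEPT
# Plain ESP (IP protocol 50), used only when NAT-T is not negotiated;
# ESP has no ports, so a NAT box can carry it for one inside host at best
iptables -A FORWARD -i $lan -o $wan -d $peer -p esp -j ACCEPT
# Hide the LAN behind the firewall's WAN address
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
EOF
}

# Number of ACCEPT rules generated; a quick sanity check before applying.
rule_count() {
    ipsec_forward_rules "$1" "$2" "$3" | grep -c 'j ACCEPT'
}

apply_rules() {
    ipsec_forward_rules "$WAN_IF" "$LAN_IF" "$VPN_PEER" | grep -v '^#' | sh
}

if [ "${1:-}" = apply ]; then
    apply_rules
else
    ipsec_forward_rules "$WAN_IF" "$LAN_IF" "$VPN_PEER"
fi
```

Watch the firewall log while dialling: if IKE on UDP 500 goes out but nothing returns on 500 or 4500, the problem is on the path or the gateway, not in these rules.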

Re: VPN Client behind firewall

on 10.05.2005 23:33:21 by Wolfgang Kueter

Walter Roberson wrote:

> In article <1115618213.404115.144680@z14g2000cwz.googlegroups.com>,
> Vinod wrote:
> :I am trying to connect to the cisco VPN server from my network which
> :has linux firewall and windows 2000 systems.

> [good explanation deleted]
>
> Sorry, I can't help with the iptables part.

Watching the logfile and reading the iptables documentation should help.

;-)

Apart from that, I'd recommend for that scenario to forget about using the
Cisco VPN client behind the Linux NAT box and to build a site-to-site VPN
between the Cisco and the Linux box instead, using OpenSwan on the Linux
side.

Wolfgang