VPN Not Working
Dear guru,
I'm pretty new to NS. We have configured the LAN-to-LAN VPN as per the
instructions in the manual; however, the tunnel failed and is inactive per
"get sa". Wondering whether it is blocked by the ISP router, we have
asked our ISP to open the "VPN" ports. We are using g2-esp-3des-sha
for P2 and Pre-g2-3des-sha for P1.
What ports are required on my router to allow such a connection?
udp/500 for ipsec?
Any ideas?
Re: VPN Not Working
Mr_Huang <mr.huang.hk [at] gmail.com> writes:
> Dear guru,
> I'm pretty new to NS. We have configured the LAN-to-LAN VPN as per the
> instructions in the manual; however, the tunnel failed and is inactive per
> "get sa". Wondering whether it is blocked by the ISP router, we have
> asked our ISP to open the "VPN" ports. We are using g2-esp-3des-sha
> for P2 and Pre-g2-3des-sha for P1.
>
> What ports are required on my router to allow such a connection?
> udp/500 for ipsec?
You'll have to open 500/udp for negotiations, and ESP protocol for
encapsulated traffic (unless there is NAT on the way and the NAT-T
extension is used; in that case, you'll have to open 4500/udp).
Yvan.
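
An added example, not part of the thread: a small Python classifier for the traffic types named in the reply above, plus a check of which openings a filtering router is still missing. The NAT-T payload rules (four zero bytes before IKE, a one-byte 0xFF keepalive) follow RFC 3948; the function names and the sample packets are constructed for illustration.

```python
from collections import Counter

PROTO_UDP, PROTO_ESP = 17, 50      # IP protocol numbers
IKE_PORT, NATT_PORT = 500, 4500    # UDP ports named in the reply

def classify(ip_proto, dst_port=None, payload=b""):
    """Label one packet by the role it plays in an IPsec tunnel."""
    if ip_proto == PROTO_ESP:
        return "esp"                  # native ESP: an IP protocol, no ports
    if ip_proto != PROTO_UDP:
        return "other"                # e.g. TCP/telnet is not part of IPsec
    if dst_port == IKE_PORT:
        return "ike"                  # P1/P2 negotiation
    if dst_port == NATT_PORT:
        if payload == b"\xff":
            return "nat-keepalive"    # keeps the NAT mapping alive
        if payload[:4] == b"\x00" * 4:
            return "ike-natt"         # non-ESP marker, IKE message follows
        if len(payload) >= 8:
            return "esp-in-udp"       # starts with a non-zero SPI
    return "other"

def needed_openings(nat_in_path):
    """What the router must pass, with or without NAT-T in use."""
    if nat_in_path:
        # IKE starts on 500/udp, then moves to 4500/udp with the ESP traffic
        return {("udp", IKE_PORT), ("udp", NATT_PORT)}
    return {("udp", IKE_PORT), ("ip-proto", PROTO_ESP)}

def missing_openings(allowed, nat_in_path):
    """Openings still required, given the set the ISP says is allowed."""
    return sorted(needed_openings(nat_in_path) - set(allowed))

# Constructed sample packets: (ip_proto, dst_port, payload)
SAMPLE = [
    (17, 500, b"\x11" * 28),
    (17, 4500, b"\x00" * 4 + b"\x11" * 28),
    (17, 4500, b"\x12\x34\x56\x78" + b"\x00" * 16),
    (17, 4500, b"\xff"),
    (50, None, b""),
    (6, 23, b""),
]

def summarize(packets):
    return Counter(classify(*p) for p in packets)

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(missing_openings({("udp", 500)}, nat_in_path=False))
```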
Re: VPN Not Working
Thank you for your valuable information.
Is there a way to telnet to the remote device/gateway from my NS25 to
see if those ports are open or not?
Re: VPN Not Working
Also, how can I remove those VPN settings/gateway, from the Web
interface or command line?
"unset ike gateway name" didn't work.
Re: VPN Not Working
Hi,
Mr_Huang wrote:
> Also how can I remove those VPN setting/gateway? from the Web
> interface or CommandLine?
> "unset ike gateway name" didn't work
>
First you have to unset the dynamic protocols from the tunnel interface
(in case you are using this).
Then unset the tunnel interface from the vpn.
Then unset the vpn from the ike gateway.
Now it's possible to unset the ike gateway.
Regards,
Carsten
JNCIS-FWV
--
# Use ROT13 to see my e-mail address