Happy Holidays to all,

I have a 2-part question concerning my particular use of VPNs. I have a home network behind a Linksys firewall/router and am technically incompetent when it comes to VPNs.

Part 1: The company my wife works for has upgraded her VPN software and it no longer plays well with firewalls at the client end. I have an appointment with her tech support Thursday morning but would appreciate it if anyone could give me some clues or at least some intelligent questions to ask so that I might make this thing work. It is sometimes necessary to "help" the help desk in order that they can help you. :)

Part 2: I am planning to fire up a VPN connection to my employer on Thursday for the first time. Are there any issues running 2 VPN connections behind a firewall?

Thanks,
Mike
On Tue, Dec 24, 2002 at 05:58:15PM -0500, Michael Long wrote:
mlong> it if anyone could give me some clues or at least some intelligent
mlong> questions to ask so that I might make this thing work. It is sometimes
mlong> necessary to "help" the help desk in order that they can help you. :)

"VPN" can mean many things... but usually it means a PPTP or IPsec encrypted tunnel. IPsec wasn't designed to work with the hack that is NAT (Network Address Translation, Internet Connection Sharing), so if you are sharing one real IP address with a Linksys o

mlong> Part 2: I am planning to fire up a VPN connection to my employer on
mlong> Thursday for the first time. Are there any issues running 2 VPN
mlong> connections behind a firewall?
mlong>
mlong> Thanks,
mlong> Mike

--
Charles R. Anderson <cra@wpi.edu> / http://angus.ind.wpi.edu/~cra/
PGP Key ID: 49BB5886 Fingerprint: EBA3 A106 7C93 FA07 8E15 3AC2 C367 A0F9 49BB 5886
Well, my editor ate that one... Let's try this again.

On Tue, Dec 24, 2002 at 05:58:15PM -0500, Michael Long wrote:
mlong> it if anyone could give me some clues or at least some intelligent
mlong> questions to ask so that I might make this thing work. It is sometimes
mlong> necessary to "help" the help desk in order that they can help you. :)

"VPN" can mean many things... but usually it means a PPTP or IPsec encrypted tunnel. IPsec uses port 500/udp for ISAKMP key exchange, and IP protocol numbers 50/51 for ESP/AH encryption/authentication (i.e., not TCP or UDP). IPsec wasn't designed to work with the hack that is NAT (Network Address Translation, Internet Connection Sharing), so if you are sharing one real IP address among multiple computers with a Linksys, you can run into issues.

Basically, vendors like Linksys have hacked around the IPsec limitation to make it sort of work through the NAT. Make sure you have turned on the "IPsec passthrough" feature of your router (NOT IPsec/VPN endpoint). You should also look for an upgrade to the Linksys firmware to see if it addresses your issue... It is hit-or-miss oftentimes with these SOHO routers. Good luck.

mlong> Part 2: I am planning to fire up a VPN connection to my employer on
mlong> Thursday for the first time. Are there any issues running 2 VPN
mlong> connections behind a firewall?

The IPsec-through-NAT hack I mentioned above usually only works with ONE IPsec session at a time, so if both VPNs use IPsec, you may be out of luck unless you take turns using the VPN software. On the other hand, some vendors have figured out a way to allow multiple IPsec sessions to work through NAT at once...

It could be that one or both VPNs are using a technology other than IPsec, in which case the issues are completely different. PPTP usually works fine through NAT, for example. There are other protocols as well, which may or may not work through NAT.
In addition, if they are using IPsec with a Nortel Networks Contivity VPN switch on their end, it may have a feature called "NAT Traversal" which wraps the entire IPsec flow in UDP packets (the administrator chooses the port number, but Nortel recommends 10001/udp). If this is the case, it might make sense to turn OFF any IPsec-passthrough features of your router, so that the NAT Traversal kicks in.
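The two replies above describe the mechanics: IKE rides on 500/udp and has ports a NAT can rewrite, bare ESP/AH (IP protocols 50/51) has no ports, so a SOHO "passthrough" hack typically lets only one such session through, and UDP-encapsulated IPsec (Nortel's NAT Traversal on 10001/udp; the IETF later standardized the same idea on 4500/udp in RFC 3948) is just another UDP flow. The following toy NAT is an added illustration of that behaviour; it is not code from the thread, from Linksys firmware or from Nortel's Contivity. The single-slot passthrough rule, the addresses, ports and SPIs are constructed assumptions, and real routers differ in details.

```python
"""Toy model of a SOHO NAT router (added illustration, not the thread's or
any vendor's code).  It shows why bare IPsec (ESP/AH, IP protocols 50/51,
no port numbers) gets at most one session through the usual "IPsec
passthrough" hack, while UDP-encapsulated IPsec (NAT Traversal) is an
ordinary UDP flow and multiplexes like any other.  The public address
203.0.113.10, the LAN addresses, the SPIs and the one-slot passthrough
rule are constructed assumptions."""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51
IKE_PORT = 500              # ISAKMP, as named in the thread
NORTEL_NAT_T_PORT = 10001   # Nortel's recommended UDP wrapper port


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for ESP/AH: no transport header to rewrite
    dport: Optional[int] = None
    spi: Optional[int] = None     # ESP/AH security parameter index


class SohoNat:
    """Port NAT for UDP plus a single-slot 'IPsec passthrough' hack (assumed model)."""

    def __init__(self, public_ip: str = "203.0.113.10", passthrough: bool = True):
        self.public_ip = public_ip
        self.passthrough = passthrough
        self.next_port = 40000
        self.fwd: Dict[Tuple[str, int, str, int], int] = {}          # inside flow -> public port
        self.rev: Dict[Tuple[int, str, int], Tuple[str, int]] = {}   # (public port, peer) -> inside
        self.esp_host: Optional[str] = None   # the one LAN host allowed a bare IPsec session

    def outbound(self, p: Packet) -> Optional[Packet]:
        """LAN -> WAN. Returns the rewritten packet, or None if the NAT drops it."""
        if p.proto == PROTO_UDP:
            key = (p.src, p.sport, p.dst, p.dport)
            if key not in self.fwd:                 # allocate a fresh public port per flow
                self.fwd[key] = self.next_port
                self.rev[(self.next_port, p.dst, p.dport)] = (p.src, p.sport)
                self.next_port += 1
            return Packet(PROTO_UDP, self.public_ip, p.dst, self.fwd[key], p.dport)
        if p.proto in (PROTO_ESP, PROTO_AH):
            if not self.passthrough:
                return None                         # passthrough off: bare IPsec not forwarded
            if self.esp_host is None:
                self.esp_host = p.src               # first host claims the only slot
            if self.esp_host != p.src:
                return None                         # no port to rewrite: cannot multiplex a 2nd host
            return Packet(p.proto, self.public_ip, p.dst, spi=p.spi)
        return None

    def inbound(self, p: Packet) -> Optional[Packet]:
        """WAN -> LAN. Maps a reply back to the inside host, or None if unknown."""
        if p.proto == PROTO_UDP:
            inside = self.rev.get((p.dport, p.src, p.sport))
            return None if inside is None else Packet(PROTO_UDP, p.src, inside[0], p.sport, inside[1])
        if p.proto in (PROTO_ESP, PROTO_AH) and self.passthrough and self.esp_host:
            return Packet(p.proto, p.src, self.esp_host, spi=p.spi)   # all ESP goes to the one host
        return None


def vpn_works(nat: SohoNat, host: str, gateway: str, nat_t_port: Optional[int] = None) -> bool:
    """Push one IKE packet and one data packet from host to gateway through the
    NAT, then check that the gateway's reply comes back to host.
    nat_t_port=None means bare ESP; otherwise ESP is wrapped in UDP on that port."""
    if nat.outbound(Packet(PROTO_UDP, host, gateway, IKE_PORT, IKE_PORT)) is None:
        return False
    if nat_t_port is None:
        data = nat.outbound(Packet(PROTO_ESP, host, gateway, spi=0x1001))
        if data is None:
            return False
        reply = Packet(PROTO_ESP, gateway, nat.public_ip, spi=0x2002)
    else:
        data = nat.outbound(Packet(PROTO_UDP, host, gateway, nat_t_port, nat_t_port))
        reply = Packet(PROTO_UDP, gateway, nat.public_ip, nat_t_port, data.sport)
    back = nat.inbound(reply)
    return back is not None and back.dst == host


if __name__ == "__main__":
    wife, mike = "192.168.1.10", "192.168.1.11"        # constructed LAN hosts
    her_gw, his_gw = "198.51.100.1", "198.51.100.2"    # constructed VPN gateways
    nat = SohoNat()
    print("bare ESP, two hosts:", vpn_works(nat, wife, her_gw), vpn_works(nat, mike, his_gw))
    nat = SohoNat(passthrough=False)   # passthrough off, Nortel-style NAT Traversal on
    print("NAT-T on 10001/udp, two hosts:",
          vpn_works(nat, wife, her_gw, NORTEL_NAT_T_PORT),
          vpn_works(nat, mike, his_gw, NORTEL_NAT_T_PORT))
```

The first run shows the single-session limit: the second host's ESP is dropped because the NAT has nothing to rewrite and no way to tell the two hosts' return traffic apart. The second run shows why UDP wrapping sidesteps the problem even with passthrough turned off: each host gets its own translated source port, and replies map back unambiguously.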