IP-Filter, NAT, IPSEC and Nortel Extranet Access Client question

Post by Dan Makove » Tue, 16 Oct 2001 22:41:25

Hi there,

I was wondering if anybody out there could give me some advice?

I've got Nortel Extranet Access Client installed on a Win2k machine that
sits on a private address behind a FreeBSD gateway/firewall.  I need to be
able to run this client through the firewall, and am having difficulty
getting a connection to the Nortel server.

I have IP-Filter 3.4.20, and have applied the patch (originally intended for
2.4.14 but still seems ok with 3.4.20) listed at
http://www.cs.ndsu.nodak.edu/~davlarso/ipf/, recompiled kernel and modules
with:

options         IPSEC
options         IPSEC_ESP
options         IPSEC_DEBUG

The topology of my network is as follows:
ed0 is configured with the outside IP address (1.2.3.4 in this example)
dc0 is the dummy address 10.0.0.1

The client is installed on machine 10.0.0.2.  The server I'm trying to
contact is at 5.6.7.8

Following the directions in the link above, I added the following entries to
/etc/ipnat.conf and ran ipnat with "-f /etc/ipnat.conf" as arguments:

# Outbound ISAKMP (UDP 500) from the LAN: rewrite the source to ed0's
# address and hand the packet to the patch's IPsec proxy.
map ed0 10.0.0.1/16 -> 0/32 proxy port 500 udp
# Inbound ESP (IP protocol 50) arriving on ed0: ESP has no ports to match
# on, so everything is redirected to the one VPN client.
rdr ed0 0/32 port 0   -> 10.0.0.2 port 0 esp

I'm getting a message returned that the server is simply not contactable.

Running tcpdump -i ed0 on the gateway, I get the following when attempting
to connect using the client:
23:01:07.957446 1.2.3.4.40004 > 5.6.7.8.isakmp: isakmp: phase 1 I agg: [|sa]
23:01:15.204103 1.2.3.4.40004 > 5.6.7.8.isakmp: isakmp: phase 1 I agg: [|sa]
23:01:23.213835 1.2.3.4.40004 > 5.6.7.8.isakmp: isakmp: phase 1 I agg: [|sa]
23:01:31.228269 1.2.3.4.40004 > 5.6.7.8.isakmp: isakmp: phase 1 I agg: [|sa]

There appears to be no response from the server; however I know that it is
up because I can connect to it from the outside of the firewall.  The Nortel
client simply says "Login Failure due to: Remote host not responding".  This
leads me to believe that the outgoing packets are not being translated
correctly, and the replies are being lost in the ether.

Can anybody help me with this, or point me in the direction of somebody who
can?

Thanks in advance!

Cheerio,
d

--

Dan Makovec
Fat Canary Software

Web - fatcanary.com.au/dan
NetMeeting - callto:dan.fatcanary.com.au
ICQ - 1308090

 
 
 

1. Nortel Extranet VPN client (IPSec) through OpenBSD2.7 w/ ipf and ipnat ??

Has anyone succesfully configured an OpenBSD NAT/firewall to allow an
IPSec-based VPN client on the LAN side to pass through NAT and connect
to the remote server successfully?

I'm attempting to use Nortel Extranet Access Client to connect to a
remote VPN server at my employer via cable modem--but I've been
unsuccessful thus far.  I'm not sure of the hardware on my employer's
end, but the client-side software is Nortel Extranet Access Client
(V02_62.33 Sep 8 2000).

All other NAT seems to work fine.  I've added "log" directives to all
my ipf rules and even disabled them all and find no indication that
the IPSec traffic is even being forwarded.  I've tried enabling ESP in
/etc/sysctl.conf to no avail.

Based on a lot of net.digging of the ng's, it appears thus far that
OpenBSD's ipnat is not capable of dealing with the IPSec correctly.
What confuses me is that the inexpensive Linksys cable-modem router
(BEFSR41) can handle this--they've recently released a BIOS update
that touts "IPSec passthru now supported" which coworkers have used
successfully.  I understand that there's been a Linux patch for this
as well, and even the CoyoteLinux router supports this arrangement.

Is there an equivalent patch for OpenBSD that allows ipnat to
appropriately handle ESP (port 50) translation that's evidently needed
for this to work?

[network diagram: a Win2k box running the Nortel Extranet Client, followed
by two further boxes (the OpenBSD NAT/firewall and the path to the remote
VPN server) whose labels did not survive extraction]

I've been scouring the 'net trying to find a fix to no avail.  I'm
having religious difficulty thinking that there is something a Linksys
BEFSR41 router ($160) can do that OpenBSD can't!

Thank you in advance for any assistance or advice.

Best Regards,
Todd
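Both posts run into the same limitation, so here is one added example covering both; it is not code from either poster, from the ipf patch, or from the Nortel client. It is a small Python model of what the "map ... proxy port 500 udp" and "rdr ... esp" rules on the gateway have to do. It parses the only fields a NAT box can see in the clear, the ISAKMP header (initiator cookie and exchange type, which is where tcpdump's "phase 1 I agg" comes from) and the ESP header (SPI and sequence number), and it shows why the inbound ESP side can only ever be redirected to a single LAN host: the SPI the peer uses towards the client is agreed inside the encrypted phase 2 exchange, so the gateway first meets it on the wire when the reply arrives. The addresses are the ones from the first post; the packets, cookies and SPIs are constructed. One assumption is built in and marked in the code: the outside source port is pinned to 500. The tcpdump above shows the translated packets leaving from 40004, and some IKEv1 responders only answer initiators on port 500, so that is a check worth making on the real gateway, not a statement about what the posted rule does.

```python
import struct
from dataclasses import dataclass

PROTO_UDP, PROTO_ESP = 17, 50        # ESP is IP protocol 50, not a port
ISAKMP_PORT = 500
EXCH_AGGRESSIVE = 4                  # ISAKMP exchange type tcpdump prints as "I agg"
INSIDE, GW, PEER = "10.0.0.2", "1.2.3.4", "5.6.7.8"   # addresses from the first post


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    payload: bytes      # ISAKMP message (UDP) or ESP header + ciphertext
    sport: int = 0      # UDP only: ESP carries no ports, which is the whole problem
    dport: int = 0


def parse_isakmp(msg):
    """Fixed 28-byte ISAKMP header (RFC 2408 3.1); cleartext in every exchange."""
    if len(msg) < 28:
        raise ValueError("short ISAKMP header")
    icookie, rcookie, _np, _ver, exch, _flags, _msgid, length = struct.unpack("!8s8sBBBBII", msg[:28])
    return {"icookie": icookie, "rcookie": rcookie, "exchange": exch, "length": length}


def parse_esp(pkt):
    """ESP fixed header (RFC 2406): SPI and sequence number, both cleartext."""
    if len(pkt) < 8:
        raise ValueError("short ESP header")
    return struct.unpack("!II", pkt[:8])


def isakmp_msg(icookie, rcookie, exch):
    """Constructed ISAKMP message: a real header, dummy bytes where the payloads would be."""
    body = bytes(40)
    return struct.pack("!8s8sBBBBII", icookie, rcookie, 1, 0x10, exch, 0, 0, 28 + len(body)) + body


def esp_pkt(spi, seq):
    """Constructed ESP packet: a real header followed by dummy ciphertext."""
    return struct.pack("!II", spi, seq) + b"\xaa" * 32


class IPsecPassThrough:
    """Stateful model of 'map ... proxy port 500 udp' plus 'rdr ... esp' on the gateway."""

    def __init__(self, outside_addr):
        self.outside = outside_addr
        self.ike = {}      # (peer, initiator cookie) -> (inside host, inside source port)
        self.esp_in = {}   # (peer, inbound SPI) -> inside host, learned from the first inbound ESP

    def outbound(self, p):
        """LAN -> Internet. Returns the translated packet, or None if not handled."""
        if p.proto == PROTO_UDP and p.dport == ISAKMP_PORT:
            self.ike[(p.dst, parse_isakmp(p.payload)["icookie"])] = (p.src, p.sport)
            # Assumption (not from the posts): pin the outside source port to 500,
            # because some IKEv1 responders only answer initiators that use it.
            return Packet(self.outside, p.dst, PROTO_UDP, p.payload, sport=ISAKMP_PORT, dport=ISAKMP_PORT)
        if p.proto == PROTO_ESP:
            # The outbound SPI was chosen by the peer; it says nothing about inbound traffic.
            return Packet(self.outside, p.dst, PROTO_ESP, p.payload)
        return None

    def inbound(self, p):
        """Internet -> LAN. Returns the packet re-addressed to the inside host, or None for 'dropped'."""
        if p.proto == PROTO_UDP and p.dport == ISAKMP_PORT:
            entry = self.ike.get((p.src, parse_isakmp(p.payload)["icookie"]))
            if entry is None:
                return None                     # nobody inside started this session
            host, sport = entry
            return Packet(p.src, host, PROTO_UDP, p.payload, sport=ISAKMP_PORT, dport=sport)
        if p.proto == PROTO_ESP:
            spi, _seq = parse_esp(p.payload)
            host = self.esp_in.get((p.src, spi))
            if host is None:
                # This SPI was agreed inside the encrypted phase 2 exchange, so the gateway
                # sees it here for the first time. The rdr rule can only send it to the one
                # host with an IKE session to this peer; two such hosts make it ambiguous.
                hosts = {h for (peer, _), (h, _) in self.ike.items() if peer == p.src}
                if len(hosts) != 1:
                    return None
                host = hosts.pop()
                self.esp_in[(p.src, spi)] = host
            return Packet(p.src, host, PROTO_ESP, p.payload)
        return None


def run_demo():
    """Walk the exchange from the first post, then add a second LAN client to show the limit."""
    nat = IPsecPassThrough(GW)
    ic, rc = bytes.fromhex("0011223344556677"), bytes.fromhex("8899aabbccddeeff")
    out = nat.outbound(Packet(INSIDE, PEER, PROTO_UDP, isakmp_msg(ic, bytes(8), EXCH_AGGRESSIVE),
                              sport=40004, dport=ISAKMP_PORT))
    reply = nat.inbound(Packet(PEER, GW, PROTO_UDP, isakmp_msg(ic, rc, EXCH_AGGRESSIVE),
                               sport=ISAKMP_PORT, dport=ISAKMP_PORT))
    first_esp = nat.inbound(Packet(PEER, GW, PROTO_ESP, esp_pkt(0x00C0FFEE, 1)))
    stray = nat.inbound(Packet("9.9.9.9", GW, PROTO_UDP, isakmp_msg(bytes([1]) * 8, bytes([2]) * 8,
                               EXCH_AGGRESSIVE), sport=ISAKMP_PORT, dport=ISAKMP_PORT))
    nat.outbound(Packet("10.0.0.3", PEER, PROTO_UDP, isakmp_msg(bytes([3]) * 8, bytes(8), EXCH_AGGRESSIVE),
                        sport=40005, dport=ISAKMP_PORT))
    known_esp = nat.inbound(Packet(PEER, GW, PROTO_ESP, esp_pkt(0x00C0FFEE, 2)))
    new_esp = nat.inbound(Packet(PEER, GW, PROTO_ESP, esp_pkt(0x0BADF00D, 1)))
    return {
        "outside_src": (out.src, out.sport),
        "reply_dst": (reply.dst, reply.dport),
        "first_esp_dst": first_esp.dst,
        "stray_ike_dropped": stray is None,
        "known_spi_dst": known_esp.dst,
        "new_spi_ambiguous": new_esp is None,
    }
```

The last two cases are the point: an SPI the gateway has already learned keeps flowing to 10.0.0.2, but once 10.0.0.3 also has an IKE session to the same peer, the next ESP packet with a fresh SPI cannot be attributed to either host and is dropped. That is why the rdr rule above, and the "IPSec passthru" on the Linksys box, are single-client arrangements; carrying ESP inside UDP (NAT traversal) is the standards answer, but it has to be supported by the client and the server, not by the NAT box.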
