1. IP-Filter, NAT, IPSEC and Nortel Extranet Access Client question
I was wondering if anybody out there could give me some advice?
I've got Nortel Extranet Access Client installed on a Win2k machine that
sits on a private address behind a FreeBSD gateway/firewall. I need to be
able to run this client through the firewall, and am having difficulty
getting a connection to the Nortel server.
I have IP-Filter 3.4.20, and have applied the patch (originally intended for
2.4.14 but still seems ok with 3.4.20) listed at
http://www.cs.ndsu.nodak.edu/~davlarso/ipf/, recompiled kernel and modules.

The topology of my network is as follows:
ed0 is configured with the outside IP address (220.127.116.11 in this example)
dc0 is the dummy address 10.0.0.1
The client is installed on machine 10.0.0.2. The server I'm trying to
contact is at 18.104.22.168
Following the directions in the link above, I added the following entries to
/etc/ipnat.conf and ran ipnat with "-f /etc/ipnat.conf" as arguments:

    map ed0 10.0.0.1/16 -> 0/32 proxy port 500 udp
    rdr ed0 0/32 port 0 -> 10.0.0.2 port 0 esp

I'm getting a message returned that the server is simply not contactable.
Running tcpdump -i ed0 on the gateway, I get the following when attempting
to connect using the client:

    23:01:07.957446 22.214.171.124.40004 > 126.96.36.199.isakmp: isakmp: phase 1 I agg: [|sa]
    23:01:15.204103 188.8.131.52.40004 > 184.108.40.206.isakmp: isakmp: phase 1 I agg: [|sa]
    23:01:23.213835 220.127.116.11.40004 > 18.104.22.168.isakmp: isakmp: phase 1 I agg: [|sa]
    23:01:31.228269 22.214.171.124.40004 > 126.96.36.199.isakmp: isakmp: phase 1 I agg: [|sa]

There appears to be no response from the server; however I know that it is
up because I can connect to it from the outside of the firewall. The Nortel
client simply says "Login Failure due to: Remote host not responding". This
leads me to believe that the outgoing packets are not being translated
correctly, and the replies are being lost in the ether.
Can anybody help me with this, or point me in the direction of somebody who
Thanks in advance!
Fat Canary Software
Web - fatcanary.com.au/dan
NetMeeting - callto:dan.fatcanary.com.au
ICQ - 1308090
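
One way to check the capture described in the post, as an added example that is not part of the original post: it reads `tcpdump -i ed0` text output and reports, per client endpoint, how many ISAKMP packets went out, how many replies came back, and whether the source was still an RFC 1918 address (meaning no `map` rule translated it). The addresses in SAMPLE are constructed documentation addresses, and `summarize` is a name chosen for this example.

```python
import ipaddress
import re
from collections import defaultdict

# tcpdump text line: "HH:MM:SS.frac SRC.SPORT > DST.DPORT: isakmp: ..."
LINE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>isakmp|\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>isakmp|\d+): isakmp:"
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def port(name):
    # tcpdump prints port 500 as the service name "isakmp" unless run with -n
    return 500 if name == "isakmp" else int(name)

def summarize(lines, server):
    """Per client endpoint seen on the outside interface: ISAKMP packets
    sent to `server`, replies received, and whether NAT rewrote the source."""
    flows = defaultdict(lambda: {"sent": 0, "replies": 0})
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        if m["dst"] == server and port(m["dport"]) == 500:
            flows[(m["src"], port(m["sport"]))]["sent"] += 1
        elif m["src"] == server and port(m["sport"]) == 500:
            flows[(m["dst"], port(m["dport"]))]["replies"] += 1
    report = []
    for (addr, sport), count in sorted(flows.items()):
        ip = ipaddress.ip_address(addr)
        report.append({
            "client": addr, "sport": sport, **count,
            # A private source on the outside wire means no map rule matched.
            "untranslated": any(ip in net for net in RFC1918),
            "unanswered": count["sent"] > 0 and count["replies"] == 0,
        })
    return report

# Constructed sample (documentation addresses, not the poster's capture).
SAMPLE = """\
23:01:07.957446 203.0.113.10.40004 > 198.51.100.20.isakmp: isakmp: phase 1 I agg: [|sa]
23:01:15.204103 203.0.113.10.40004 > 198.51.100.20.isakmp: isakmp: phase 1 I agg: [|sa]
23:01:23.213835 203.0.113.10.40004 > 198.51.100.20.isakmp: isakmp: phase 1 I agg: [|sa]
23:01:24.000100 10.0.0.2.isakmp > 198.51.100.20.isakmp: isakmp: phase 1 I agg: [|sa]
"""

if __name__ == "__main__":
    for row in summarize(SAMPLE.splitlines(), "198.51.100.20"):
        print(row)
```
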