Matthew Lowe wrote:
>
>
> I am having problems with getting an IPSEC tunnel going with
> ADSL/M1122
> at one end and at the other I have a clear frame connection.
>
> This is what I am trying.
>
> LRP box at both ends, using IPSEC without ADSL works (ie
> frame to frame
> ok)
>
> Connected one LRP box to an ADSL connection does not work.
>
> I have changed to ESP with IPSEC and this did not help.
>
> Next I tried pinholes on ports 50 and 500 TCP and UDP and this did not
> help. (even tried pinholes for just about all ports and still no joy)
>

UDP 500 is required for IKE authentication and key exchange.

For ESP IPSec encapsulation you need IP TYPE 50 pinholed.

This is not a TCP or UDP pinhole, it is a numeric IP protocol number. Port
numbers are irrelevant, ESP doesn't use them.

On the MW1122, instead of choosing TCP or UDP from the protocol type
drop-down list, keep scrolling down to protocol 50.

> My understanding is this should work but as per usual my lack of
> expertise is getting in the way.
>
> I am struggling. Has anyone got this going? Am I wasting my time?
>

Maybe...some IPSec implementations work, depends on the vendor. Some don't
like NAT, it screws up the IKE Authentication.

Client/Server (eg Checkpoint Securemote clients) seems to work OK, Server to
Server is what seems to give grief.

You can have success using 'Manual IPSec', an ESP tunnel with no
authentication header. You have to manually set up the SPI and keys at both
ends though.

I'm told you can get an IKE session going across ADSL between two Sonicwall
firewalls.

Rob

This message is part of the NZ Broadband mailing list.
see http://unixathome.org/adsl/ for archives, FAQ,
and various documents.
To unsubscribe: send mail to majordomo@unixathome.org
with "unsubscribe adsl" in the body of the message
Received on Mon Oct 16 10:24:50 2000