New Zealand ADSL Mailing List


Re: ADSL, IPSEC , LRP, and pinholes

From: Matthew Lowe <matthew.lowe_at_ignite.net.nz>
Date: Tue, 17 Oct 2000 07:33:43 +1300
Message-ID: <39EB4A07.6C4E6449@ignite.net.nz>

rob.edkins@axon.co.nz wrote:

> Matthew Lowe wrote:
> >
> >
> > I am having problems with getting an IPSEC tunnel going with
> > ADSL/M1122
> > at one end and at the other I have a clear frame connection.
> >
> > This is what I am trying.
> >
> > LRP box at both ends, using IPSEC without ADSL works (ie
> > frame to frame
> > ok)
> >
> > Connected one LRP box to an ADSL connection does not work.
> >
> > I have changed to ESP with IPSEC and this did not help.
> >
> > Next I tried pinholes on ports 50 and 500 TCP and UDP and this did not
> > help. (even tried pinholes for just about all ports and still no joy)
> >
>
> UDP 500 is required for IKE authentication and key exchange.
>
> For ESP IPSec encapsulation you need IP TYPE 50 pinholed.
>
> This is not a TCP or UDP pinhole, it is a numeric IP protocol number. Port
> numbers are irrelevant, ESP doesn't use them.
>
> On the MW1122, instead of choosing TCP or UDP from the protocol type
> drop-down list, keep scrolling down to protocol 50.
>
> > My understanding is this should work but as per usual my lack of
> > expertise is getting in the way.
> >
> > I am struggling. Has anyone got this going? Am I wasting my time?
> >
>
> Maybe...some IPSec implementations work, depends on the vendor. Some don't
> like NAT, it screws up the IKE Authentication.
>
> Client/Server (eg Checkpoint Securemote clients) seems to work OK, Server to
> Server is what seems to give grief.
>
> You can have success using 'Manual IPSec', an ESP tunnel with no
> authentication header. You have to manually set up the SPI and keys at both
> ends though.
>
> I'm told you can get an IKE session going across ADSL between two Sonicwall
> firewalls.
>
> Rob
>
>

I have managed to get it all going to a point.

I added a pinhole on protocol 50 and all started working one way. I can now get
from the adsl end to the frame end and not the other way.

Any ideas?

Is this normal?

Matthew

This message is part of the NZ Broadband mailing list.
see http://unixathome.org/adsl/ for archives, FAQ,
and various documents.
To unsubscribe: send mail to majordomo@unixathome.org
with "unsubscribe adsl" in the body of the message
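Rob's point above, that ESP is IP protocol 50 rather than a TCP or UDP port and so a "port 50" pinhole never matches it, is easy to check with a small packet classifier. The following Python is an added example written for this archive page; it is not code from either poster or from the M1122 firmware. It builds two constructed packets (an IKE datagram on UDP 500 and an ESP packet carrying only an SPI and sequence number), parses the IPv4 header to recover the protocol number and any transport ports, and evaluates them against two hypothetical pinhole sets: the port-only rules Matthew first tried, and the corrected set with a protocol-50 rule.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_ESP = 50   # ESP is an IP protocol number, not a port
IKE_PORT = 500     # IKE runs over UDP


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int]   # None when the protocol has no port field
    dport: Optional[int]


@dataclass(frozen=True)
class Pinhole:
    """A forwarding rule keyed on protocol number and, optionally, a destination port."""
    proto: int
    port: Optional[int] = None   # must be None for port-less protocols such as ESP

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        return self.port is None or pkt.dport == self.port


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    # Constructed minimal IPv4 header: no options, TTL 64, checksum left at zero.
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def parse_ipv4(raw: bytes) -> Packet:
    ihl = (raw[0] & 0x0F) * 4          # header length in bytes
    proto = raw[9]                     # protocol field: 6 TCP, 17 UDP, 50 ESP
    src = socket.inet_ntoa(raw[12:16])
    dst = socket.inet_ntoa(raw[16:20])
    payload = raw[ihl:]
    sport = dport = None
    # Only TCP and UDP carry ports in the first four payload bytes; an ESP
    # payload starts with SPI + sequence number, which must not be read as ports.
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
    return Packet(proto, src, dst, sport, dport)


def permitted(rules: List[Pinhole], pkt: Packet) -> bool:
    return any(rule.matches(pkt) for rule in rules)


# Constructed sample traffic between two hypothetical tunnel endpoints.
_ike_body = b"\x00" * 28                                   # placeholder ISAKMP header
_udp_hdr = struct.pack("!HHHH", IKE_PORT, IKE_PORT, 8 + len(_ike_body), 0)
_esp_body = struct.pack("!II", 0x1234ABCD, 1) + b"\x00" * 16  # SPI, seq, ciphertext

SAMPLE_PACKETS: Dict[str, bytes] = {
    "ike": build_ipv4(IPPROTO_UDP, "192.0.2.10", "203.0.113.5", _udp_hdr + _ike_body),
    "esp": build_ipv4(IPPROTO_ESP, "192.0.2.10", "203.0.113.5", _esp_body),
}

# What Matthew first tried: TCP and UDP "port 50" plus port 500.
PORT_ONLY_RULES = [Pinhole(IPPROTO_TCP, 50), Pinhole(IPPROTO_UDP, 50),
                   Pinhole(IPPROTO_TCP, 500), Pinhole(IPPROTO_UDP, 500)]

# What Rob describes: UDP 500 for IKE and IP protocol 50 for ESP.
CORRECT_RULES = [Pinhole(IPPROTO_UDP, IKE_PORT), Pinhole(IPPROTO_ESP)]


def evaluate(rules: List[Pinhole]) -> Dict[str, bool]:
    """Return {packet name: permitted?} for the constructed sample packets."""
    return {name: permitted(rules, parse_ipv4(raw)) for name, raw in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("port-only", PORT_ONLY_RULES), ("protocol-aware", CORRECT_RULES)):
        print(label, evaluate(rules))
```

The port-only set lets IKE through (UDP 500) but drops every ESP packet, which is exactly the symptom of a tunnel that negotiates and then passes no traffic; adding the protocol-50 rule is what lets the encapsulated data flow. The parser also makes the second half of the point visible: an ESP packet has no port fields, so a rule that insists on one can never match it.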
Received on Tue Oct 17 08:16:46 2000


This archive was generated by hypermail 2.2.0 : Thu Nov 30 11:48:06 2006 EST