RE: OT - UDP1000 VPN on PIX 6.3.1

From: Chris Johnston (chris@routerguy.com)
Date: Thu May 15 2003 - 13:34:34 GMT-3


Thanks Sam for the thought. The 4.x client on 6.3.1 seems to be panning
out well and the customer doesn't gripe that his "fast switch(?)" on XP
is broken any more. Furthermore, I have not had the timeout issue yet.

My big problem is the customer has dialup through AT&T. Dialup users
are assigned all sorts of weird addresses but will always appear as
12.x.x.x on the dial-up client. The VPN may be coming from a dial-pool
partner.

Well what this means is there is NAT going on somewhere. If the NAT
blocks certain traffic and unless it is true 1:1 NAT and not PAT you are
not going to get a traditional IPSEC connection. Generally this is why
I make exceptions in my pix configs for the UDP/500 and IP/50.

This was the very big selling point of the VPN 3000 series boxes, we
could do the IPSEC over UDP.

This is why I was looking to find if anyone found the explicit "turn
this on" switch.

ONE BIG PROBLEM I DID RUN ACROSS. In the PIX you build your SA's in
access lists. This gets sent to the client and your ip pool and its
subnet come across just fine. However, the 4.x client assigns a
classful subnet mask to you.

So for example, I had 172.23.230.192 255.255.255.192 as my subnet in the
SA. I receive an ip address from the pool - 172.12.230.193 with a
netmask of 255.255.0.0. You too can see this if you do an ipconfig
/all.

Thanks for listening.
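The classful-mask behaviour Chris describes can be checked from the values a client reports in ipconfig. The script below is an added example and is not from the original thread or from Cisco; the check_client_route function and the addresses used (the SA subnet and pool address exactly as the post gives them, plus one constructed pool address inside the SA subnet) are assumptions for illustration.

```python
import ipaddress

def classful_mask(addr: str) -> int:
    """Return the prefix length a classful (pre-CIDR) interpretation
    of an IPv4 address implies: class A /8, class B /16, class C /24."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError(f"{addr} is not a unicast class A/B/C address")

def check_client_route(sa_subnet: str, assigned_addr: str, assigned_mask: str) -> dict:
    """Compare what the PIX access list (the SA) says the protected subnet is
    against what the VPN client actually configured on its adapter.
    Flags a mask that is merely classful and an address outside the SA."""
    sa = ipaddress.ip_network(sa_subnet, strict=False)
    adapter = ipaddress.ip_interface(f"{assigned_addr}/{assigned_mask}")
    applied = adapter.network.prefixlen
    classful = classful_mask(assigned_addr)
    return {
        "sa_prefix": sa.prefixlen,
        "applied_prefix": applied,
        "mask_is_classful": applied == classful,
        "mask_matches_sa": applied == sa.prefixlen,
        # True when the client mask covers more address space than the SA,
        # i.e. hosts the client thinks are local are really beyond the tunnel.
        "mask_wider_than_sa": applied < sa.prefixlen,
        "in_sa_subnet": adapter.ip in sa,
    }

if __name__ == "__main__":
    # Values exactly as quoted in the post (note the pool address is 172.12.x,
    # the SA is 172.23.x; the check reports that too).
    print(check_client_route("172.23.230.192/255.255.255.192",
                             "172.12.230.193", "255.255.0.0"))
    # Constructed: a pool address that does sit inside the SA subnet.
    print(check_client_route("172.23.230.192/255.255.255.192",
                             "172.23.230.193", "255.255.0.0"))
```

A result with mask_is_classful true and mask_matches_sa false reproduces the ipconfig /all observation above.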

-----Original Message-----
From: Sam Munzani [mailto:sam@munzani.com]
Sent: Thursday, May 15, 2003 7:23 AM
To: Chris Johnston; ccielab@groupstudy.com
Cc: cciesecurity@yahoogroups.com
Subject: Re: OT - UDP1000 VPN on PIX 6.3.1

Chris,

I have configured NAT-T on 6.3.1 and it uses UDP/4000. Worked great with
3.6.4 client. Recently I upgraded my client to 4.01 under w2k and
upgraded PIX to AES license. Ever since I am having weird issues. After
first few minutes of passing traffic across the VPN, it stops and VPN
times out. I didn't have time to go back to my old client. I tried going
back to PIX with DES license and it didn't solve my problem.

I will let you know how it goes with old client. 4.01 might work well
under XP but don't have XP on my laptop.

Thanks,
Sam Munzani
CCIE # 6479 (R&S, Security)

> Hello everyone;
>
> Has anyone tinkered with the NAT Transversal VPN on the new PIX 6.3.1
> release? It's supposed to be in there (somewhere) but I'll be danged
> if I can find explicit documentation on how to enable it.
>
> Have you also noticed that the new VPN client 4.01 is out? It
> actually works with the WinXP easy login since it installs a driver
> vs. a shim into the OS.
>
> Chris Johnston
> 714-306-5746
> 949-653-8819 (fax)
>
> Cannot find REALITY.SYS. Universe halted.
> -------------------------------------------------------------------



This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:43 GMT-3