VPN Labs is an open community for researching, testing, reviewing, and discussing Virtual Private Networks.
bigboy | Member since: 2001-11-29 16:16:45 | posted: 2001-11-29 16:18:15
NetScreen 5 to Nortel Extranet Access Client
----------
I looked around your site but wasn't able to see much about this topic, hence I thought I might ask.

I have a Netscreen 5 firewall, and need to be able to use a Nortel Extranet Access Client to tunnel to a private network.

Has anybody successfully managed to get Nortel and Netscreen to coincide? Any ideas on how to set up the Netscreen to allow the VPN to function correctly?

dsmathews | Member since: 2002-01-11 09:23:36 | posted: 2002-01-11 09:42:59
Netscreen & Nortel
----------
I'm assuming you are trying to pass Nortel IPSec traffic across a Netscreen firewall, and not build a VPN with the Nortel Client to the Netscreen firewall...

There are a few caveats with NAT'ing devices and/or firewalls with IPSec VPNs:

1) If you configure the VPN for AH (Authentication Header) - you will never get your VPN to work if there is NAT anywhere in the network between your host and client. This is OK, because AH doesn't encrypt your payload, so most organizations don't use it anyway.

2) The Netscreen must be able to pass the IKE requests to both the client and server on TCP/UDP 500 - which is different from many services, as source and destination port will always be 500 - a new "high" port is not negotiated.

3) The Netscreen must be able to pass protocol 50 traffic back to the client (assuming the client is behind the firewall.)

This is the biggest challenge for most firewall/router/NAT products, as they usually only support port forwarding, not protocol forwarding. IPSEC ESP uses protocol 50, which does not equate to TCP/UDP 50.

Good luck!
Dan
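The two points in Dan's reply that trip people up are easy to see in code: a rule for "port 50" never matches ESP because ESP is IP protocol 50 and carries no ports at all, and AH fails behind NAT because its integrity check covers the outer source address. The following is an added example written for this page, not code from the original thread or from NetScreen or Nortel. It models a firewall rule set and a simplified AH/ESP integrity check over constructed packets; the addresses, key and payload are made up, the ICV is HMAC-SHA256 truncated to 96 bits rather than an exact AH encoding, and the rule set passes IKE on UDP 500 only, since IKE runs over UDP (the "TCP/UDP 500" in the reply is looser than the protocol actually is).

```python
"""Toy model of the two firewall points in Dan's reply: ESP is IP protocol 50
(not a TCP/UDP port), and AH's integrity check covers the outer source
address, so NAT breaks it. Constructed packets; not NetScreen or Nortel code."""
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51


@dataclass(frozen=True)
class Packet:
    proto: int                    # IP protocol number from the IPv4 header
    src: str
    dst: str
    dport: Optional[int] = None   # only exists for TCP/UDP; None otherwise


@dataclass(frozen=True)
class Rule:
    """A permit rule keyed on IP protocol and, for TCP/UDP, destination port."""
    proto: int
    dport: Optional[int] = None   # None: any port, or the protocol has no ports

    def matches(self, pkt: Packet) -> bool:
        return pkt.proto == self.proto and (self.dport is None or pkt.dport == self.dport)


def permitted(rules, pkt: Packet) -> bool:
    return any(r.matches(pkt) for r in rules)


# What a port-forwarding-only box ends up with when told "open 500 and 50":
PORT_ONLY_RULES = [Rule(IPPROTO_UDP, 500), Rule(IPPROTO_UDP, 50)]
# What actually passes IPsec: IKE on UDP 500 plus the ESP protocol itself:
IPSEC_RULES = [Rule(IPPROTO_UDP, 500), Rule(IPPROTO_ESP)]

# Constructed sample traffic (documentation address ranges, not real hosts).
IKE_PKT = Packet(IPPROTO_UDP, "10.0.0.5", "203.0.113.9", dport=500)
ESP_PKT = Packet(IPPROTO_ESP, "10.0.0.5", "203.0.113.9")


def ipv4_immutable(src: str, dst: str, proto: int, length: int) -> bytes:
    """20-byte IPv4 header with the mutable fields (TTL, checksum, flags) zeroed,
    which is how AH canonicalises the header before computing its ICV.
    The addresses are NOT mutable, which is exactly why NAT breaks AH."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 0, 0, 0, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def ah_icv(key: bytes, src: str, dst: str, payload: bytes) -> bytes:
    # AH authenticates the canonicalised outer header *and* the payload.
    # Simplification (assumption): HMAC-SHA256 truncated to 96 bits, in the
    # spirit of RFC 4302's truncated HMACs, not an exact AH encoding.
    hdr = ipv4_immutable(src, dst, IPPROTO_AH, 20 + len(payload))
    return hmac.new(key, hdr + payload, hashlib.sha256).digest()[:12]


def esp_icv(key: bytes, payload: bytes) -> bytes:
    # ESP's integrity check covers only the ESP header/payload, not the outer IP header.
    return hmac.new(key, payload, hashlib.sha256).digest()[:12]


def build(proto: int, key: bytes, src: str, dst: str, payload: bytes) -> dict:
    """Sender side: attach the ICV the chosen protocol would carry."""
    icv = ah_icv(key, src, dst, payload) if proto == IPPROTO_AH else esp_icv(key, payload)
    return {"proto": proto, "src": src, "dst": dst, "payload": payload, "icv": icv}


def apply_nat(pkt: dict, public_ip: str) -> dict:
    """Source NAT: rewrite the outer source address, leave everything else alone."""
    return {**pkt, "src": public_ip}


def verify(pkt: dict, key: bytes) -> bool:
    """Receiver side: recompute the ICV over the header as it actually arrived."""
    if pkt["proto"] == IPPROTO_AH:
        expected = ah_icv(key, pkt["src"], pkt["dst"], pkt["payload"])
    else:
        expected = esp_icv(key, pkt["payload"])
    return hmac.compare_digest(expected, pkt["icv"])


if __name__ == "__main__":
    key = b"constructed-demo-key"
    print("port-only rules pass ESP?", permitted(PORT_ONLY_RULES, ESP_PKT))  # False
    print("protocol rule passes ESP?", permitted(IPSEC_RULES, ESP_PKT))      # True
    for proto in (IPPROTO_AH, IPPROTO_ESP):
        pkt = build(proto, key, "10.0.0.5", "203.0.113.9", b"tunnelled data")
        natted = apply_nat(pkt, "198.51.100.7")
        print("protocol", proto, "verifies after NAT?", verify(natted, key))  # AH False, ESP True
```

The port-only rule set passes the IKE packet but drops ESP, which is the "protocol forwarding" problem from the reply: the firewall has to match on the IP protocol field, not on a port. The AH packet fails verification the moment the NAT device rewrites the source address, while the ESP packet still verifies because its ICV never covered the outer header. Note that surviving the integrity check is not the same as traversing NAT cleanly: a NAT device still has no ports to map ESP on, which is the problem NAT-T (UDP encapsulation on port 4500) was later defined to solve.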