Guys,
I’m having issues configuring the Firewall on my Billion 7402VGP to allow me to connect to work via VPN. Although the router has an SPI Firewall it does not permit the connections. This was handled fine by the Origo ASR-8400 that was my previous router.
So, as the Firewall is not allowing the connection by default I have tried to find the correct Port combinations to allow access.
The VPN connection is controlled by Software on my laptop. It comprises two parts – RSA Keon Desktop (credential store login) and Nortel Contivity VPN Client. The process is that you log-on to the Keon Desktop and then use the credentials gained to connect the VPN using the Contivity Client.
Log-on on to the Keon Desktop now works as I have opened port 2478 for this purpose but for the Contivity Client I am struggling.
By enabling the Firewall Filtering log I can see failed connection attempts and I’ve spent some time adding the ports listed to the access rules, but every time I make additions I find it is trying to connect to even more ports.
So I changed tack. I have then tried adding the IP Address of the destination device with all ports open. This doesn’t work either.
Any thoughts? Attached are the default ports blocked by the Firewall for the different preset security settings.
VPN Connection using Billion 7402 VGP
- Attachment: ports.jpg (Predefined Port Filter Rules for Billion 7402)
We learn something every day, and lots of times it’s that what we learned the day before was wrong.
—Bill Vaughan
What protocol are you forwarding? Seems that some routers only give you the option of TCP or UDP. No expert on this but it has caused me difficulties with a BT/2wire clone.
He ached all over. It wasn't just that his brain was writing cheques that his body couldn't cash. It had gone beyond that. Now his feet were borrowing money that his legs hadn't got, and his back muscles were looking for loose change under the sofa cushions.
- Terry Pratchett
www.bliss.org.uk
> JAFO wrote: What protocol are you forwarding? Seems that some routers only give you the option of TCP or UDP. No expert on this but it has caused me difficulties with a BT/2wire clone.

An interesting point. I had assumed TCP but perhaps I should have thought UDP. I will give it a go.
We learn something every day, and lots of times it’s that what we learned the day before was wrong.
—Bill Vaughan
I've now found the following article on IPSec port requirements from MS: How IPSec Works.

> Mr Gates wrote: In order for IPSec-secured communications to take place through a firewall or other filtering device, you must configure the firewall to permit IPSec traffic on UDP source and destination port 500 (ISAKMP) and IP Protocol 50 (ESP). You might also need to configure the firewall to permit IPSec traffic on IP protocol 51 (AH) to permit troubleshooting by IPSec administrators and to allow the traffic to be inspected while it is still IPSec-encapsulated.

This implies that a combination of Raw IP Filters for Protocols 50 & 51 plus a packet filter for UDP port 500 should do the trick. This is a little complex for something that the ASR-8400 did out of the box, no?
We learn something every day, and lots of times it’s that what we learned the day before was wrong.
—Bill Vaughan
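A small added example (not from the thread, the Microsoft article, or the Billion firmware) that ties the quoted port list to the symptom in the first post, where opening ever more ports never made the log go quiet. It reads constructed firewall-log lines in an assumed format (the 7402VGP's own log format only appears as a screenshot here), counts dropped packets per IPsec component, and flags the case where the dropped traffic is ESP or AH, which carry no port at all and so can only be admitted by a rule keyed on the raw IP protocol number. The addresses are documentation ranges chosen for the example.

```python
import re
from collections import Counter

# Constructed log lines in an assumed format. 192.0.2.10 plays the laptop,
# 203.0.113.5 stands in for the work VPN gateway, 198.51.100.7 is unrelated traffic.
SAMPLE_LOG = """\
DROP src=192.0.2.10 dst=203.0.113.5 proto=17 dport=500
DROP src=203.0.113.5 dst=192.0.2.10 proto=17 dport=500
DROP src=192.0.2.10 dst=203.0.113.5 proto=50
DROP src=203.0.113.5 dst=192.0.2.10 proto=50
DROP src=203.0.113.5 dst=192.0.2.10 proto=51
DROP src=192.0.2.10 dst=198.51.100.7 proto=6 dport=443
"""

# Captures the IP protocol number and, for TCP/UDP lines only, the destination port.
LINE_RE = re.compile(r"\bproto=(?P<proto>\d+)(?:\s+dport=(?P<dport>\d+))?")

# The three IPsec building blocks named in the quoted Microsoft text.
# Key is (IP protocol number, destination port); port is None for port-less protocols.
IPSEC_COMPONENTS = {
    (17, 500): "ISAKMP (UDP 500)",
    (50, None): "ESP (IP protocol 50)",
    (51, None): "AH (IP protocol 51)",
}


def parse_drops(log_text):
    """Yield (proto, dport) for every DROP line; dport is None when the line has none."""
    for line in log_text.splitlines():
        if not line.startswith("DROP"):
            continue
        m = LINE_RE.search(line)
        if m is None:
            continue
        dport = int(m.group("dport")) if m.group("dport") else None
        yield int(m.group("proto")), dport


def classify(log_text):
    """Count dropped packets per IPsec component; anything else is 'unrelated'."""
    counts = Counter()
    for key in parse_drops(log_text):
        counts[IPSEC_COMPONENTS.get(key, "unrelated")] += 1
    return dict(counts)


def port_rules_cannot_fix(log_text):
    """True when dropped IPsec traffic has no port (ESP or AH).

    Adding TCP/UDP port rules never admits such packets: the filter needs a
    rule on the raw IP protocol number (50 or 51) instead.
    """
    return any(dport is None and proto in (50, 51) for proto, dport in parse_drops(log_text))


if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
    print("raw IP protocol rule needed:", port_rules_cannot_fix(SAMPLE_LOG))
```

Run against the sample, the summary shows two ISAKMP drops, two ESP drops and one AH drop alongside one unrelated TCP drop, and the check confirms that no amount of port opening would have fixed the ESP/AH half of the problem.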
> SyBorg wrote: This is a little complex for something that the ASR-8400 did out of the box, no?

I seem to recall that the ASR-8400 has some inherent VPN support so maybe that's what they were referring to?
RouterTech Team and Founding Member
RouterTech Merchandise (UK)
No support via PM, please ask your questions on the forum!
This is as far as I got with the 2wire piece of ****. How do you allow protocols other than TCP and UDP to pass through the firewall/router?
I have seen and can do it on an ISA firewall easy enough, but have no idea with routers. My SWAMR fortunately has a predefined rule set for it for L2TP/IPSec passthrough.
He ached all over. It wasn't just that his brain was writing cheques that his body couldn't cash. It had gone beyond that. Now his feet were borrowing money that his legs hadn't got, and his back muscles were looking for loose change under the sofa cushions.
- Terry Pratchett
www.bliss.org.uk
> JAFO wrote: How do you allow protocols other than TCP and UDP to pass through the firewall/router?

For the 7402VGP there is a section in the Firewall configuration that claims to do it. I would have put the screenshot in the post but I can't FTP to anywhere from here.
I'll let you know if it works.
- Attachment: Packet Filter.jpg (Screen shot of Raw packet filter screen on Billion 7402VGP)
We learn something every day, and lots of times it’s that what we learned the day before was wrong.
—Bill Vaughan
Well, it looks like my suggestion worked.

Adding UDP port 500 and protocols 50 and 51 as per the screenshot below has worked. I'm not convinced this is as 'tight' as it could be so I will play around with it and post the best results. This does at least allow me to get my work mail while my daughter is on the desktop upstairs playing on the 'Barbie' site.
- Attachment: IPSec Ports.jpg (IPSec Ports)
We learn something every day, and lots of times it’s that what we learned the day before was wrong.
—Bill Vaughan
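An added example (mine, not the router's configuration or anything posted in the thread) of the "tighter" version SyBorg says he will try, alongside the rule set that worked. It models a stateless packet filter with the three rules from the Microsoft text quoted earlier (UDP 500, IP protocol 50, IP protocol 51), first open to any remote host and then restricted to the single work VPN gateway, and runs both against constructed VPN and stray packets. The gateway address and the Rule/Packet classes are assumptions for the example; the Billion's real rule semantics are only visible in the screenshot.

```python
from dataclasses import dataclass
from typing import List, Optional

# IP protocol numbers used below.
TCP, UDP, ESP, AH = 6, 17, 50, 51

# Constructed address standing in for the work VPN gateway (documentation range).
VPN_GATEWAY = "203.0.113.5"


@dataclass(frozen=True)
class Packet:
    proto: int
    remote: str                  # the far-end address, whichever direction the packet flows
    dport: Optional[int] = None  # only TCP/UDP packets carry a port


@dataclass(frozen=True)
class Rule:
    proto: int
    dport: Optional[int] = None   # None: any port (required for ESP/AH, which have none)
    remote: Optional[str] = None  # None: any remote address

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.remote is not None and pkt.remote != self.remote:
            return False
        return True


def allowed(rules: List[Rule], pkt: Packet) -> bool:
    """Default-deny filter: a packet passes only if some rule matches it."""
    return any(rule.matches(pkt) for rule in rules)


def evaluate(rules: List[Rule], packets: List[Packet]) -> List[bool]:
    return [allowed(rules, pkt) for pkt in packets]


# What the thread settled on: UDP 500 plus raw IP protocols 50 and 51, any remote host.
LOOSE_RULES = [Rule(UDP, 500), Rule(ESP), Rule(AH)]

# The tighter variant: the same three, but only to and from the VPN gateway.
TIGHT_RULES = [
    Rule(UDP, 500, VPN_GATEWAY),
    Rule(ESP, remote=VPN_GATEWAY),
    Rule(AH, remote=VPN_GATEWAY),
]

# Constructed traffic: the genuine VPN exchange, then packets nobody asked for.
VPN_TRAFFIC = [
    Packet(UDP, VPN_GATEWAY, 500),  # ISAKMP negotiation
    Packet(ESP, VPN_GATEWAY),       # encrypted payload
    Packet(AH, VPN_GATEWAY),        # authentication header
]
STRAY_TRAFFIC = [
    Packet(ESP, "198.51.100.9"),       # ESP from an unrelated host
    Packet(UDP, "198.51.100.9", 500),  # ISAKMP from an unrelated host
    Packet(TCP, VPN_GATEWAY, 445),     # non-VPN traffic even from the gateway itself
]


if __name__ == "__main__":
    for name, rules in (("loose", LOOSE_RULES), ("tight", TIGHT_RULES)):
        print(name, "VPN:", evaluate(rules, VPN_TRAFFIC), "stray:", evaluate(rules, STRAY_TRAFFIC))
```

Both rule sets let the VPN exchange through; only the tight one refuses ISAKMP and ESP from hosts other than the gateway, which is what "tight" buys you when the client only ever talks to one concentrator. Two caveats the model leaves out: the real router is stateful, so how it tracks port-less ESP varies by firmware, and if the router NATs the laptop, plain ESP cannot be rewritten and the client would have to fall back to NAT-T (IPsec over UDP 4500), which these rules do not cover.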