VPN Connection using Billion 7402 VGP

An area specifically for port forwarding, firewalls and other (on-line) security related issues.
SyBorg
Ex RouterTech Team
Posts: 1621
Joined: Mon Apr 17, 2006 4:09 pm
Location: Berkshire

VPN Connection using Billion 7402 VGP

Post by SyBorg » Tue Apr 25, 2006 9:55 am

Guys,

I’m having issues configuring the Firewall on my Billion 7402VGP to allow me to connect to work via VPN :cry: . Although the router has an SPI Firewall it does not permit the connections. This was handled fine by the Origo ASR-8400 that was my previous router.

So, as the Firewall is not allowing the connection by default I have tried to find the correct Port combinations to allow access.
The VPN connection is controlled by Software on my laptop. It comprises two parts – RSA Keon Desktop (credential store login) and Nortel Contivity VPN Client. The process is that you log-on to the Keon Desktop and then use the credentials gained to connect the VPN using the Contivity Client.
Logging on to the Keon Desktop now works as I have opened port 2478 for this purpose :thumb: but for the Contivity Client I am struggling.
By enabling the Firewall Filtering log I can see failed connection attempts and I’ve spent some time adding the ports listed to the access rules, but every time I make additions I find it is trying to connect to even more ports.
So I changed tack. I have then tried adding the IP Address of the destination device with all ports open. This doesn’t work either.
Any thoughts? Attached is the default ports blocked by the Firewall for the different preset security settings.
Attachments
ports.jpg
Predefined Port Filter Rules for Billion 7402
We learn something every day, and lots of times it’s that what we learned the day before was wrong.
—Bill Vaughan
Steve
Ex RouterTech Team
Posts: 980
Joined: Fri Jan 27, 2006 2:34 am

Post by Steve » Tue Apr 25, 2006 11:14 am

What protocol are you forwarding? Seems that some routers only give you the option of TCP or UDP. No expert on this but it has caused me difficulties with a BT/2wire clone.
He ached all over. It wasn't just that his brain was writing cheques that his body couldn't cash. It had gone beyond that. Now his feet were borrowing money that his legs hadn't got, and his back muscles were looking for loose change under the sofa cushions.
- Terry Pratchett

www.bliss.org.uk
SyBorg
Ex RouterTech Team
Posts: 1621
Joined: Mon Apr 17, 2006 4:09 pm
Location: Berkshire

Post by SyBorg » Tue Apr 25, 2006 11:22 am

JAFO wrote:What protocol are you forwarding? Seems that some routers only give you the option of TCP or UDP. No expert on this but it has caused me difficulties with a BT/2wire clone.
An interesting point :idea: I had assumed TCP but perhaps I should have thought UDP. I will give it a go.
SyBorg
Ex RouterTech Team
Posts: 1621
Joined: Mon Apr 17, 2006 4:09 pm
Location: Berkshire

Post by SyBorg » Tue Apr 25, 2006 11:52 am

I've now found the following article on IPSec port requirements from MS - How IPSec Works
Mr Gates wrote:In order for IPSec-secured communications to take place through a firewall or other filtering device, you must configure the firewall to permit IPSec traffic on UDP source and destination port 500 (ISAKMP) and IP Protocol 50 (ESP). You might also need to configure the firewall to permit IPSec traffic on IP protocol 51 (AH) to permit troubleshooting by IPSec administrators and to allow the traffic to be inspected while it is still IPSec-encapsulated.
This implies that a combination of Raw IP Filters for Protocols 50 & 51 plus packet filter for UDP port 500 should do the trick. This is a little complex for something that the ASR-8400 did out of the box, no?
Neo
RouterTech Team
Posts: 3586
Joined: Thu Jan 26, 2006 1:09 pm

Post by Neo » Tue Apr 25, 2006 11:58 am

SyBorg wrote:This is a little complex for something that the ASR-8400 did out of the box, no?
I seem to recall that the ASR-8400 has some inherent VPN support so maybe that's what they were referring to? :?
RouterTech Team and Founding Member
RouterTech Merchandise (UK)
No support via PM, please ask your questions on the forum!
Steve
Ex RouterTech Team
Posts: 980
Joined: Fri Jan 27, 2006 2:34 am

Post by Steve » Tue Apr 25, 2006 12:06 pm

This is as far as I got with the 2wire piece of ****. How do you allow protocols other than TCP and UDP to pass through the firewall/router.

I have seen and can do it on an ISA firewall easy enough, but have no idea with routers. My SWAMR fortunately has a predefined rule set for it for L2TP/IPSec passthrough.
SyBorg
Ex RouterTech Team
Posts: 1621
Joined: Mon Apr 17, 2006 4:09 pm
Location: Berkshire

Post by SyBorg » Tue Apr 25, 2006 12:20 pm

JAFO wrote:How do you allow protocols other than TCP and UDP to pass through the firewall/router.
For the 7402VGP there is a section in the Firewall configuration that claims to do it :D I would have put the screenshot in the post but I can't FTP to anywhere from here :roll:

I'll let you know if it works.
Attachments
Packet Filter.jpg
Screen shot of Raw packet filter screen on Billion 7402VGP
SyBorg
Ex RouterTech Team
Posts: 1621
Joined: Mon Apr 17, 2006 4:09 pm
Location: Berkshire

Post by SyBorg » Tue Apr 25, 2006 7:21 pm

Well, it looks like my suggestion worked :D
Adding UDP port 500 and protocols 50 and 51 as per the screenshot below has worked. I'm not convinced this is as 'tight' as it could be so I will play around with it and post the best results. This does at least allow me to get my work mail while my daughter is on the desktop upstairs playing on the 'Barbie' site :pukes:
Attachments
IPSec Ports.jpg
IPSec Ports
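The following is an added example, not code from the thread or from Billion: a small model of a default-deny packet filter that shows why the IPsec rule set SyBorg landed on (UDP port 500 plus raw IP protocols 50 and 51) is needed, why TCP/UDP port rules can never match ESP or AH, and how scoping the three rules to the VPN gateway address tightens them. The gateway address and the "denied" records are constructed placeholders.

```python
# Added example (not from the thread): model a router packet filter to check an
# IPsec passthrough rule set against constructed firewall-log records.
from dataclasses import dataclass
from typing import Optional

TCP, UDP, ESP, AH = 6, 17, 50, 51   # IP protocol numbers

@dataclass(frozen=True)
class Packet:
    proto: int
    dst: str
    dport: Optional[int] = None     # ESP/AH carry no transport-layer port

@dataclass(frozen=True)
class Rule:
    proto: int
    dport: Optional[int] = None     # None = any port (only meaningful for TCP/UDP)
    dst: Optional[str] = None       # None = any destination host

    def matches(self, p: Packet) -> bool:
        if p.proto != self.proto:
            return False
        if self.dst is not None and p.dst != self.dst:
            return False
        return self.dport is None or p.dport == self.dport

def allowed(rules, p: Packet) -> bool:
    """Default-deny filter: a packet passes only if some rule matches it."""
    return any(r.matches(p) for r in rules)

def ipsec_passthrough(gateway: Optional[str] = None):
    """The rule set from the thread (UDP 500, proto 50, proto 51); passing a
    gateway address restricts all three rules to that single host."""
    return [Rule(UDP, 500, gateway), Rule(ESP, None, gateway), Rule(AH, None, gateway)]

def triage_denied(rules, denied):
    """Split constructed 'denied' log records into those the rule set would now
    permit and those still blocked (i.e. not expected IPsec traffic)."""
    now_allowed = [p for p in denied if allowed(rules, p)]
    still_blocked = [p for p in denied if not allowed(rules, p)]
    return now_allowed, still_blocked

GATEWAY = "203.0.113.10"            # placeholder VPN gateway, not from the thread
DENIED = [                          # constructed sample of logged denials
    Packet(UDP, GATEWAY, 500),      # ISAKMP/IKE
    Packet(ESP, GATEWAY),           # ESP: no port, so no port rule can match
    Packet(AH, GATEWAY),
    Packet(TCP, GATEWAY, 500),      # wrong transport: not part of IPsec
    Packet(ESP, "198.51.100.7"),    # ESP to an unrelated host
]
```

Running `triage_denied(ipsec_passthrough(GATEWAY), DENIED)` shows the gateway-scoped rules still pass the three IPsec records while leaving the TCP/500 attempt and the ESP to the unrelated host blocked.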