Howto tunnel Zyxel ZyWall client through ISA 2006?
- Hi,
I have a challenge in tunnelling a ZyWall client through the ISA server!
I have done this before with a Cisco VPN client, which was a "piece of cake", but this is driving me crazy.
On the inside network we have a computer installed with the ZyWall IPSec VPN client version 2.4, which should connect to a customer site; they have a Zyxel "something" router.
Connecting from home is OK, the client connects as expected, so the config should be fine.
I have created a rule on the ISA Server which allows "IKE Client" and "IPSec NAT-T Client".
When initiating a connection from the inside network, I see the connection is initiated on port 500 UDP and the "IKE Client" rule is used to allow the traffic.
A little later the remote site responds to a high-numbered port like 30158, but the response is rejected as "Unidentified IP traffic", which ends the session.
Hope some of you clever people have a suggestion; I am stuck on this.
SW: ISA 2006 SP1 on Windows 2003, all updates applied
BR Torben
All Replies
- Can you get a network capture and ISA log set of this process?
From your description, it sounds as if:
1. the ZyWall client isn't NAT-T compatible
2. the connection is broken by the client or ISA, but the remote is not behaving properly
Also, there are some articles Zyxel has on the subject:
http://www.zyxel.com/web/support_knowledgebase_detail_zip.php?pid=20040908175941&KnowledgeBaseID=9659
Jim Harrison Forefront Edge CS
- Hi Jim,
We can rule out 1; at least the configuration says NAT-T.
2. Not sure, but reading the article you suggested made me aware of some differences between the current and the suggested configuration.
I will try to have those changes implemented; they are on both the Zyxel router and in the VPN client.
Will let you know if we succeed.
BR
Torben
- Torben, any update?
Keith
Moderator
- No news yet; the ZyWall is located in Russia, and communication is a bit difficult.
- Torben
- tslaikjer, did you ever find a fix for your problem?
I am experiencing the same issue, but with the Sonicwall VPN Client. I have been using this Sonicwall client for years and have never had a problem until recently setting up a Windows Essential 2008 Server/s and trying to create a VPN connection from behind this Forefront TMF Security server to a couple of Sonicwall firewall appliances.
I have opened up ports 500 and 4500 as per Sonicwall technical support and other research I have done on the Internet, but the Sonicwall appliance logs reveal the problem you are talking of. Below are Sonicwall log entries (xx = source, zz = destination) from a successful connection (source and destination ports are 500 at Phase 1) and an unsuccessful one (the source port is changing) when behind the Forefront firewall:
Unsuccessful:
32 10/29/2009 20:02:19.352 Info VPN IKE IKE negotiation aborted due to timeout zz.zz.zz.zz, 61934 xx.xx.xx.xx, 500, CPE-xx-xx-xx-xx.wi.res.rr.com VPN Policy: WAN GroupVPN
33 10/29/2009 20:01:46.352 Info VPN IKE IKE Responder: Remote party timeout - Retransmitting IKE request. zz.zz.zz.zz, 61934 xx.xx.xx.xx, 500, CPE-xx-xx-xx-xx.wi.res.rr.com VPN Policy: WAN GroupVPN
34 10/29/2009 20:01:27.352 Info VPN IKE IKE Responder: Remote party timeout - Retransmitting IKE request. zz.zz.zz.zz, 61934 xx.xx.xx.xx, 500, CPE-xx-xx-xx-xx.wi.res.rr.com VPN Policy: WAN GroupVPN
35 10/29/2009 20:01:16.352 Info VPN IKE IKE Responder: Remote party timeout - Retransmitting IKE request. zz.zz.zz.zz, 61934 xx.xx.xx.xx, 500, CPE-xx-xx-xx-xx.wi.res.rr.com VPN Policy: WAN GroupVPN
36 10/29/2009 20:01:09.720 Info VPN IKE IKE Responder: Received Aggressive Mode request (Phase 1) xx.xx.xx.xx, 61934, CPE-xx-xx-xx-xx.wi.res.rr.com zz.zz.zz.zz, 500
Successful:
...
38 10/29/2009 15:42:16.368 Info VPN IKE IKE Responder: Aggressive Mode complete (Phase 1) xx.xx.xx.xx, 4500, CPE-xx-xx-xx-xx.wi.res.rr.com zz.zz.zz.zz, 4500 VPN Policy: WAN GroupVPN; 3DES; SHA1; DH Group 2; lifetime=28800 secs
39 10/29/2009 15:42:16.368 Info VPN IKE NAT Discovery : Peer IPSec Security Gateway behind a NAT/NAPT Device
40 10/29/2009 15:42:16.096 Info VPN IKE IKE Responder: Received Aggressive Mode request (Phase 1) xx.xx.xx.xx, 500, CPE-xx-xx-xx-xx.wi.res.rr.com zz.zz.zz.zz, 500
Anyone?
- It seems clear from the failed logging that the client and server fail to recognize the NAT device (ISA) in the path.
Do you have concurrent network captures from these tests?
Jim Harrison Forefront Edge CS
- No news here; Siberia is far away and we don't get there very often.
/torben
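The mechanism Jim's diagnosis turns on, IKEv1 NAT detection (RFC 3947) and the move to UDP 4500 (RFC 3948), worked through as an added example that is not part of the original thread and is not Zyxel, SonicWall or Microsoft code. All addresses, cookies and ports are constructed; 61934 is borrowed from the failed SonicWall log as the source port the firewall's NAT rewrote. Each side hashes the address and port it believes it is using, the other side hashes what it actually saw on the wire, and a mismatch is how the rewritten port is supposed to be detected and answered with a float to 4500, which is what the successful log shows ("NAT Discovery", then "Aggressive Mode complete" on 4500/4500) and the failed log never reaches. The example covers only the detection and the 4500 demultiplexing; ISA's own reverse translation of the responder's reply is not modelled.

```python
"""IKEv1 NAT traversal (RFC 3947/3948) worked through for a client behind a
NATing firewall such as ISA.  Example code written for this thread; it is not
Zyxel, SonicWall or Microsoft code.  Every address, port and cookie below is
constructed for illustration."""
import hashlib
import ipaddress
import struct
from typing import Dict, List, Tuple

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 section 2.2: prefix for IKE on UDP 4500
NAT_KEEPALIVE = b"\xff"               # RFC 3948 section 4: one-byte NAT keepalive


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "sha1") -> bytes:
    """Body of a NAT-D payload, RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port).

    HASH is the Phase 1 negotiated hash (SHA1 in the successful SonicWall log);
    IP is the packed address and Port the 2-byte UDP port, network byte order.
    """
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    if not 0 <= port <= 0xFFFF:
        raise ValueError("UDP port out of range")
    h = hashlib.new(hash_name)
    h.update(cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port))
    return h.digest()


def address_matches(cky_i: bytes, cky_r: bytes, ip: str, port: int, nat_d: List[bytes]) -> bool:
    """True if ip:port as seen on the wire hashes to any NAT-D value the peer sent.
    A peer may send one NAT-D payload per local address, so one match is enough."""
    return nat_d_hash(cky_i, cky_r, ip, port) in nat_d


def simulate_nat_discovery(initiator_ip: str, initiator_port: int, nat_ip: str, nat_port: int,
                           responder_ip: str, responder_port: int = 500) -> Dict[str, bool]:
    """Run NAT-D from both ends.  The initiator hashes the address it *thinks* it
    uses; the firewall rewrites the outer source to nat_ip:nat_port in transit,
    while the responder's reply reaches the initiator with its source untouched."""
    cky_i, cky_r = b"\x11" * 8, b"\x22" * 8   # constructed cookies; both are known from message 2 on
    # Initiator's payloads: the destination it sees, then its own (private) address.
    i_remote = nat_d_hash(cky_i, cky_r, responder_ip, responder_port)
    i_self = nat_d_hash(cky_i, cky_r, initiator_ip, initiator_port)
    # Responder's payloads: the source it observed on the wire, then itself.
    r_remote = nat_d_hash(cky_i, cky_r, nat_ip, nat_port)
    r_self = nat_d_hash(cky_i, cky_r, responder_ip, responder_port)

    responder_view = {
        "initiator_behind_nat": not address_matches(cky_i, cky_r, nat_ip, nat_port, [i_self]),
        "responder_behind_nat": not address_matches(cky_i, cky_r, responder_ip, responder_port, [i_remote]),
    }
    initiator_view = {
        "initiator_behind_nat": not address_matches(cky_i, cky_r, initiator_ip, initiator_port, [r_remote]),
        "responder_behind_nat": not address_matches(cky_i, cky_r, responder_ip, responder_port, [r_self]),
    }
    if initiator_view != responder_view:
        raise RuntimeError("both ends must reach the same verdict")
    # RFC 3947 section 4: once either side is behind a NAT, the next packet the
    # initiator sends goes from/to 4500 and the responder answers from 4500.
    return {**responder_view, "float_to_4500": any(responder_view.values())}


def encapsulate_ike(ike_message: bytes) -> bytes:
    """IKE sent on UDP 4500 carries the 4-byte zero Non-ESP Marker in front."""
    return NON_ESP_MARKER + ike_message


def udp4500_demux(datagram: bytes) -> Tuple[str, bytes]:
    """Split traffic arriving on UDP 4500 (RFC 3948): IKE carries a zero Non-ESP
    Marker where ESP carries its SPI (SPI 0 is reserved, so the two cannot
    collide); a lone 0xFF byte is the NAT keepalive."""
    if datagram == NAT_KEEPALIVE:
        return ("nat-keepalive", b"")
    if datagram.startswith(NON_ESP_MARKER):
        return ("ike", datagram[4:])
    return ("esp", datagram)


if __name__ == "__main__":
    # Constructed topology: private client behind ISA, NAT rewrites 500 -> 61934.
    verdict = simulate_nat_discovery("192.168.1.10", 500, "203.0.113.5", 61934, "198.51.100.7")
    print("NAT-D verdict:", verdict)
    print("on 4500:", udp4500_demux(encapsulate_ike(b"<aggressive mode msg 3>")))
```

The point worth carrying to the firewall rules: with NAT-D in play the rewritten source port is expected and harmless, because both sides leave 500 behind and finish on 4500, where the IKE and ESP traffic are told apart by the marker rather than by port. The IKE exchange only breaks if one side never sees the other's NAT-D payloads or if the reply to the translated port is dropped before it reaches the client, which matches the retransmit-and-timeout pattern in the failed log without identifying which of the two is the cause here.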

