Forum Replies Created
October 16, 2013 at 8:11 pm in reply to: Configuring ZeroZhell’s default IKE port (I.E.: 10000) #52947
david@deluise.org
Member
A colleague of mine, who initially set up our ZeroShell appliance, would like to know how to acquire registration keys for Graphics and Monitoring.
October 11, 2013 at 8:22 pm in reply to: Configuring ZeroZhell’s default IKE port (I.E.: 10000) #52946
david@deluise.org
Member
I have a user that is able to connect to a CISCO concentrator successfully using Zs, but the VPN profile is configured to allow split tunneling.
The organization I work for will not allow split tunneling (or Local LAN access) when they connect with VPN.
October 11, 2013 at 7:01 pm in reply to: Configuring ZeroZhell’s default IKE port (I.E.: 10000) #52944
david@deluise.org
Member
So how would I configure Zs to work with “Microsoft L2TP/IPsec VPN Client”?
October 10, 2013 at 8:29 pm in reply to: Configuring ZeroZhell’s default IKE port (I.E.: 10000) #52942
david@deluise.org
Member
Duh! Sorry Fulvio… I live in the US and have family in Basilicata that I visit on occasion. What part of Italy are you from?
October 10, 2013 at 7:34 pm in reply to: Configuring ZeroZhell’s default IKE port (I.E.: 10000) #52940
david@deluise.org
Member
Ricardo,
Thank you for the article. I did find the following info on the site:
I do speak some Italian; that’s why I was able to recognize it:
http://www.zeroshell.net/faq/vpn/#vpn.faq0b
ZeroShell, if enabled, is able to negotiate the use of NAT-T with L2TP/IPSec clients.
How can I enable NAT-T in this manner on Zs?
October 8, 2013 at 9:20 pm in reply to: Configuring ZeroZhell’s default IKE port (I.E.: 10000) #52938
david@deluise.org
Member
Yes, Transport Tunneling and IPSec over UDP is selected on the VPN client.
I found this article : http://security-blog.netcraftsmen.net/2009/01/tcp-and-udp-ports-used-for-cisco-vpn.html
It talks about the three different methods for IPSec to work.
NAT Traversal is said to be the default method for UDP tunneling with the Cisco VPN Client.
How do I know if Zs is configured for NAT Traversal?
October 8, 2013 at 3:49 pm in reply to: Configuring ZeroZhell’s default IKE port (I.E.: 10000) #52936
david@deluise.org
Member
Sorry for the delay:
This is what the Zs log shows:
udp 17 17 src=192.168.10.69 dst=161.11.120.182 sport=10000 dport=10000 [UNREPLIED] src=161.11.120.182 dst=68.236.159.167 sport=10000 dport=10000 mark=0 use=1
It looks like my CISCO client (192.168.10.69) is sending the request to my ASA (161.11.120.182) on port 1000.
Go Figure!
What do you think?
October 4, 2013 at 8:39 pm in reply to: Configuring ZeroZhell’s default IKE port (I.E.: 10000) #52934
david@deluise.org
Member
Not a problem. I really appreciate the help.
Zs is going to be used to authenticate users on a local LAN who want to use our DSL connection to connect to the internet.
This connection works no problem:
User (192.168.10.69) — LAN –> Zs (Private: 192.168.10.1; Public: 68.236.159.167) — DSL –> http://www.google.com
Some users will need to connect to the internet to initiate a VPN connection with our ASA firewall at another geographical location (the ASA is on a public IP address).
This is the path of the traffic that does not work:
User (192.168.10.69) — LAN –> Zs (Private: 192.168.10.1; Public: 68.236.159.167) — DSL –> ASA (xxx.xxx.xxx.xxx:500)
User (192.168.10.69) — LAN –> Zs (Private: 192.168.10.1; Public: 68.236.159.167) — DSL –> ASA (xxx.xxx.xxx.xxx:4500)
Instead, Zs is using port 10000 for IKE. I’ll represent it like this:
User (192.168.10.69) — LAN –> Zs (Private: 192.168.10.1; Public: 68.236.159.167) — DSL –> ASA (xxx.xxx.xxx.xxx:10000)
Our ASA is not configured to listen on port 10000 for cTCP.
What do you think?
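A small checker, added here and not taken from the thread or from ZeroShell, that parses conntrack entries in the format quoted in the October 8 post and reports, per flow, which IPsec port the client's traffic went to (500 for IKE, 4500 for NAT-T, 10000 for Cisco's IPSec-over-UDP default), whether the gateway applied NAT, and whether the peer ever replied. The sample lines are constructed: the first copies the entry from the post, the other two show what a working IKE plus NAT-T exchange would look like.

```python
from dataclasses import dataclass, field

# Constructed conntrack lines: the first is the entry quoted in the thread,
# the next two are hypothetical flows for a session that negotiated IKE and NAT-T.
SAMPLE_CONNTRACK = """\
udp 17 17 src=192.168.10.69 dst=161.11.120.182 sport=10000 dport=10000 [UNREPLIED] src=161.11.120.182 dst=68.236.159.167 sport=10000 dport=10000 mark=0 use=1
udp 17 29 src=192.168.10.69 dst=161.11.120.182 sport=500 dport=500 src=161.11.120.182 dst=68.236.159.167 sport=500 dport=500 [ASSURED] mark=0 use=1
udp 17 29 src=192.168.10.69 dst=161.11.120.182 sport=4500 dport=4500 src=161.11.120.182 dst=68.236.159.167 sport=4500 dport=4500 [ASSURED] mark=0 use=1
"""

# UDP destination ports discussed in the thread and what each means for an IPsec client.
PORT_ROLES = {
    500: "IKE (ISAKMP)",
    4500: "NAT-T (UDP-encapsulated IKE/ESP)",
    10000: "Cisco 'IPSec over UDP' default port",
}

@dataclass
class Flow:
    proto: str
    orig: dict = field(default_factory=dict)   # client -> peer tuple as first seen
    reply: dict = field(default_factory=dict)  # peer -> client tuple, after any NAT
    flags: set = field(default_factory=set)    # e.g. UNREPLIED, ASSURED

def parse_conntrack_line(line):
    """Split one ip_conntrack-style line into its original and reply tuples."""
    tokens = line.split()
    flow = Flow(proto=tokens[0])
    flow.flags = {t.strip("[]") for t in tokens if t.startswith("[")}
    side = flow.orig
    for tok in tokens[3:]:                     # skip "udp 17 <timeout>"
        if "=" not in tok:
            continue
        key, val = tok.split("=", 1)
        if key not in ("src", "dst", "sport", "dport"):
            continue
        if side is flow.orig and key in side:  # keys repeat once the reply tuple starts
            side = flow.reply
        side[key] = int(val) if key.endswith("port") else val
    return flow

def describe(flow):
    """Classify a flow the way one would when checking whether IKE/NAT-T is in use."""
    dport = flow.orig["dport"]
    return {
        "dport": dport,
        "role": PORT_ROLES.get(dport, "not an IPsec control port"),
        # reply dst differing from the original src means the gateway applied SNAT
        "natted": flow.reply.get("dst") != flow.orig["src"],
        # UNREPLIED means no packet from the peer has been seen for this flow
        "answered": "UNREPLIED" not in flow.flags,
    }

def ipsec_flows(text):
    return [describe(parse_conntrack_line(l)) for l in text.splitlines() if l.strip()]
```

Running `ipsec_flows(SAMPLE_CONNTRACK)` shows the quoted entry as a NATed flow to port 10000 with no reply, while the two hypothetical 500/4500 flows are answered.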
October 4, 2013 at 7:13 pm in reply to: Configuring ZeroZhell’s default IKE port (I.E.: 10000) #52932
david@deluise.org
Member
In addition, I cannot allow split tunneling for the Cisco VPN clients connecting to the ASA via Zs.
October 4, 2013 at 7:04 pm in reply to: Configuring ZeroZhell’s default IKE port (I.E.: 10000) #52931
david@deluise.org
Member
Thanks for the follow-up.
BTW our goal is to replace our Chillispot server with Zs.
Hopefully I can explain better:
Note in the sample ASA FW logs:
The Zs server IP is 68.236.159.167
The ASA’s IP is represented as ###.###.###.###
The Chillispot server IP is 68.236.159.162
After I successfully connect to Zs, I want to then connect to my Cisco ASA using Cisco’s VPN Client (ver 5) configured with IPSec over UDP.
Here is a sample of my ASA logs when the VPN connection works using our Chillispot server instead of Zs:
Built inbound UDP connection for INTERNET:68.236.159.162/61169 (68.236.159.162/61169) to identity:###.###.###.###/500
Built inbound UDP connection for INTERNET:68.236.159.162/61170 (68.236.159.162/61170) to identity:###.###.###.###/4500
Here is a sample of my ASA logs when the VPN connection does not work using Zs:
IP = 68.236.159.167, IKE port 10000 for IPSec UDP already reserved on interface INTERNET
It’s like Zs is using cTCP instead of IPSec over UDP, which is what my Cisco client is configured to use.
Does that make sense?