Dan,

I'm pretty sure ESP is being used.  You might see the symptoms I am describing
if you were to establish two VPN connections while at home.  I didn't believe
our developers at first but we've tested so many different configurations,
that I am confident the problem is related to Gnatbox's inability to properly
route ESP traffic.  This makes sense since there are no port numbers
associated with the traffic.

I think I will pursue the multiple IP addresses option on the client's side
first.

Maarten,

How would I configure the GB-1000 to make it appear that the different VPN
sessions are originating from different static IP addresses?

Matt

-----Original Message-----
From: Dan Swartzendruber [mailto:[EMAIL PROTECTED]
Sent: Monday, November 03, 2003 8:54 AM
To: Maarten Vink / Interstroom; Matt Repko
Cc: [EMAIL PROTECTED]
Subject: Re: [gb-users] Nortel Contivity VPN clients behind Gnatbox


At 02:49 PM 11/3/2003 +0100, Maarten Vink / Interstroom wrote:
>Matt Repko wrote:
>
>>I am having some difficulties with multiple Nortel VPN clients behind a
>>Gnatbox GB-1000 unit.  I've scoured Gnatbox's knowledgebase and various other
>>resources and have not found any solid information.  Hopefully someone on the
>>list has run into this problem or has some good suggestions.
>>Looking through Nortel's documentation yielded a known issue with NAT
>>traversal connection failure which essentially explains that multiple VPN
>>connections behind a NAT firewall will lead to unreliable connection with the
>>Nortel Contivity client.
>>Has anyone had problems like this?  Has anyone come up with a solution or at
>>least a workaround?  I am open to suggestions.
>
>If using multiple IP's on the Nortel box is impossible, you could try
>doing the same thing on your end. Assign multiple IP's to your GB-1000 and
>use static address mappings to have each VPN session appear to originate
>from a different IP.
>
>FYI, the GNAT Box VPN client has the same issue with NAT; I've heard
>rumours that Cisco has a client that will work around this problem but I
>haven't used it myself.

I guess I'm puzzled by this.  We were using Checkpoint SecureRemote at my
day job and switched to Nortel recently.  I've never noticed the described
behavior because when I telecommute, I'm the only one doing so from my house.
Anyway, one of the things I liked about Nortel was that it could be set up to
use UDP encapsulation, instead of ESP, which has the standard problem of
"where do return packets go, since there's no port number to go by?"  The
described problem sounds like ESP is being used, not UDP.  If not, I'm at a
loss to understand how this would ever happen, since steering inbound packets
based on the port number is fundamental to allowing multiple clients using
TCP or UDP behind a NAT gateway.
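To make Dan's point about port-based steering concrete, and to show why Maarten's static-mapping workaround helps, here is a toy NAT translation table in Python. It is an added illustration, not code from this thread, from Nortel or from Gnatbox; every address, the UDP port and the overwrite-on-collision behaviour are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional

ESP, UDP = 50, 17                      # IP protocol numbers; ESP carries no ports
GATEWAY = "198.51.100.7"               # constructed address for the VPN gateway
CLIENTS = ("10.0.0.11", "10.0.0.12")   # constructed private addresses of two clients
VPN_PORT = 4500                        # constructed; stands in for the UDP-encapsulation port

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None        # None for ESP: there is no port field
    dport: Optional[int] = None

class ToyNat:
    """Minimal NAT: one default public IP plus optional static per-client mappings."""
    def __init__(self, default_public: str, static: Optional[dict] = None):
        self.default_public, self.static = default_public, dict(static or {})
        self.table, self.next_port = {}, 40000

    def outbound(self, pkt: Packet) -> Packet:
        pub = self.static.get(pkt.src, self.default_public)
        if pkt.proto == UDP:
            # Each session gets its own translated port, so replies are unambiguous.
            port, self.next_port = self.next_port, self.next_port + 1
            self.table[(UDP, pkt.dst, pkt.dport, pub, port)] = pkt.src
            return Packet(UDP, pub, pkt.dst, port, pkt.dport)
        # ESP: the only usable key is (remote gateway, public IP). A second client
        # talking to the same gateway through the same public IP overwrites the first
        # (assumed behaviour for a NAT that does not track ESP SPIs).
        self.table[(ESP, pkt.dst, pub)] = pkt.src
        return Packet(ESP, pub, pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[str]:
        if pkt.proto == UDP:
            return self.table.get((UDP, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return self.table.get((ESP, pkt.src, pkt.dst))

def who_gets_replies(proto: int, static: Optional[dict] = None) -> tuple:
    """Both clients open a session to GATEWAY; return which private host each reply reaches."""
    nat = ToyNat("203.0.113.1", static)
    port = VPN_PORT if proto == UDP else None
    outgoing = [nat.outbound(Packet(proto, c, GATEWAY, port, port)) for c in CLIENTS]
    replies = [Packet(proto, GATEWAY, o.src, o.dport, o.sport) for o in outgoing]
    return tuple(nat.inbound(r) for r in replies)

if __name__ == "__main__":
    print("UDP encapsulation:", who_gets_replies(UDP))
    print("ESP, one public IP:", who_gets_replies(ESP))
    print("ESP, one public IP per client:",
          who_gets_replies(ESP, {CLIENTS[0]: "203.0.113.1", CLIENTS[1]: "203.0.113.2"}))
```

With plain ESP behind a single public address the first client's replies end up at the second client, while UDP encapsulation or one public IP per client keeps the sessions apart.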

------------------------------------------------------
To unsubscribe:           [EMAIL PROTECTED]
For additional commands:         [EMAIL PROTECTED]
Archive:  http://archives.gnatbox.com/gb-users/