3 Replies Latest reply on Jan 11, 2011 1:48 AM by nsidoti

    Ipsec Client Behind Snapgear SG300

I am running an Ubuntu Desktop and have installed the VPNC client, which is a Cisco-compatible IPsec client. Further to this I have a Snapgear SG300 doing PPPoE, and it has my public IP address. Nothing special in the setup of the SG300; in fact it is very basic with no added FW rules. I can go anywhere to any web site with no issues.

My main issue is that the VPNC client configured on my Ubuntu Desktop will not connect to my company VPN, which has a PIX 515e firewall configured for Remote Access VPN. I have tested this by removing the Snapgear and just connecting a simple ADSL modem (Billion) directly to my Ubuntu box, and the VPNC will connect perfectly. Therefore I am assuming the problem is with the Snapgear.

After reading countless articles about this I am still unclear on how to resolve it. Has anyone ever got a VPN client sitting behind a Snapgear SG300 to connect to a corporate network that has a PIX 515e as the VPN endpoint?

      Happy to provide more information on request.

        • 1. Re: Ipsec Client Behind Snapgear SG300

I assume when you tested without the Snapgear, the public IP was on your Ubuntu box.

The 'problem' is NAT-T (NAT traversal).

KB62315 in our knowledge base will give you an understanding of NAT-T.

Basically, you will need to use aggressive mode rather than main mode, and use some form of ID (possibly in email format) other than the public IP, which resides on the Snapgear.

Google seems to show a number of useful links when searching for 'vpnc nat traversal'.

Hope this helps.

          • 2. Re: Ipsec Client Behind Snapgear SG300

Actually, when I removed the Snapgear I configured the Billion modem to do the PPPoE connection, which means the modem had the public IP address. My Ubuntu box received a LAN IP address (192.168.x.x/24) from the Billion. Therefore the Billion modem was also doing NAT. I could use the vpnc client successfully in this setup.

When the Snapgear is in place I had the Billion modem in bridge mode, which means the Snapgear was doing the PPPoE connection and receiving the public IP address. The Snapgear was also doing NAT. With this configuration I could not get the vpnc client on my Ubuntu box to work at all. Funny thing is that there are no logs on the Snapgear relating to the IPsec traffic either.

I am not sure what you mean by "aggressive mode", but I will look at the article you mentioned.

            • 3. Re: Ipsec Client Behind Snapgear SG300

Solved.

I finally got this solved, and it turns out that the vpnc client needed another parameter added to the configuration file in /etc/vpnc.conf.

I added the following line (0 is a zero):

Local Port 0

What this does is force the vpnc client to randomly choose a port for the ISAKMP port number. If you do not add this line then the default port is 500.

BTW, the vpnc client supports aggressive mode only.
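The "Local Port 0" fix above, as an added example that is not code from the original posts or from vpnc itself: a small parser for the vpnc.conf directive style shown in the thread, and a function that binds a UDP socket the way an IKE client would, so you can see that port 0 makes the kernel assign an ephemeral source port instead of the default UDP 500. The sample configuration is constructed for this page; "Local Port" and "NAT Traversal Mode" are vpnc directive names as documented in vpnc(8), and the gateway, group and username values are placeholders.

```python
"""Illustrative example written for this page, not vpnc's own source."""
import socket

# Constructed sample configuration in vpnc.conf style. The gateway, group
# ID, secret and username are placeholders, not values from the thread.
SAMPLE_VPNC_CONF = """\
# corporate VPN behind a NAT router
IPSec gateway vpn.example.com
IPSec ID example-group
IPSec secret example-psk
Xauth username jdoe
NAT Traversal Mode cisco-udp
Local Port 0
"""

ISAKMP_DEFAULT_PORT = 500  # what vpnc binds when 'Local Port' is absent


def parse_vpnc_conf(text):
    """Parse 'Key words value' lines into a dict.

    vpnc keys are multi-word ('Local Port', 'IPSec gateway'), so this splits
    each line at its last space: everything before it is the key, the final
    token is the value. Blank lines and '#' comments are skipped (an
    assumption of this example; it matches the lines in the thread).
    """
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.rpartition(" ")
        conf[key.strip()] = value
    return conf


def local_isakmp_port(conf):
    """Return the local ISAKMP port the config asks for.

    Missing directive -> 500 (vpnc's default). '0' -> let the kernel pick
    an ephemeral port, which is the fix reported in the final reply.
    """
    return int(conf.get("Local Port", ISAKMP_DEFAULT_PORT))


def bind_isakmp_socket(port):
    """Bind a UDP socket as an IKE client would and return the port the
    kernel actually assigned.

    port=0 yields an ephemeral (unprivileged) port. port=500 would need
    root and is the source port the NAT router saw in the failing setup.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind(("127.0.0.1", port))
        return s.getsockname()[1]
    finally:
        s.close()


def demo():
    """Parse the sample config and show which local port it results in."""
    conf = parse_vpnc_conf(SAMPLE_VPNC_CONF)
    wanted = local_isakmp_port(conf)
    assigned = bind_isakmp_socket(wanted)
    return wanted, assigned


if __name__ == "__main__":
    wanted, assigned = demo()
    print("Local Port directive:", wanted)
    print("port actually bound: ", assigned)
```

Run it as an unprivileged user: with the directive present it binds an ephemeral port; delete the "Local Port 0" line from the sample and the bind attempt for port 500 fails with a permission error, which is a quick way to confirm which of the two cases your client is in.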