IPsec client and Vista "ports"

mlew · ‎02-06-2007

We use an ACL at the router to block wireless users from going anywhere but to a VPN 3030 public interface. With Vista and VPn client 4.8.02, I can't reach the VPN interface (pings fine however), once I removed the ACL, then I connected fine. Seems I need to allow a new protocol or port thru my ACL. Does somebody know if VISTA might use different ports to communicate with the VPN concentrator. When I sniffed the port on my laptop, seems the only difference with Win XP when using the VPN is the UDP source port, but this changes every time I think. The ISAKMP handshake looks the same. Thanks.

Marcelo

acomiskey · ‎02-06-2007

What does your acl look like? For ipsec vpn you need esp protocol, isakmp udp 500, and maybe nat-t udp 4500.

mlew · ‎02-07-2007

We have been using this ACL and the VPn client for 5 years. It gotta be something that changed with 4.8.02, since this one doesn't work on WinXP either..

I do have esp, isakmp, etc, etc..

Thanks.

mlew · ‎02-07-2007

Forgot to mention, it is a UDP issue, I confirmed this by allowing any UDP port to our concentrator's public interface on the acl, and the the vpn client works fine. As soon as I go back to "eq isakmp", stops working.

acomiskey · ‎02-07-2007

Can you log the denies in the router to see what's being blocked?

mlew · ‎02-08-2007

I will try that. Thanks.

BTW, yesterday I got a message that Cisco released VPN client 5.0