Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
255
Views
0
Helpful
2
Replies

Filter on Public-Interface for Cisco Concentrator 3000

wgutschner
Level 1
Level 1

‎10-23-2003 01:35 AM - edited ‎03-09-2019 05:15 AM

Hello...

I have 2 question.

1.)

I'm wondering why i don't need a Filter for UDP 4001 if i'm connecting via IPSEC over UDP Port 4001. I only have the Default-Filter for NAT-T (UDP 4500). Can someone explain why this works?

2.)

I have problems to connect when a Firewall on the client-side is involved. The Firewall "says" fragmented packet dropped (UDP 500 from the concentrator), i have reduced the MTU to 1000 to see if this helps, but still the same problem...

This only happens when split tunnel is activ, if i tunnel everything then i have no problems (with split tunnel activ and no Firewall, also no problems).

Thanks for any informations...

best regards,

Walter

Labels:
0 Helpful
2 Replies 2

engel
Level 2
Level 2

‎10-28-2003 01:23 AM

1. I believe, the filter for IPSec over UDP (or IPSec over TCP) is invisible to the GUI. According to my experience it only kicks on when the VPN client begins the IKE connection (UDP/500) and if successfull, the filter for UDP/10000 (default port for IPSec over UDP) is applied to the Public Interface of VPN3000.

2. Regarding the client-side firewall, are you using CPP (Client Push Policy) or policy downloading from Integrity Server (ZoneLabs Firewall). Just a guess, that if your fragmented UDP/500 packets are dropped, you may have to add filter for passing UDP/500.

Regards,

Engel

0 Helpful

wgutschner
Level 1
Level 1
In response to engel

‎10-29-2003 06:15 AM

thanks for the infomation...

1.in the meantime i have found that the concentrator are creating a dynamic fiter for IPSec over UDP Connections.

2. The problem is that the Firewall droppes fragmented packet, for this Firewall (Sonicwall) i can create a rule to allow frag. Packets, but what's is with simple Firewalls, where i can't create rules. I wan't to avoid fragments, but how? The settings at the interface-configuration (fragmentation-policy) doesn't help. I'm wondering why do i have a fragmented packet only in split-tunnel mode? Whith tunnel everthing i have IKE Packets from 100 to 330 Bytes, und with split-tunnel on, i have one IKE Packet with 3140 Byte -> 3 Fragments ??

best regards,

Walter

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents