I'm running a PIX and one of my internal users needs to VPN to an external customer's site where they use a Contivity. The Nortel docs they sent me were useless, so I'm looking for someone with knowledge of what ports/protocols I need to permit so this user can connect to the remote VPN gateway.
I have tried permitting GRE (like Microsoft PPTP) and this had no effect.
Are you running PAT? If so, opening IP ports 50 and 51 won't work because these are not TCP and UDP based, and therefore have no user ports to keep track of in the PIX (it can't really do a translation table on these).
If you are using NAT with a static, I recommend that you turn off AH on the Nortel end if it's enabled (although it's probably not an issue).
You will have to see if the Nortel supports IPSec over NAT/PAT, which allows the packets to be sent over TCP or UDP.
I have a PIX 501 set up pretty much the way it comes out of the box except for a few static entries and an access-list to allow access to my web server. I have only 1 client on the inside that needs to be able to connect to a Contivity box with the Nortel client. How do I set up the PIX to allow this client through? I tried to add entries to my access-list for protocol 50 and 51 as well as UDP port 500 and nothing. Do I set this up on the outside interface or the inside interface? Can this be done through just adding an access-list, or is it more complicated than that? Any insight would be greatly appreciated. Remember that this is a PIX 501, because it may make a difference from those using other PIXs.
IPSEC/ESP and PPTP with overloaded addresses on PIX is not supported yet (expected in 6.3 PIX). Instead, set the contivity to do IPSEC over UDP.
A Nortel customer reports: Using a Contivity ES1500D, the suggested version of code to use is V04_06.120. The 'NAT traversal' feature is available on all version 4 codes, and 128MB of RAM is recommended by the vendor. There's no add-on cost for this option or the version 4 code, as long as you have a software contract with Nortel. After upgrading, a new section is added under Services --> IPSEC --> NAT Traversal. The only option is to enable it (default is disable) and specify a UDP port number (that's unused in your private network, e.g. 10000).
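Putting the replies above together as a PIX 6.2-style configuration sketch (an added example, not from any of the posters): the first part is the approach the PIX 501 poster tried, which cannot work for a PATed client because ESP/AH carry no TCP/UDP port for the PIX to translate; the second part is what is needed once the Contivity has NAT Traversal enabled on the UDP port from the Nortel note. `<CONTIVITY_IP>` is a placeholder, and the UDP timeout value is an assumption, not something stated in the thread.

```cisco
! --- Attempt from the question: open ESP (50), AH (51) and UDP 500 inbound on the outside.
! --- With PAT ("global (outside) 1 interface") the PIX 6.2 cannot build a translation slot
! --- for protocols 50/51 because they have no port, so the tunnel never comes up this way.
access-list outside_in permit 50 host <CONTIVITY_IP> any
access-list outside_in permit 51 host <CONTIVITY_IP> any
access-list outside_in permit udp host <CONTIVITY_IP> any eq 500
access-group outside_in in interface outside

! --- Working setup: Contivity NAT Traversal enabled, UDP port 10000 (from the Nortel note).
! --- The inside client initiates UDP 500 (IKE) and UDP 10000 (encapsulated ESP) outbound;
! --- each gets an ordinary UDP xlate/conn entry, and the PIX lets the replies back in on
! --- that connection, so no inbound access-list entry for the VPN traffic is required.
nat (inside) 1 0 0
global (outside) 1 interface

! --- Assumption: keep the UDP idle timer above the Nortel client's keepalive interval so
! --- the xlate for port 10000 is not aged out while the tunnel is idle (default is 2 minutes).
timeout udp 0:05:00
```

If the connection drops after a few idle minutes, the UDP conn timing out before a keepalive arrives is the first thing to check with `show conn` on the PIX.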
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...