We make mistakes. Things crack and break.

[reddragdiva]

I have a Shiny New Work Laptop, a Dell Latitude C610. I wish it weighed half as much, but apart from that it's just fine. (It'd rate "lovely" if it had a DVD drive.)

I am on call starting next Monday evening. I am having VPN problems — it connects for a few minutes, then data stops flowing (though the connection doesn't drop). Apparently the NAT on a Speedtouch 510 (our DSL modem) blocks a few ports too many by default (and there's no way to bypass the NAT). Does anyone have clues on what needs to be unblocked for a Cisco VPN to work? I found instructions for a Nortel VPN ...

This morning I connected from home, crashed one of the two mail servers ("well, that sure broke the mirror"), went into the colo and waited two hours for the Sun engineer to show and replace the bad disk. Then I got to fix all manner of Solstice DiskShite problems with one chapter of the manual to hand. Learning by pitfall — it's a bit of a stress, but it focuses the attention marvellously.

Tonight will hopefully be the Voices of Masada gig.

Comments

[steer.livejournal.com]

I am having VPN problems

Have you tried wearing thicker trousers or going commando... Oh, wait, I see what you mean!

I found instructions for a Nortel VPN .

Which is handy because they've almost certainly downsized anyone who ever knew how it worked.

[Um... no I can't help.]

[blixa23.livejournal.com]

Yes, the C610s are nice, for being Pentium 3 laptops. Nicer if it has the miniPCI wireless card in it. And if you did have a DVD drive, it plays movies decently. Did they issue you a docking station with it? Those are nice as well (the docks, NOT the port replicators).

We are big fans of Dell Latitude series laptops where I work. Although I'm no longer a fan of the new D-series docks/port replicators...

You can't configure your DSL modem to be a bridge? That sucks. I almost wish they hadn't incorporated NAT functions into DSL modems...I configured mine to be a bridge and just let my router do all the NAT. Linksys/Netgear/etc. routers are so cheap these days, that if people can afford DSL, they can afford to buy one of those...then we don't need to deal with the crappy NAT/firewall implementations on DSL modems.

[arkady.livejournal.com]

Is this what you need?
http://www.speedtouch.com/ST610%5CAppNotes/AppNote_NetworkAddressTranslation.pdf

[rbarclay.livejournal.com]

You're getting through the NAT step OK, so it's probably UDP-encapsulated. The DSL thing might be of the impression that UDP connections cannot live longer than foo minutes, so it then drops the firewalls packets.
Look if you can increase the appropriate timeouts. It would also be helpful if you run a packet-trace at _both_ ends of the connection.

[arkady.livejournal.com]

OK, bearing in mind that I Am Not A Geek. I found this:

Provide Support for the Cisco VPN Client
In most cases, IPSec VPN traffic does not pass through ISA Server 2000. However, Cisco Concentrator 3300, with the latest firmware updates, uses "transparent tunneling" that uses User Datagram Protocol (UDP) ports 500, 4500, and 10000 to communicate securely between VPN clients and concentrators.

To provide support for this configuration, create the following protocol definitions:

Note The client computer must be configured as a SecureNat client.
Port number: 500
Protocol type: UDP
Direction: Send Receive

Port number: 4500
Protocol type: UDP
Direction: Send Receive

Port number: 10000
Protocol type: UDP
Direction: Send Recieve

I found it here (http://support.microsoft.com/default.aspx?scid=kb;en-us;812076). I don't know how useful it is to you?

This (http://www.adslguide.org.uk/qanda.asp?faq=dslhardware#Q178) looks hopeful, too.

[arkady.livejournal.com]

Oh, and this?

VPN Passthrough for SpeedTouch 570, 510 and 530 modems

Jonathan Shearman from www.conexus.com.au reports the following procedure for people having difficulties with VPNs.

The SpeedTouch 570, 510 and 530 modems incorporate an ALG (application level gateway) in the firmware. This allows the modem to recognise certain protocols such as IPSEC and preserve PORT in the NAT translation table which is a critical requirement for ensuring VPN connectivity. However certain VPN clients (and Nortel Contivity is one) have a proprietary protocol for VPN solutions and as such the modem's ALG will not be able to recognise the protocol and preserve the port through the NAT table translation. The problem is related to the way floating ports are implemented in Contivity.
The following commands will address this issue and provide a fix.
----------------------------------------
In order to implement these commands, you need to access the Speedtouch via Telnet and the 'command line interface' [CLI].
To access the SpeedTouch CLI interface, in the Windows Start menu of a computer connected directly to the SpeedTouch, select Run.
Enter 'telnet 10.0.0.138' [which provides Telnet access to the SpeedTouch via its internal IP address].
Enter password if necessary, otherwise, press Enter. [Note this is the MODEM password, not the ISP password, and may not be required if user has not specified it.]
This will produce a telnet session window with a => prompt.
At the prompt, enter command 'nat unbind application=ESP port=1' or 'nat unbind application=ESP'. [these are interchangeable but must be entered exactly as shown, without the ']
Then enter 'nat unbind application=IKE port=500'.
Then enter 'config save'
Then terminate the Telnet session.

[reddragdiva]

That could be precisely what I was after! The last bit appears to address this precise problem too!

[arkady.livejournal.com]

Heh. I seem to be just enough of a geek to find the right stuff on Google. ;-)

[reddragdiva]

I guess I'll have to take you out and buy you a *pint* ;-*

[mikewd]

Unless it's a very old versions of the Cisco VPN server/client software it will probably be using standard NAT-T negotiation so will tunnel the UDP traffic on port 4500. (Some sort of NAT traversal must be working as you can connect for a while). [Older versions used pre-standard NAT traversal on UDP port 10000].

Normally when it negotiates NAT-T a keepalive is sent periodically designed to keep NAT translations on firewalls active, this keepalive interval is configurable at the server end so you could see if that can be shortened. However it's possible your speedtouch has some absolute timeout for UDP sessions or something and drops the NAT after this point (although that would seem to be severely broken if it's set to 2 minutes by default).

If enabled on the server end you can configure the client to tunnel over TCP (port 10000) which might avoid the timeout (but is obviously non optimal from a network performance point of view).

Try turning up the logging options on the client as it may give you more clue what's going on [also the stats page should tell you what tunneling settings its negotiated].

[grumpy-sysadmin.livejournal.com]

The assumption that UDP transmissions can't be stateful is precisely why NAT should only be done in softare unless you've paid $2500 or more for the hardware involved. Totally incompetent.

[grumpy-sysadmin.livejournal.com]

Exactly the same lapwarmer my current employer issued me. I fucking hate it, but I fucking hate windows. Good thing my new Powerbook showed up yesterday. Only time I'll use that POS XP lapscrap is when I log in by way of key fob.

[rbarclay.livejournal.com]

You tell me. I implement firewalls and related stuff for a living, and what I've seen of incompetence, especially in homeuser-class products, is absolutely overwhelming.