Linux IP Masq and Nortel Extranet Client

Thibodeau, Gregg GThibodeau at NAVISITE.COM
Tue Jan 4 11:00:54 EST 2000

The problem is most likely with many to one NAT.  IPSEC will not work with
many to one NAT unless the firewall/gateway is specifically designed to
handle this configuration.

IPSEC requires that both source and destination ports used during connection
setup be 500.  Most boxes doing many to one NAT change the source port.  The
Contivity Extranet Switch will not respond to the setup request since the
source port is not 500.  Even after that, the firewall/gateway needs to use
the SAs in the IPSEC traffic running on IP 50 to keep track of the original

The only device that we have found that will support outgoing IPSEC and many
to one NAT is Nortel's Instant Internet.
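To make the failure described in this reply concrete, here is an added toy model (my own illustration, not code from the thread, from Nortel or from the Linux IP masquerading code): a many-to-one NAT that gives each outbound UDP flow a fresh source port and has no port at all to key on for ESP (IP protocol 50). The addresses, SPI values and the `contivity_accepts_ike` check that models the switch's "both ports must be 500" behaviour are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IKE_PORT = 500   # IKE (ISAKMP) uses UDP source and destination port 500
ESP_PROTO = 50   # ESP is IP protocol 50 and carries no port numbers

@dataclass
class Packet:
    proto: str                    # "udp" or "esp"
    src: str
    dst: str
    sport: Optional[int] = None   # UDP only
    dport: Optional[int] = None   # UDP only
    spi: Optional[int] = None     # ESP only

class MasqNat:
    """Toy many-to-one NAT (IP masquerading): every outbound UDP flow gets the
    public address and a fresh source port; replies are mapped back to the
    inner host by looking that port up again."""

    def __init__(self, public_ip: str, first_port: int = 61000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.table: Dict[int, Tuple[str, int]] = {}  # public port -> (inner ip, port)

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto == "udp":
            public_port = self.next_port          # source port 500 is lost here
            self.next_port += 1
            self.table[public_port] = (pkt.src, pkt.sport)
            return Packet("udp", self.public_ip, pkt.dst, public_port, pkt.dport)
        # ESP: only the source address can be rewritten; there is no port to
        # allocate, so nothing records which inner host owns this SA.
        return Packet("esp", self.public_ip, pkt.dst, spi=pkt.spi)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto == "udp":
            inner = self.table.get(pkt.dport)
            if inner is None:
                return None
            return Packet("udp", pkt.src, inner[0], pkt.sport, inner[1])
        return None  # ESP reply: no port to look up, so the NAT drops it

def contivity_accepts_ike(pkt: Packet) -> bool:
    """Models the behaviour the reply describes: the switch only answers IKE
    when both the source and the destination port are 500 (constructed check)."""
    return pkt.proto == "udp" and pkt.sport == IKE_PORT and pkt.dport == IKE_PORT
```

A gateway that wanted to pass this traffic would have to keep additional state (the SPIs from the negotiated SAs) for protocol 50, which is exactly what a plain port-rewriting NAT does not do.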


-----Original Message-----
From: jmaegli [mailto:jmaegli at PCPROS.NET]
Sent: Tuesday, January 04, 2000 10:39 AM
Subject: Linux IP Masq and Nortel Extranet Client

I have an NT laptop running Nortel Networks Extranet client. When I dial in to
my ISP the client connects and everything works great.  Now the rub: I have
an at-home network with 5 Win 98 and NT boxes, one Sun and 3 Linux
workstations. One of the Linux boxes is my gateway to the internet.
This box has the modem and all other boxes use this as their gateway. When I
make my connection, everything works fine, HTTP, Email, Telnet etc., but when
I try to connect the client (the one that works as mentioned before) I cannot
connect and get the message "Failure Do to remote host not responding". I
do see a UDP packet on port 500 and my firewall is opened up so I'm not
getting blocked there.
If anyone has any thoughts or white papers on this kind of setup, especially
with a Linux gateway, please let me know.   Thanx so much for your time.

John Maegli
Systems Engineer
Sterling Software
Office (715) 848-2682
john.maegli at

VPN is sponsored by SecurityFocus.COM
