Sonicwall ver 5.1.1 and Nortel Extranet Client

Todd Koopman TKoopman at SONICWALL.COM
Tue Apr 3 15:30:42 EDT 2001


I can help clarify some of the issues on this one.

1)	VPN Pass Through, or IPSEC Pass Through, is when a NAT device
allows or supports the IPSEC protocol.  This allows you to use an
encrypted client behind the NAT device to connect to a VPN concentrator
somewhere in the rest of the world.

2)	The SonicWALL family supports VPN pass through of both IPSEC
clients (like the Nortel Contivity, Altiga, Checkpoint, et al) and PPTP
clients (Microsoft).

3)	This is done natively and automatically by the SonicWALL
products.  You do not need to purchase the site-to-site VPN firmware
upgrade.  If any of you want the technical details of how we do this,
just let me know.

4)	Specific Problems Mentioned

a)	PPTP does not work.  This is most likely caused by fragmented
packets.  The SonicWALL does not pass fragmented packets as part of its
Denial of Service logic.  However, the SonicWALL can be configured to
allow fragmented packets over PPTP or IPSEC connections.  Essentially,
we will "trust" fragmented packets if they are part of an encrypted
session we are tracking in the stateful packet inspection logic.

b)	Nortel Contivity does not work.  We implemented the IPSEC Pass
Through specifically for this client.  It required us to maintain source
port 500 for the IKE negotiation.  However, the automatic pass through
does not address the fact that the Contivity Extranet Switch initiates
the IKE rekeying, not the client.  This rekeying starts at the Contivity
switch and is a new and unexpected session arriving at the SonicWALL on
UDP port 500.  This is dropped by the default rule set that blocks all
incoming traffic unless it is a stateful session reply.

The default rekeying time for the Extranet client is 3 minutes.  

Your solutions are either increase the rekeying timeout value on the
Contivity switch or write a rule on the SonicWALL allowing inbound IKE
(udp 500) traffic.

5)	If you need any assistance with these issues, please contact
your reseller or our post-sales customer support department.
www.sonicwall.com/support has an on-line form you complete and submit to
access our technical support.

Best Regards

Todd Koopman
Systems Engineer
SonicWALL
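As an added illustration of point 4b (not code from Todd's reply or from SonicWALL), a small Python model of the default rule set: outbound traffic creates a tracked session, inbound traffic passes only as a reply to one, and an explicit inbound rule for udp 500 is the alternative. The addresses and IKE cookie values are constructed; keying the tracked session on the IKE cookie, so that a switch-initiated rekey counts as a new session, is an assumption of the model, and address translation is left out.

```python
from dataclasses import dataclass, field

IKE_PORT = 500  # IKE runs on UDP 500; pass-through keeps the client's source port 500


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ike_cookie: str  # initiator cookie; stands in for the IKE exchange identity (assumption)
    inbound: bool    # True when the packet arrives from the Internet side


@dataclass
class StatefulFilter:
    """Default rule set: outbound allowed, inbound only as a stateful reply or by explicit rule."""
    allow_inbound_ports: set = field(default_factory=set)  # explicit inbound rules by dst port
    sessions: set = field(default_factory=set)

    def handle(self, p: Packet) -> str:
        if not p.inbound:
            # Outbound packet: remember the session so the peer's replies are recognised.
            self.sessions.add((p.src, p.sport, p.dst, p.dport, p.ike_cookie))
            return "PASS"
        reply_key = (p.dst, p.dport, p.src, p.sport, p.ike_cookie)
        if reply_key in self.sessions:
            return "PASS"  # reply to a tracked session
        if p.dport in self.allow_inbound_ports:
            self.sessions.add(reply_key)  # admitted by the explicit inbound rule
            return "PASS"
        return "DROP"  # new, unexpected inbound session


def rekey_scenario(inbound_ike_rule: bool) -> list:
    """Client opens IKE, switch replies, then the switch starts a rekey on its own."""
    fw = StatefulFilter(allow_inbound_ports={IKE_PORT} if inbound_ike_rule else set())
    client, switch = "10.0.0.5", "203.0.113.10"  # constructed addresses
    results = [
        fw.handle(Packet(client, 500, switch, 500, "cookie-a", inbound=False)),  # client-initiated IKE
        fw.handle(Packet(switch, 500, client, 500, "cookie-a", inbound=True)),   # switch's reply
        # Three minutes later the Contivity switch initiates rekeying: a new IKE exchange.
        fw.handle(Packet(switch, 500, client, 500, "cookie-b", inbound=True)),
    ]
    return results
```

With the default rule set the third packet is dropped; with an explicit inbound udp 500 rule it passes.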


-----Original Message-----
From: Manny Ancheta [mailto:imra at AIRBORNE.COM]
Sent: Tuesday, April 03, 2001 11:24 AM
To: VPN at SECURITYFOCUS.COM
Subject: Sonicwall ver 5.1.1 and Nortel Extranet Client


I have a SOHO10 without the VPN option.
Whenever I start either a PPTP(MS VPN) or the 
Nortel Extranet Client to a Nortel Contivity VPN 
server, it does not work. But, if I used the SMC 4-port 
SOHO firewall, it allows at least one connection from 
internal home network.

The SMC folks are saying that they are doing a VPN 
pass-thru. The Sonicwall requires you to buy their 
VPN software which is about 400.00 more. That 
really sucks.

What is a VPN pass-thru?


VPN is sponsored by SecurityFocus.COM
