
something weird with vpn tunnel

oddyager

Diamond Member
I have a VPN tunnel set up between a PIX 501 and a NetScreen firewall. If I have traffic completely open both ways, the tunnel comes up fine. However, if I restrict traffic to only a specific port, the tunnel fails at phase 2 for some reason. Aren't VPN tunnels completely independent of ports? Like, I can completely turn off all ports but the tunnel can still remain up.
 
Site-to-site VPN? I think you still need certain ports open to initialize the tunnel. Have you tried opening some of the common ports?

tcp 47 - Generic routing encapsulation
tcp 50 - Encapsulating security protocol
udp 500 - ISAKMP key negotiation
 
Yes, it is site to site. I'll try adding those in the mix and see if that works. Basically I ONLY want traffic from their end to come in through one specific port, but if I have to enable those as well I guess I can. Or maybe it makes more sense for me to create a new rule and allow from the outside i/f of the PIX to the outside i/f of my NetScreen (and vice versa) only traffic on those ports (47, 50, 500?), and then all other traffic from that network through just one port of my choosing?
 
I don't think you can do that.

Both sides have to agree on what ports are allowed on the tunnel I think. It's been a while since I messed with IPsec though.

You're not getting to phase two because the SA negotiation is probably failing. I think the source/dst IP networks and port numbers are part of the negotiation. I know the L3 info is, just not sure about L4.
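An added example, not from the thread, modelling the phase 2 check the last reply describes: in IKEv1 quick mode each peer proposes a proxy ID (network, protocol, port for each direction), and the responder only accepts it if it is the mirror image of its own, so narrowing one side to a single port while the other side still says "any" fails phase 2. The networks, the port 3389 and the function names are assumptions for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Selector:
    """One endpoint of a phase 2 proxy ID; proto/port 0 mean 'any'."""
    net: str
    proto: int = 0  # IP protocol, e.g. 6 = TCP; 0 = any ("permit ip" / service ANY)
    port: int = 0   # L4 port; 0 = any

@dataclass(frozen=True)
class ProxyId:
    local: Selector   # traffic sourced behind this peer
    remote: Selector  # traffic destined behind the other peer

def mirrors(a: ProxyId, b: ProxyId) -> bool:
    """True when b is the exact mirror image of a (network, protocol and port)."""
    def same(x: Selector, y: Selector) -> bool:
        return (ip_network(x.net) == ip_network(y.net)
                and x.proto == y.proto and x.port == y.port)
    return same(a.local, b.remote) and same(a.remote, b.local)

def quick_mode(initiator: ProxyId, responder: ProxyId) -> str:
    """Responder accepts the proposed proxy ID only if it mirrors its own."""
    if mirrors(initiator, responder):
        return "phase 2 up"
    return "phase 2 failed: proxy ID mismatch"

# Constructed sample networks (assumed); the PIX initiates and the NetScreen responds.
PIX_LAN, NS_LAN, TCP = "10.1.1.0/24", "10.2.2.0/24", 6

def scenarios() -> dict:
    pix_any = ProxyId(Selector(PIX_LAN), Selector(NS_LAN))
    ns_any = ProxyId(Selector(NS_LAN), Selector(PIX_LAN))
    # NetScreen side narrowed to tcp/3389 into the PIX LAN; PIX still "any".
    ns_port = ProxyId(Selector(NS_LAN), Selector(PIX_LAN, TCP, 3389))
    # PIX crypto ACL narrowed the same way, so the two IDs mirror again.
    pix_port = ProxyId(Selector(PIX_LAN, TCP, 3389), Selector(NS_LAN))
    return {
        "both any": quick_mode(pix_any, ns_any),
        "only NetScreen port-restricted": quick_mode(pix_any, ns_port),
        "both port-restricted": quick_mode(pix_port, ns_port),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The usual way out is to keep both peers' selectors at "any" so the tunnel negotiates, and enforce the single-port restriction with a separate firewall policy applied to the decrypted traffic rather than in the proxy ID itself.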
 