#1
Ok, I am new to wireless, so when I set up my MN-700 and could no longer connect to the office, I was disappointed. I read many postings on this news group with people having trouble getting connected to their office. Plugging directly into your cable or DSL box gets you in, but connecting through your MN-700 fails. I also read people setting up a DMZ and connect that way - OUTSIDE OF THE FIREWALL! After reading a couple of postings and some of the replies to them, I pieced together everything and was able to connect to the office! Looks like port forwarding is the key.

My company uses SafeNet Soft PK, which is an IPSec VPN. I looked up on the net the default ports for IPSec VPN. They are 50, 51, and 500. Log into your MN-700, go to Security, then Port Forwarding and then Application Triggered Port Forwarding. Set up a trigger for each IPSec port - one is not going to cut it! Authentication occurs on 50 and 51 and the connection is established on 500. For the description, type the name of the application or simply "VPN". Type in the outbound port of 50, then the trigger type of "UDP" then 50 for the inbound port and "UDP" for Public type. Repeat for 51 and 500. They can all have the same description. You should now be able to connect. If you cannot connect, check to see if your company has changed the default ports to something else.

I am now quite happy with my MN-700 wireless box. I didn't have to turn off firewall to all my computers, I didn't have to set up a DMZ, and I still have MAC filtering turned on and WEP security on my wireless!

Good luck.
Joel

#2
Before you did all of this did you try -
1. change the IP address of the MN700 to 192.168.1.1
2. thus changing the scope of IP addresses that the base station serves up via DHCP

(E-Mail Removed) wrote:
> Ok, I am new to wireless, so when I set up my MN-700 and could no longer connect to the office, I was disappointed. I read many postings on this news group with people having trouble getting connected to their office. Plugging directly into your cable or DSL box gets you in, but connecting through your MN-700 fails. I also read people setting up a DMZ and connect that way - OUTSIDE OF THE FIREWALL! After reading a couple of postings and some of the replies to them, I pieced together everything and was able to connect to the office! Looks like port forwarding is the key.
>
> My company uses SafeNet Soft PK, which is an IPSec VPN. I looked up on the net the default ports for IPSec VPN. They are 50, 51, and 500. Log into your MN-700, go to Security, then Port Forwarding and then Application Triggered Port Forwarding. Set up a trigger for each IPSec port - one is not going to cut it! Authentication occurs on 50 and 51 and the connection is established on 500. For the description, type the name of the application or simply "VPN". Type in the outbound port of 50, then the trigger type of "UDP" then 50 for the inbound port and "UDP" for Public type. Repeat for 51 and 500. They can all have the same description. You should now be able to connect. If you cannot connect, check to see if your company has changed the default ports to something else.
>
> I am now quite happy with my MN-700 wireless box. I didn't have to turn off firewall to all my computers, I didn't have to set up a DMZ, and I still have MAC filtering turned on and WEP security on my wireless!
>
> Good luck.
> Joel

--
Barb Bowman
Expert Zone Columnist
http://www.microsoft.com/windowsxp/expertzone
MS-MVP (Windows)

#3
No, I did not. The default is still 192.168.2.1.

Joel

> -----Original Message-----
> Before you did all of this did you try -
> 1. change the IP address of the MN700 to 192.168.1.1
> 2. thus changing the scope of IP addresses that the base station serves up via DHCP
>
> (E-Mail Removed) wrote:
>> Ok, I am new to wireless, so when I set up my MN-700 and could no longer connect to the office, I was disappointed. I read many postings on this news group with people having trouble getting connected to their office. Plugging directly into your cable or DSL box gets you in, but connecting through your MN-700 fails. I also read people setting up a DMZ and connect that way - OUTSIDE OF THE FIREWALL! After reading a couple of postings and some of the replies to them, I pieced together everything and was able to connect to the office! Looks like port forwarding is the key.
>>
>> My company uses SafeNet Soft PK, which is an IPSec VPN. I looked up on the net the default ports for IPSec VPN. They are 50, 51, and 500. Log into your MN-700, go to Security, then Port Forwarding and then Application Triggered Port Forwarding. Set up a trigger for each IPSec port - one is not going to cut it! Authentication occurs on 50 and 51 and the connection is established on 500. For the description, type the name of the application or simply "VPN". Type in the outbound port of 50, then the trigger type of "UDP" then 50 for the inbound port and "UDP" for Public type. Repeat for 51 and 500. They can all have the same description. You should now be able to connect. If you cannot connect, check to see if your company has changed the default ports to something else.
>>
>> I am now quite happy with my MN-700 wireless box. I didn't have to turn off firewall to all my computers, I didn't have to set up a DMZ, and I still have MAC filtering turned on and WEP security on my wireless!
>>
>> Good luck.
>> Joel
>
> --
> Barb Bowman
> Expert Zone Columnist
> http://www.microsoft.com/windowsxp/expertzone
> MS-MVP (Windows)

#4
Making the changes I outlined has (for some people) resolved VPN connectivity issues. The MN-700 is supposed to pass IPSec transparently.

Joel wrote:
> No, I did not. The default is still 192.168.2.1.
>
> Joel
>
>> -----Original Message-----
>> Before you did all of this did you try -
>> 1. change the IP address of the MN700 to 192.168.1.1
>> 2. thus changing the scope of IP addresses that the base station serves up via DHCP
>>
>> (E-Mail Removed) wrote:
>>> Ok, I am new to wireless, so when I set up my MN-700 and could no longer connect to the office, I was disappointed. I read many postings on this news group with people having trouble getting connected to their office. Plugging directly into your cable or DSL box gets you in, but connecting through your MN-700 fails. I also read people setting up a DMZ and connect that way - OUTSIDE OF THE FIREWALL! After reading a couple of postings and some of the replies to them, I pieced together everything and was able to connect to the office! Looks like port forwarding is the key.
>>>
>>> My company uses SafeNet Soft PK, which is an IPSec VPN. I looked up on the net the default ports for IPSec VPN. They are 50, 51, and 500. Log into your MN-700, go to Security, then Port Forwarding and then Application Triggered Port Forwarding. Set up a trigger for each IPSec port - one is not going to cut it! Authentication occurs on 50 and 51 and the connection is established on 500. For the description, type the name of the application or simply "VPN". Type in the outbound port of 50, then the trigger type of "UDP" then 50 for the inbound port and "UDP" for Public type. Repeat for 51 and 500. They can all have the same description. You should now be able to connect. If you cannot connect, check to see if your company has changed the default ports to something else.
>>>
>>> I am now quite happy with my MN-700 wireless box. I didn't have to turn off firewall to all my computers, I didn't have to set up a DMZ, and I still have MAC filtering turned on and WEP security on my wireless!
>>>
>>> Good luck.
>>> Joel
>>
>> --
>> Barb Bowman
>> Expert Zone Columnist
>> http://www.microsoft.com/windowsxp/expertzone
>> MS-MVP (Windows)

--
Barb Bowman
Expert Zone Columnist
http://www.microsoft.com/windowsxp/expertzone
MS-MVP (Windows)

#5
In article <021801c3d9f9$96f50530$(E-Mail Removed)>, (E-Mail Removed) says...
> My company uses SafeNet Soft PK, which is an IPSec VPN. I looked up on the net the default ports for IPSec VPN. They are 50, 51, and 500. Log into your MN-700, go to Security, then Port Forwarding and then Application Triggered Port Forwarding. Set up a trigger for each IPSec port - one is not going to cut it! Authentication occurs on 50 and 51 and the connection is established on 500. For the description, type the name of the application or simply "VPN". Type in the outbound port of 50, then the trigger type of "UDP" then 50 for the inbound port and "UDP" for Public type. Repeat for 51 and 500. They can all have the same description. You should now be able to connect. If you cannot connect, check to see if your company has changed the default ports to something else.

I'm going to try this, but the thing that bothers me about it is that it was my understanding that the only time you need an Application Triggered Port Forwarding rule is when you have an application that makes an outbound connection on one port, but can, as a result of that connection, expect to receive inbound traffic on some DIFFERENT collection of ports. You need the application triggered port forwarding rule to inform the firewall that what would otherwise appear to be unsolicited inbound traffic (and hence, ordinarily blocked) is not actually unsolicited (and so, should not be blocked).

If that understanding is accurate, I can't see why you'd ever need to tell the firewall not to block inbound traffic on the very same port you'd just established a connection with.

--
Cheers, BC

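The distinction drawn in the post above, between replies on an already tracked flow and unsolicited inbound traffic that only a trigger rule admits, as a toy model. This is an added example, not part of the thread and not the MN-700's actual logic; the class, the addresses and port 6000 are constructed for illustration.

```python
# Toy model, constructed for illustration: a NAT firewall with stateful
# connection tracking plus application-triggered port forwarding rules.
# It is not the MN-700's firmware logic; addresses and port 6000 are made up.

class NatFirewall:
    def __init__(self, trigger_rules=None):
        # trigger_rules: {outbound trigger port: set of inbound ports to open}
        self.trigger_rules = trigger_rules or {}
        self.flows = {}   # (remote_ip, remote_port, local_port) -> LAN host
        self.armed = {}   # inbound port -> LAN host that fired the trigger

    def outbound(self, lan_host, local_port, remote_ip, remote_port):
        """A LAN host sends a packet out; record state for the return path."""
        self.flows[(remote_ip, remote_port, local_port)] = lan_host
        for port in self.trigger_rules.get(remote_port, ()):
            self.armed[port] = lan_host

    def inbound(self, remote_ip, remote_port, local_port):
        """Return (LAN host, reason) if the packet is let in, else (None, 'dropped')."""
        host = self.flows.get((remote_ip, remote_port, local_port))
        if host:
            return host, "reply to tracked flow"
        host = self.armed.get(local_port)
        if host:
            # Assumption of this model: an armed port accepts any remote sender.
            return host, "trigger rule"
        return None, "dropped"


def demo():
    laptop, vpn_gw, stranger = "192.168.2.50", "192.0.2.10", "198.51.100.7"
    results = {}

    plain = NatFirewall()                      # no trigger rules at all
    plain.outbound(laptop, 500, vpn_gw, 500)
    results["same_port_reply"] = plain.inbound(vpn_gw, 500, 500)
    results["other_port_no_rule"] = plain.inbound(vpn_gw, 500, 6000)

    same = NatFirewall({500: {500}})           # trigger 500 -> inbound 500
    same.outbound(laptop, 500, vpn_gw, 500)
    results["same_port_rule_reply"] = same.inbound(vpn_gw, 500, 500)
    results["same_port_rule_stranger"] = same.inbound(stranger, 40000, 500)

    diff = NatFirewall({500: {6000}})          # trigger 500 -> inbound 6000
    diff.outbound(laptop, 500, vpn_gw, 500)
    results["other_port_with_rule"] = diff.inbound(vpn_gw, 500, 6000)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:26} {outcome}")
```

In this model a same-port trigger rule changes nothing for the peer's replies, which connection tracking already admits; what it adds is that the armed port also accepts packets from senders the host never contacted.
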
#6
You should not need to do anything at all. The MN-700 is supposed to pass IPSec transparently. In some instances, it is necessary to change the default IP of the base station and the range of IPs served via DHCP. If this does not work for you, please contact product support and get a SR#.

Bob Cronin wrote:
> In article <021801c3d9f9$96f50530$(E-Mail Removed)>, (E-Mail Removed) says...
>> My company uses SafeNet Soft PK, which is an IPSec VPN. I looked up on the net the default ports for IPSec VPN. They are 50, 51, and 500. Log into your MN-700, go to Security, then Port Forwarding and then Application Triggered Port Forwarding. Set up a trigger for each IPSec port - one is not going to cut it! Authentication occurs on 50 and 51 and the connection is established on 500. For the description, type the name of the application or simply "VPN". Type in the outbound port of 50, then the trigger type of "UDP" then 50 for the inbound port and "UDP" for Public type. Repeat for 51 and 500. They can all have the same description. You should now be able to connect. If you cannot connect, check to see if your company has changed the default ports to something else.
>
> I'm going to try this, but the thing that bothers me about it is that it was my understanding that the only time you need an Application Triggered Port Forwarding rule is when you have an application that makes an outbound connection on one port, but can, as a result of that connection, expect to receive inbound traffic on some DIFFERENT collection of ports. You need the application triggered port forwarding rule to inform the firewall that what would otherwise appear to be unsolicited inbound traffic (and hence, ordinarily blocked) is not actually unsolicited (and so, should not be blocked).
>
> If that understanding is accurate, I can't see why you'd ever need to tell the firewall not to block inbound traffic on the very same port you'd just established a connection with.

--
Barb Bowman
Expert Zone Columnist
http://www.microsoft.com/windowsxp/expertzone
MS-MVP (Windows)

#7
In article <(E-Mail Removed)>, (E-Mail Removed) says...
> You should not need to do anything at all. The MN-700 is supposed to pass IPSec transparently. In some instances, it is necessary to change the default IP of the base station and the range of IPs served via DHCP. If this does not work for you, please contact product support and get a SR#.

Could you be more specific? In what instances, and what is the nature of the changes needed? I am running with the defaults (e.g. 192.168.2.1, etc.). The computer I am trying to get working with the Nortel client is an Apple PowerMac G5 with OSX 10.3.2. It connects to the server but fails to authenticate. My company's VPN support folks are mystified and are pointing towards the router as the issue ...

--
Cheers, BC

#8
I don't have a lot more info on this one. It was documented for the MN-500, but I have heard reports that this also has resolved things for MN-700 users. http://support.microsoft.com/default...b;en-us;814157

I don't know anything about the Nortel Mac clients but the OS should not matter... but anyway, since nothing else is helping you, this one is worth trying...

Bob Cronin wrote:
> In article <(E-Mail Removed)>, (E-Mail Removed) says...
>> You should not need to do anything at all. The MN-700 is supposed to pass IPSec transparently. In some instances, it is necessary to change the default IP of the base station and the range of IPs served via DHCP. If this does not work for you, please contact product support and get a SR#.
>
> Could you be more specific? In what instances, and what is the nature of the changes needed? I am running with the defaults (e.g. 192.168.2.1, etc.). The computer I am trying to get working with the Nortel client is an Apple PowerMac G5 with OSX 10.3.2. It connects to the server but fails to authenticate. My company's VPN support folks are mystified and are pointing towards the router as the issue ...

--
Barb Bowman
Expert Zone Columnist
http://www.microsoft.com/windowsxp/expertzone
MS-MVP (Windows)

#9
In article <(E-Mail Removed)>, (E-Mail Removed) says...
> I don't have a lot more info on this one. It was documented for the MN-500, but I have heard reports that this also has resolved things for MN-700 users. http://support.microsoft.com/default...b;en-us;814157

Hm, ok, that seems to be the reverse of my situation (am at home trying to connect to VPN at company, not the other way around), but hey, why not? I'll try it ...

--
Cheers, BC

#10
Hi Barb-

I just tried changing the IP address to 192.168.1.1 and that didn't take care of it. Not sure why this would have any effect, but it was worth a shot. I still have to keep my port forwarding rules. In fact, before making this change, I was able to disable the 50 and 51 port rules I created last night. Now, I have to have all three enabled in order to connect. I tried the connection with all of them disabled, and then one by one, reenabled all three before it would work.

Joel

> -----Original Message-----
> Making the changes I outlined has (for some people) resolved VPN connectivity issues. The MN-700 is supposed to pass IPSec transparently.
>
> Joel wrote:
>> No, I did not. The default is still 192.168.2.1.
>>
>> Joel
>>
>>> -----Original Message-----
>>> Before you did all of this did you try -
>>> 1. change the IP address of the MN700 to 192.168.1.1
>>> 2. thus changing the scope of IP addresses that the base station serves up via DHCP
>>>
>>> (E-Mail Removed) wrote:
>>>> Ok, I am new to wireless, so when I set up my MN-700 and could no longer connect to the office, I was disappointed. I read many postings on this news group with people having trouble getting connected to their office. Plugging directly into your cable or DSL box gets you in, but connecting through your MN-700 fails. I also read people setting up a DMZ and connect that way - OUTSIDE OF THE FIREWALL! After reading a couple of postings and some of the replies to them, I pieced together everything and was able to connect to the office! Looks like port forwarding is the key.
>>>>
>>>> My company uses SafeNet Soft PK, which is an IPSec VPN. I looked up on the net the default ports for IPSec VPN. They are 50, 51, and 500. Log into your MN-700, go to Security, then Port Forwarding and then Application Triggered Port Forwarding. Set up a trigger for each IPSec port - one is not going to cut it! Authentication occurs on 50 and 51 and the connection is established on 500. For the description, type the name of the application or simply "VPN". Type in the outbound port of 50, then the trigger type of "UDP" then 50 for the inbound port and "UDP" for Public type. Repeat for 51 and 500. They can all have the same description. You should now be able to connect. If you cannot connect, check to see if your company has changed the default ports to something else.
>>>>
>>>> I am now quite happy with my MN-700 wireless box. I didn't have to turn off firewall to all my computers, I didn't have to set up a DMZ, and I still have MAC filtering turned on and WEP security on my wireless!
>>>>
>>>> Good luck.
>>>> Joel
>>>
>>> --
>>> Barb Bowman
>>> Expert Zone Columnist
>>> http://www.microsoft.com/windowsxp/expertzone
>>> MS-MVP (Windows)
>
> --
> Barb Bowman
> Expert Zone Columnist
> http://www.microsoft.com/windowsxp/expertzone
> MS-MVP (Windows)