Author Topic: Can't get VPN to work in v3 [Merged Threads]  (Read 10396 times)
Buggy - BugMeNot.com Shared Account (Comodo Family Member, Posts: 82)
« Reply #30 on: November 27, 2007, 10:08:42 PM »

Khe2007, your work-around works perfectly for me.
Thanks
stevesa (Newbie, Posts: 3)
« Reply #31 on: November 29, 2007, 12:43:22 AM »

khe2007's workaround works for me too.  A bit better than making System Idle Process a trusted application I think. 

Thanks!
ptfreed (Comodo Member, Posts: 37)
« Reply #32 on: November 29, 2007, 06:17:02 PM »

I'm a long time user of Comodo 2, and I've recently downloaded v3.  (Congrats on a truly amazing product!)   I've got a problem, though -- and it's something of an emergency.  I need to connect via a VPN.  Right now I'm working on Nortel Contivity, and later I'll need to use Cisco.  (Yes, it really is possible to have them both on the same system.  I've had them together for years; it just takes a bit of tweaking.)

In any case, I'm struggling with my Nortel VPN connection.  In my Firewall Events, I get the following:

  System Idle Process: blocked protocol 50  from my system to the remote firewall.

My firewall software is "trusted."  In my Global Network Rules I am allowing IP protocol 50 between any addresses.  Still no luck, though.  Normally I'd play for a day or so, since there's usually an answer to be found if one is patient and persistent.  But I need to get into the network tonight--and I'd rather not have to revert to the old firewall to do it.  Can someone help?

Thanks very much.
« Last Edit: November 29, 2007, 06:33:48 PM by ptfreed »
AnotherOne (Computer Security Testing Group, Comodo's Hero, Posts: 665)
« Reply #33 on: November 30, 2007, 01:33:01 AM »

A bit confused - This remote firewall - what is it on?  What firewall software is "Trusted" and do you have them both (CFP and the "Trusted" one) running on one computer?  Is this a LAN?  Have you defined a Network Zone and then run the Stealth Ports Wizard to define a Trusted Zone?
ptfreed (Comodo Member, Posts: 37)
« Reply #34 on: November 30, 2007, 06:20:47 AM »

Sorry about that.  There is no remote firewall, just a VPN that I need to talk to.  (The VPN is Nortel Contivity.)  What I meant to say is that my *VPN* software is a trusted application in Comodo.

As to having used the Stealth Ports Wizard -- no, I didn't do that.  I went directly into the Global Network Rules and created "allow any IP in/out" entries to the relevant hosts.  Just for good measure, I just did the same thing with the wizard, and simply got additional pairs of rules (one for incoming, another for outgoing).  In any case, it didn't help.

I figure that I am missing some key blocked traffic; I've turned on logging wherever I can, but I don't see anything being blocked.  At this point I trust their whole network -- something I would never normally do.

In v2, I simply watched the log, and kept adding rules till I had covered all the key events.  But that doesn't seem to be working here....   I'm even using Wireshark to see what I can figure out. 

What I'm seeing there is
Code:
PC  -> VPN  ISAKMP Aggressive
VPN -> PC   ISAKMP Aggressive
PC  -> VPN  ISAKMP Aggressive
VPN -> PC   ISAKMP Transaction (Config Mode)
PC  -> VPN  ISAKMP Transaction (Config Mode)
VPN -> PC   ISAKMP Quick Mode
PC  -> VPN  ISAKMP Quick Mode
VPN -> PC   ISAKMP Quick Mode
At this point with the firewall on, the conversation stops.  But with the firewall disabled, the PC begins sending ESP messages to the firewall.  These messages are allowed in the Global Rules section of Network Security Policy, both explicitly (Allow any IP In/Out to VPN address with protocol 50) and implicitly (Allow any IP In/Out to VPN address with _any_ protocol).  These are the first two rules in the Global Rules section.

I'm really lost....


AOwL (Comodo SuperHero, Global Moderator, Comodo's Hero, Posts: 2349)
« Reply #35 on: November 30, 2007, 06:48:05 AM »

Try to change the "block and log" rules to "ask and log", both in application rules and global rules. I have found that if I create a rule manually it doesn't always work, but if I use "ask" and then click "allow and remember" the rule works...
I don't use VPN, but try to set svchost to ask and maybe a few others related there.
Try it and see if it works...
ptfreed (Comodo Member, Posts: 37)
« Reply #36 on: November 30, 2007, 07:16:20 AM »

Quote:
  In my Firewall Events, I get the following:
  System Idle Process: blocked protocol 50  from my system to the remote firewall.

This strikes me as odd, and possibly wrong; why is my System Idle Process trying to do anything?  In the meantime, though, perhaps this is the key to getting it fixed.  How can I add permissions to the "System Idle Process?"  Is there a particular executable associated with it?
adric (Global Moderator, Comodo's Hero, Posts: 577)
« Reply #37 on: November 30, 2007, 07:22:45 AM »

Quote:
  This strikes me as odd, and possibly wrong; why is my System Idle Process trying to do anything?  In the meantime, though, perhaps this is the key to getting it fixed.  How can I add permissions to the "System Idle Process?"  Is there a particular executable associated with it?

This might answer your question. Read the entire thread for more insight.

Al
zombie (Comodo Member, Posts: 31)
« Reply #38 on: November 30, 2007, 09:00:34 AM »

Go to Defense+ settings and disable Defense+; this will solve your problems.
zombie (Comodo Member, Posts: 31)
« Reply #39 on: November 30, 2007, 09:16:26 AM »

Or, in the Defense+ settings, define VPN-related apps as trusted.
ptfreed (Comodo Member, Posts: 37)
« Reply #40 on: November 30, 2007, 10:24:06 AM »

Quote:
  Try to change the "block and log" rules to "ask and log".

Seems like a stretch, but I'll give it a try.  Thanks!
ptfreed (Comodo Member, Posts: 37)
« Reply #41 on: November 30, 2007, 10:25:52 AM »

Quote:
  Go to Defense+ settings and disable Defense+; this will solve your problems.
  Or, in the Defense+ settings, define VPN-related apps as trusted.

My Defense+ security level is set to disabled already -- so that's not it.
ptfreed (Comodo Member, Posts: 37)
« Reply #42 on: November 30, 2007, 11:09:11 AM »

Quote:
  This might answer your question. Read the entire thread for more insight.

Thanks; that explains it.

And on another part of this thread:
Try to change the "block and log" rules to "ask and log". Both in application rules and global rules.

I tried this, but to no avail.  I even removed the "No incoming ping" global rule, since there is no way to tell a global setting to "Ask."  Nothing has changed -- the VPN appears to connect, but then dies while "Checking for banner text."  This is a common failure point for the Contivity VPN, and it typically means that the necessary VPN packets aren't getting through.

I added a global rule that says allow IP protocol 50 IN/OUT from anywhere.  But I'm still seeing unsolicited protocol 50 packets being blocked.  In desperation, I tried adding a global rule that says "permit all IP from anywhere," and the connection still fails.  But if I set the firewall mode to "disabled" I connect immediately.

So where else is there to look?
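The situation the two posts above describe (a global rule allowing protocol 50, or even all IP, while ESP attributed to "System Idle Process" is still blocked) can be modelled as a firewall that consults an application rule for the owning process before its global rules. This is an added example, not code from the thread or from Comodo; the evaluation order, the process name vpnclient.exe and all rules and flows are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example, not Comodo's code. It models a host firewall that checks an
# application rule for the owning process before the global network rules
# (this ordering is an assumption made for the model, not taken from the
# product documentation). All flows and rules below are constructed.
ESP, UDP = 50, 17
ANY = None  # wildcard for protocol or port

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "block"
    proto: Optional[int]   # IP protocol number, or ANY
    port: Optional[int]    # destination port (TCP/UDP only), or ANY

    def matches(self, proto: int, port: Optional[int]) -> bool:
        return (self.proto is ANY or self.proto == proto) and \
               (self.port is ANY or self.port == port)

def first_match(rules: List[Rule], proto: int, port: Optional[int]) -> Optional[str]:
    """Action of the first rule that matches, or None when nothing matches."""
    for rule in rules:
        if rule.matches(proto, port):
            return rule.action
    return None

def evaluate(process: str, proto: int, port: Optional[int],
             app_rules: Dict[str, List[Rule]], global_rules: List[Rule]) -> str:
    """Outbound decision: a process with no matching 'allow' application rule
    is blocked before the global rules are ever consulted."""
    if first_match(app_rules.get(process, []), proto, port) != "allow":
        return f"blocked by application policy for {process!r}"
    if first_match(global_rules, proto, port) != "allow":
        return "blocked by global rules"
    return "allowed"

# Constructed flows mirroring the thread: IKE from the VPN client, then ESP
# (protocol 50, no ports) that the log attributes to "System Idle Process".
FLOWS = [("vpnclient.exe", UDP, 500), ("System Idle Process", ESP, ANY)]
GLOBAL_ALLOW_ALL = [Rule("allow", ANY, ANY)]  # "permit all IP from anywhere"

def decisions(app_rules: Dict[str, List[Rule]],
              global_rules: List[Rule] = GLOBAL_ALLOW_ALL) -> Dict[str, str]:
    return {proc: evaluate(proc, proto, port, app_rules, global_rules)
            for proc, proto, port in FLOWS}

if __name__ == "__main__":
    print(decisions({"vpnclient.exe": [Rule("allow", ANY, ANY)]}))
```

With only the VPN client trusted, the ESP flow is reported as blocked by application policy even though the global rule permits everything; adding a "System Idle Process" entry with Rule("allow", ESP, ANY) makes both flows pass.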
AnotherOne (Computer Security Testing Group, Comodo's Hero, Posts: 665)
« Reply #43 on: November 30, 2007, 01:17:00 PM »

I'm not any kind of expert, but a quick look at a reference http://www.docs.hp.com/en/B9901-90021/ch07s04.html
shows that UDP and TCP need to be configured for this connection.  That may be why it stops working.
ptfreed (Comodo Member, Posts: 37)
« Reply #44 on: November 30, 2007, 01:25:03 PM »

Quote:
  a quick look at a reference http://www.docs.hp.com/en/B9901-90021/ch07s04.html
  shows that UDP and TCP need to be configured for this connection.

IP (which is what I am allowing) includes both TCP/IP and UDP/IP, as well as ESP, GRE, ICMP, and a slew of other protocols.  So I should be OK in that regard.