Nortel VPN doesn't connect (Basic IPsec problem)

Hi all,

I am using a Contivity VPN Client by Nortel to get access to the Internet at the University. Without the Comodo Firewall everything works fine. Even when I say
“Adjust Security Level” => “Allow All”
it works.
But in normal mode (Custom), when I try to start the Contivity VPN Client I get a message box saying:

“Checking For banner Text From:
A.B.C.D”

and after about 30 seconds another message box:

“The secure Contivity VPN connection has been lost.
Click connect to reestablich the connection”

There exists a pdf-file (http://www.rz.uni-frankfurt.de/campusnetz/vpn/pdf/TT-Checking_Banner_text.pdf)
that says there are 5 reasons for this mistake.

I have singled out the first one, which says the UDP protocol (17) port 500, the ESP protocol (50) or the AH protocol (51) is blocked. (What do the numbers (17), (50) and (51) stand for?)

In the Network Control Rules I have added the rule:
ALLOW UDP IN or OUT FROM IP [Any] TO IP [Any] WHERE SOURCE PORT IS [Any] AND DESTINATION PORT IS [Any]
so I think the UDP protocol will pass.

The application is not blocked either (Destination: [Any], Port: [Any], Protocol: TCP/UDP In/Out, Permission: Allow).

So the problem is (and that’s the basic part of the problem): where to find the options to handle the AH and ESP protocols, which are part of IPsec, so they can pass the firewall.

I have added a new zone (after I tried the Wizard for Trusted Network with the Start Range: 0.0.0.0 and the End Range: 255.255.255.255).

I am using XP Home SP2 (updated), Comodo Firewall Version 2.3.6.81 and of course the latest Contivity VPN Client.

Thanks for every answer

Raf

Doesn’t somebody have an answer???

If you ask the sys/network admin at the Uni they will be able to tell you what ports you need to use.

With a Uni system you would most likely be connecting to a gateway which has a VPN server running. Therefore I would suggest entering the gateway IP in the network rule (only for your own safety). I would set the rule up as follows to get by the fact that AH and ESP are not available in the drop down:

Action: Allow
Protocol: IP
Direction: In/Out
Source IP: Any
Destination IP: enter gateway IP here
IP Protocol: Any

If this still doesn’t work, then I’m all out of suggestions. And you could always request this in the Wishlist Rev4 thread.

I am having the same problem with Nortel VPN client and Comodo.

Does anyone have any idea for a solution??

Help! Anyone???

Sorry for the lack of response thus far.

You might have a look at this link: https://forums.comodo.com/index.php/topic,989.0.html (aside from the ZA issues, there’s other VPN rules info there).

and this one: https://forums.comodo.com/index.php/topic,5323.0.html where there is specific rules info.

You can get more results (from others’ posts) by using the Advanced Search feature in the forum. Put “VPN” in the search field, uncheck the box for “Check all” then click the “Choose a board link.” From there you can select to search only Firewall Help and FAQ, for results. This should narrow it down and give you a number of posts to look through for similar problems and resolutions.

If you are not the administrator of the endpoint for the VPN, you will need to contact the admin of the VPN for information as far as port forwarding, IP, and their protocols for using/accessing the system.

Hope that helps. I’d give you more, but I’m no longer in a position where I need remote access, and I have not used CPF in that capacity.

LM

Hi thanks a lot.

Tomorrow let’s see what will work!!!

Of course I will report.

Raf


It WORKS!!!

It was an absolute silly mistake.

I changed, as Rucia suggested, the rule in the Network Monitor. There was only one for the outgoing traffic, none for the incoming.

So thanks a lot Rucia

@ Fred H.

I hope it will help you, too.

Raf

Kind of a key thing, there.

Glad you got that worked out.

Fred, let us know how you’re doing on your end.

LM

So what did you use for the gateway IP address? Did you have to work through the Network admin folks to get this information or is there some other way to obtain it?

Ok, I called my network admins and got the gateway IP’s to use. I will try it when I get home and report back. Thanks for the help!

Okay, good. As has been noted, you’ll need two rules in CPF’s Network Monitor: one for Inbound, one for Outbound. You can set up a “Zone” under Security/Tasks/Add Remove Modify a Zone. Then in the Network Monitor, reference that Zone in creating your two rules. (You can also run the Network Wizard, Security/Tasks/Define a New Trusted Network, and reference the zone; it will automatically create the rules.)

Keep in mind: for the In rule, source is the Gateway, destination is your computer. For the Out rule, source is your computer, destination is the gateway.

Be sure to check the box, “Create an alert if this rule is fired” on both rules, so they will generate activity log entries to help with diagnosis if there are any problems.

If the network admin provided any specific ports to use, those can be easily added to the rules.

LM

If you have any trouble with creating the rules, or still can’t connect, we can help you through that.

Well, I dunno if I did it right or not. All I did was add a rule as stated in the earlier post that consisted of:

Action: Allow
Protocol: IP
Direction: In/Out
Source IP: Any
Destination IP: enter gateway IP here
IP Protocol: Any

That fixed it and the banner text is no longer blocked and the VPN works.

Great, glad to hear it.

One rule like that is probably fine; I would personally break it into two rules, like this:

Action: Allow
Protocol: IP
Direction: Out
Source IP: Any (or yours)
Destination IP: Gateway IP
IP Protocol: Any

Action: Allow
Protocol: IP
Direction: In
Source IP: Gateway IP
Destination IP: Any (or yours)
IP Protocol: Any

But that’s just me. I keep all the rules separate, so that it’s not In/Out combined.

LM
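To make the thread's two findings concrete (the numbers 17/50/51 are IANA IP protocol numbers, so a rule that only says "UDP" can never match ESP or AH; and an Out-only rule leaves the inbound half of the tunnel blocked), here is a small added model of a protocol- and direction-based packet filter, written for this thread and not Comodo's code or rule syntax. The protocol numbers are the real IANA assignments (6 TCP, 17 UDP, 50 ESP, 51 AH); the gateway and client addresses are constructed placeholders from the RFC 5737 documentation ranges, and the three rule sets are my reconstruction of the attempts described above.

```python
"""Toy packet filter: default deny, any matching allow rule passes the packet.
Added example for this thread; not Comodo's code or rule syntax."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# IANA IP protocol numbers (the "(17)", "(50)", "(51)" in the Nortel PDF)
IP_PROTO = {"TCP": 6, "UDP": 17, "ESP": 50, "AH": 51}

@dataclass(frozen=True)
class Packet:
    direction: str            # "IN" or "OUT", relative to the client PC
    proto: int                # IP protocol number
    src: str
    dst: str
    dport: Optional[int] = None   # only meaningful for TCP/UDP

@dataclass(frozen=True)
class Rule:
    proto: Optional[int]      # None = "Protocol: IP, IP Protocol: Any"
    directions: FrozenSet[str]
    src: Optional[str]        # None = Any
    dst: Optional[str]        # None = Any
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (p.direction in self.directions
                and (self.proto is None or self.proto == p.proto)
                and (self.src is None or self.src == p.src)
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))

def allowed(rules: List[Rule], packet: Packet) -> bool:
    """Default deny (Custom mode); any Allow rule that matches lets it through."""
    return any(r.matches(packet) for r in rules)

# Constructed addresses (RFC 5737 documentation ranges), not real hosts.
GATEWAY, CLIENT = "203.0.113.1", "192.0.2.10"

# What an IPsec tunnel needs: IKE over UDP/500 both ways, then ESP (or AH)
# both ways once the security association is up.
IPSEC_FLOWS: Dict[str, Packet] = {
    "IKE out": Packet("OUT", IP_PROTO["UDP"], CLIENT, GATEWAY, 500),
    "IKE in":  Packet("IN",  IP_PROTO["UDP"], GATEWAY, CLIENT, 500),
    "ESP out": Packet("OUT", IP_PROTO["ESP"], CLIENT, GATEWAY),
    "ESP in":  Packet("IN",  IP_PROTO["ESP"], GATEWAY, CLIENT),
    "AH out":  Packet("OUT", IP_PROTO["AH"],  CLIENT, GATEWAY),
    "AH in":   Packet("IN",  IP_PROTO["AH"],  GATEWAY, CLIENT),
}

BOTH, IN, OUT = frozenset({"IN", "OUT"}), frozenset({"IN"}), frozenset({"OUT"})

# 1. Raf's first attempt: ALLOW UDP IN or OUT, any/any.  Never matches ESP/AH.
UDP_ONLY = [Rule(IP_PROTO["UDP"], BOTH, None, None)]
# 2. One Out-only "IP / any protocol" rule toward the gateway (inbound leg missing).
OUT_ONLY = [Rule(None, OUT, None, GATEWAY)]
# 3. LM's two separate rules: Out to the gateway, In from the gateway.
TWO_RULES = [Rule(None, OUT, None, GATEWAY), Rule(None, IN, GATEWAY, None)]

def audit(rules: List[Rule]) -> Dict[str, bool]:
    """Which of the required IPsec flows does this rule set let through?"""
    return {name: allowed(rules, pkt) for name, pkt in IPSEC_FLOWS.items()}

def missing_flows(rules: List[Rule]) -> List[str]:
    """Flows the rule set still blocks; empty means the tunnel can come up."""
    return sorted(name for name, ok in audit(rules).items() if not ok)

if __name__ == "__main__":
    for label, rules in (("UDP only", UDP_ONLY), ("Out only", OUT_ONLY),
                         ("two rules", TWO_RULES)):
        print(f"{label:10s} blocks: {missing_flows(rules) or 'nothing'}")
```

The audit reproduces the symptom Raf saw: with only the UDP rule, IKE on UDP/500 gets through (so the banner-text check starts), but every ESP and AH packet is dropped, and the client reports the connection lost. The Out-only variant passes the outbound ESP but drops the gateway's replies, which is the "no rule for the incoming" mistake. Pinning the gateway address in both rules, as LM suggests, keeps the "any IP protocol" allowance limited to that one peer rather than the whole Internet.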

Thanks rucia and little mac. I reached this thread by a search, and today you solved my problem also.

Great, hc33708; I’m glad to hear it helped you.

Welcome to the forums!

LM