I am using a Contivity VPN Client by Nortel to get access to the Internet at the University. Without the Comodo Firewall everything works fine. Even when I say
“Adjust Security Level” => “Allow All”
it works.
But in normal mode (Custom) when I try to start the Contivity VPN Client I get a message box saying:
“Checking For banner Text From:
A.B.C.D”
and after about 30 seconds another message box:
“The secure Contivity VPN connection has been lost.
Click connect to reestablich the connection”
I have singled out the first one, which says the UDP protocol (17) port 500, the ESP protocol (50) or the AH protocol (51) is blocked. (What do the numbers (17), (50), (51) stand for?)
In the Network Control Rules I have added the rule:
“ALLOW UDP IN or OUT FROM IP [Any] TO IP [Any] WHERE SOURCE PORT IS [Any] AND DESTINATION PORT IS [Any]”
so I think the UDP protocol will pass.
The application is not blocked either (Destination: [Any], Port: [Any], Protocol: TCP/UDP In/Out, Permission: Allow).
So the problem is (and that’s the basic part of the problem): where to find the options to handle the AH and ESP protocols, which are part of IPsec, so they can pass the firewall.
I have added a new zone (after I tried the Wizard for Trusted Network with the Start Range :0.0.0.0 and the End Range: 255.255.255.255)
I am using XP Home SP2(updated), Comodo Firewall Version 2.3.6.81 and of course the latest Contivity VPN Client.
If you ask the sys/network admin at the Uni they will be able to tell you what ports you need to use.
With a Uni system you would most likely be connecting to a gateway which has a VPN server running. Therefore I would suggest entering the gateway IP in the network rule (only for your own safety). I would set the rule up as follows to get by the fact that AH and ESP are not available in the drop down:
Action: Allow
Protocol: IP
Direction: In/Out
Source IP: Any
Destination IP: enter gateway IP here
IP Protocol: Any
If this still doesn’t work, then I’m all out of suggestions. And you could always request this in the Wishlist Rev4 thread.
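To show why the UDP-only rule from the first post cannot be enough and why a rule on protocol IP toward the gateway is, here is an added Python model of first-match rule evaluation in the style of CPF’s Network Monitor (example code, not Comodo’s and not from this thread). The gateway and client addresses are constructed placeholders, and the mirror rule for inbound traffic follows the later advice in the thread to create one In and one Out rule.

```python
from dataclasses import dataclass
from typing import List, Optional

# IANA IP protocol numbers behind the "(17)(50)(51)" in the client's error text.
UDP, ESP, AH = 17, 50, 51
IKE_PORT = 500            # IKE key exchange runs over UDP/500
GATEWAY = "192.0.2.1"     # constructed placeholder for the university VPN gateway
MY_PC = "192.0.2.50"      # constructed placeholder for the client's own address

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int
    dst_port: Optional[int] = None   # only TCP/UDP carry ports; ESP and AH do not

@dataclass(frozen=True)
class Rule:
    """One Network Monitor style rule; None in a field means [Any]."""
    action: str                      # "allow" or "block"
    proto: Optional[int]             # IP protocol number; None = Protocol: IP, IP Protocol: Any
    src_ip: Optional[str]
    dst_ip: Optional[str]
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == have for want, have in (
            (self.proto, p.proto), (self.src_ip, p.src_ip),
            (self.dst_ip, p.dst_ip), (self.dst_port, p.dst_port)))

def evaluate(rules: List[Rule], p: Packet, default: str = "block") -> str:
    """First matching rule wins; anything no rule matches falls to the default block."""
    return next((r.action for r in rules if r.matches(p)), default)

# The poster's rule: ALLOW UDP IN or OUT FROM [Any] TO [Any], any port.
POSTER_RULES = [Rule("allow", UDP, None, None)]
# The suggested rule: ALLOW, Protocol IP (any IP protocol), Any -> gateway, plus its inbound mirror.
SUGGESTED_RULES = [Rule("allow", None, None, GATEWAY), Rule("allow", None, GATEWAY, None)]

# Constructed sample of the three flows a Contivity IPsec session needs.
VPN_FLOWS = {
    "IKE udp/500": Packet(MY_PC, GATEWAY, UDP, IKE_PORT),
    "ESP (50)":    Packet(MY_PC, GATEWAY, ESP),
    "AH (51)":     Packet(MY_PC, GATEWAY, AH),
}

def check_vpn(rules: List[Rule]) -> dict:
    """Return the verdict for each of the three IPsec flows under a rule set."""
    return {name: evaluate(rules, pkt) for name, pkt in VPN_FLOWS.items()}

if __name__ == "__main__":
    for label, rules in (("UDP-only rule", POSTER_RULES), ("IP rule to gateway", SUGGESTED_RULES)):
        print(label, check_vpn(rules))
```

Under the UDP-only rule the IKE exchange is allowed but ESP and AH fall through to the block, which matches the error the client reports; the gateway-scoped IP rule allows all three without opening the firewall to every host.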
You can get more results (from others’ posts) by using the Advanced Search feature in the forum. Put “VPN” in the search field, uncheck the box for “Check all” then click the “Choose a board link.” From there you can select to search only Firewall Help and FAQ, for results. This should narrow it down and give you a number of posts to look through for similar problems and resolutions.
If you are not the administrator of the endpoint for the VPN, you will need to contact the admin of the VPN for information as far as port forwarding, IP, and their protocols for using/accessing the system.
Hope that helps. I’d give you more, but I’m no longer in a position where I need remote access, and I have not used CPF in that capacity.
So what did you use for the gateway IP address? Did you have to work through the Network admin folks to get this information or is there some other way to obtain it?
Okay, good. As has been noted, you’ll need two rules in CPF’s Network Monitor; one for Inbound, one for Outbound. You can set up a “Zone” under Security/Tasks/Add Remove Modify a Zone. Then in the Network Monitor, reference that Zone in creating your two rules. (You can also run the Network Wizard - Security/Tasks/Define a New Trusted Network, and reference the zone; it will automatically create the rules).
Keep in mind - for the In rule, source is the Gateway, destination is your computer. For the Out rule, source is your computer, destination is the gateway.
Be sure to check the box, “Create an alert if this rule is fired” on both rules, so they will generate activity log entries to help with diagnosis if there are any problems.
If the network admin provided any specific ports to use, those can be easily added to the rules.
LM
If you have any trouble with creating the rules, or still can’t connect, we can help you through that.