Is IPSec Traffic Being Blocked? (KB ID: KB7282)
| Article ID: | KB7282 |
|---|---|
| Former Article ID: | nskb671 |
| Published: | Feb 01, 2007 |
| Last Modified: | Feb 01, 2007 |
| Visible By: | Employee, PTAC, Partner, Customer, Public |
Synopsis
NetScreen Remote Client cannot connect to firewall. Something may be blocking the VPN traffic.
Problem
NetScreen Remote Client cannot connect to firewall. IPSec traffic might be blocked at the NetScreen Remote Client site by the PC's firewall, a router, a NAT device, or the ISP.
Solution
Try the following to correct the problem:
- If the PC has a personal firewall, try disabling it temporarily to see if it is blocking the IPSec traffic.
- For NAT Traversal to work, UDP port 500, UDP port 4500, and IP Protocol 50 must be allowed through on the router upstream from the Juniper Firewall. The UDP ports carry the IKE negotiations and IP Protocol 50 carries the IPSec traffic itself. Check that nothing is blocking these ports; you may have to call your ISP to have them unblocked.
- Enable NAT traversal on both ends of the tunnel.
- If your network has a Linksys router, check the Linksys router's version. Linksys routers had some issues with version 2.3.8.1; version 2.4.0.2 was reported to work, allowing NAT Traversal IPSec packets to pass through. Make sure IPSec Passthrough is disabled on the Linksys router, as IPSec Passthrough breaks NAT Traversal.
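As an added example (not from this KB article), a small Python checker that applies the article's port list to client-side tcpdump-style summary lines: for each of IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50) it counts packets the client sent against replies it received, so a flow with traffic out and nothing back points at where the block is. The line format, addresses and sample capture are assumed and constructed; it handles IPv4 only.

```python
import re
from collections import defaultdict

# Ports the KB names: IKE on UDP 500, NAT-T on UDP 4500; ESP is IP protocol 50.
IKE_PORT, NATT_PORT = 500, 4500
# Assumed tcpdump -n style summary format (IPv4); the sample lines below are constructed.
ESP_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): ESP")
UDP_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+):")

def classify(line):
    """Return (flow, src, dst) for an IKE, NAT-T or ESP line, else None."""
    m = ESP_RE.search(line)
    if m:
        return "esp_proto50", m.group(1), m.group(2)
    m = UDP_RE.search(line)
    if not m:
        return None
    src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
    if IKE_PORT in (sport, dport):
        return "ike_udp500", src, dst
    if NATT_PORT in (sport, dport):
        return "natt_udp4500", src, dst
    return None

def diagnose(lines, client_ip):
    """Per flow, count packets the client sent vs. replies it got; out-but-no-reply = block."""
    sent, received = defaultdict(int), defaultdict(int)
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        flow, src, dst = hit
        if src == client_ip:
            sent[flow] += 1
        elif dst == client_ip:
            received[flow] += 1
    report = {}
    for flow in ("ike_udp500", "natt_udp4500", "esp_proto50"):
        if sent[flow] == 0:
            report[flow] = "not attempted"
        elif received[flow] == 0:
            report[flow] = "no reply: likely blocked upstream"
        else:
            report[flow] = "ok"
    return report

# Constructed sample: IKE on UDP 500 is answered, NAT-T on UDP 4500 gets no reply.
SAMPLE = """\
IP 10.0.0.5.500 > 203.0.113.10.500: isakmp: phase 1 I ident
IP 203.0.113.10.500 > 10.0.0.5.500: isakmp: phase 1 R ident
IP 10.0.0.5.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: phase 1 I ident
""".splitlines()
```

Run `diagnose(SAMPLE, "10.0.0.5")` to see which of the three flows is answered; on a real capture, feed it the output of tcpdump filtered to the firewall's address.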
For additional information, consult: KB5671 - What Ports Are Used for a Virtual Private Network (VPN)?
Category Description
By Product » Hardware » Firewalls
By Product » Hardware » Firewalls » NetScreen Firewall/IPSec VPN
By Product » Software » Network Operating Systems » ScreenOS Software
By Network Technology » IP Protocols » Routing Protocols
Purpose
Troubleshooting