- This topic is empty.
October 4, 2013 at 3:11 pm #43752
I am helping someone configure ZeroShell for the first time. We are able to connect to ZeroShell ok and browse the internet. I then use cisco’s VPN client to connect to my network’s firewall. My firewall’s logs show ZeroShell using port 10000 for IKE which is denied because my firewall is configured to use port 500 for IKE.
How do I configure ZeroShell to use port 500 for IKE instead of 10000?
Thank you.October 4, 2013 at 4:54 pm #52930
I didn’t clearly understood the question , are you trying to connect to Zs using the cisco vpn client ? Could you clarify ?
afaik , port 10000 is the default port when using cTCP on cisco vpn client side …
greetingsOctober 4, 2013 at 7:04 pm #52931
Thanks for follow up.
BTW our goal is to replace our Chillispot server with Zs.
Hopefully I can explain better:
Note in the sample ASA FW logs:
The Zs server IP is 220.127.116.11
The ASA’s IP is represented as ###.###.###.###
The Chillispot server IP is 18.104.22.168
After I successfully connect to Zs, I want to then connect to my cisco ASA using Cisco’s VPN Client (ver 5) configured with IPSec over UDP.
Here are a sample of my ASA logs when the VPN connection works using our Chillispot server instead of Zs:
Built inbound UDP connection for INTERNET:22.214.171.124/61169 (126.96.36.199/61169) to identity:###.###.###.###/500
Built inbound UDP connection for INTERNET:188.8.131.52/61170 (184.108.40.206/61170) to identity:###.###.###.###/4500
Here are a sample of my ASA logs when the VPN connection does not work using Zs:
IP = 220.127.116.11, IKE port 10000 for IPSec UDP already reserved on interface INTERNET
It’s like Zs is using cTCP instead of IPSec over UDP which is what my cisco client is configured to use.
Does that make sense ?October 4, 2013 at 7:13 pm #52932
In addition, I cannot allow split tunneling for the cisco VPN clients connecting to the ASA via Zs.October 4, 2013 at 7:59 pm #52933
What mean “after I successfully connect to ZS” ? via cp on the lan ? from the internet ?
Why you have to connect to Zs ,for then connect to asa ?
How is Zs configured ? one lan , one wan directly connected to the internet…
Is Zs at one site , and the asa in another site, and hosts “behind” ZS have to connect to an “asa on its public ip address ” via the internet ?
Sorry for these questions , just for understand.. 🙄October 4, 2013 at 8:39 pm #52934
Not a problem. I really appreciate the help.
Zs is going to be used to authenticate users on a local Lan, who want to use our DSL connection to connect to the internet.
This connection works no problem:
User (192.168.10.69) — Lan –> Zs (Private: 192.168.10.1; Public: 18.104.22.168) — DSL –> http://www.google.com
Some users will need to connect to the internet to initiate a VPN connection with our ASA firewall at another geographical location(asa is on a public ip address).
This is the path of the traffic that does not work:
User (192.168.10.69) — Lan –> Zs (Private: 192.168.10.1; Public: 22.214.171.124) — DSL –> ASA (xxx.xxx.xxx.xxx:500)
User (192.168.10.69) — Lan –> Zs (Private: 192.168.10.1; Public: 126.96.36.199) — DSL –> ASA (xxx.xxx.xxx.xxx:4500)
Instead, Zs is using port 10000 for IKE. I’ll represent it like this:
User (192.168.10.69) — Lan –> Zs (Private: 192.168.10.1; Public: 188.8.131.52) — DSL –> ASA (xxx.xxx.xxx.xxx:10000)
Our ASA is not configured to listen on port 10000 for cTCP.
What do you think?October 4, 2013 at 9:17 pm #52935
Ok , is clear now !!
Well , I did some tests while waiting for your reply , unfortunately my asa is down at the moment , so i did with an cisco isr….isn’t the same , but for the purpose could also be….host win7 , lan behind Zs , authenticated on the Captive portal … then launched the cisco vpn client (VPN_CLIENT 5.0.07.0410:WinNTp) to another site , where the cisco isr vpn server is listening ( on this second site , there is another Zs placed into a DMZ of the cisco router/fw/ips , that acts also as radius server for vpn auth. ) the vpn is ipsec/udp (500/4500) , this is the 1st log of the cisco vpn server regarding the connection
22:26:52 192.168.191.1: 002312: Oct 4 22:26:52.288 Rome: ISAKMP: local port 500, remote port 56021
some logs later
22:26:53 192.168.191.1: 002418: Oct 4 22:26:52.884 Rome: ISAKMP: Trying to insert a peer 184.108.40.206/220.127.116.11/56022/, and inserted successfully 86914934.
all the rest goes well , and the connection is established correctly, so , in my case , I would say that ZS doesn’t change the udp 500 port..you can take a look , on ZS , firewall , conntrack , fill the filter field with “10000” , then try to connect via vpn client , and click on refresh button… this is my output , I put 500 in “filter” field
udp 17 159 src=192.168.0.76 dst=18.104.22.168 sport=50692 dport=500 src=22.214.171.124 dst=126.96.36.199 sport=500 dport=50692 [ASSURED] mark=0 use=1
udp 17 170 src=192.168.0.76 dst=188.8.131.52 sport=50693 dport=4500 src=184.108.40.206 dst=220.127.116.11 sport=4500 dport=50693 [ASSURED] mark=0 use=1
Try , and let me know…
greetingsOctober 8, 2013 at 3:49 pm #52936
Sorry for the delay:
This is what the Zs log shows:
udp 17 17 src=192.168.10.69 dst=18.104.22.168 sport=10000 dport=10000 [UNREPLIED] src=22.214.171.124 dst=126.96.36.199 sport=10000 dport=10000 mark=0 use=1
It looks like my CISCO client (192.168.10.69) is sending the request to my ASA (188.8.131.52) on port 1000.
What do you think?October 8, 2013 at 5:59 pm #52937
Did you check the ” Enable Transparent Tunneling” and “IPSec over UDP” flags , on Transport tab of the vpn client config. ? I didn’t understand if the problem appears with the same client …. that if connected to Chillispot it uses 500/4500 and instead on ZS it uses the default udp port 10000…..
greetingsOctober 8, 2013 at 9:20 pm #52938
Yes Transport Tunneling and IPSec over UDP is Selected on the VPN client.
I found this article : http://security-blog.netcraftsmen.net/2009/01/tcp-and-udp-ports-used-for-cisco-vpn.html
It talks about the three different methods for IPSec to work.
NAT Traversal is said to be the default method for UDP tunneling with the Cisco VPN Client.
How do I know if Zs is configured for NAT Traversal?October 10, 2013 at 5:18 pm #52939
I don’t think that the issue is related to Zs directly , rather some nat config. , take a look here.
greetingsOctober 10, 2013 at 7:34 pm #52940
Thank you for the article. I did find the following info on the site:
I do speak some italian that’s why I was able to reconize it:
ZeroShell, se abilitato, è in grado di negoziare con i client L2TP/IPSec l’utilizzo del NAT-T.
How can I enable NAT-T in this manner on Zs?October 10, 2013 at 7:58 pm #52941
That article refers when ZS itself acts as L2TP/IPsec server , not if a client behind (and NATted by) ZS try to connect to a remote vpn server.
I did some tests on the fly , with asa , and depending the condition of the vpn-client (option 3), it acts exactly as mentioned in the article above.
btw , I’m italian , but my name isn’t Ricardo…. 🙂
greetingsOctober 10, 2013 at 8:29 pm #52942
Duh! Sorry Fulvio… I live in the US and have family in Basilicata that I visit on occasion. What part of Italy are you from?October 10, 2013 at 8:41 pm #52943
I’m not the Zs creator and developer (which is Fulvio) , I’m a fan (and user) of Zs .
- You must be logged in to reply to this topic.