Configuring ZeroZhell’s default IKE port (I.E.: 10000)


This topic contains 18 replies, has 0 voices, and was last updated by  david@deluise.org 5 years, 12 months ago.

  • #43752

    I am helping someone configure ZeroShell for the first time. We are able to connect to ZeroShell OK and browse the internet. I then use Cisco’s VPN client to connect to my network’s firewall. My firewall’s logs show ZeroShell using port 10000 for IKE, which is denied because my firewall is configured to use port 500 for IKE.

    How do I configure ZeroShell to use port 500 for IKE instead of 10000?

    Thank you.

    #52930

    redfive
    Participant

    I didn’t clearly understand the question. Are you trying to connect to Zs using the Cisco VPN client? Could you clarify?
    AFAIK, port 10000 is the default port when using cTCP on the Cisco VPN client side…
    greetings

    #52931

    Thanks for follow up.

    BTW our goal is to replace our Chillispot server with Zs.

    Hopefully I can explain better:

    Note in the sample ASA FW logs:
    The Zs server IP is 68.236.159.167
    The ASA’s IP is represented as ###.###.###.###
    The Chillispot server IP is 68.236.159.162

    After I successfully connect to Zs, I want to then connect to my Cisco ASA using Cisco’s VPN Client (ver 5) configured with IPSec over UDP.

    Here is a sample of my ASA logs when the VPN connection works using our Chillispot server instead of Zs:

    Built inbound UDP connection for INTERNET:68.236.159.162/61169 (68.236.159.162/61169) to identity:###.###.###.###/500

    Built inbound UDP connection for INTERNET:68.236.159.162/61170 (68.236.159.162/61170) to identity:###.###.###.###/4500

    Here is a sample of my ASA logs when the VPN connection does not work using Zs:
    IP = 68.236.159.167, IKE port 10000 for IPSec UDP already reserved on interface INTERNET

    It’s like Zs is using cTCP instead of IPSec over UDP which is what my cisco client is configured to use.

    Does that make sense ?

    #52932

    In addition, I cannot allow split tunneling for the cisco VPN clients connecting to the ASA via Zs.

    #52933

    redfive
    Participant

    What do you mean by “after I successfully connect to ZS”? Via CP on the LAN? From the internet?
    Why do you have to connect to Zs in order to then connect to the ASA?
    How is Zs configured? One LAN, one WAN directly connected to the internet…
    Is Zs at one site and the ASA at another site, and do hosts “behind” ZS have to connect to the “ASA on its public IP address” via the internet?
    Sorry for these questions, just to understand.. 🙄

    #52934

    Not a problem. I really appreciate the help.

    Zs is going to be used to authenticate users on a local LAN who want to use our DSL connection to connect to the internet.
    This connection works no problem:
    User (192.168.10.69) — Lan –> Zs (Private: 192.168.10.1; Public: 68.236.159.167) — DSL –> http://www.google.com

    Some users will need to connect to the internet to initiate a VPN connection with our ASA firewall at another geographical location (the ASA is on a public IP address).
    This is the path of the traffic that does not work:
    User (192.168.10.69) — Lan –> Zs (Private: 192.168.10.1; Public: 68.236.159.167) — DSL –> ASA (xxx.xxx.xxx.xxx:500)
    User (192.168.10.69) — Lan –> Zs (Private: 192.168.10.1; Public: 68.236.159.167) — DSL –> ASA (xxx.xxx.xxx.xxx:4500)

    Instead, Zs is using port 10000 for IKE. I’ll represent it like this:
    User (192.168.10.69) — Lan –> Zs (Private: 192.168.10.1; Public: 68.236.159.167) — DSL –> ASA (xxx.xxx.xxx.xxx:10000)
    Our ASA is not configured to listen on port 10000 for cTCP.

    What do you think?

    #52935

    redfive
    Participant

    Ok, it’s clear now!!
    Well, I did some tests while waiting for your reply. Unfortunately my ASA is down at the moment, so I did them with a Cisco ISR… it isn’t the same, but for this purpose it could also do: a Win7 host on the LAN behind Zs, authenticated on the Captive Portal, then launched the Cisco VPN client (VPN_CLIENT 5.0.07.0410:WinNTp) to another site where the Cisco ISR VPN server is listening (on this second site there is another Zs placed in a DMZ of the Cisco router/fw/ips, which also acts as the RADIUS server for VPN auth). The VPN is IPsec/UDP (500/4500); this is the first log line of the Cisco VPN server regarding the connection:

    22:26:52 	192.168.191.1: 002312: Oct 4 22:26:52.288 Rome: ISAKMP: local port 500, remote port 56021

    some logs later

    22:26:53 	192.168.191.1: 002418: Oct 4 22:26:52.884 Rome: ISAKMP: Trying to insert a peer 79.40.121.136/109.52.78.253/56022/, and inserted successfully 86914934.

    All the rest goes well and the connection is established correctly, so in my case I would say that ZS doesn’t change the UDP 500 port. You can take a look on ZS: Firewall, Conntrack, fill the filter field with “10000”, then try to connect via the VPN client and click the refresh button… This is my output, with 500 in the “filter” field:

    udp      17 159 src=192.168.0.76 dst=79.40.121.136 sport=50692 dport=500 src=79.40.121.136 dst=109.52.78.253 sport=500 dport=50692 [ASSURED] mark=0 use=1
    udp 17 170 src=192.168.0.76 dst=79.40.121.136 sport=50693 dport=4500 src=79.40.121.136 dst=109.52.78.253 sport=4500 dport=50693 [ASSURED] mark=0 use=1

    Try , and let me know…
    greetings

    #52936

    Sorry for the delay:
    This is what the Zs log shows:

    udp 17 17 src=192.168.10.69 dst=161.11.120.182 sport=10000 dport=10000 [UNREPLIED] src=161.11.120.182 dst=68.236.159.167 sport=10000 dport=10000 mark=0 use=1

    It looks like my Cisco client (192.168.10.69) is sending the request to my ASA (161.11.120.182) on port 10000.

    Go Figure!

    What do you think?
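A small check that turns the conntrack lines quoted in the two posts above into a diagnosis: which IPsec transport each flow is using, whether ZeroShell is source-NATting it, and whether the remote peer ever answered. This is an added example and not part of the thread or of ZeroShell. The sample lines are constructed after the ones posted (the TCP/10000 line is invented to show the cTCP case), and the port-to-transport mapping it relies on (UDP 500 = IKE, UDP 4500 = NAT-T, UDP 10000 = Cisco “IPSec over UDP”, TCP 10000 = cTCP) is an assumption taken from the ports discussed in this thread, not something read from a config.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of /proc/net/ip_conntrack style output, modelled on the
# lines posted in this thread. The last (tcp) line is invented for the cTCP case.
SAMPLE_CONNTRACK = """\
udp      17 159 src=192.168.0.76 dst=79.40.121.136 sport=50692 dport=500 src=79.40.121.136 dst=109.52.78.253 sport=500 dport=50692 [ASSURED] mark=0 use=1
udp 17 170 src=192.168.0.76 dst=79.40.121.136 sport=50693 dport=4500 src=79.40.121.136 dst=109.52.78.253 sport=4500 dport=50693 [ASSURED] mark=0 use=1
udp 17 17 src=192.168.10.69 dst=161.11.120.182 sport=10000 dport=10000 [UNREPLIED] src=161.11.120.182 dst=68.236.159.167 sport=10000 dport=10000 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.10.70 dst=161.11.120.182 sport=52001 dport=10000 src=161.11.120.182 dst=68.236.159.167 sport=10000 dport=52001 [ASSURED] mark=0 use=1
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

# Assumed mapping of (protocol, destination port) to IPsec transport, based on
# the ports discussed in the thread.
VPN_TRANSPORTS = {
    ("udp", 500): "IKE/ISAKMP (UDP 500)",
    ("udp", 4500): "IPsec NAT-T, UDP-encapsulated ESP (UDP 4500)",
    ("udp", 10000): "Cisco 'IPSec over UDP' (UDP 10000), not NAT-T",
    ("tcp", 10000): "Cisco 'IPSec over TCP' / cTCP (TCP 10000)",
}


@dataclass
class Flow:
    proto: str
    orig_src: str
    orig_dst: str
    orig_sport: int
    orig_dport: int
    reply_src: str
    reply_dst: str
    reply_sport: int
    reply_dport: int
    unreplied: bool
    assured: bool


def parse_conntrack_line(line: str) -> Flow:
    """Parse one conntrack line. The first src/dst/sport/dport group is the
    original direction (LAN host -> peer); the second is the reply direction
    as the peer sees it, i.e. after ZeroShell's SNAT has been applied."""
    proto = line.split()[0]
    vals = {}
    for key, value in KV_RE.findall(line):  # keys repeat; keep them in order
        vals.setdefault(key, []).append(value)
    return Flow(
        proto=proto,
        orig_src=vals["src"][0], orig_dst=vals["dst"][0],
        orig_sport=int(vals["sport"][0]), orig_dport=int(vals["dport"][0]),
        reply_src=vals["src"][1], reply_dst=vals["dst"][1],
        reply_sport=int(vals["sport"][1]), reply_dport=int(vals["dport"][1]),
        unreplied="[UNREPLIED]" in line,
        assured="[ASSURED]" in line,
    )


def classify(flow: Flow) -> str:
    return VPN_TRANSPORTS.get((flow.proto, flow.orig_dport),
                              "not a recognised IPsec transport")


def is_source_natted(flow: Flow) -> bool:
    """True when the peer replies to a different address (ZeroShell's public
    IP) than the one the LAN host sent from, i.e. SNAT is in effect."""
    return flow.reply_dst != flow.orig_src


def diagnose(conntrack_text: str, ports=(500, 4500, 10000)) -> List[dict]:
    """Summarise every flow whose destination port is one of the IPsec ports."""
    findings = []
    for line in conntrack_text.splitlines():
        if not line.strip():
            continue
        flow = parse_conntrack_line(line)
        if flow.orig_dport not in ports:
            continue
        findings.append({
            "client": flow.orig_src,
            "peer": flow.orig_dst,
            "transport": classify(flow),
            "snat": is_source_natted(flow),
            # [UNREPLIED] means the peer never sent anything back: either it is
            # not listening on that port or something in between dropped it.
            "peer_answered": not flow.unreplied,
        })
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_CONNTRACK):
        print(finding)
```

On the poster's own line the result is a UDP/10000 flow that is source-NATted and marked [UNREPLIED], which says the client chose Cisco “IPSec over UDP” rather than NAT-T and the ASA never answered on that port; the working Chillispot case shows up as replied UDP/500 and UDP/4500 flows instead.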

    #52937

    redfive
    Participant

    Did you check the “Enable Transparent Tunneling” and “IPSec over UDP” flags on the Transport tab of the VPN client config? I didn’t understand whether the problem appears with the same client… that is, if connected via Chillispot it uses 500/4500, and instead via ZS it uses the default UDP port 10000…
    greetings

    #52938

    Yes, Transparent Tunneling and IPSec over UDP are selected on the VPN client.

    I found this article : http://security-blog.netcraftsmen.net/2009/01/tcp-and-udp-ports-used-for-cisco-vpn.html

    It talks about the three different methods for IPSec to work.

    NAT Traversal is said to be the default method for UDP tunneling with the Cisco VPN Client.

    How do I know if Zs is configured for NAT Traversal?

    #52939

    redfive
    Participant

    I don’t think that the issue is related to Zs directly, rather to some NAT config; take a look here.
    greetings

    #52940

    Ricardo,

    Thank you for the article. I did find the following info on the site:

    I do speak some Italian, which is why I was able to recognize it:

    http://www.zeroshell.net/faq/vpn/#vpn.faq0b

    “ZeroShell, if enabled, is able to negotiate the use of NAT-T with L2TP/IPSec clients.”

    How can I enable NAT-T in this manner on Zs?

    #52941

    redfive
    Participant

    That article refers to when ZS itself acts as the L2TP/IPsec server, not to when a client behind (and NATted by) ZS tries to connect to a remote VPN server.
    I did some tests on the fly with an ASA, and depending on the vpn-client setting (option 3), it acts exactly as described in the article above.
    BTW, I’m Italian, but my name isn’t Ricardo… 🙂
    greetings

    #52942

    Duh! Sorry Fulvio… I live in the US and have family in Basilicata that I visit on occasion. What part of Italy are you from?

    #52943

    redfive
    Participant

    I’m not the Zs creator and developer (which is Fulvio) , I’m a fan (and user) of Zs .
    greetings

