A common reason for the banner message to hang is a firewall or router, placed somewhere along the path from the remote computer to the gateway, blocks ESP or AH traffic.
The follwing error can also be seen in the Nortel logs:
The firewall can be a personal firewall installed on the remote computer, a firewall or router at the Internet Service Provider (ISP), or a corporate firewall. In this situation, IPSec ISAKMP traffic that negotiates the tunnel establishment, the tunnel establishes, but the ESP- or AH-encapsulted traffic inside the tunnel does not get through. When the banner text is retrieved through the established tunnel, the banner message or any other traffic secured by the ESP or AH never reaches the client and the NVC continues to wait for response from the gateway until a timeout period is reached.
To resolve this issue, ensure the following traffic is allowed to pass through the firewalls along the path:
-
UDP protocol (17) port 500, both inbound and outbound
-
ESP protocol (50), both inbound and outbound
-
AH protocol (51), both inbound and outbound
It is not necessary to specify source and destination ports for ESP or AH protocols, but if a particular firewall implementation requires it, use zero or N/A as ports dependent on firewall or router requirements.
The following rule example is for Sophos:
"Impossible is Nothing!" - adidas 