
Welcome to ISAserver.org


IPSEC and Static mapping!

IPSEC and Static mapping! - 17.Oct.2002 11:42:00 PM   
thejun

 

Posts: 109
Joined: 21.Jan.2002
Status: offline
I want IPSEC to work!

I want Static mapping!

Then ISA Server will be complete
Post #: 1
RE: IPSEC and Static mapping! - 18.Oct.2002 12:56:00 AM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi thejun,

Everybody wants IPSec to work! However, the IPSec protocol was *not* designed with NAT in mind because it was originally designed for the IPv6 world.

Because the real world still uses IPv4 and NAT is nowadays a requirement due to the shortage of public IPv4 addresses, the IETF was obliged to do something about that real-life problem. It has taken them a lot of time to agree on a solution, but at last we may expect that the current drafts will soon become a standard, probably by the end of the year.

So, IPSec passthrough is *not* an ISA-specific problem. If you want to learn more about this issue, check out:
- http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-reqts-02.txt
- http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-03.txt
- http://www.ietf.org/internet-drafts/draft-ietf-ipsec-udp-encaps-03.txt
- http://www.microsoft.com/vpn
- http://www.microsoft.com/windows2000/technologies/communications/ipsec/redir-cableguytraversal.asp

HTH,
Stefaan

(in reply to thejun)
Post #: 2
RE: IPSEC and Static mapping! - 18.Jan.2003 7:51:00 AM   
hughman

 

Posts: 1
Joined: 18.Jan.2003
Status: offline
Sorry Stefaan, but I don't understand your post.

Plenty of other firewalling solutions support IPSec passthrough (IPCop and Smoothwall to name 2), I cannot see why ISA doesn't do this....

(in reply to thejun)
Post #: 3
RE: IPSEC and Static mapping! - 18.Jan.2003 4:35:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi hughman,

ISA is always doing N:1 NAT or PAT and this breaks 'plain' IPSec. The only way to get IPSec through ISA is if the IPSec implementation supports the IPSec NAT Traversal drafts as specified by the IETF. This is an IPSec design problem and *not* an ISA problem. Check out http://www.ietf.org/html.charters/ipsec-charter.html for the status of the latest drafts.

I know that some other firewalls *partially* support IPSec passthrough. But that doesn't solve the real problem! [Razz] So, I'm convinced that Microsoft has taken the good decision *not* to implement those dirty hacks. However, it is a pity that the NAT Traversal is still not available in W2K.

HTH,
Stefaan

(in reply to thejun)
Post #: 4
RE: IPSEC and Static mapping! - 25.Mar.2003 3:32:00 PM   
Bruce Lee

 

Posts: 24
Joined: 5.Dec.2002
From: Germany
Status: offline
However, NAT is possible when IPSec uses the Tunnel Mode. In this mode all IPsec packets are tunnelled within an HTTP header... This header can be modified while transporting the IPsec header, because the integrity and authentication are done with data inside the IPsec header...

(in reply to thejun)
Post #: 5
RE: IPSEC and Static mapping! - 25.Mar.2003 8:57:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Bruce,

Are you sure about your statement? In which IETF RFC or draft have you read that? As far as I know, IPSec and HTTP have nothing to do with each other.

Thanks,
Stefaan

(in reply to thejun)
Post #: 6
RE: IPSEC and Static mapping! - 26.Mar.2003 12:44:00 AM   
thejun

 

Posts: 109
Joined: 21.Jan.2002
Status: offline
Me Too!
When I VPN into a Cisco firewall using the Cisco client, they always have it set up for IPSEC.

This is what a Cisco tech told me when I asked to let me in while using ISA:

"I looked at the packets and saw that Ipsec, as I stated earlier was working on protocol 50. I made it encapsulate into TCP and UDP packets so that users who are behind a firewall coming as a PAT ip with unique port numbers terminate the session here."

Whatever that means...

(in reply to thejun)
Post #: 7
RE: IPSEC and Static mapping! - 26.Mar.2003 5:57:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi thejun,

The IETF-proposed method to make IPSec NAPT compliant is UDP encapsulating the IPSec ESP packets. Check out the IETF website for more info.

Here is the latest info (56th IETF meeting, March 2003) for the NAT Traversal drafts:
- draft-ietf-ipsec-udp-encaps-06.txt: ready for IETF last call for proposed standard
- draft-ietf-ipsec-nat-t-ike-05.txt: ready for IETF last call for proposed standard
- draft-ietf-ipsec-nat-reqts-04.txt: ready for IETF last call for informational RFC

BTW --- the Cisco TCP encapsulation is Cisco proprietary. Moreover, according to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=001170 it will NOT work through ISA server.

HTH,
Stefaan

(in reply to thejun)
Post #: 8
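
Added example (not part of the original thread and not any poster's code): a Python sketch of why a PAT device has no port to rewrite in native ESP (IP protocol 50), and how UDP-encapsulated ESP exposes one. Port 4500, the four-zero-byte Non-ESP marker and the one-byte keepalive follow RFC 3947/3948, the later standardized form of the drafts cited above; the packets, addresses, ports and SPI are constructed.

```python
import struct

ESP, UDP = 50, 17   # IP protocol numbers
NATT_PORT = 4500    # per RFC 3947/3948 (assumption: the thread names no port)

def ipv4(proto, payload, src=(192, 168, 0, 10), dst=(203, 0, 113, 5)):
    """Build a minimal IPv4 packet; checksum left 0 (constructed test data)."""
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
    return hdr + bytes(src) + bytes(dst) + payload

def udp(sport, dport, data):
    """Build a UDP datagram; checksum left 0."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def classify(packet):
    """Return (kind, spi, ports): what a PAT device could key a mapping on."""
    ihl = (packet[0] & 0x0F) * 4
    proto, body = packet[9], packet[ihl:]
    if proto == ESP and len(body) >= 8:
        # Native ESP: the SPI follows the IP header directly, no port fields.
        return ("native-esp", struct.unpack_from("!I", body)[0], None)
    if proto != UDP or len(body) < 8:
        return ("other", None, None)
    sport, dport, length, _ = struct.unpack_from("!HHHH", body)
    ports, data = (sport, dport), body[8:length]
    if NATT_PORT not in ports:
        return ("other-udp", None, ports)
    if data == b"\xff":                          # one-byte NAT keepalive
        return ("nat-keepalive", None, ports)
    if data[:4] == bytes(4) and len(data) > 4:   # Non-ESP marker: IKE follows
        return ("ike", None, ports)
    if len(data) >= 8:                           # non-zero SPI first: ESP in UDP
        return ("udp-encapsulated-esp", struct.unpack_from("!I", data)[0], ports)
    return ("malformed", None, ports)

# Constructed samples: SPI, sequence number and 16 dummy ciphertext bytes.
ESP_BODY = struct.pack("!II", 0xC0FFEE01, 1) + bytes(16)
NATIVE = ipv4(ESP, ESP_BODY)
# Same ESP packet after UDP encapsulation and a PAT rewrite of the source port.
ENCAPSULATED = ipv4(UDP, udp(61002, NATT_PORT, ESP_BODY))
KEEPALIVE = ipv4(UDP, udp(61002, NATT_PORT, b"\xff"))

if __name__ == "__main__":
    for name, pkt in [("native", NATIVE), ("encapsulated", ENCAPSULATED),
                      ("keepalive", KEEPALIVE)]:
        print(name, classify(pkt))
```

On a firewall log, the first kind shows up as protocol 50 with no ports, while the other kinds are ordinary UDP flows that an N:1 NAT can track per source port.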
