Welcome to ISAserver.org

NAT/IPsec through ISA to another VPN
NAT/IPsec through ISA to another VPN - 14.Jun.2001 6:32:00 PM   
WarrenC

 

Posts: 25
Joined: 6.Apr.2001
From: Vancouver, BC, Canada
Status: offline
Is this possible?

We are running ISA, NAT'd of course, and we need to use a Cisco/Intraport VPN client to connect to a client's corporate LAN through their firewall. It uses IPSec, Protocols 50 & 51.. is this possible?

I've heard that IPSec does not like a NAT client connection, is there any workarounds we can use?

Thanks for any help.

-Warren

Post #: 1
RE: NAT/IPsec through ISA to another VPN - 15.Jun.2001 7:10:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Warren,

From everything I've seen and read, this will not work. There have been hints from some people that it could work, but then those comments were retracted.

It's an interesting problem, though.

Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/

(in reply to WarrenC)
Post #: 2
RE: NAT/IPsec through ISA to another VPN - 15.Jun.2001 10:49:00 PM   
WarrenC

 

Posts: 25
Joined: 6.Apr.2001
From: Vancouver, BC, Canada
Status: offline
Can you go into any technical details as to why?

Can this be resolved by a service pack, or is there a reason ISA Server functions like this?

Thanks.


(in reply to WarrenC)
Post #: 3
RE: NAT/IPsec through ISA to another VPN - 16.Jun.2001 5:34:00 AM   
jtaylor

 

Posts: 27
Joined: 7.Jun.2001
Status: offline
Hi Warren,
It has to do with the data integrity of the packet. IPSec uses AH and ESP protocols to provide authentication and integrity services. AH adds a header with no encryption, and ESP encapsulates and encrypts the entire packet. So the packets are digitally signed for integrity and authenticity purposes.

NAT tries to rewrite the packet headers and send them on to their NAT'ed address. When the attempt is made to alter or modify the packet, the digital signatures created by AH and ESP are no longer valid, and the VPN server drops the packet, IPSec interpreting the rewritten headers as a breach in security.

This is why NAT doesn't work with IPSec. It can't be resolved in a service pack, it is the way it is because of the way IPSec works.

James Taylor


(in reply to WarrenC)
Post #: 4
RE: NAT/IPsec through ISA to another VPN - 18.Jun.2001 6:43:00 PM   
WarrenC

 

Posts: 25
Joined: 6.Apr.2001
From: Vancouver, BC, Canada
Status: offline
Okay.. that makes sense. However this particular client we are trying to use (Intraport - going through a Cisco 5000 I think), seems to indicate that it can work behind a NAT'd setup, but something with ISA in particular seems to be causing a problem. This IPSec VPN client is not just a default Win2k VPN, but its own application. Any thoughts?

Surely some IPSec has to work with NAT or it would be severely limited in use. Doesn't L2TP use IPSec?

Thanks for the info...

-Warren


(in reply to WarrenC)
Post #: 5
RE: NAT/IPsec through ISA to another VPN - 18.Jun.2001 7:03:00 PM   
jtaylor

 

Posts: 27
Joined: 7.Jun.2001
Status: offline
Warren,
Yes, L2TP uses IPSec, but that still doesn't avoid the NAT problem. And NAT is a problem with IPSec, and although you might think it would be severely limiting, IPSec implementations seem to be the most secure at present, so limitations or not, if you want the best level of VPN security you use IPSec.

Now I have heard that some VPN implementations, like Check Point's VPN-1 and its Securemote client, avoid NAT issues by encapsulating the packets with UDP headers. This is actually an issue I am struggling with right now. I can use Securemote with IKE to create sessions through Win 2K's ICS, but not through ISA Server, and I am trying to understand why. I was told by a colleague (and Tom Shinder mentioned it as well) it's because of the UDP encapsulation.

It sounds like you are having the same problem with ISA using a different client (Intraport). I am going to work on this some this week, and if I figure it out I will let you know.

JT

[This message has been edited by jtaylor (edited 18 June 2001).]


(in reply to WarrenC)
Post #: 6
RE: NAT/IPsec through ISA to another VPN - 18.Jun.2001 10:45:00 PM   
jtaylor

 

Posts: 27
Joined: 7.Jun.2001
Status: offline
Warren,
I made my Securemote stuff work.

I logged a session using a sniffer, and noticed topology requests were made outbound on TCP port 264 with a dynamically assigned source port. Authentication to the Policy Server was made on UDP 500 with a dynamically assigned source port, one packet out and one packet in.

I created 2 packet filters, one for TCP 264 outbound, and one for UDP 500 send-receive.

I created protocol definitions for the above two ports, and then created a protocol rule that allowed TCP 264 and UDP 500.

I think the difference between my client and your client is that mine encapsulates the packets with a UDP header to sneak it past NAT (assuming that what I've been told is correct in that my IKE sessions are using IPSec to transmit the data). It looks like your client, if it is using TCP 50 and 51, doesn't, so your stuff won't work. You might look into that.

JT


(in reply to WarrenC)
Post #: 7
RE: NAT/IPsec through ISA to another VPN - 19.Jun.2001 6:08:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi James,

Fantastic! Thanks for the info. A lot of people have been asking about this. We'll stick this tidbit in the next newsletter as the post of the week

Thanks!

Tom


(in reply to WarrenC)
Post #: 8
RE: NAT/IPsec through ISA to another VPN - 20.Jun.2001 12:14:00 AM   
jtaylor

 

Posts: 27
Joined: 7.Jun.2001
Status: offline
Wow! I am honored Tom! Thank you very much!

James


(in reply to WarrenC)
Post #: 9
RE: NAT/IPsec through ISA to another VPN - 20.Jun.2001 6:03:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi James,

You bet! It was a great tip and will be very popular. And of course, I'll give you credit in the newsletter

Tom


(in reply to WarrenC)
Post #: 10
RE: NAT/IPsec through ISA to another VPN - 20.Jun.2001 7:42:00 PM   
Obbie

 

Posts: 14
Joined: 20.Jun.2001
From: Edmonton, Alberta, Canada
Status: offline
James..Good Idea!
Would you be able to tell me what sniffer you used? I too am having a great problem in getting my inside users to connect to a remote VPN network. The Nortel client software calls for the same IPSec 50 and 51. Man, there has to be a way to get this to work using ISA as a gateway!

Thanks
Rob.


(in reply to WarrenC)
Post #: 11
RE: NAT/IPsec through ISA to another VPN - 20.Jun.2001 9:24:00 PM   
jtaylor

 

Posts: 27
Joined: 7.Jun.2001
Status: offline
Rob,
I used Analyzer (http://netgroup-serv.polito.it/analyzer/) to do my packet capturing. It's a freeware product, and a pretty good one at that.

I think the key is the UDP encapsulation. If your client is using TCP ports 50 and 51, then your client won't work with NAT, if what I understand is right. You would need a client, like Check Point's Securemote, that encapsulates the packets after signing and encrypting them.

You could try creating packet filters, protocol definitions and a protocol rule like I did and use TCP ports 50 and 51 instead and see if that works to test the UDP encapsulation theory. If you do, I would like to know what you find out.

On another note, a customer of ours had asked about load-balancing VPN traffic. I found a vendor that said they could do that as long as AH was not used, but ESP was okay. And to load-balance the traffic, you would have to have some sort of hide NAT going on (like virtual IP for clustering services).

So if that is really true, then maybe UDP encapsulation really isn't why it works. I don't know how to see if I am using AH, ESP or both yet. Maybe that's something else to consider.

A lot of possibilities.

JT

[This message has been edited by jtaylor (edited 20 June 2001).]


(in reply to WarrenC)
Post #: 12
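As an added illustration (not code from the thread or from any product discussed in it) of James's explanation of why NAT breaks IPSec, and of the later vendor remark that hide NAT works with ESP but not AH: a toy integrity check computed by the sender, then re-verified after a NAT rewrites the source address and decrements the TTL. Packet layout, key and addresses are constructed; real stacks add SPI lookup, replay windows and IKE key negotiation.

```python
# Added example: AH's ICV covers the IP header (addresses included), so NAT
# invalidates it; ESP's ICV covers only the ESP payload, so address rewriting
# survives. Key, addresses and payload are constructed for the demo.
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # SA key for the toy; never a real key

def ipv4_header(src: str, dst: str, proto: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header; checksum left zero (NAT recomputes it anyway)."""
    def ip(a): return bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0x1234, 0, ttl, proto, 0, ip(src), ip(dst))

def ah_immutable_view(ip_hdr: bytes) -> bytes:
    """RFC 4302: AH authenticates the IP header with mutable fields (TOS,
    flags/offset, TTL, checksum) zeroed; src/dst are immutable, so NAT breaks it."""
    h = bytearray(ip_hdr)
    h[1] = 0                # TOS / DSCP
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)

def icv(data: bytes) -> bytes:
    """HMAC-SHA1-96, the truncated ICV both AH and ESP commonly carry."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def ah_icv(ip_hdr: bytes, payload: bytes) -> bytes:
    return icv(ah_immutable_view(ip_hdr) + payload)

def esp_icv(_ip_hdr: bytes, payload: bytes) -> bytes:
    # ESP's ICV covers ESP header + ciphertext + trailer, never the outer IP header.
    # (ESP still has no ports, which is why port-translating NAT needs UDP encapsulation.)
    return icv(payload)

def nat_rewrite(ip_hdr: bytes, new_src: str) -> bytes:
    """What a hide NAT does on the way out: new source address, TTL decremented."""
    h = bytearray(ip_hdr)
    h[12:16] = bytes(int(o) for o in new_src.split("."))
    h[8] -= 1
    return bytes(h)

def survives_nat(mode: str) -> bool:
    """Sender computes ICV, packet is NATed, receiver re-verifies."""
    calc = ah_icv if mode == "AH" else esp_icv
    payload = b"constructed opaque IPsec payload"
    hdr = ipv4_header("192.168.1.10", "203.0.113.5", 51 if mode == "AH" else 50)
    sent_icv = calc(hdr, payload)
    natted = nat_rewrite(hdr, "198.51.100.7")
    return hmac.compare_digest(sent_icv, calc(natted, payload))
```

`survives_nat("AH")` returns False and `survives_nat("ESP")` returns True; the TTL change alone is harmless to AH because that field is zeroed before the ICV is computed.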
RE: NAT/IPsec through ISA to another VPN - 21.Jun.2001 12:04:00 AM   
Obbie

 

Posts: 14
Joined: 20.Jun.2001
From: Edmonton, Alberta, Canada
Status: offline
Thanks for the Link James! I really like that sniffer.

For some reason all the traffic I can see the client requesting when I try to connect with the VPN client software is UDP traffic on port 500 both local and remote?

If I enabled that port and protocol, why would this not work?

Rob.


(in reply to WarrenC)
Post #: 13
RE: NAT/IPsec through ISA to another VPN - 21.Jun.2001 3:46:00 AM   
jtaylor

 

Posts: 27
Joined: 7.Jun.2001
Status: offline
Rob,
those are the same ports Check Point's Securemote client uses. My set up:

Packet filter:
-Custom
-UDP, Both, All Ports, Fixed Port, 500
-Applied filter to specific external IP on my ISA box (I have more than one assigned, and it also seemed to mess up my Terminal Server sessions if I didn't specify an external IP)

Protocol definitions for Securemote sessions using IKE:
-UDP 500 Send-Receive, no secondary connections specified

Protocol Rule:
-Selected protocol from my newly created definition

That's pretty much it. I left out the bit I did for Securemote topology dnloads, but that's just an additional filter on TCP 264 and another protocol definition that I plug into the same Protocol Rule.

I too am using RSA SecurID to authenticate my VPN-1/Securemote sessions, and I am able to dnload VPN-1 topologies and authenticate with SecurID.

JT


(in reply to WarrenC)
Post #: 14
RE: NAT/IPsec through ISA to another VPN - 24.Jun.2001 1:46:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi James,

Good stuff! I am wondering if you even need the packet filter. It seems to me that the Protocol Definitions and Protocol Rules should do the trick, unless you need the same functionality on the ISA Server itself.

Thanks!

Tom


(in reply to WarrenC)
Post #: 15
RE: NAT/IPsec through ISA to another VPN - 24.Jun.2001 6:28:00 PM   
jtaylor

 

Posts: 27
Joined: 7.Jun.2001
Status: offline
Tom,
I don't know about the packet filter, if it is necessary or not. I added it because in the newsgroup, when I first posed the question about this problem and was wondering what the differences were between Win 2K's ICS and ISA Server (because I never had this problem behind Win 2K ICS), Jim Harrison pointed out that ISA filters the packets and Win 2K ICS doesn't.

You may be right. I will let you know Monday, though, after I disable the filter and see if it works.

JT

[This message has been edited by jtaylor (edited 24 June 2001).]


(in reply to WarrenC)
Post #: 16
RE: NAT/IPsec through ISA to another VPN - 25.Jun.2001 5:38:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi James,

Yes please! Try it without the packet filters and just use the Protocol Rules. I harp on the point a lot about how you don't need to use packet filters when you have Protocol Rules in place. So I'd like to confirm that I'm not blowing smoke.

Thanks!

Tom


(in reply to WarrenC)
Post #: 17
RE: NAT/IPsec through ISA to another VPN - 25.Jun.2001 5:51:00 PM   
jtaylor

 

Posts: 27
Joined: 7.Jun.2001
Status: offline
Tom,
You are correct, sir! Disabled the filters, and I was able to download the topology and authenticate no problem. So the packet filters are not needed.

So would there ever be an instance when you would need both packet filters and protocol rules in place? Or should I just go on the premise that if you have a protocol rule, you don't need a packet filter, like you suggest?

JT


(in reply to WarrenC)
Post #: 18
RE: NAT/IPsec through ISA to another VPN - 25.Jun.2001 8:46:00 PM   
qhplar

 

Posts: 6
Joined: 18.Feb.2001
From: NJ
Status: offline
Hi,

I too am trying to get an IPSec client to connect out to my company's network. I currently have the "All open" setup that Tom's article uses to test ISA Server, therefore all my ports and protocols should be open. Do I need to set anything else up, like UDP port 500, to test if my client can get through ISA Server?


(in reply to WarrenC)
Post #: 19
RE: NAT/IPsec through ISA to another VPN - 25.Jun.2001 8:55:00 PM   
qhplar

 

Posts: 6
Joined: 18.Feb.2001
From: NJ
Status: offline
Rob,

Did you get the Nortel client to work? I'm trying to get a Nortel client to work also.

Thanks
Ralph


(in reply to WarrenC)
Post #: 20