RE: How to pass IPSec traffic through ISA Server
RE: How to pass IPSec traffic through ISA Server - 21.May2003 12:27:00 AM
mpb7277
Posts: 1
Joined: 20.May2003
From: phoenix
Thanks for the article. I have users, all SecureNAT clients, that need access to external networks using both Nortel and Cisco VPN clients. I will contact the admin on the Nortel side, based on your article info.
I cannot get the Cisco to work. The LAT includes all internal IPs and the clients are DHCP. Do I need to make the clients Firewall clients?
Thanks, Marcus

RE: How to pass IPSec traffic through ISA Server - 21.May2003 10:19:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Marcus,
The client *must* be configured as a SecureNAT client. This is a requirement! A client may also be configured as a Firewall client, BUT test *first* with the Firewall client disabled if installed. Once the VPN is working you can fine-tune the Firewall client configuration as mentioned in my article.
Which Cisco VPN client are you using? What Cisco VPN gateway is used on the remote site? Does it support NAT Traversal? You should contact the VPN administrator to get that important info.
HTH, Stefaan

RE: How to pass IPSec traffic through ISA Server - 21.May2003 10:49:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hey guys,
Just to let you know that the L2TP/IPSec NAT-T Update for Windows XP and Windows 2000 is available from Microsoft. Check out http://support.microsoft.com/default.aspx?SCID=KB;EN-US;818043 for more info.
HTH, Stefaan

RE: How to pass IPSec traffic through ISA Server - 28.May2003 9:48:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hey guys,
Microsoft has withdrawn the L2TP/IPSec NAT-T Update for Windows XP after conflicts between it and third party firewall products. However, the updated VPN client is still available for Microsoft Windows 2000 SP3.
HTH, Stefaan [ May 28, 2003, 10:34 PM: Message edited by: spouseele ]

RE: How to pass IPSec traffic through ISA Server - 31.May2003 7:43:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Hi Stefaan,
Yes, and it works great!
You need to create two protocol rules on the local ISA Server:
UDP 500 send/receive
UDP 4500 send/receive
On the remote ISA Server/VPN Server, create the following packet filters:
UDP 500 receive/send (from all ports to UDP 500)
UDP 4500 receive/send (from all ports to UDP 4500)
UDP 1701 receive/send (from all ports to UDP 1701)
That's it!
Thanks! Tom

RE: How to pass IPSec traffic through ISA Server - 31.May2003 8:05:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Tom,
Thanks for reminding me of that magic UDP port 1701 (L2TP) packet filter when ISA is acting as the VPN endpoint.
Thanks, Stefaan [ May 31, 2003, 08:37 PM: Message edited by: spouseele ]

RE: How to pass IPSec traffic through ISA Server - 31.Jul.2003 11:35:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hey guys,
Good news! The L2TP/IPSec NAT-T Update for Windows XP SP1 is available again on the Windows Update site.
Quote:
Recommended Update for Windows XP (818043) - (Posted Date: July 22, 2003)
Download size: 771 KB
This update to Internet Protocol Security Clients IPSec and L2TP/IPSec allows IPSec to work across Network Address Translation (NAT) boundaries. A client may connect to a Windows Server 2003 Server with IPSec or L2TP/IPSec when the client is behind one or more NATs. Users should download this update if they use IPSec and/or L2TP Virtual Private Network (VPN) connections. After you install this item, you may have to restart your computer. Read More...
Check out http://support.microsoft.com/default.aspx?SCID=KB;EN-US;818043 for more info.
HTH, Stefaan

RE: How to pass IPSec traffic through ISA Server - 2.Aug.2003 5:03:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Hi Stefaan,
GREAT!
Thanks! Tom

RE: How to pass IPSec traffic through ISA Server - 4.Aug.2003 9:57:00 PM
pjarm
Posts: 4
Joined: 11.Feb.2003
Hello all, I've still got a strange problem. We've got a Cisco VPN client in our company, and I've got an ISA Server to protect my network. I've created the rules to connect to the company's network, and this is working. But I cannot access the network; no traffic, I mean. Then I made a rule to open port UDP 10000 to pass VPN traffic through ISA. Once it worked. But the next time I tried, nothing happened. What's wrong?
Thank you for your ideas....

RE: How to pass IPSec traffic through ISA Server - 4.Aug.2003 10:52:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi pjarm,
Make sure you test first with the Firewall client disabled if installed. This implies of course that the internal host is configured as a SecureNAT client too.
Are you sure the VPN gateway you are connecting to has NAT-T enabled? Check that out with the VPN gateway administrator. Have you already checked out the Firewall and Packet Filter logs on ISA server? Do you see the outbound requests in the Firewall log? Do you see blocked packets in the Packet Filter log?
Also, pay particular attention to the ISA client configuration as mentioned in section 4 of my article.
HTH, Stefaan [ August 04, 2003, 10:53 PM: Message edited by: spouseele ]
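Stefaan's advice above (look for the outbound requests in the Firewall log and for blocked packets in the Packet Filter log) and Tom's list of required rules earlier in the thread can be turned into a quick check. What follows is an added example, not code from the thread, from ISA Server or from any VPN vendor: it reads constructed, simplified packet-filter log lines (the "#Fields:" column layout and every record are assumptions made for this example, not the real ISA Server log format) and reports which of the flows a NAT-T VPN client needs, UDP 500, UDP 4500, UDP 1701 and IP protocol 50/51, were dropped on the way to a hypothetical gateway at 198.51.100.20. Any other dropped UDP flow to the gateway, such as the UDP 10000 pjarm mentions, is listed separately so it is not overlooked.

```python
# Added example, not from the thread. Scans packet-filter log lines for the flows a
# NAT-T VPN client needs and reports which of them the firewall dropped. The log layout
# (a "#Fields:" header followed by space-separated records) and every line in SAMPLE_LOG
# are constructed for this example; map the column names onto your own log before use.

VPN_FLOWS = {
    ("UDP", 500): "IKE",
    ("UDP", 4500): "NAT-T",   # UDP-encapsulated ESP after NAT discovery
    ("UDP", 1701): "L2TP",    # only needed when the ISA Server itself is the L2TP endpoint
    ("ESP", None): "ESP",     # IP protocol 50, no ports
    ("AH", None): "AH",       # IP protocol 51, no ports
}

SAMPLE_LOG = """\
#Software: constructed sample, not a real ISA Server log
#Fields: date time src-ip dst-ip protocol src-port dst-port action
2003-08-04 21:40:01 192.168.1.10 198.51.100.20 UDP 500 500 ALLOW
2003-08-04 21:40:02 192.168.1.10 198.51.100.20 UDP 4500 4500 DROP
2003-08-04 21:40:04 192.168.1.10 198.51.100.20 UDP 4500 4500 DROP
2003-08-04 21:40:05 192.168.1.10 198.51.100.20 ESP - - DROP
2003-08-04 21:40:06 192.168.1.10 198.51.100.20 UDP 10000 10000 DROP
2003-08-04 21:40:07 192.168.1.10 203.0.113.9 TCP 1040 80 ALLOW
"""


def parse_log(text):
    """Yield one dict per record, using the column names from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("record before #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip truncated or malformed records rather than misalign columns
        yield dict(zip(fields, values))


def classify(rec):
    """Map a record to a VPN flow name, or None if it is not a standard IPSec/NAT-T flow."""
    proto = rec["protocol"].upper()
    if proto in ("ESP", "AH"):
        return VPN_FLOWS[(proto, None)]
    port = int(rec["dst-port"]) if rec["dst-port"].isdigit() else None
    return VPN_FLOWS.get((proto, port))


def blocked_vpn_flows(text, gateway_ip):
    """Count dropped packets towards the VPN gateway per flow; collect unknown dropped flows."""
    blocked, unclassified = {}, []
    for rec in parse_log(text):
        if rec["dst-ip"] != gateway_ip or rec["action"].upper() != "DROP":
            continue
        name = classify(rec)
        if name:
            blocked[name] = blocked.get(name, 0) + 1
        else:
            unclassified.append((rec["protocol"].upper(), rec["dst-port"]))
    return blocked, unclassified


def diagnose(blocked, unclassified):
    """Turn the counts into the checks the thread suggests."""
    findings = []
    if "IKE" in blocked:
        findings.append("UDP 500 dropped: the IKE protocol rule or packet filter is missing.")
    if "NAT-T" in blocked:
        findings.append("UDP 4500 dropped: add the UDP 4500 send/receive rule, or NAT-T cannot carry ESP.")
    if "L2TP" in blocked:
        findings.append("UDP 1701 dropped: needed when the ISA Server itself is the L2TP endpoint.")
    if "ESP" in blocked or "AH" in blocked:
        findings.append("Native ESP/AH from an internal client: NAT-T was not negotiated; "
                        "check with the gateway administrator that the gateway supports it.")
    for proto, port in unclassified:
        findings.append(f"{proto} to port {port} dropped: not a standard IPSec/NAT-T flow; "
                        "check the VPN client's own transport settings.")
    return findings


if __name__ == "__main__":
    blocked, unclassified = blocked_vpn_flows(SAMPLE_LOG, "198.51.100.20")
    for finding in diagnose(blocked, unclassified):
        print(finding)
```

The check deliberately ignores allowed packets and traffic to other destinations: the question in this thread is only ever "which of the VPN prerequisites is the firewall dropping". A native ESP packet from an internal SecureNAT client is itself a finding, since a client that had negotiated NAT-T would be sending UDP 4500 instead.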

RE: How to pass IPSec traffic through ISA Server - 5.Aug.2003 8:58:00 PM
pjarm
Posts: 4
Joined: 11.Feb.2003
Yes, I've tried almost everything. But the strange thing is, I could get traffic once...
Thank you anyway

RE: How to pass IPSec traffic through ISA Server - 5.Aug.2003 9:32:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi pjarm,
So you see no blocked packets, and you can confirm that the VPN session setup does complete, but that no real data is passing through the VPN tunnel?
I'm sure there is some logging facility on the Cisco VPN client too. What is that telling you? Also, have you already contacted the VPN gateway administrator?
HTH, Stefaan [ August 05, 2003, 09:33 PM: Message edited by: spouseele ]

RE: How to pass IPSec traffic through ISA Server - 7.Aug.2003 5:08:00 PM
Guest
Stefaan,
Reading the L2TP/IPSec NAT-T Update on MS.com for Win2k, it states that IP port 50 must be allowed:
ESP - Internet Protocol (IP) protocol 50
The only protocol types that I can see in ISA are TCP or UDP; how can I enable IP port 50? Please help me!
marrio!

RE: How to pass IPSec traffic through ISA Server - 7.Aug.2003 8:43:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Marrio,
If you carefully read section '2.2. The negotiation of the NAT Traversal in the IKE' you will notice that a NAT-T discovery is done. That means that the endpoints will try to detect if a NAT device is in the path. Only if a NAT device is detected *and* both endpoints are NAT-T capable will the NAT-T feature be used.
Therefore, you can have two results for IPSec NAT-T capable devices:
1) No NAT device detected along the path: the protocols used are UDP port 500 (IKE) and IP protocol 50/51 (ESP/AH).
2) A NAT device is detected along the path: the protocols used are UDP port 500 (IKE) and UDP port 4500 (NAT-T, or UDP-encapsulated ESP).
HTH, Stefaan
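The NAT-T discovery Stefaan describes can be shown in code. This is an added example, not from the thread or from any vendor's IKE implementation: it computes the NAT-D payloads of RFC 3947 section 3.2 (a hash over the two IKE cookies and the address/port each side believes is in use), lets the gateway compare them with the source address it actually observes on the wire, and then derives which flows a firewall in between has to pass: UDP 500 plus IP protocol 50/51 when no NAT is found, UDP 500 plus UDP 4500 when one is. The cookies, the internal client 192.168.1.10, its translated address 203.0.113.5:1025 and the gateway 198.51.100.20 are all constructed values.

```python
import hashlib
import socket
import struct

# Added example, not from the thread. Reproduces the NAT discovery step of IKE
# NAT-Traversal (RFC 3947, section 3.2): each side sends NAT-D payloads that are
# hashes over the addresses it believes are in use; the receiver recomputes them
# over the addresses it actually sees on the wire. A mismatch means a NAT rewrote
# something. All cookies and addresses below are constructed.


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo: str = "sha1") -> bytes:
    """NAT-D payload value: HASH(CKY-I | CKY-R | IP | Port), IP and port in network order."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()


def build_nat_d(cky_i, cky_r, local_ip, local_port, peer_ip, peer_port):
    """Payloads a sender emits: first the peer's (destination) address, then its own address(es)."""
    return [
        nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
        nat_d_hash(cky_i, cky_r, local_ip, local_port),
    ]


def detect_nat(cky_i, cky_r, received, own_ip, own_port, seen_src_ip, seen_src_port):
    """Receiver side. Returns (peer_behind_nat, self_behind_nat)."""
    # The peer's hash of *our* address differs from our real address: a NAT in front of us rewrote it.
    self_behind_nat = received[0] != nat_d_hash(cky_i, cky_r, own_ip, own_port)
    # None of the peer's hashes of *its own* addresses matches the source we observe: the peer is NATed.
    seen = nat_d_hash(cky_i, cky_r, seen_src_ip, seen_src_port)
    peer_behind_nat = seen not in received[1:]
    return peer_behind_nat, self_behind_nat


def required_flows(nat_detected: bool):
    """What a firewall between the peers must pass once IKE has decided whether to use NAT-T."""
    if nat_detected:
        return {("udp", 500), ("udp", 4500)}       # IKE, then UDP-encapsulated ESP on 4500
    return {("udp", 500), ("ip", 50), ("ip", 51)}  # IKE, native ESP and AH


def scenario(client_ip, client_port, seen_ip, seen_port, gw_ip="198.51.100.20", gw_port=500):
    """A VPN client sends NAT-D to a gateway; the gateway sees the packet after any NAT in the path."""
    cky_i = bytes.fromhex("0011223344556677")  # constructed initiator cookie
    cky_r = bytes.fromhex("8899aabbccddeeff")  # constructed responder cookie
    payloads = build_nat_d(cky_i, cky_r, client_ip, client_port, gw_ip, gw_port)
    peer_nat, self_nat = detect_nat(cky_i, cky_r, payloads, gw_ip, gw_port, seen_ip, seen_port)
    return peer_nat, self_nat, required_flows(peer_nat or self_nat)


if __name__ == "__main__":
    # Client on 192.168.1.10 behind an ISA Server that translates it to 203.0.113.5:1025 (constructed).
    print("behind NAT:", scenario("192.168.1.10", 500, "203.0.113.5", 1025))
    # Same client holding a public address with no translation in the path.
    print("no NAT    :", scenario("203.0.113.5", 500, "203.0.113.5", 500))
```

This is why Marrio's question about IP protocol 50 answers itself for a SecureNAT client: the gateway sees a translated source address, its recomputed hash no longer matches the client's, both sides switch to UDP 4500, and native ESP is never sent. If the gateway does not support NAT-T the discovery step is skipped, ESP is attempted, and the translating firewall cannot pass it.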

RE: How to pass IPSec traffic through ISA Server - 7.Aug.2003 10:15:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Hi Stefaan,
In your article, you said:
"Now, it should become clear that the internal host on which the VPN client is installed must be configured as a SecureNAT client. Remember that the destination of the IP packets for the VPN tunnel will be the external IP address of the remote VPN gateway and that is definitely a non-LAT destination, at least from the ISA server point of view. As a consequence, the ISA server will see the VPN tunnel as a SecureNAT request and therefore you can only apply outbound access control on the basis of a client address set."
However, I find that machine configured as ONLY a Firewall client works fine with the IPSec NAT-T L2TP/IPSec VPN client.
Am I missing something?
Thanks! Tom

RE: How to pass IPSec traffic through ISA Server - 7.Aug.2003 11:58:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Tom,
Aha... I read your finding also somewhere in your VPN deployment kit. I think the key point is: where in the protocol stack is the IPSec and NAT-T encapsulation done!
I bet you have tested that with the W2K/XP L2TP/IPSec NAT-T VPN client. Have you also done the same test with the downlevel L2TP/IPSec NAT-T VPN client (i.e. W98)? I wonder if it will give the same result!
HTH, Stefaan