Welcome to ISAserver.org


RE: How to pass IPSec traffic through ISA Server

All Forums >> [ISA Server 2000 Firewall] >> VPN >> RE: How to pass IPSec traffic through ISA Server Page: <<   < prev  1 2 [3] 4 5   next >   >>
RE: How to pass IPSec traffic through ISA Server - 8.Aug.2003 10:15:00 PM   
spouseele

Hi Tom,

most third-party IPSec implementations (and I assume also the downlevel L2TP/IPSec VPN client for Windows 98, Windows Me and Windows NT 4.0) are implemented as 'Bump in the Stack'. That means as a shim, inserted between the network and the data link layer. Therefore, that traffic can *never* be redirected by the Firewall client.

However, for W2K/XP the L2TP/IPSec VPN client is 'OS integrated'. Remember the figure in section '5.3. Microsoft'. So, I think that could explain why that traffic can be redirected by the Firewall client.

HTH,
Stefaan

(in reply to spouseele)
Post #: 41
RE: How to pass IPSec traffic through ISA Server - 29.Aug.2003 3:48:00 PM   
spouseele

Hey guys,

just to let you know I've updated the article with the latest info about the Microsoft L2TP/IPSec NAT-T implementation (5.3. Microsoft).

After some more testing, Tom has concluded that, even for the L2TP/IPSec VPN client on W2K/XP, the client must be configured as a SecureNAT client.

BTW --- if somebody can prove it works also with a Firewall client only configuration on Win2k and WinXP, let me know and I will be pleased to update my article.

HTH,
Stefaan

(in reply to spouseele)
Post #: 42
RE: How to pass IPSec traffic through ISA Server - 30.Aug.2003 5:53:00 PM   
tshinder

Hi Stefaan,

Thanks!
Tom

(in reply to spouseele)
Post #: 43
RE: How to pass IPSec traffic through ISA Server - 31.Aug.2003 7:57:00 PM   
tshinder

Hi Mario,

ESP is required only if the packets are not encapsulated.

HTH,
Tom

(in reply to spouseele)
Post #: 44
RE: How to pass IPSec traffic through ISA Server - 28.Sep.2003 2:34:00 PM   
spouseele

Hey guys,

just to let you know that on September 25, 2003 Steve Riley of Microsoft held an excellent Technet Webcast about IPsec and NAT-T. The recorded event can be found on http://www.microsoft.com/usa/webcasts/ondemand/2323.asp .

HTH,
Stefaan

(in reply to spouseele)
Post #: 45
RE: How to pass IPSec traffic through ISA Server - 28.Sep.2003 5:08:00 PM   
tshinder

Hi Stefaan,

Thanks!
Tom

(in reply to spouseele)
Post #: 46
RE: How to pass IPSec traffic through ISA Server - 4.Oct.2003 1:43:00 PM   
spouseele

Hey guys,

just to let you know I've updated the article with the latest IETF Internet Draft "Negotiation of NAT-Traversal in the IKE" (version 7).

HTH,
Stefaan

(in reply to spouseele)
Post #: 47
RE: How to pass IPSec traffic through ISA Server - 4.Oct.2003 3:31:00 PM   
tshinder

Hi Stefaan,

Great! What you might want to do is post the entire article again, with a new name, then it can get on the front page of the site and an email will go out to everyone (if you have time to do that) [Smile]

Thanks!
Tom

(in reply to spouseele)
Post #: 48
RE: How to pass IPSec traffic through ISA Server - 14.Oct.2003 7:07:00 PM   
telccl

We want to set up the following configuration:

Clients on Internet to ISA Server (also used as RRAS server for PPTP only at this time) to W2k3 Server acting as L2TP VPN server for a separate domain outside of our forest located on our internal network.

We have followed the suggestions in this paper, but can only see IKE traffic on Port 500 in Netmon. Nothing gets passed through to the internal W2K3 server.

Also, how do certificates come into play in this scenario?

Thx

(in reply to spouseele)
Post #: 49
RE: How to pass IPSec traffic through ISA Server - 14.Oct.2003 8:37:00 PM   
spouseele

Hi telccl,

my article is about outbound IPSec passthrough. It sounds that you are talking about an inbound passthrough IPSec scenario, more precisely publishing a W2K3 RRAS server.

That's perfectly possible if L2TP/IPSec with NAT-T is used. However, you should change the direction in the protocol definition *and* disable the IPSec service on ISA.

For more info, check out http://www.isaserver.org/articles/isa2000vpndeploymentkit.html .

HTH,
Stefaan

(in reply to spouseele)
Post #: 50
RE: How to pass IPSec traffic through ISA Server - 16.Oct.2003 12:23:00 AM   
telccl

Would you happen to know which article to review? I have them all printed, but it seems they all talk about the VPN server residing on the ISA box....

Thx...

(in reply to spouseele)
Post #: 51
RE: How to pass IPSec traffic through ISA Server - 16.Oct.2003 12:59:00 AM   
tshinder

Hi Tec,

Why not put the VPN server on the firewall?

Thanks!
Tom

(in reply to spouseele)
Post #: 52
RE: How to pass IPSec traffic through ISA Server - 16.Oct.2003 4:28:00 PM   
telccl

We are looking at this setup to try and alleviate some of the pressure on the ISA box, which is also running our Internet surfing monitor software, DNS caching, MSDE for the surfing monitoring and some other processes.

Thx...

(in reply to spouseele)
Post #: 53
RE: How to pass IPSec traffic through ISA Server - 16.Oct.2003 10:03:00 PM   
spouseele

Hi telccl,

what would you think of http://www.tacteam.net/isaserverorg/vpnkitbeta2/b2bnat-t.htm , section "Installing and Configuring the External ISA Server firewall" ! [Big Grin]

HTH,
Stefaan

(in reply to spouseele)
Post #: 54
RE: How to pass IPSec traffic through ISA Server - 25.Oct.2003 7:42:00 PM   
spouseele

Hey guys,

just to let you know I've updated the article with the latest IETF Internet Draft IPsec-NAT Compatibility Requirements (version 6).

Also, on Oct 21, 2003 the IETF Internet Drafts Negotiation of NAT-Traversal in the IKE (version 7) and UDP Encapsulation of IPsec Packets (version 6) have moved to the stage Last Call to Proposed Standard. This is a very important milestone because it is the last step to become an official RFC.

HTH,
Stefaan

(in reply to spouseele)
Post #: 55
RE: How to pass IPSec traffic through ISA Server - 26.Oct.2003 4:49:00 PM   
tshinder

Hi Stefaan,

You can post a "news" article about this. It is noteworthy and I think deserves being posted as news.

Thanks!
Tom

(in reply to spouseele)
Post #: 56
RE: How to pass IPSec traffic through ISA Server - 13.Nov.2003 11:21:00 PM   
jlarnold

quote:
Originally posted by spouseele:
Hi Mario,

if you carefully read section '2.2. The negotiation of the NAT Traversal in the IKE' you will notice that a NAT-T discovery is done. That means that the endpoints will try to detect if a NAT device is in the path. Only if a NAT device is detected *and* both endpoints are NAT-T capable, then the NAT-T feature will be used.

Therefore, you can have two results for IPSEC NAT-T capable devices:

1) no NAT device detected along the path: the protocols used are UDP port 500 (IKE) and IP Protocol 50/51 (ESP/AH).

2) a NAT device is detected along the path: the protocol used are UDP port 500 (IKE) and UDP port 4500 (NAT-T or UDP encapsulated ESP).

HTH,
Stefaan

Hello Stefaan,
I have a question regarding this. I'm having an INTERESTING problem using Cisco 5000 VPN client 5.2.3 3DES to connect to external Cisco 5000 Series VPN Concentrator.

My internal VPN client is in a Complex network with a default gateway that eventually routes traffic to the internal interface of the ISA server. So it's a SecureNAT client. I connect to the internet via 2 ISA Servers configured in a BACK to BACK DMZ configuration.

The only ports that the VPN Concentrator Admins told me to open were:
Protocol 50
UDP 500
and TCP 80 (I'm assuming outbound) on my firewall.

What I've done on BOTH ISA Servers is:
1. Create a custom Packet filter for protocol 50 with direction as BOTH.

2. Create protocol definitions for UDP port 500 send/receive.

3. Create a protocol rule to allow both definitions.

4. Since I can surf the internet fine, I'm assuming TCP 80 is already allowed via the HTTP definition.

What happens is that when I launch the VPN client, it DOES say connected, and I DO get an IP address from the VPN server. However I can't pass any traffic. The client software status shows that I'm sending packets out but no packets are ever coming back. I can't even ping myself (VPN Address given by server).

I enabled logging for allowed and blocked packets on both ISA servers and can see entries from and to the VPN Server that are allowed Via UDP 500 only. Shouldn't I see entries for protocol 50?

Also, the VPN admins never mentioned opening UDP port 4500, but when I found this article I went ahead and opened that on both firewalls as well. It didn't make any difference.

Now here's where it gets INTERESTING. I thought maybe there was an ISA problem so I put a machine outside both firewalls and gave it one of my public IP addresses. It connects to my ISP via the ISP's Cisco router (No NAT, No Access Lists). When launching the VPN client, I have the same problem from this PC. I get an IP address from the VPN server, but no traffic.

Is it possible that the router IOS doesn't support IPSEC passthrough? I thought that would only be a problem if the router was doing NAT. In my case the router is just routing.

Anyone have any Ideas, I need help!

(in reply to spouseele)
Post #: 57
RE: How to pass IPSec traffic through ISA Server - 14.Nov.2003 7:42:00 PM   
spouseele

Hi jlarnold,

first of all, creating IP packet filters to get outbound access from a LAT source to a non-LAT destination will not work. Secondly, if the VPN admin is only talking about UDP port 500 (IKE) and IP protocol 50 (ESP) then he is definitely not talking about IPSec NAT-T. Therefore, it will NEVER work through ISA server or any NAT device.

So, the first thing you should ask him is if his Cisco VPN 5000 gear supports IPSec NAT-T or any Cisco specific UDP encapsulated ESP method. If he doesn't know what you are talking about then you have a serious problem! [Big Grin]

HTH,
Stefaan

(in reply to spouseele)
Post #: 58
RE: How to pass IPSec traffic through ISA Server - 29.Nov.2003 9:34:00 PM   
majstorv

Hello,

Our company managers have laptops with an application using a partner's VPN Concentrator site (IP address 146.197.27.32, belongs to "NIKE") and should connect as our LAN internal IP addresses (CISCO VPN Client 3.5.2, IPSec over UDP, transparent tunneling) over our ISA 2000 firewall and our CISCO 805 router.

(Sorry, this should not have been an advertisement, it's just that I have not had much support from their contacts, in fact they are not real sys.admins, and I could not get to any real VPN Concentrator admin. Besides, I hope this will make other people who have had the same problem with the same side post their suggestions and experience here).

Anyway, all they told me is: open UDP 500 and UDP 10000. I am afraid it is not that simple.

They can connect, authenticate, get an address from the VPN Concentrator, but when they start using the application there is no response from the target server. No data ever comes inbound.

ON ISA 2000 side:
"packet filtering enabled"
FILTERS: ESP,GRE
PROTOCOL DEFINITIONS: UDP - 500,4500,10000
TCP - 40400
PROTOCOL RULE: FOR ALL IP TRAFFIC, BOTH DIRECTIONS.

Now, I have been experimenting with our CISCO router which is behind firewall (completely public): I assigned public address to Laptop client and tested changing access-list in order to "catch" ports.
All OUTBOUND IP traffic on CISCO is permitted.

For INBOUND access list, I have put:
"permit ip any any" and THIS HELPED.

I have tried with "netstat" on the client to see what IP ports are in use but haven't discovered anything interesting, besides the fact that when the application communicates with the remote server TCP 40400 IS ALWAYS OPENED ON THE REMOTE SIDE!

When I changed INBOUND access list to:
"permit udp any any
permit tcp any any" NO SUCCESS!

I tried with:

"permit ipinip any any" but NO SUCCESS!

1) Does anyone know what ports this VPN Concentrator really uses and how to find out what specific IP protocols and ports should be opened on CISCO 805, both in and out?
PLEASE ONLY APPROVED THROUGH TESTING.

2) If the VPN CONCENTRATOR (146.197.27.32) admins do not follow this forum, how to monitor ports and IP protocols in use on ISA 2000, during unsuccessful tries?

3) How to force ISA to pass all IP, not only for defined protocols and filters? Can TCP, UDP and IP protocol ranges be created like in CISCO IOS, so I can be sure that "permit all IP" on ISA means LITERALLY ALL!

Regards,
Vladimir

(in reply to spouseele)
Post #: 59
RE: How to pass IPSec traffic through ISA Server - 30.Nov.2003 8:49:00 PM   
spouseele

Hi Vladimir,

quote:
Anyway, all they told me is: open UDP 500 and UDP 10000. I am afraid it is not that simple.

If that information is correct, then the Cisco box is set up for IPSec NAT-T (UDP encapsulated ESP). So, you have to create 2 protocol definitions: one for UDP port 500 send/receive and one for UDP port 10000 send/receive, and allow them in a protocol rule.

Next, make sure the internal client is configured as SecureNAT client and that if the Firewall client is installed, you disable the Firewall client before setting up the VPN connection. Of course, the destination Network ID reachable *through* the VPN tunnel must NOT overlap with your internal Network ID.

If it still doesn't work, take a network monitor trace at the internal client and the ISA external interface. You should be able to find out why it isn't working.

HTH,
Stefaan

(in reply to spouseele)
Post #: 60
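The two NAT-T outcomes Stefaan describes in the explanation quoted in post #57 (native ESP/AH when no NAT is detected, UDP-encapsulated ESP when one is) and the "IKE gets through but no data ever comes back" symptom that jlarnold and Vladimir report can both be read off the kind of trace Stefaan asks for in post #60. The script below is an added example, not code from this thread or from ISA Server: the trace lines are constructed, and the one-line summary format, the client IP and the class names are assumptions of the example.

```python
import re
from collections import Counter

# Constructed sample (not from the thread): summary lines in the shape a Network
# Monitor trace or ISA packet log yields. It mirrors jlarnold's symptom: IKE on
# UDP 500 flows both ways, the client then sends on UDP 4500, nothing returns.
SAMPLE_TRACE = """\
UDP 10.0.0.12:500 -> 203.0.113.5:500
UDP 203.0.113.5:500 -> 10.0.0.12:500
UDP 10.0.0.12:4500 -> 203.0.113.5:4500
UDP 10.0.0.12:4500 -> 203.0.113.5:4500
"""
LINE_RE = re.compile(r"^(\w+)\s+([\d.]+)(?::(\d+))?\s+->\s+([\d.]+)(?::(\d+))?$")
# IKE on UDP 500; NAT-T on UDP 4500 (IETF draft) or UDP 10000 (the Cisco port
# named in the thread); native ESP/AH are IP protocols 50/51 and carry no ports.
NATT_PORTS = {4500, 10000}
IP_PROTOS = {"50": "ESP", "ESP": "ESP", "51": "AH", "AH": "AH"}

def classify(line):
    """Return (traffic_class, src_ip, dst_ip), or None for a non-IPsec line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto, src, sport, dst, dport = m.groups()
    if proto.upper() == "UDP" and sport and dport:
        ports = {int(sport), int(dport)}
        cls = "IKE" if 500 in ports else "NAT-T" if ports & NATT_PORTS else None
    else:
        cls = IP_PROTOS.get(proto.upper())
    return (cls, src, dst) if cls else None

def diagnose(trace, client_ip):
    """Count IPsec traffic per class and direction and name the NAT-T outcome."""
    seen = Counter()
    for line in trace.splitlines():
        hit = classify(line)
        if hit:
            cls, src, _ = hit
            seen[(cls, "out" if src == client_ip else "in")] += 1
    data = {cls for cls, _ in seen if cls != "IKE"}
    if not data:
        verdict = "IKE only: phase 1 runs but no ESP/NAT-T data channel is seen"
    elif "NAT-T" in data:
        verdict = "NAT detected and both ends NAT-T capable: UDP-encapsulated ESP"
    else:
        verdict = "no NAT-T: native ESP/AH, which will not pass a NAT device"
    one_way = sorted(c for c in data if seen[(c, "out")] and not seen[(c, "in")])
    if one_way:
        verdict += "; %s leaves the client but nothing returns" % "/".join(one_way)
    return verdict, dict(seen)
```

Running `diagnose(SAMPLE_TRACE, "10.0.0.12")` on the constructed trace reports UDP-encapsulated ESP leaving the client with no reply, which is the case where the far end, not the local rules, needs checking first; a trace with only UDP 500 lines yields the "IKE only" verdict, and one with IP protocol 50 in both directions the "no NAT-T" verdict.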
