Welcome to ISAserver.org


RE: How to pass IPSec traffic through ISA Server

All Forums >> [ISA Server 2000 Firewall] >> VPN
RE: How to pass IPSec traffic through ISA Server - 1.Dec.2003 11:44:00 PM   
trebligb

 

Posts: 94
Joined: 13.Feb.2002
Status: offline
I have a problem connecting to a remote SonicWALL VPN through ISA (it works fine from a device outside the ISA server). I have followed the directions in the article to create a protocol rule. In addition, out of frustration, I have an all-access rule created allowing all internal IP addresses access on all protocols to all outside IP addresses. It does not work at all. I have tried it with both Firewall and SecureNAT clients. No dice...

thoughts?

(in reply to spouseele)
Post #: 61
RE: How to pass IPSec traffic through ISA Server - 2.Dec.2003 9:18:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Bill,

the first thing you should do is call the administrator of the VPN box. He should be able to tell you whether IPSec NAT-T is supported on the gateway *and* client, and on which UDP port the UDP encapsulation of the ESP traffic is done.

BTW --- testing from the outside is not relevant to your situation because it is very likely that no NAT is done.

HTH,
Stefaan

[ December 02, 2003, 09:19 PM: Message edited by: spouseele ]

(in reply to spouseele)
Post #: 62
RE: How to pass IPSec traffic through ISA Server - 3.Dec.2003 11:03:00 AM   
majstorv

 

Posts: 22
Joined: 24.Feb.2003
From: Belgrade,Serbia and Montenegro
Status: offline
Hello,

So, IPSec over UDP to a VPN Concentrator through ISA...
The result is always the same:
I establish the VPN connection, but cannot get any further. I cannot ping any server on the remote network, cannot even ping my own assigned IP address, no matter what I change on ISA!
All I have achieved is with a public IP address assigned to a client attached next to our public router, and it works, but only after I permit all IP inbound and outbound from that network, not only UDP and TCP!

Obviously, ISA NAT does not support this kind of VPN, or I have a big misunderstanding of ISA and all of this stuff.
I have been searching the ISA logs, but found only UDP 500 connections. In fact I suppose I cannot find anything interesting there, since it logs only the kinds of traffic known from "protocol definitions" and "packet filters", but here we have no such case.
I would rather assign public addresses to the clients, but how do I avoid NAT/PAT? ISA does not support 1-to-1 mapping, does it? RRAS routing does support it, but RRAS NAT is not good for VPN by definition.
Questions:
1) Can "Secondary connections" in "protocol definitions" help?
2) I have allowed UDP ports 500, 4500 and 10000, but only as "Send Receive". Could "Send", "Receive Send" or "Receive" help?
3) IP Packet filters are a little bit of mystery for me:

GRE 47 was created automatically when I enabled PPTP, but it is a kind of predefined "PPTP call" and "PPTP receive" protocol; I created ESP by simply adding "custom" protocol number 50, both directions.
Does it make sense to create filters for undefined protocols this way?

4) Again "Packet filters": I have created a UDP filter:
"custom"
UDP "sendreceive"
"local port: all ports"
"remote port: all ports"
When I created the filter, the "protocol number" value was 17. What is this?
Along with the local port options there are "fixed port/local port number" and "dynamic".
Does this filter make sense, and would it help to gamble with these other options?
Would it help to use these other options, and how?

5) I disabled "filtering IP fragments"; is that correct?
6) My clients are SecureNAT clients. I guess the LAT plays no role here, does it?

I don't know how to debug this thing at all.
This way I can experiment endlessly and never succeed.

Does anyone know of firewall devices other than ISA 2000 (not Cisco IOS, only on W2000) that support this?

Regards,
Vladimir

(in reply to spouseele)
Post #: 63
RE: How to pass IPSec traffic through ISA Server - 3.Dec.2003 11:06:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Vladimir,

check out http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=001993 and http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=002017 ! [Big Grin]

Thanks,
Stefaan

(in reply to spouseele)
Post #: 64
RE: How to pass IPSec traffic through ISA Server - 7.Dec.2003 1:55:00 PM   
krypto9t

 

Posts: 13
Joined: 1.Dec.2003
Status: offline
Stefan,

I have a lot to learn if I am going to understand the article you wrote, but was hoping you could clarify a basic understanding I have.

If I have a server in the DMZ (between a pix and an ISA) and I want it to use IPSEC to communicate with another server in the internal LAN, then I need to run ISA on Windows 2003?

(in reply to spouseele)
Post #: 65
RE: How to pass IPSec traffic through ISA Server - 7.Dec.2003 2:39:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi krypto9t,

in order to pass IPSec traffic through *any* NAT device, including ISA Server, the IPSec *endpoints* must support the IETF NAT Traversal solution.

In your case the IPSec endpoints are the DMZ server and an internal server, so those two hosts *must* run Win2003. On the other hand, ISA Server itself may run on Win2000, although we recommend Win2003 anyway.

HTH,
Stefaan

[ December 07, 2003, 02:40 PM: Message edited by: spouseele ]

(in reply to spouseele)
Post #: 66
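To make the "endpoints must support NAT Traversal" requirement concrete, here is an added example (not code from the thread or from Microsoft) of how two IKE peers notice that a NAT such as ISA's SecureNAT sits between them. The IKE NAT-Traversal draft that the article covers (later RFC 3947) has each side send NAT-D payloads containing HASH(CKY-I | CKY-R | IP | Port) over the address and port it believes it is using; the receiver recomputes the hash over the source it actually saw on the wire, and a mismatch means the packet was rewritten in transit. The cookies, the 10.0.0.5 client, the 203.0.113.x addresses and the translated port 1025 are constructed values, and SHA-1 is assumed as the negotiated phase-1 hash.

```python
import hashlib
import ipaddress
from typing import List, Tuple


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo: str = "sha1") -> bytes:
    """NAT-D payload value from the IKE NAT-Traversal draft (later RFC 3947):
    HASH(CKY-I | CKY-R | IP | Port), with IP as the raw address bytes and Port
    as 2 bytes big-endian. The hash is whatever phase 1 negotiated; SHA-1 is
    assumed here for the example."""
    h = hashlib.new(algo)
    h.update(cky_i)
    h.update(cky_r)
    h.update(ipaddress.ip_address(ip).packed)
    h.update(port.to_bytes(2, "big"))
    return h.digest()


def nat_between_peers(cky_i: bytes, cky_r: bytes, peer_hashes: List[bytes],
                      seen_ip: str, seen_port: int, algo: str = "sha1") -> bool:
    """Receiver-side check. The peer sent NAT-D hashes of the address and port it
    believes it is using; recompute over the source actually observed on the
    wire. If none matches, something rewrote the address or port, i.e. a NAT
    sits between the two IKE endpoints and UDP encapsulation must be used."""
    observed = nat_d_hash(cky_i, cky_r, seen_ip, seen_port, algo)
    return observed not in peer_hashes


def demo() -> Tuple[bool, bool]:
    # Constructed IKE cookies; real ones are random 8-byte values from each side.
    cky_i = bytes.fromhex("0102030405060708")
    cky_r = bytes.fromhex("1112131415161718")

    # Case 1: a SecureNAT client behind ISA. It only knows its private address
    # (constructed RFC 1918 value) and sends IKE from UDP port 500.
    client_nat_d = [nat_d_hash(cky_i, cky_r, "10.0.0.5", 500)]
    # The remote gateway sees ISA's external address (203.0.113.10 is a
    # documentation address) and, with port translation, a different source port.
    behind_isa = nat_between_peers(cky_i, cky_r, client_nat_d, "203.0.113.10", 1025)

    # Case 2: the same client moved outside ISA with a public address: the
    # gateway sees exactly what the client hashed, so no NAT is detected.
    outside_nat_d = [nat_d_hash(cky_i, cky_r, "203.0.113.20", 500)]
    outside_isa = nat_between_peers(cky_i, cky_r, outside_nat_d, "203.0.113.20", 500)
    return behind_isa, outside_isa


if __name__ == "__main__":
    print(demo())  # (True, False)
```

This is also why testing from a host outside ISA, as suggested earlier in the thread, proves nothing about the NAT case: with a public address on the client the hashes agree and the peers never switch to UDP encapsulation. Because the port is part of the hash, plain address translation and port translation are detected alike, and a peer that does not implement NAT-D simply never sends these payloads, so the other side cannot negotiate NAT-T with it.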
RE: How to pass IPSec traffic through ISA Server - 8.Dec.2003 1:28:00 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mario,

Please read the NAT-T articles in the ISA Server 2000 VPN Deployment Kit. You DO NOT need to create filters for IP level protocols.

HTH,
Tom

(in reply to spouseele)
Post #: 67
RE: How to pass IPSec traffic through ISA Server - 8.Dec.2003 4:44:00 PM   
MattYurek

 

Posts: 34
Joined: 11.Apr.2001
From: Norwalk, CT
Status: offline
The NAT-T update for Windows 2000 is missing from the Catalog website. The XPSP1 update is still there.

Does anyone have any idea where I can find the Windows 2000 update?

Thanks

(in reply to spouseele)
Post #: 68
RE: How to pass IPSec traffic through ISA Server - 9.Dec.2003 12:09:00 AM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Matt,

I just checked it and found it for the OS Windows 2000 Professional SP4 with 818043 in the advanced search options.

HTH,
Stefaan

(in reply to spouseele)
Post #: 71
RE: How to pass IPSec traffic through ISA Server - 9.Dec.2003 8:36:00 AM   
krypto9t

 

Posts: 13
Joined: 1.Dec.2003
Status: offline
Stefaan,

Thank you for your response. I have another question.

In the scenario (Server in DMZ ---- ISA ---- Internal LAN Server) that I mentioned, all my servers are running W2K. Is it plausible then to bypass NAT Traversal by creating one IPSec policy between the server in the DMZ and the external NIC of the ISA box, and another IPSec policy between the internal NIC of the ISA box and the server on the LAN? e.g.

DMZ Server <----IPSEC POLICY1----> External ISA NIC-ISA Server in the Middle-INTERNAL ISA NIC <-----IPSEC POLICY2----> INTERNAL SERVER

(in reply to spouseele)
Post #: 72
RE: How to pass IPSec traffic through ISA Server - 9.Dec.2003 7:58:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi krypto9t,

can you explain why you want to use IPSec between the DMZ server and an internal server?

Thanks,
Stefaan

(in reply to spouseele)
Post #: 73
RE: How to pass IPSec traffic through ISA Server - 10.Dec.2003 1:08:00 PM   
krypto9t

 

Posts: 13
Joined: 1.Dec.2003
Status: offline
Stefaan,

The reason would be to have the highest level of security for the information that would be coming from the server on the internal LAN. The DMZ server is a web server and the internal LAN server is a SQL box with sensitive data.

(in reply to spouseele)
Post #: 74
RE: How to pass IPSec traffic through ISA Server - 10.Dec.2003 8:42:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi krypto9t,

I would be more afraid of a badly written web application and a misconfigured SQL server in the first place. [Big Grin]
I suggest you take some time and follow the Microsoft webcast http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032241476&Culture=en-US .

Don't get me wrong, implementing IPSec between the frontend and backend server is a good solution BUT it only makes sense if all other components in the chain are perfectly implemented, including the access to the web server (i.e. HTTPS with strong user authentication).

HTH,
Stefaan

(in reply to spouseele)
Post #: 75
RE: How to pass IPSec traffic through ISA Server - 17.Dec.2003 5:10:00 PM   
Guest
I am having great difficulty doing all of the above, but in reverse. The Cisco clients are on the Internet and the Cisco Concentrator 3000 is behind the ISA firewall. What do I need to do to allow NAT-T inbound to the concentrator?

Brian Reid

(in reply to spouseele)
  Post #: 76
RE: How to pass IPSec traffic through ISA Server - 17.Dec.2003 8:33:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Brian,

you need to server publish the Cisco Concentrator 3000. Basically you need to create the two protocol definitions, but with receive/send, use each of them in a server publishing rule, and disable the IPSec service on the ISA server. For more info, check out http://www.tacteam.net/isaserverorg/vpnkitbeta2/b2bnat-t.htm , section 'Installing and Configuring the External ISA Server firewall'.

HTH,
Stefaan

(in reply to spouseele)
Post #: 77
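The two protocol definitions in the answer above are UDP 500 and UDP 4500, and the second one has to carry three different things. This added example (not from the thread or from the VPN Deployment Kit) demultiplexes UDP payloads on those ports the way the UDP Encapsulation draft (later RFC 3948) specifies: on UDP 500 everything is IKE; on UDP 4500 an IKE packet is prefixed with a 4-byte all-zero non-ESP marker, an ESP packet starts directly with its SPI (SPI 0 is reserved, so the two never collide), and a single 0xFF byte is a NAT keepalive. This is also why the same published port must admit ESP-in-UDP as well as IKE, and why the local IPSec service on the ISA machine has to be disabled: the host's own IKE service would otherwise own UDP 500 and 4500 on the external interface. The cookies, the SPI 0xDEADBEEF and the packet bodies are constructed, not captured traffic.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

NON_ESP_MARKER = b"\x00\x00\x00\x00"       # RFC 3948: marks IKE, not ESP, on UDP 4500
NAT_KEEPALIVE = b"\xff"                    # RFC 3948: one-byte keepalive on UDP 4500
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # cookies, next payload, version, exchange, flags, msgid, length


@dataclass
class Classified:
    kind: str                       # "ike", "esp" or "keepalive"
    spi: Optional[int] = None
    seq: Optional[int] = None
    cookies: Optional[Tuple[str, str]] = None


def parse_isakmp(data: bytes) -> Classified:
    """Pull the two cookies out of a plain IKE (ISAKMP) header and sanity-check the length field."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    cky_i, cky_r, _np, _ver, _xchg, _flags, _msgid, length = ISAKMP_HDR.unpack(data[:ISAKMP_HDR.size])
    if length != len(data):
        raise ValueError("ISAKMP length field does not match payload")
    return Classified("ike", cookies=(cky_i.hex(), cky_r.hex()))


def classify(dport: int, payload: bytes) -> Classified:
    """Classify a UDP payload arriving on the two NAT-T ports.
    UDP 500 carries only IKE. UDP 4500 carries IKE (prefixed by the non-ESP
    marker), ESP (header directly after UDP) and keepalives, so a single
    'UDP 4500 receive/send' definition must admit all three."""
    if dport == 500:
        return parse_isakmp(payload)
    if dport != 4500:
        raise ValueError(f"port {dport} is not an IKE/NAT-T port")
    if payload == NAT_KEEPALIVE:
        return Classified("keepalive")
    if payload.startswith(NON_ESP_MARKER):
        return parse_isakmp(payload[len(NON_ESP_MARKER):])
    if len(payload) < 8:
        raise ValueError("too short for an ESP header")
    # ESP: SPI then sequence number. SPI 0 is reserved, which is exactly why the
    # all-zero marker can never be mistaken for a real ESP packet.
    spi, seq = struct.unpack("!II", payload[:8])
    if spi == 0:
        raise ValueError("reserved SPI 0")
    return Classified("esp", spi=spi, seq=seq)


def build_samples() -> Dict[str, Tuple[int, bytes]]:
    """Constructed packets, not captures: a main-mode IKE packet on UDP 500, the
    same IKE header after the switch to UDP 4500, an ESP packet with a made-up
    SPI and opaque ciphertext, and a keepalive."""
    cky_i, cky_r = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")
    body = b"\x00" * 36                      # stands in for the SA payload bytes
    ike = ISAKMP_HDR.pack(cky_i, cky_r, 1, 0x10, 2, 0, 0, ISAKMP_HDR.size + len(body)) + body
    esp = struct.pack("!II", 0xDEADBEEF, 7) + b"\xa5" * 48   # 0xDEADBEEF: constructed SPI
    return {
        "ike_main_mode": (500, ike),
        "ike_after_nat_t": (4500, NON_ESP_MARKER + ike),
        "esp_in_udp": (4500, esp),
        "keepalive": (4500, NAT_KEEPALIVE),
    }


def classify_samples() -> Dict[str, str]:
    return {name: classify(port, data).kind for name, (port, data) in build_samples().items()}


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(f"{name:16s} -> {result}")
```

Run against a real capture this is the quickest way to tell whether the peers actually switched to UDP 4500 after detecting the NAT: a tunnel that shows IKE on 500 but no ESP-in-UDP on 4500 afterwards matches the "connected but nothing passes" symptom reported earlier in the thread, because the ESP is still going out as raw IP protocol 50, which the NAT cannot carry.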
RE: How to pass IPSec traffic through ISA Server - 17.Dec.2003 8:52:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Stefaan,

I believe you have the most popular thread in the history of ISAServer.org!

[Big Grin]
Thanks!
Tom

(in reply to spouseele)
Post #: 78
RE: How to pass IPSec traffic through ISA Server - 17.Dec.2003 11:58:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tom,

VPN scenarios, particularly when IPSec is involved, are very fascinating. That also explains the great success of your excellent VPN Deployment Kit! [Cool]

Thanks,
Stefaan

(in reply to spouseele)
Post #: 79
RE: How to pass IPSec traffic through ISA Server - 20.Mar.2004 5:39:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hey guys,

just to let you know I've updated the article with the latest IETF RFC 3715, IPsec-NAT Compatibility Requirements. The IETF Internet Drafts "Negotiation of NAT-Traversal in the IKE" and "UDP Encapsulation of IPsec Packets" are now at version 8.
I have also added some links to two excellent Microsoft webcasts and to a forum topic about the Cisco VPN client.

Once the IETF drafts become RFCs, I will revise the article and add some more info about specific implementations.

HTH,
Stefaan

(in reply to spouseele)
Post #: 80