RE: How to pass IPSec traffic through ISA Server
RE: How to pass IPSec traffic through ISA Server - 25.Mar.2004 8:56:00 PM
networklab
Posts: 2
Joined: 25.Mar.2004
From: In the Lab
Status: offline
quote: Originally posted by spouseele: Hey guys,
just to let you know I've updated the article with the latest IETF Internet RFC 3715 IPsec-NAT Compatibility Requirements. The IETF Internet Drafts Negotiation of NAT-Traversal in the IKE and UDP Encapsulation of IPsec Packets have now version 8. I added also some links to two excellent Microsoft Webcasts and to a forum topic about the Cisco VPN client.
Once the IETF drafts become an RFC, I will revise the article and add some more info about specific implementations.
HTH, Stefaan
RE: How to pass IPSec traffic through ISA Server - 25.Mar.2004 9:16:00 PM
networklab
Posts: 2
Joined: 25.Mar.2004
From: In the Lab
Status: offline
quote: Originally posted by Nig: quote: Originally posted by spouseele: Hey guys,
just to let you know I've updated the article with the latest IETF Internet RFC 3715 IPsec-NAT Compatibility Requirements. The IETF Internet Drafts Negotiation of NAT-Traversal in the IKE and UDP Encapsulation of IPsec Packets have now version 8. I added also some links to two excellent Microsoft Webcasts and to a forum topic about the Cisco VPN client.
Once the IETF drafts become an RFC, I will revise the article and add some more info about specific implementations.
HTH, Stefaan
Well that was a good first posting!
Read your article with interest after looking for some info on getting Nortel Contivity client thru' ISA.
I have a number of clients using Contivity without problems. These reside behind Cisco, ICS machines, Linksys routers, 3Com routers and so on. Couple this with the fact that we front our Contivity switches with Watchguards, and it makes me wonder why this has to be so hard when you introduce ISA!
All I want to do is forward udp500 (AISI, this should be forwarded by default on ISA) and IP protocol 50. This is what everything else I've come into contact with has required, but how do you set the IP protocol on ISA? I can create udp or tcp filters but not ip ones. Do you know if this is possible? I have set a custom protocol in IP Packet Filters, but I think this doesn't actually mean IP protocols in the proper sense.
As regards the article, you show screendumps of IPSec setup on an ISA server. How do I get to these panels? Can't see anything IPSec related on this here 2K server. I also can't see anything when I try to add the service.
Cheers,
Nig
RE: How to pass IPSec traffic through ISA Server - 15.Apr.2004 3:32:00 PM
Guest
I am trying to get SecuRemote Client 4.1 SP5 to communicate through ISA. I have read many of the discussions but cannot get it to work 100%.
The scenario is <CheckPoint VPN> -- <Internet> -- <ISA 2k / W2k> -- <DMZ> -- <ISA 2k / W2k> -- <LAN> -- <Client>. I have placed the client in the DMZ and was able to get authenticated but could not proceed beyond that point. I moved the client outside of ISA and all works fine.
I am not an ISA or network expert so I really do not know how to determine what is failing. I have tried sniffing the packets to see what is being sent but could not see anything that popped out as being wrong.
Does anyone know if SecuRemote Client 4.1 SP5 will work behind ISA? If so is there any specific documentation that would walk me through the proper configuration of ISA so that I can get the SecuRemote Client operational behind ISA?
RE: How to pass IPSec traffic through ISA Server - 17.Apr.2004 11:46:00 AM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi dyerj,
I haven't first hand experience with the SecuRemote Client. From the information that I gathered in the forums it should work if you have CheckPoint 4.1 SP6 or NG1 FP1 or higher. I suggest you check out http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=001107 for more info.
HTH, Stefaan
RE: How to pass IPSec traffic through ISA Server - 7.Jun.2004 8:32:00 PM
sroshan
Posts: 1
Joined: 7.Jun.2004
Status: offline
Hi Stefan,
I am running a small network with internet connected thru DSL to ISA 2000 with SP2.
A few users (Win XP) need to connect to an external VPN server, but when I try to connect I get the error "678, the computer did not respond".
I already create ports 4500 and 500 on the ISA Server but still unable to connect. I can connect from the ISA Server itself.
Please help and guide the procedure I have to follow.
RE: How to pass IPSec traffic through ISA Server - 7.Jun.2004 9:39:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Roshan,
what is the VPN protocol used: PPTP or L2TP/IPSec?
HTH, Stefaan
RE: How to pass IPSec traffic through ISA Server - 7.Jul.2004 3:56:00 AM
Guest
Hi there, I have recently setup a vpn to pass through ISA server using Netscreen Remote v8.
I found that I must create a protocol definition in ISA on "UDP port 20358 direction receive" to connect to the remote server.
Hope this helps.
Stephen
RE: How to pass IPSec traffic through ISA Server - 19.Jul.2004 3:47:00 AM
Guest
|
Hi Stefaan,
I followed the info provided by Netscreen and your article. It managed to connect to the remote VPN gateway (a Netscreen 5GT), but I just can't telnet to any server behind the VPN gateway.
After checking the ISA log, I found that port 20358 was blocked in ISA. I created the protocol definition and it works now!
The problem I encounter now is that the connection times out very fast. I'm wondering where I should change the timeout setting? Anyway, thanks for your reply.
regards, Stephen
RE: How to pass IPSec traffic through ISA Server - 1.Aug.2004 2:14:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Stephen,
that's weird! Once the VPN connection is up, all traffic destined for the remote site should go through the VPN tunnel. Therefore it is completely shielded for the ISA server. So, the ISA server can *not* even interfere with that traffic!
Are you sure that the client PC is configured as SecureNAT client only when the VPN connection is up?
HTH, Stefaan
RE: How to pass IPSec traffic through ISA Server - 29.Jan.2005 8:49:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hey guys,
just to let you know I've updated the article with the latest IETF Internet RFCs 3947 Negotiation of NAT-Traversal in the IKE and 3948 UDP Encapsulation of IPsec Packets. This completes at last the standardization process of the IPsec NAT Traversal solution.
Also, it is a pity that the two excellent Microsoft Technet Webcasts "IPsec and NAT-T : Finally in Harmony? (Level 400)" and "Demystifying IPsec (Level 400)" given by Steve Riley are no longer available on the Microsoft Webcast site. However, on Steve Riley's website you should be able to find the excellent powerpoint presentation IPsec and NAT: Finally in harmony . HTH, Stefaan
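The two RFCs named above define what actually travels over UDP port 4500 once NAT-T is negotiated: IKE messages prefixed by a four-byte Non-ESP marker, ESP packets whose first four bytes are the SPI, and a one-byte NAT keepalive. The following demultiplexer is an added example written for this thread, not code from the article or from any VPN product discussed here; it shows how a firewall or capture tool can tell those three apart, which is useful when deciding whether a client behind ISA ever got past IKE into ESP data. The datagrams at the bottom are constructed by hand so it runs offline.

```python
"""Demultiplex datagrams arriving on UDP port 4500 as RFC 3948 (UDP
Encapsulation of IPsec ESP Packets) and RFC 3947 (NAT-T in IKE) define.

Added example for this thread; not code from the article or any VPN
product discussed here. Sample datagrams are constructed by hand.
"""
import struct
from collections import Counter

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 s.2.2: IKE on 4500 carries 4 zero bytes first
NAT_KEEPALIVE = b"\xff"               # RFC 3948 s.2.3: one-octet keepalive, nothing else
ISAKMP_HEADER_LEN = 28                # RFC 2408 s.3.1: cookies, flags, message id, length


def classify_udp4500(payload: bytes) -> dict:
    """Say what a UDP/4500 payload is: keepalive, IKE, ESP or malformed.

    The marker is unambiguous because an ESP SPI of 0 is reserved, so four
    leading zero bytes can only mean "an IKE header follows".
    """
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:
        return {"kind": "malformed", "reason": "shorter than an ESP header"}
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < ISAKMP_HEADER_LEN:
            return {"kind": "malformed", "reason": "truncated IKE header"}
        (i_spi, r_spi, next_payload, version, exch_type,
         flags, msg_id, length) = struct.unpack("!8s8sBBBBII", ike[:ISAKMP_HEADER_LEN])
        return {
            "kind": "ike",
            "initiator_spi": i_spi.hex(),
            "responder_spi": r_spi.hex(),
            "major_version": version >> 4,    # 1 for IKEv1, 2 for IKEv2
            "exchange_type": exch_type,       # IKEv1: 2 = main mode, 4 = aggressive
            "message_id": msg_id,
            "length_ok": length == len(ike),  # header length must match what arrived
        }
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq, "encrypted_len": len(payload) - 8}


def summarize(datagrams) -> Counter:
    """Count payload kinds in a capture: a session that shows only IKE and
    keepalives never reached the data (ESP) stage."""
    return Counter(classify_udp4500(d)["kind"] for d in datagrams)


# --- constructed samples (not real traffic) ---
# IKEv1 main-mode first message: initiator cookie set, responder cookie
# still zero, next payload 1 (SA), version 1.0, no body beyond the header.
SAMPLE_IKE = NON_ESP_MARKER + struct.pack(
    "!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, 1, 0x10, 2, 0, 0, ISAKMP_HEADER_LEN)
# ESP with SPI 0x12345678, sequence 1 and 16 bytes of fake ciphertext.
SAMPLE_ESP = struct.pack("!II", 0x12345678, 1) + b"\xaa" * 16
SAMPLES = [NAT_KEEPALIVE, SAMPLE_IKE, SAMPLE_ESP, NAT_KEEPALIVE]

if __name__ == "__main__":
    for d in SAMPLES:
        print(classify_udp4500(d))
    print(summarize(SAMPLES))
```

Feeding the function the UDP payloads from a NetMon or similar trace of the ISA external interface shows at a glance whether a stalled client is retrying IKE, exchanging only keepalives, or already moving ESP.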
RE: How to pass IPSec traffic through ISA Server - 15.Mar.2005 11:19:00 AM
sdsmtss
Posts: 45
Joined: 5.Nov.2003
Status: offline
Hi Stefaan,
I just wanted to share my findings when I used Server 2003/ISA 2004 to pass IPSec traffic. My setup consisted of an ISA Server 2004 machine, a Server 2003 machine on my internal network and a Windows XP machine on the external network. When I published my internal server's UDP ports 500 and 4500 I was unable to ping the external IP used in the publishing rule from my external Windows XP machine. There were actually a couple of problems. The first problem was that I had to disable "IPSec Services" on the ISA server machine. The second problem was that the NoDefaultExempt registry key had to be changed so that it was the same on both the Windows XP and Server 2003 machines, because they aren't by default. (Some guy actually sent me a tin of chocolates when I helped him with the NoDefaultExempt problem on another message board.)
After I made those changes, I was able to ping both ways but that didn't last long. If I ping the external client from the internal server, it works but about ten minutes later it doesn't work. I can't ping either way :confused: Then after I wait awhile, it works again. If I would only initiate the ping from the external client, then it would always work. I'm not 100% sure but I think the problem is related to me having multiple IPs on the external interface of the ISA Server. This problem seems to disappear if I am using the first (default) IP listed for the publishing rule. So if I am correct, then you can only publish IPSec for one server using ISA 2004. I wanted to publish two :(
A very big mistake that I made while testing was to switch the default IP on my external interface. I also use this ISA Server to publish Exchange. Everything seemed to be working fine until somebody complained to me about emails being rejected by The University of Minnesota's email server. Since all outgoing traffic was being sent from the new default IP which didn't match my MX record, they blocked my server. I'm getting a little off topic so maybe I should end now.
If you have successfully published multiple servers using IPSec then please let me know how.
Thanks, Stephen
RE: How to pass IPSec traffic through ISA Server - 24.May2005 4:19:00 AM
doerr.sebastian
Posts: 1
Joined: 24.May2005
Status: offline
Hi to all,
this article is very close to my problem. On the customer site I am using an SBS2003 (standard) and a Lancom router. This works excellently for the customer's Internet and E-Mail traffic and my VPN dial-in for administration out of my home office (direct Internet connection). Trying to make a connection from my office (there is also an SBS2003 standard there) won't work. SBS does the Internet connection (no ISA, no router is involved). The connection is established with my client but the protocol shows that there is only traffic in one direction. Lancom Support says that I have to enable IPSEC Passthru on my SBS but could not tell me how to do that. Is anyone able to tell me how to enable my SBS for passing IPSEC thru?
Best Regards SD from Germany
RE: How to pass IPSec traffic through ISA Server - 24.May2005 2:09:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi SD,
I'm sorry, but I have no experience at all with SBS. Re-post your question in a new topic and hopefully somebody is able to answer your specific question.
HTH, Stefaan
RE: How to pass IPSec traffic through ISA Server - 6.Sep.2005 11:08:00 AM
itsupport@resi.com.au
Posts: 1
Joined: 6.Sep.2005
Status: offline
Stefaan,
Only yesterday I was given the task of installing the Cisco VPN Client to a 3rd party company.
By passing our MS ISA 2000 Server via an external IP address, the VPN connection worked.
However when tried to go through the ISA 2000 server the client would not connect.
I configured our ISA server as per point 3 of your article http://www.isaserver.org/articles/IPSec_Passthrough.html but with no luck.
The 3rd party is using a Cisco VPN Concentrator 3005, they gave me Cisco VPN client 2.5 to install.
Any hints would be greatly appreciated.
ITSupportRMC
RE: How to pass IPSec traffic through ISA Server - 6.Sep.2005 2:32:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi ITSupportRMC,
1. to my knowledge the Cisco VPN client should be version 3.6 or later. Check out section '5.2. Cisco'.
2. don't forget to read section '4. Configuring ISA Clients' too!
HTH, Stefaan
RE: How to pass IPSec traffic through ISA Server - 7.Apr.2006 7:16:12 AM
itsuncoast
Posts: 7
Joined: 17.Mar.2006
Status: offline
Hi, I mistakenly sent you a personal message a couple of weeks ago about my issue. I have a 2000 SBS and am trying to get a Cisco VPN Client v4.8 through without success. The concentrator admin says NAT-T is enabled and I have read your article and subsequent posts but still no luck. I have copied some of the relevant lines from the logs below. I am certainly no expert but I can't see where anything is getting blocked. I have asked the Cisco admin to look at any logs his end but haven't heard back yet. I just want to make sure my end is right before I start pointing fingers.

#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Date: 2006-04-05 00:00:23
#Fields: date time source-ip destination-ip protocol param#1 param#2 tcp-flags filter-rule interface ip-header
2006-04-05 01:06:45 210.193.241.42 203.0.220.234 Udp 51351 500 - ALLOWED 210.193.241.42 45 00 03 88 77 73 00 00 80 11 00 00 d2 c1 f1 2a cb 00 dc ea
2006-04-05 01:06:51 210.193.241.42 203.0.220.234 Udp 51351 500 - ALLOWED 210.193.241.42 45 00 03 88 77 e7 00 00 80 11 00 00 d2 c1 f1 2a cb 00 dc ea
2006-04-05 01:06:56 210.193.241.42 203.0.220.234 Udp 51351 500 - ALLOWED 210.193.241.42 45 00 03 88 78 a4 00 00 80 11 00 00 d2 c1 f1 2a cb 00 dc ea
2006-04-05 01:07:01 210.193.241.42 203.0.220.234 Udp 51351 500 - ALLOWED 210.193.241.42 45 00 03 88 7a be 00 00 80 11 00 00 d2 c1 f1 2a cb 00 dc ea

#Fields: c-ip cs-username c-agent date time s-computername r-host r-ip r-port time-taken cs-bytes sc-bytes cs-protocol cs-transport s-operation sc-status sessionid connectionid
192.168.0.200 - - 2006-04-07 02:17:25 SERVER - - - 16 - - 0 UDP Bind 0 2 1
192.168.0.200 - - 2006-04-07 02:17:25 SERVER - 203.0.220.234 500 - - - 500 UDP UdpMap 0 2 1
192.168.0.200 - - 2006-04-07 02:19:53 SERVER - 203.0.220.234 500 147672 7008 - 500 UDP UdpMap 20000 2 1
192.168.0.200 - - 2006-04-07 02:19:53 SERVER - - - 147703 7008 - 0 UDP Bind 20001 2 1

#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Date: 2006-04-07 02:27:10
#Fields: c-ip cs-username c-agent sc-authenticated date time s-svcname s-computername cs-referred r-host r-ip r-port time-taken cs-bytes sc-bytes cs-protocol cs-transport s-operation cs-uri cs-mime-type s-object-source sc-status s-cache-info rule#1 rule#2 sessionid connectionid
192.168.0.200 - - N 2006-04-07 02:30:49 fwsrv SERVER - - - - - - - 0 UDP Bind - - - 0 - Users - 5 4
192.168.0.200 - - N 2006-04-07 02:30:49 fwsrv SERVER - - 203.0.220.234 500 - - - 500 UDP UdpMap - - - 0 - IPSec Pass Thru-All Users Allow rule 5 4
192.168.0.200 - - N 2006-04-07 02:32:06 fwsrv SERVER - - 203.0.220.234 500 77437 3504 - 500 UDP UdpMap - - - 20000 - IPSec Pass Thru-All Users Allow rule 5 4
192.168.0.200 - - N 2006-04-07 02:32:06 fwsrv SERVER - - - - 77437 3504 - 0 UDP Bind - - - 20001 - Users - 5 4

Any assistance would be greatly appreciated by myself and my customer who is becoming less patient. Thanks, Neil
RE: How to pass IPSec traffic through ISA Server - 7.Apr.2006 1:26:15 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Neil, according to the info given, it sounds like the IKE negotiation starts but no response is received. What is the Cisco VPN client logging telling you? How far does the IKE negotiation get? A NetMon trace on the ISA external interface can also give some useful information. BTW --- for the Cisco VPN client logging, check out http://forums.isaserver.org/m_130199300/mpage_1/tm.htm. HTH, Stefaan
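The diagnosis above rests on reading the ISA packet-filter log: outbound UDP/500 packets to the concentrator every five seconds or so, and nothing logged coming back. The following script is an added example, not part of the thread and not an ISA tool; it parses log lines in the layout Neil's post shows (a `#Fields:` header followed by space-separated records whose last column, `ip-header`, is a run of hex bytes) and reports IKE flows that were sent repeatedly without any reply. The sample lines are constructed, using documentation-range addresses rather than the ones in the post; the one flow that does get an answer is there to show the difference.

```python
"""Spot IKE (UDP/500) negotiations that leave the firewall but never get an
answer, from ISA Server 2000 packet-filter log lines.

Added example; not part of the thread and not ISA's own tooling. It assumes
the W3C-style layout the post shows: a '#Fields:' line naming the columns,
then space-separated records ending in an 'ip-header' column of hex bytes.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample in the packet-filter log layout. Addresses are from
# documentation ranges (192.0.2.10 = ISA external interface).
SAMPLE_LOG = """\
#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Date: 2006-04-05 00:00:23
#Fields: date time source-ip destination-ip protocol param#1 param#2 tcp-flags filter-rule interface ip-header
2006-04-05 01:06:45 192.0.2.10 198.51.100.7 Udp 51351 500 - ALLOWED 192.0.2.10 45 00 03 88 77 73 00 00 80 11 00 00 c0 00 02 0a c6 33 64 07
2006-04-05 01:06:51 192.0.2.10 198.51.100.7 Udp 51351 500 - ALLOWED 192.0.2.10 45 00 03 88 77 e7 00 00 80 11 00 00 c0 00 02 0a c6 33 64 07
2006-04-05 01:06:56 192.0.2.10 198.51.100.7 Udp 51351 500 - ALLOWED 192.0.2.10 45 00 03 88 78 a4 00 00 80 11 00 00 c0 00 02 0a c6 33 64 07
2006-04-05 01:07:01 192.0.2.10 198.51.100.7 Udp 51351 500 - ALLOWED 192.0.2.10 45 00 03 88 7a be 00 00 80 11 00 00 c0 00 02 0a c6 33 64 07
2006-04-05 01:10:02 192.0.2.10 203.0.113.9 Udp 51352 500 - ALLOWED 192.0.2.10 45 00 01 0c 11 22 00 00 80 11 00 00 c0 00 02 0a cb 00 71 09
2006-04-05 01:10:02 203.0.113.9 192.0.2.10 Udp 500 51352 - ALLOWED 192.0.2.10 45 00 00 c8 33 44 00 00 3c 11 00 00 cb 00 71 09 c0 00 02 0a
"""


def parse_packet_filter_log(text):
    """Yield one dict per record, keyed by the names from the #Fields line."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields line
        cols = line.split(None, len(fields) - 1)  # keep the hex tail in one column
        if len(cols) != len(fields):
            continue  # truncated record: skip rather than misalign columns
        rec = dict(zip(fields, cols))
        try:
            hdr = bytes.fromhex(rec["ip-header"].replace(" ", ""))
        except ValueError:
            hdr = b""
        # Cross-check the logged protocol against the IP header itself.
        rec["ip_total_length"] = int.from_bytes(hdr[2:4], "big") if len(hdr) >= 4 else None
        rec["ip_protocol"] = hdr[9] if len(hdr) >= 10 else None
        yield rec


def direction(rec):
    """Outbound when the packet's source is the logged interface address."""
    return "out" if rec["source-ip"] == rec["interface"] else "in"


def find_unanswered_ike(records, min_sends=3):
    """Group UDP/500 traffic per (local ip, local port, remote ip) and report
    flows where the initiator kept retransmitting and nothing came back."""
    flows = defaultdict(lambda: {"sends": [], "replies": 0, "blocked": 0})
    for rec in records:
        if rec["protocol"].lower() != "udp":
            continue
        sport, dport = rec["param#1"], rec["param#2"]
        if direction(rec) == "out" and dport == "500":
            key = (rec["source-ip"], sport, rec["destination-ip"])
            flows[key]["sends"].append(
                datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S"))
        elif direction(rec) == "in" and sport == "500":
            key = (rec["destination-ip"], dport, rec["source-ip"])
            flows[key]["replies"] += 1
        else:
            continue
        if rec["filter-rule"].upper() != "ALLOWED":
            flows[key]["blocked"] += 1  # ISA itself dropped it: a local problem
    findings = []
    for (local, lport, remote), f in flows.items():
        if len(f["sends"]) >= min_sends and f["replies"] == 0:
            gaps = [(b - a).total_seconds() for a, b in zip(f["sends"], f["sends"][1:])]
            findings.append({"local": local, "local_port": lport, "remote": remote,
                             "sends": len(f["sends"]), "replies": 0,
                             "blocked_by_isa": f["blocked"],
                             "mean_gap_s": round(sum(gaps) / len(gaps), 1)})
    return findings


if __name__ == "__main__":
    for finding in find_unanswered_ike(parse_packet_filter_log(SAMPLE_LOG)):
        print(finding)
```

A flow reported with `blocked_by_isa` of zero and no replies, as in the constructed sample, means ISA let the IKE packets out and never saw an answer, which points at the path or the peer rather than the local rules; a non-zero `blocked_by_isa` would instead point back at the ISA configuration.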