RE: IPSEC

  • From: "Gary Anderson" <gary.anderson@xxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 8 Jan 2002 13:04:12 +0100

Stefaan,

Do you have any URLs on this?

It seems like a strange idea.  Why would you want to compromise security
to implement a security feature?

I was working for a client once when an HP engineer asked to set up an IPSec
connection like this.  I told him that it didn't make sense.  He swore that HP
was using it on its client sites throughout France but he couldn't tell me how.
Now, I'm starting to see how they did it.

It seems like a stupid idea.  Imagine installing something like Reverse WWW
Shell that would use this mechanism.

A+,

Gary

-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxx]
Sent: Tuesday, January 08, 2002 12:18
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: IPSEC


http://www.ISAserver.org


Hi Vald,

the answer is yes and no ;-)

It depends on the IPSEC implementation. The big VPN vendors (Checkpoint,
Cisco, Redcreek, Netscreen, ...) have a solution to UDP-encapsulate IPSEC
traffic to get through NAPT devices. This should work because the traffic
ISA sees is UDP traffic.

From what I was told, the Microsoft IPSEC client will support UDP
encapsulation for L2TP/IPSEC from .NET release onwards.

More info at www.isaserver.org in the message boards. Some time ago there
were some interesting discussions about it (Secure Remote from Checkpoint
and Cisco VPN3000).


Hope this helps,
Stefaan

-----Original Message-----
From: Vald [mailto:vald@xxxxxxxxxxxxxxxx]
Sent: Tuesday, 8 January 2002 11:40
To: [ISAserver.org Discussion List]
Subject: [isalist] IPSEC



Is it possible to initiate an IPSEC VPN connection to an external endpoint
from a client internal to an ISA Server, assuming 50 and 51 are open and IP
fragments aren't being blocked?

I think the answer is no for the following reasons:

1. NAT - IPSEC isn't going to like the packet being modified en route

2. It would be undesirable from a security standpoint, bearing in mind the
contents of the packet could not be checked and all manner of viruses etc.
could be passed through to the internal network.

I haven't got the right equipment to be able to test this to get the
definitive answer. Can anyone help?

Vald

----- Original Message -----
From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, January 08, 2002 9:03 AM
Subject: [isalist] RE: PPTP VPN


> Hi Brad,
>
> to my knowledge, you can't publish an 'internal' VPN server. Server
> publishing works only for TCP/UDP protocols, not PPTP (IP 47 GRE) or IPSEC
> (IP 50 and IP 51).
>
> Why not make the ISA server the VPN server? That's a supported
> configuration...
>
> Hope this helps,
> Stefaan
>
> -----Original Message-----
> From: Brad Slaughter [mailto:brads@xxxxxxxxx]
> Sent: Tuesday, 8 January 2002 1:03
> To: [ISAserver.org Discussion List]
> Subject: [isalist] PPTP VPN
>
>
> ISA has again perplexed me, and I'm afraid that I could really use some
> help.  I want to create a VPN server using RRAS, but not on the same
> server as ISA.  Can I create a protocol definition for VPN and then
> publish it using the external interface of the ISA server and the external
> interface of the VPN server?  This doesn't seem to be working, and I
> cannot for the life of me discern what it is that I am doing wrong. The path
> from the Internet to the VPN is as follows.
> <--65.X.X.X~Router~192.168.0.X--> <--192.168.0.X(65.X.X.X VIP's)~ISA~172.16.1.X--> switch <--172.16.1.X~VPN~192.168.1.X--> <--internal lan-->
>
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> stefaan.pouseele@xxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')
>
>




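The UDP encapsulation Stefaan describes, and the NAT problem Vald raises as reason 1, worked through as an added example (this is not code from the thread or from any of the vendors named in it). It uses the later IETF format, RFC 3948 UDP-encapsulated ESP on port 4500 with a four-zero-byte "non-ESP marker" in front of IKE, which postdates this 2002 thread; the vendor schemes discussed on the list used their own ports and framing. Keys, addresses and the inner packet are constructed. The example shows three things: AH's integrity check covers the outer source address, so any address rewrite breaks it; ESP's integrity check covers only the ESP header and body, so a 1:1 address rewrite leaves it valid and the real obstacle for ESP behind a port-translating NAT is that there is no port to translate; and wrapping ESP in UDP gives the NAPT device (and a firewall such as ISA) an ordinary UDP flow to translate and filter, with the receiver demultiplexing IKE and ESP on the same port.

```python
import hashlib
import hmac
import socket
import struct

# Constructed demo key and constants (not from the original thread).
AUTH_KEY = bytes.fromhex("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b")
NAT_T_PORT = 4500                     # RFC 3948: UDP-encapsulated ESP and IKE
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefix on IKE sent over 4500; an ESP SPI is never 0
ICV_LEN = 12                          # HMAC-SHA1-96 truncated ICV (RFC 2404)
PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51


def icv(data):
    return hmac.new(AUTH_KEY, data, hashlib.sha1).digest()[:ICV_LEN]


def ip_packet(src, dst, proto, payload):
    """Outer IPv4 header reduced to the fields a NAT box rewrites."""
    return {"src": src, "dst": dst, "proto": proto, "payload": payload}


def ah_packet(src, dst, spi, seq, inner):
    """AH (IP 51): ICV covers the immutable IP header fields, including the
    source and destination address, plus the AH header (ICV zeroed) and payload."""
    hdr = struct.pack("!BBHII", 4, 4, 0, spi, seq)   # next=IPv4 (tunnel), len=4 words
    covered = socket.inet_aton(src) + socket.inet_aton(dst) + hdr + bytes(ICV_LEN) + inner
    return ip_packet(src, dst, PROTO_AH, hdr + icv(covered) + inner)


def verify_ah(pkt):
    ah = pkt["payload"]
    hdr, got, inner = ah[:12], ah[12:12 + ICV_LEN], ah[12 + ICV_LEN:]
    covered = (socket.inet_aton(pkt["src"]) + socket.inet_aton(pkt["dst"])
               + hdr + bytes(ICV_LEN) + inner)
    return hmac.compare_digest(got, icv(covered))


def esp_bytes(spi, seq, inner):
    """ESP (IP 50) with NULL encryption: SPI | seq | payload | trailer | ICV.
    The ICV covers only the ESP header and body, never the outer IP header."""
    hdr = struct.pack("!II", spi, seq)
    body = inner + struct.pack("!BB", 0, 4)          # pad length 0, next header = IPv4
    return hdr + body + icv(hdr + body)


def verify_esp(esp):
    return hmac.compare_digest(esp[-ICV_LEN:], icv(esp[:-ICV_LEN]))


def esp_packet(src, dst, spi, seq, inner):
    return ip_packet(src, dst, PROTO_ESP, esp_bytes(spi, seq, inner))


def udp_encap(src, dst, esp, sport=NAT_T_PORT):
    """RFC 3948 encapsulation: plain UDP header, ESP follows immediately.
    The UDP checksum is sent as zero; the receiver does not check it."""
    udp = struct.pack("!HHHH", sport, NAT_T_PORT, 8 + len(esp), 0) + esp
    return ip_packet(src, dst, PROTO_UDP, udp)


def ike_over_4500(src, dst, ike_msg):
    """IKE on the same port is marked with four zero bytes so it cannot be
    mistaken for ESP (whose first four bytes are a non-zero SPI)."""
    udp = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + 4 + len(ike_msg), 0)
    return ip_packet(src, dst, PROTO_UDP, udp + NON_ESP_MARKER + ike_msg)


def napt(pkt, public_ip, public_port):
    """A port-translating NAT: new source address and, for UDP, a new source
    port. AH and ESP carry no port, so only the address can change."""
    out = dict(pkt, src=public_ip)
    if pkt["proto"] == PROTO_UDP:
        _, dport, length, _ = struct.unpack("!HHHH", pkt["payload"][:8])
        out["payload"] = struct.pack("!HHHH", public_port, dport, length, 0) + pkt["payload"][8:]
    return out


def demux_4500(pkt):
    """Receiver side of RFC 3948: classify a UDP/4500 datagram as IKE or ESP."""
    _, dport, _, _ = struct.unpack("!HHHH", pkt["payload"][:8])
    data = pkt["payload"][8:]
    if dport != NAT_T_PORT:
        return ("other", None)
    if data.startswith(NON_ESP_MARKER):
        return ("ike", data[4:])
    spi = struct.unpack("!I", data[:4])[0]
    return ("esp", spi) if verify_esp(data) else ("esp-bad-icv", spi)


if __name__ == "__main__":
    inner = b"inner IP packet (constructed)"
    nat_box = lambda p: napt(p, "203.0.113.7", 61000)
    ah = ah_packet("192.168.0.10", "198.51.100.1", 0x1000, 1, inner)
    print("AH before NAT:", verify_ah(ah), " after NAT:", verify_ah(nat_box(ah)))
    raw = esp_packet("192.168.0.10", "198.51.100.1", 0x2000, 1, inner)
    print("raw ESP after address-only NAT:", verify_esp(nat_box(raw)["payload"]))
    enc = udp_encap("192.168.0.10", "198.51.100.1", esp_bytes(0x2000, 1, inner))
    print("ESP-in-UDP after NAPT:", demux_4500(nat_box(enc)))
```

Running the block prints that AH fails after the address rewrite, that raw ESP still verifies after an address-only rewrite, and that the UDP-wrapped ESP arrives on port 4500 and verifies after the NAPT box has changed both address and source port. From a firewall's point of view the last case is the one Stefaan is describing: nothing but an outbound UDP flow to a fixed port, which a normal UDP protocol rule can allow, with the payload still opaque to any content inspection (Vald's reason 2 is unchanged by the encapsulation).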


