RE: Looking for a work around- IPSEC client thru ISA

  • From: "Greg Foulks" <greg.foulks@xxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 22 Mar 2002 17:26:19 -0500

Hi Tom,
Come again???

Greg Foulks, MCP
NewFound Technologies, Inc.
http://www.nfti.com
Email: greg.foulks@xxxxxxxx
Voice: 614.318.5036
Fax: 614.318.5005


-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Friday, March 22, 2002 5:13 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Looking for a work around- IPSEC client thru ISA


http://www.ISAserver.org


Hi Greg,

Maybe the IP address is on the same network ID as the local network?

HTH,
Tom
www.isaserver.org/shinder


-----Original Message-----
From: Greg Foulks [mailto:greg.foulks@xxxxxxxx] 
Sent: Friday, March 22, 2002 3:58 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Looking for a work around- IPSEC client thru ISA



It just doesn't make sense... How is it I can connect to the remote
site/authenticate and receive an IP address and nothing else?

Greg Foulks, MCP
NewFound Technologies, Inc.
http://www.nfti.com
Email: greg.foulks@xxxxxxxx
Voice: 614.318.5036
Fax: 614.318.5005


-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Friday, March 22, 2002 4:41 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Looking for a work around- IPSEC client thru ISA




Here's something that might help:
 
IPsec functionality over NAT
 
IPsec Encapsulating Security Payload (ESP) packets can now pass through
Network Address Translators (NATs) that allow User Datagram Protocol
(UDP) traffic. The Internet Key Exchange (IKE) negotiation protocol
automatically detects the presence of a NAT and adds a UDP port 500
header to the IPsec ESP packet. As a result, the NAT only recognizes UDP
port 500 traffic. This functionality is an implementation of the IETF IP
Security Working group standard for IPsec.
 
NATs are widely used for Internet Connection Sharing (ICS) and in
locations that provide public Internet access (such as hotels and
airports) and that are likely to be used by telecommuters. In addition,
some Internet Service Providers (ISPs) use a centralized NAT to connect
their clients to the Internet.
 
IPsec functionality over NAT enables IPsec-secured connections to be
established in the following common deployment scenarios:
 
*         Layer Two Tunneling Protocol (L2TP)/IPsec virtual private
network (VPN) clients that are behind NATs can establish IPsec-secured
connections over the Internet to their corporate network, using IPsec
ESP transport mode. 
*         Routing and Remote Access (RRAS) servers can establish
gateway-to-gateway IPsec tunnels, when one of the RRAS servers is behind
a NAT. 
*         Clients and servers can send IPsec-secured TCP and UDP packets
to other clients or servers, using IPsec ESP transport mode, when one or
both of the computers are behind a NAT. For example, an application
running on a DMZ server can be IPsec-protected when making connections
to the corporate network. 
 
Note that there is no mention of AH :-) 
 
HTH,
Tom
 
-----Original Message-----
From: Greg Foulks [mailto:greg.foulks@xxxxxxxx] 
Sent: Friday, March 22, 2002 2:48 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Looking for a work around- IPSEC client thru ISA
 
 
 
As I am sure you all have figured out I'm not trying to proclaim that I
am an expert by any means. Just one trying to learn...
 
Here is a what if------
 
What if I install the client on the ISA server? If I connect to my
customer's VPN server from my ISA server, then shouldn't clients
behind ISA be able to route to those remote systems? Meaning my requests
for the remote systems would be forwarded to ISA since it
is the gateway and it would know to route my request over to its
external interface.
 
Am I way off my rocker?
 
Greg Foulks, MCP
NewFound Technologies, Inc.
http://www.nfti.com
Email: greg.foulks@xxxxxxxx
Voice: 614.318.5036
Fax: 614.318.5005
 
 
-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Friday, March 22, 2002 3:32 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Looking for a work around- IPSEC client thru ISA
 
 
 
 
Hi Greg,
 
If you can wait for .Net Server, it will support L2TP/IPSec through the
ISA NAT.
 
Just giving you something to look forward to :-)
 
Laterz,
Tom
www.isaserver.org/shinder
 
 
-----Original Message-----
From: Greg Foulks [mailto:greg.foulks@xxxxxxxx]
Sent: Friday, March 22, 2002 12:42 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Looking for a work around- IPSEC client thru ISA
 
 
 
Has anyone heard of IPSEC NAT Traversal? If so... Would this allow a
Win2k Client sitting behind an ISA Server to VPN into an IPSEC
VPN server?
 
Here is a portion of the technical doc....
 
Description:
When a Contivity Client is used with IPSec NAT Traversal active and the
'UDP Wrapped' packets are fragmented, the client is unable to properly
decode the packets.

Discussion:
Legacy Port NAT devices rely on being able to track sessions using
either TCP or UDP port numbers. The IPSec encapsulation protocol (ESP)
is not based on either TCP or UDP. Unless a port NAT device is 'IPSec
aware' it is not able to pass IPSec based traffic.

To get around this limitation, a new feature was added to the CVC 4_10
client when combined with the 4_0 switch software called 'IPSec NAT
Traversal'. This feature will detect if there is a NAT device in between
the client and server. The feature can then determine if this NAT device
can successfully pass an IPSec traffic stream. If the device is unable
to pass the stream, then the switch will implement IPSec NAT Traversal.
IPSec NAT Traversal will encapsulate the IPSec (ESP) datagrams in a UDP
Wrapped frame, which is then able to successfully traverse Port NAT
systems.
 
Greg Foulks, MCP
NewFound Technologies, Inc.
http://www.nfti.com
Email: greg.foulks@xxxxxxxx
Voice: 614.318.5036
Fax: 614.318.5005
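The UDP wrapping that both quoted documents describe (the Microsoft excerpt in Tom's reply above and the Nortel 'UDP Wrapped' text in this message), as an added example that is not part of this thread or of either vendor's software: it builds RFC 3948-style UDP-encapsulated ESP and IKE payloads and classifies them the way a port NAT or firewall would see them on the wire. Port 4500 and the four-byte non-ESP marker are assumptions taken from RFC 3948, not from the quoted text (which mentions port 500); the sample packets are constructed.

```python
import struct

# RFC 3948 UDP encapsulation of ESP (assumed here, not stated in the thread):
# IKE and ESP share one UDP port, and IKE messages carry a 4-byte zero
# "non-ESP marker" where ESP would carry its SPI. SPI 0 is reserved, so the
# two can never be confused. The quoted Microsoft text describes an early
# implementation on port 500; the final RFC uses 4500 with the same marker.
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefix that tells IKE apart from ESP
NAT_KEEPALIVE = b"\xff"                # one-byte datagram that keeps the NAT mapping open

def udp_encapsulate_esp(spi: int, seq: int, esp_body: bytes) -> bytes:
    """UDP payload for one ESP packet: ESP header (SPI, sequence) + encrypted body."""
    if not 1 <= spi <= 0xFFFFFFFF:
        raise ValueError("SPI must be 1..2^32-1; SPI 0 is reserved for the non-ESP marker")
    return struct.pack("!II", spi, seq & 0xFFFFFFFF) + esp_body

def udp_encapsulate_ike(ike_message: bytes) -> bytes:
    """UDP payload for an IKE message on the NAT-T port: marker, then the IKE header."""
    return NON_ESP_MARKER + ike_message

def classify_nat_t_payload(payload: bytes) -> str:
    """What a NAT or firewall sees on the NAT-T port: 'keepalive', 'ike', 'esp'
    or 'invalid'. The NAT never has to understand ESP; it only tracks the UDP
    5-tuple, which is exactly why the wrapping gets ESP through a port NAT."""
    if payload == NAT_KEEPALIVE:
        return "keepalive"
    if len(payload) < 8:             # shorter than an ESP header (SPI + sequence)
        return "invalid"
    if payload[:4] == NON_ESP_MARKER:
        return "ike"
    return "esp"

def parse_esp_header(payload: bytes) -> tuple:
    """Return (spi, sequence) from a UDP-encapsulated ESP payload; rejects IKE/keepalive."""
    if classify_nat_t_payload(payload) != "esp":
        raise ValueError("not a UDP-encapsulated ESP packet")
    return struct.unpack("!II", payload[:8])

# Constructed samples: a fake 16-byte ESP body, a fake 28-byte IKE header, a keepalive.
SAMPLE_ESP = udp_encapsulate_esp(spi=0x0A1B2C3D, seq=7, esp_body=b"\xaa" * 16)
SAMPLE_IKE = udp_encapsulate_ike(b"\x11" * 28)
SAMPLE_KEEPALIVE = NAT_KEEPALIVE

if __name__ == "__main__":
    for name, pkt in (("esp", SAMPLE_ESP), ("ike", SAMPLE_IKE), ("keepalive", SAMPLE_KEEPALIVE)):
        print(name, "->", classify_nat_t_payload(pkt))
    print("esp spi/seq:", parse_esp_header(SAMPLE_ESP))
```

The Nortel note about fragmented wrapped packets follows from the same layout: only the first fragment carries the UDP header and marker, so a client or NAT that classifies per datagram must reassemble before it can tell IKE from ESP.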
 
 
-----Original Message-----
From: Greg Foulks [mailto:greg.foulks@xxxxxxxx]
Sent: Friday, March 22, 2002 12:26 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Looking for a work around- IPSEC client thru ISA
 
 
 
 
A customer of ours recently incorporated a VPN solution for its
employees and contractors. This solution is from Nortel.
 
They sent me a CD which has a VPN client that I've installed on my Win2k
Pro box. This client says that it is using IPSEC and I've
got a SecurID Token that I use in conjunction with my username and pin.
 
 
I'm sitting behind an ISA server that acts as my "gateway" for all
internal clients.
 
 
I've read that ISA (NAT) does not like IPSEC or rather IPSEC does not
like connections coming from NAT'd systems.
 
 
So as you can see we are unable to connect to our client's VPN server
from behind our ISA server. The only way that I've been able to
get by is by installing another NIC into my machine and assigning it a
public IP address and setting the gateway to our external
router. I've put a little firewall (BlackIce) on my PC so that when I
disconnect my internal lan and enable my external connection
I'm not just sitting out in the public network naked.
 
If I have to do this as a solution I guess it is fine but another
scenario has come up.
 
 
I might need to VPN into my office PC from home connecting through my
ISA server (which serves as my VPN server for the office),
connect to my computer using PCAnywhere and then would need to connect
to said customer. Obviously this can't be done because as
soon as I disable my local lan I'll be dropped by my work pc.
 
 
Am I the only one who needs to connect to an IPSEC VPN server through
ISA? Does anyone have a suitable workaround other than a dual
NIC configuration?
 
Thanks in advance for all that respond!
 
Greg Foulks, MCP
NewFound Technologies, Inc.
http://www.nfti.com
Email: greg.foulks@xxxxxxxx
Voice: 614.318.5036
Fax: 614.318.5005
 
 
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
greg.foulks@xxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
 
 