Hi Tom,

Come again???

Greg Foulks, MCP
NewFound Technologies, Inc.
http://www.nfti.com
Email: greg.foulks@xxxxxxxx
Voice: 614.318.5036
Fax: 614.318.5005

-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Friday, March 22, 2002 5:13 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Looking for a work around- IPSEC client thru ISA

http://www.ISAserver.org

Hi Greg,

Maybe the IP address is on the same network ID as the local network?

HTH,
Tom
www.isaserver.org/shinder

-----Original Message-----
From: Greg Foulks [mailto:greg.foulks@xxxxxxxx]
Sent: Friday, March 22, 2002 3:58 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Looking for a work around- IPSEC client thru ISA

http://www.ISAserver.org

It just doesn't make sense... How is it I can connect to the remote site/authenticate and receive an IP address and nothing else?

Greg Foulks, MCP
NewFound Technologies, Inc.
http://www.nfti.com
Email: greg.foulks@xxxxxxxx
Voice: 614.318.5036
Fax: 614.318.5005

-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Friday, March 22, 2002 4:41 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Looking for a work around- IPSEC client thru ISA

http://www.ISAserver.org

Here's something that might help:

IPsec functionality over NAT

IPsec Encapsulating Security Payload (ESP) packets can now pass through Network Address Translators (NATs) that allow User Datagram Protocol (UDP) traffic. The Internet Key Exchange (IKE) negotiation protocol automatically detects the presence of a NAT and adds a UDP port 500 header to the IPsec ESP packet. As a result, the NAT only recognizes UDP port 500 traffic. This functionality is an implementation of the IETF IP Security Working group standard for IPsec.

NATs are widely used for Internet Connection Sharing (ICS) and in locations that provide public Internet access (such as hotels and airports) and that are likely to be used by telecommuters. In addition, some Internet Service Providers (ISPs) use a centralized NAT to connect their clients to the Internet. IPsec functionality over NAT enables IPsec-secured connections to be established in the following common deployment scenarios:

* Layer Two Tunneling Protocol (L2TP)/IPsec virtual private network (VPN) clients that are behind NATs can establish IPsec-secured connections over the Internet to their corporate network, using IPsec ESP transport mode.
* Routing and Remote Access (RRAS) servers can establish gateway-to-gateway IPsec tunnels, when one of the RRAS servers is behind a NAT.
* Clients and servers can send IPsec-secured TCP and UDP packets to other clients or servers, using IPsec ESP transport mode, when one or both of the computers are behind a NAT. For example, an application running on a DMZ server can be IPsec-protected when making connections to the corporate network.

Note that there is no mention of AH :-)

HTH,
Tom

-----Original Message-----
From: Greg Foulks [mailto:greg.foulks@xxxxxxxx]
Sent: Friday, March 22, 2002 2:48 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Looking for a work around- IPSEC client thru ISA

http://www.ISAserver.org

As I am sure you all have figured out, I'm not trying to proclaim that I am an expert by any means. Just one trying to learn...

Here is a what if------

What if I install the client on the ISA server? If I connect to my customer's VPN server from my ISA server, then shouldn't clients behind ISA be able to route to those remote systems? Meaning my requests for the remote systems would be forwarded to ISA since it is the gateway, and it would know to route my request over to its external interface.

Am I way off my rocker?

Greg Foulks, MCP
NewFound Technologies, Inc.
http://www.nfti.com
Email: greg.foulks@xxxxxxxx
Voice: 614.318.5036
Fax: 614.318.5005

-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Friday, March 22, 2002 3:32 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Looking for a work around- IPSEC client thru ISA

http://www.ISAserver.org

Hi Greg,

If you can wait for .Net Server, it will support L2TP/IPSec through the ISA NAT. Just giving you something to look forward to :-)

Laterz,
Tom
www.isaserver.org/shinder

-----Original Message-----
From: Greg Foulks [mailto:greg.foulks@xxxxxxxx]
Sent: Friday, March 22, 2002 12:42 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Looking for a work around- IPSEC client thru ISA

http://www.ISAserver.org

Has anyone heard of IPSEC NAT Traversal? If so... Would this allow a Win2k Client sitting behind an ISA Server to VPN into an IPSEC VPN server?

Here is a portion of the technical doc....

Description: When a Contivity Client is used with IPSec NAT Traversal active and the 'UDP Wrapped' packets are fragmented, the client is unable to properly decode the packets.

Discussion: Legacy Port NAT devices rely on being able to track sessions using either TCP or UDP port numbers. The IPSec encapsulation protocol (ESP) is not based on either TCP or UDP. Unless a port NAT device is 'IPSec aware' it is not able to pass IPSec based traffic. To get around this limitation, a new feature was added to the CVC 4_10 client when combined with the 4_0 switch software called 'IPSec NAT Traversal'. This feature will detect if there is a NAT device in between the client and server. The feature can then determine if this NAT device can successfully pass an IPSec traffic stream. If the device is unable to pass the stream, then the switch will implement IPSec NAT Traversal. IPSec NAT Traversal will encapsulate the IPSec (ESP) datagrams in a UDP Wrapped frame, which is then able to successfully traverse Port NAT systems.

Greg Foulks, MCP
NewFound Technologies, Inc.
http://www.nfti.com
Email: greg.foulks@xxxxxxxx
Voice: 614.318.5036
Fax: 614.318.5005

-----Original Message-----
From: Greg Foulks [mailto:greg.foulks@xxxxxxxx]
Sent: Friday, March 22, 2002 12:26 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Looking for a work around- IPSEC client thru ISA

http://www.ISAserver.org

A customer of ours recently incorporated a VPN solution for its employees and contractors. This solution is from Nortel. They sent me a CD which has a VPN client that I've installed on my Win2k Pro box. This client says that it is using IPSEC, and I've got a SecurID Token that I use in conjunction with my username and PIN.

I'm sitting behind an ISA server that acts as my "gateway" for all internal clients. I've read that ISA (NAT) does not like IPSEC, or rather IPSEC does not like connections coming from NAT'd systems. So as you can see we are unable to connect to our client's VPN server from behind our ISA server.

The only way that I've been able to get by is by installing another NIC into my machine and assigning it a public IP address and setting the gateway to our external router. I've put a little firewall (BlackIce) on my PC so that when I disconnect my internal LAN and enable my external connection I'm not just sitting out in the public network naked.

If I have to do this as a solution I guess it is fine, but another scenario has come up. I might need to VPN into my office PC from home, connecting through my ISA server (which serves as my VPN server for the office), connect to my computer using PCAnywhere, and then would need to connect to said customer. Obviously this can't be done because as soon as I disable my local LAN I'll be dropped by my work PC.

Am I the only one who needs to connect to an IPSEC VPN server through ISA? Does anyone have a suitable workaround other than a dual NIC configuration?

Thanks in advance for all that respond!

Greg Foulks, MCP
NewFound Technologies, Inc.
http://www.nfti.com
Email: greg.foulks@xxxxxxxx
Voice: 614.318.5036
Fax: 614.318.5005

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: greg.foulks@xxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
------------------------------------------------------
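The mechanism the thread is circling around (a port NAT cannot track ESP because ESP carries no port numbers, so IKE detects the NAT and wraps ESP in UDP) can be shown in a few dozen lines. The following is an added example written for this page; it is not code from the thread, from Nortel's Contivity client, or from Microsoft's implementation. It follows the later IETF standards for the feature, RFC 3947/3948 (IKEv1 NAT-T) and RFC 7296 section 2.23 (IKEv2), and the addresses, SPIs, ports and payloads are constructed sample values.

```python
"""Added illustration of IPsec NAT traversal (RFC 3947/3948, RFC 7296 2.23):
why a legacy port NAT cannot map plain ESP, how the IKE peers detect a NAT,
and how ESP is wrapped in UDP on port 4500. All data is constructed."""
import hashlib
import ipaddress
import struct

TCP_PROTO = 6
UDP_PROTO = 17
ESP_PROTO = 50                         # ESP is its own IP protocol: no port numbers at all
IKE_PORT = 500
NAT_T_PORT = 4500                      # UDP-encapsulated ESP and IKE once a NAT is detected
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 2.2: IKE on 4500 is prefixed with four zero bytes
NAT_KEEPALIVE = b"\xff"                # RFC 3948 2.3: one-byte keepalive that holds the NAT mapping open


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_SOURCE/DESTINATION_IP payload (RFC 7296 2.23):
    SHA-1 over SPIi | SPIr | IP address | port. RFC 3947 does the same with IKEv1 cookies."""
    data = spi_i + spi_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def nat_between(spi_i: bytes, spi_r: bytes, hash_from_peer: bytes, seen_ip: str, seen_port: int) -> bool:
    """The receiver hashes the source address/port it actually observed on the wire.
    A mismatch with the sender's hash means a NAT rewrote the header in transit."""
    return hash_from_peer != nat_detection_hash(spi_i, spi_r, seen_ip, seen_port)


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP header (RFC 4303): 32-bit SPI, 32-bit sequence number, then the encrypted payload (toy bytes here)."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved: it would be mistaken for the non-ESP marker")
    return struct.pack("!II", spi, seq) + ciphertext


def udp_encapsulate(payload: bytes, sport: int = NAT_T_PORT, dport: int = NAT_T_PORT) -> bytes:
    """Prepend a UDP header (zero checksum is allowed by RFC 3948) so the port NAT has ports to track."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def udp_encapsulate_ike(ike_message: bytes) -> bytes:
    """IKE moved to port 4500 carries the non-ESP marker so the receiver can tell it from ESP."""
    return udp_encapsulate(NON_ESP_MARKER + ike_message)


def classify_nat_t(udp_datagram: bytes) -> str:
    """Demultiplex a datagram received on UDP 4500 (RFC 3948 section 2)."""
    payload = udp_datagram[8:]
    if payload == NAT_KEEPALIVE:
        return "keepalive"
    if payload[:4] == NON_ESP_MARKER:
        return "ike"
    return "esp"  # first four bytes are a non-zero SPI


class PortNat:
    """Legacy port NAT: a per-session mapping has to be keyed on a transport-layer port."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}

    def outbound(self, proto: int, src_ip: str, src_port):
        if proto not in (TCP_PROTO, UDP_PROTO) or src_port is None:
            return None  # plain ESP: nothing to key the mapping on, so it cannot be translated
        key = (proto, src_ip, src_port)
        if key not in self.table:
            self.table[key] = (self.public_ip, self.next_port)
            self.next_port += 1
        return self.table[key]


def demo():
    """Constructed scenario: client 192.168.1.10 behind a NAT whose public address is 203.0.113.5."""
    nat = PortNat("203.0.113.5")
    spi_i = bytes.fromhex("0011223344556677")
    spi_r = bytes.fromhex("8899aabbccddeeff")
    inside_ip = "192.168.1.10"

    plain_esp = nat.outbound(ESP_PROTO, inside_ip, None)       # None: the NAT cannot map it
    wrapped = nat.outbound(UDP_PROTO, inside_ip, NAT_T_PORT)  # UDP-wrapped ESP gets a mapping

    # The client hashes its own (private) address in IKE; the server hashes what it saw arrive.
    claimed = nat_detection_hash(spi_i, spi_r, inside_ip, IKE_PORT)
    seen_ip, seen_port = nat.outbound(UDP_PROTO, inside_ip, IKE_PORT)
    detected = nat_between(spi_i, spi_r, claimed, seen_ip, seen_port)
    return plain_esp, wrapped, detected


if __name__ == "__main__":
    print(demo())
```

The `PortNat` class is the "legacy port NAT" of the Nortel text: it returns `None` for protocol 50 because there is no port to build a session entry on, and a mapping only once the same ESP bytes arrive inside a UDP datagram. The fragmentation problem the Nortel note mentions is outside this example; it arises because only the first fragment of a wrapped datagram carries the UDP header the NAT keys on.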