RE: Looking for a work around- IPSEC client thru ISA
- From: "Jay" <jschwarzkopf@xxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Sat, 23 Mar 2002 11:50:44 -0500
Greg, what's the output of a route print?
----- Original Message -----
From: "Greg Foulks" <greg.foulks@xxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Friday, March 22, 2002 5:31 PM
Subject: [isalist] RE: Looking for a work around- IPSEC client thru ISA
> http://www.ISAserver.org
>
>
> Tom,
> Here is the output of ipconfig (this is the PC that is trying to connect
> out through ISA to a remote IPSEC VPN using the Nortel Client)
> It clearly shows that a connection was made and I can see that bytes were
> sent but the bytes received are showing as ZERO.
>
> Do I need to open some other port to allow the transmission to return?
>
>
> Windows 2000 IP Configuration
>
> Host Name . . . . . . . . . . . . : gfoulks
> Primary DNS Suffix . . . . . . . : nfti.com
> Node Type . . . . . . . . . . . . : Hybrid
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : nfti.com
>
> Ethernet adapter {3C65C244-5C6D-480D-96D9-4434F60F1A80}:
>
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : NOC Extranet Access Adapter
> Physical Address. . . . . . . . . : 44-45-53-54-42-00
> DHCP Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 3.47.30.199
> Subnet Mask . . . . . . . . . . . : 255.0.0.0
> Default Gateway . . . . . . . . . : 3.47.30.199
> DNS Servers . . . . . . . . . . . : 3.97.16.101
> 3.97.16.102
> Primary WINS Server . . . . . . . : 3.174.26.138
> Secondary WINS Server . . . . . . : 3.171.8.101
>
> Ethernet adapter Local Area Connection:
>
> Connection-specific DNS Suffix . : nfti.com
> Description . . . . . . . . . . . : Accton EN1207D Series PCI Fast
> Ethernet Adapter
> Physical Address. . . . . . . . . : 00-E0-29-35-03-77
> DHCP Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 10.0.0.55
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 10.0.0.1
> DNS Servers . . . . . . . . . . . : 10.0.0.30
> 12.127.16.67
>
> Greg Foulks, MCP
> NewFound Technologies, Inc.
> http://www.nfti.com
> Email: greg.foulks@xxxxxxxx
> Voice: 614.318.5036
> Fax: 614.318.5005
>
>
> -----Original Message-----
> From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
> Sent: Friday, March 22, 2002 5:13 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Looking for a work around- IPSEC client thru ISA
>
>
> Hi Greg,
>
> Maybe the IP address is on the same network ID as the local network?
>
> HTH,
> Tom
> www.isaserver.org/shinder
>
>
> -----Original Message-----
> From: Greg Foulks [mailto:greg.foulks@xxxxxxxx]
> Sent: Friday, March 22, 2002 3:58 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Looking for a work around- IPSEC client thru ISA
>
> It just doesn't make sense... How is it I can connect to the remote
> site/authenticate and receive an IP address and nothing else?
>
> Greg Foulks, MCP
> NewFound Technologies, Inc.
> http://www.nfti.com
> Email: greg.foulks@xxxxxxxx
> Voice: 614.318.5036
> Fax: 614.318.5005
>
>
> -----Original Message-----
> From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
> Sent: Friday, March 22, 2002 4:41 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Looking for a work around- IPSEC client thru ISA
>
>
> Here's something that might help:
>
> IPsec functionality over NAT
>
> IPsec Encapsulating Security Payload (ESP) packets can now pass through
> Network Address Translators (NATs) that allow User Datagram Protocol
> (UDP) traffic. The Internet Key Exchange (IKE) negotiation protocol
> automatically detects the presence of a NAT and adds a UDP port 500
> header to the IPsec ESP packet. As a result, the NAT only recognizes UDP
> port 500 traffic. This functionality is an implementation of the IETF IP
> Security Working group standard for IPsec.
>
> NATs are widely used for Internet Connection Sharing (ICS) and in
> locations that provide public Internet access (such as hotels and
> airports) and that are likely to be used by telecommuters. In addition,
> some Internet Service Providers (ISPs) use a centralized NAT to connect
> their clients to the Internet.
>
> IPsec functionality over NAT enables IPsec-secured connections to be
> established in the following common deployment scenarios:
>
> * Layer Two Tunneling Protocol (L2TP)/IPsec virtual private
> network (VPN) clients that are behind NATs can establish IPsec-secured
> connections over the Internet to their corporate network, using IPsec
> ESP transport mode.
> * Routing and Remote Access (RRAS) servers can establish
> gateway-to-gateway IPsec tunnels, when one of the RRAS servers is behind
> a NAT.
> * Clients and servers can send IPsec-secured TCP and UDP packets
> to other clients or servers, using IPsec ESP transport mode, when one or
> both of the computers are behind a NAT. For example, an application
> running on a DMZ server can be IPsec-protected when making connections
> to the corporate network.
>
> Note that there is no mention of AH :-)
>
> HTH,
> Tom
>
> -----Original Message-----
> From: Greg Foulks [mailto:greg.foulks@xxxxxxxx]
> Sent: Friday, March 22, 2002 2:48 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Looking for a work around- IPSEC client thru ISA
>
> As I am sure you all have figured out I'm not trying to proclaim that I
> am an expert by any means. Just one trying to learn...
>
> Here is a what if------
>
> What if I install the client on the ISA server. If I connect to my
> customer's VPN server from my ISA server, then shouldn't clients
> behind ISA be able to route to those remote systems? Meaning my requests
> for the remote systems would be forwarded to ISA since it
> is the gateway and it would know to route my request over to its
> external interface.
>
> Am I way off my rocker?
>
> Greg Foulks, MCP
> NewFound Technologies, Inc.
> http://www.nfti.com
> Email: greg.foulks@xxxxxxxx
> Voice: 614.318.5036
> Fax: 614.318.5005
>
>
> -----Original Message-----
> From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
> Sent: Friday, March 22, 2002 3:32 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Looking for a work around- IPSEC client thru ISA
>
>
> Hi Greg,
>
> If you can wait for .Net Server, it will support L2TP/IPSec through the
> ISA NAT.
>
> Just giving you something to look forward to :-)
>
> Laterz,
> Tom
> www.isaserver.org/shinder
>
>
> -----Original Message-----
> From: Greg Foulks [mailto:greg.foulks@xxxxxxxx]
> Sent: Friday, March 22, 2002 12:42 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Looking for a work around- IPSEC client thru ISA
>
> Has anyone heard of IPSEC NAT Traversal? If so... Would this allow a
> Win2k Client sitting behind an ISA Server to VPN into an IPSEC
> VPN server?
>
> Here is a portion of the technical doc....
>
> Description:
> When a Contivity Client is used with IPSec NAT Traversal active and the
> 'UDP Wrapped' packets are
> fragmented, the client is unable to properly decode the packets.
>
> Discussion:
> Legacy Port NAT devices rely on being able to track sessions using
> either TCP or UDP port numbers. The
> IPSec encapsulation protocol (ESP) is not based on either TCP or UDP.
> Unless a port NAT device is
> 'IPSec aware' it is not able to pass IPSec based traffic.
>
>
> To get around this limitation, a new feature was added to the CVC 4_10
> client when combined with the
> 4_0 switch software called 'IPSec NAT Traversal'. This feature will
> detect if there is a NAT device in
> between the client and server. The feature can then determine if this
> NAT device can successfully pass
> an IPSec traffic stream. If the device is unable to pass the stream,
> then the switch will implement IPSec
> NAT Traversal. IPSec NAT Traversal will encapsulate the IPSec (ESP)
> datagrams in a UDP Wrapped
> frame, which is then able to successfully traverse Port NAT systems.
>
> Greg Foulks, MCP
> NewFound Technologies, Inc.
> http://www.nfti.com
> Email: greg.foulks@xxxxxxxx
> Voice: 614.318.5036
> Fax: 614.318.5005
>
>
> -----Original Message-----
> From: Greg Foulks [mailto:greg.foulks@xxxxxxxx]
> Sent: Friday, March 22, 2002 12:26 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Looking for a work around- IPSEC client thru ISA
>
>
> A customer of ours recently incorporated a VPN solution for its
> employees and contractors. This solution is from Nortel.
>
> They sent me a CD which has a VPN client that I've installed on my Win2k
> Pro box. This client says that it is using IPSEC and I've
> got a SecurID Token that I use in conjunction with my username and pin.
>
>
> I'm sitting behind an ISA server that acts as my "gateway" for all
> internal clients.
>
>
> I've read that ISA (NAT) does not like IPSEC or rather IPSEC does not
> like connections coming from NAT'd systems.
>
>
> So as you can see we are unable to connect to our client's VPN server
> from behind our ISA server. The only way that I've been able to
> get by is by installing another NIC into my machine and assigning it a
> public IP address and setting the gateway to our external
> router. I've put a little firewall (BlackIce) on my PC so that when I
> disconnect my internal lan and enable my external connection
> I'm not just sitting out in the public network naked.
>
> If I have to do this as a solution I guess it is fine but another
> scenario has come up.
>
>
> I might need to VPN into my office PC from home connecting through my
> ISA server (which serves as my VPN server for the office)
> connect to my computer using PCAnywhere and then would need to connect
> to said customer. Obviously this can't be done because as
> soon as I disable my local lan I'll be dropped by my work pc.
>
>
> Am I the only one who needs to connect to an IPSEC VPN server through
> ISA? Does anyone have a suitable workaround other than a dual
> NIC configuration?
>
> Thanks in advance for all that respond!
>
> Greg Foulks, MCP
> NewFound Technologies, Inc.
> http://www.nfti.com
> Email: greg.foulks@xxxxxxxx
> Voice: 614.318.5036
> Fax: 614.318.5005
>
>
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> greg.foulks@xxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')
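Added example, not from the thread or from Nortel or Microsoft: a simplified Python model of the "legacy port NAT" the quoted Nortel excerpt describes, showing why raw ESP (IP protocol 50, no port numbers) leaves the NAT but its reply is never mapped back to the inside client (bytes sent, zero received), while the same ESP wrapped in UDP round-trips. The PAT behaviour, the gateway address 198.51.100.7 and the public address 203.0.113.9 are constructed assumptions, not ISA Server's actual implementation; the wrapper port 500 is the value the thread's excerpt gives, whereas the final RFC 3948 NAT-T standard uses 4500.

```python
# Added example (not from the thread): simplified port-NAT model. Addresses
# other than 10.0.0.55 and the NAT behaviour are constructed assumptions.
from dataclasses import dataclass, replace
from typing import Optional

ESP, UDP = 50, 17
WRAP_PORT = 500  # port named in the thread's excerpt; RFC 3948 uses 4500

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # None: protocol carries no port numbers (ESP)
    dport: Optional[int] = None
    payload: bytes = b""

class PortNat:
    """Legacy PAT: sessions are keyed on transport-layer port numbers only."""
    def __init__(self, public_ip: str) -> None:
        self.public_ip, self.next_port = public_ip, 40000
        self.fwd = {}  # (proto, in ip, in port, peer ip, peer port) -> public port
        self.rev = {}  # (proto, public port, peer ip, peer port) -> (in ip, in port)

    def outbound(self, p: Packet) -> Packet:
        if p.sport is None:  # raw ESP: address rewritten, but no port to key a session
            return replace(p, src=self.public_ip)
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        pub = self.fwd.get(key)
        if pub is None:
            pub = self.fwd[key] = self.next_port
            self.next_port += 1
            self.rev[(p.proto, pub, p.dst, p.dport)] = (p.src, p.sport)
        return replace(p, src=self.public_ip, sport=pub)

    def inbound(self, p: Packet) -> Optional[Packet]:
        inside = self.rev.get((p.proto, p.dport, p.src, p.sport))
        if inside is None:  # reply ESP carries no ports: no session matches, dropped
            return None
        return replace(p, dst=inside[0], dport=inside[1])

def udp_wrap(esp: Packet, port: int = WRAP_PORT) -> Packet:
    """NAT-T style encapsulation: carry the ESP datagram as UDP payload."""
    return Packet(UDP, esp.src, esp.dst, port, port, esp.payload)

def round_trip(nat: PortNat, wrapped: bool) -> tuple:
    """Client 10.0.0.55 (from the thread) -> VPN gateway 198.51.100.7 (constructed).
    Returns (request left the NAT, reply reached the client)."""
    req = Packet(ESP, "10.0.0.55", "198.51.100.7", payload=b"SPI|seq|ciphertext")
    if wrapped:
        req = udp_wrap(req)
    out = nat.outbound(req)
    reply = Packet(out.proto, out.dst, out.src, out.dport, out.sport, b"reply")
    back = nat.inbound(reply)
    return out.src == nat.public_ip, back is not None and back.dst == "10.0.0.55"
```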