RE: Looking for a work around- IPSEC client thru ISA

Hi Greg,

If you can wait for .Net Server, it will support L2TP/IPSec through the
ISA NAT.

Just giving you something to look forward to :-)

Laterz,
Tom
www.isaserver.org/shinder


-----Original Message-----
From: Greg Foulks [mailto:greg.foulks@xxxxxxxx] 
Sent: Friday, March 22, 2002 12:42 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Looking for a work around- IPSEC client thru ISA

http://www.ISAserver.org


Has anyone heard of IPSEC NAT Traversal? If so... Would this allow a
Win2k Client sitting behind a ISA Server to VPN into a IPSEC
VPN server?

Here is a portion of the technical doc....

Description:
When a Contivity Client is used with IPSec NAT Traversal active and the
'UDP Wrapped' packets are
fragmented, the client is unable to properly decode the packets.

Discussion:
Legacy Port NAT devices rely on being able to track sessions using
either TCP or UDP port numbers. The
IPSec encapsulation protocol (ESP) is not based on either TCP or UDP.
Unless a port NAT device is
'IPSec aware' it is not able to pass IPSec based traffic.


To get around this limitation, a new feature was added to the CVC 4_10
client when combined with the
4_0 switch software called 'IPSec NAT Traversal'. This feature will
detect if there is a NAT device in
between the client and server. The feature can then determine if this
NAT device can successfully pass
an IPSec traffic stream. If the device is unable to pass the stream,
then the switch will implement IPSec
NAT Traversal. IPSec NAT Traversal will encapsulate the IPSec (ESP)
datagrams in a UDP Wrapped
frame, which is then able to successfully traverse Port NAT systems.

Greg Foulks, MCP
NewFound Technologies, Inc.
http://www.nfti.com
Email: greg.foulks@xxxxxxxx
Voice: 614.318.5036
Fax: 614.318.5005


-----Original Message-----
From: Greg Foulks [mailto:greg.foulks@xxxxxxxx]
Sent: Friday, March 22, 2002 12:26 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Looking for a work around- IPSEC client thru ISA


http://www.ISAserver.org


A customer of ours recently incorporated a VPN solution for it's
employee's and contractors. This solution is from Nortel.

They sent me a CD which has a VPN client that I've installed on my Win2k
Pro box. This client says that it is using IPSEC and I've
got a SecurID Token that I use in conjunction with my username and pin.


I'm sitting behind an ISA server that acts as my "gateway" for all
internal clients.


I've read that ISA (NAT) does not like IPSEC or rather IPSEC does not
like connections coming from NAT'd systems.


So as you can see we are unable to connect to our clients VPN server
from behind our ISA server. The only way that I've been able to
get by is by installing another NIC into my machine and assigning it a
public IP address and setting the gateway to our external
router. I've put a little firewall (BlackIce) on my PC so that when I
disconnect my internal lan and enable my external connection
I'm not just sitting out in the public network naked.

If I have to do this as a solution I guess it is fine but another
scenario has come up.


I might need to VPN into my office PC from home connecting through my
ISA server (Which servers as my VPN server for the office)
connect to my computer using PCAnywhere and then would need to connect
to said customer. Obviously this can't be done because as
soon as I disable my local lan I'll be dropped by my work pc.


Am I the only one who needs to connect to a IPSEC VPN server through
ISA? Does anyone have a suitable workaround other than a dual
NIC configuration?

Thanks in advance for all that respond!

Greg Foulks, MCP
NewFound Technologies, Inc.
http://www.nfti.com
Email: greg.foulks@xxxxxxxx
Voice: 614.318.5036
Fax: 614.318.5005


------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
greg.foulks@xxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')


------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')


Other related posts: