Tom, how is that going to be done? NAT changes the header and trailer, but L2TP/IPSec will not accept the change, correct?

John Tolmachoff
IT Manager, Network Engineer
211 E. Imperial Hwy., Suite 106
Fullerton, CA 92835
714-578-7999, ext. 104
jtolmachoff@xxxxxxxxxxxxxxxx
www.reliancesoft.com

-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Friday, March 22, 2002 12:32 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Looking for a work around- IPSEC client thru ISA

http://www.ISAserver.org

Hi Greg,

If you can wait for .Net Server, it will support L2TP/IPSec through the ISA NAT. Just giving you something to look forward to :-)

Laterz,
Tom
www.isaserver.org/shinder

-----Original Message-----
From: Greg Foulks [mailto:greg.foulks@xxxxxxxx]
Sent: Friday, March 22, 2002 12:42 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Looking for a work around- IPSEC client thru ISA

http://www.ISAserver.org

Has anyone heard of IPSEC NAT Traversal? If so... would this allow a Win2k client sitting behind an ISA Server to VPN into an IPSEC VPN server? Here is a portion of the technical doc....

Description: When a Contivity Client is used with IPSec NAT Traversal active and the 'UDP Wrapped' packets are fragmented, the client is unable to properly decode the packets.

Discussion: Legacy Port NAT devices rely on being able to track sessions using either TCP or UDP port numbers. The IPSec encapsulation protocol (ESP) is not based on either TCP or UDP. Unless a port NAT device is 'IPSec aware' it is not able to pass IPSec based traffic. To get around this limitation, a new feature was added to the CVC 4_10 client when combined with the 4_0 switch software called 'IPSec NAT Traversal'. This feature will detect if there is a NAT device in between the client and server. The feature can then determine if this NAT device can successfully pass an IPSec traffic stream. If the device is unable to pass the stream, then the switch will implement IPSec NAT Traversal. IPSec NAT Traversal will encapsulate the IPSec (ESP) datagrams in a UDP Wrapped frame, which is then able to successfully traverse Port NAT systems.

Greg Foulks, MCP
NewFound Technologies, Inc.
http://www.nfti.com
Email: greg.foulks@xxxxxxxx
Voice: 614.318.5036
Fax: 614.318.5005

-----Original Message-----
From: Greg Foulks [mailto:greg.foulks@xxxxxxxx]
Sent: Friday, March 22, 2002 12:26 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Looking for a work around- IPSEC client thru ISA

http://www.ISAserver.org

A customer of ours recently incorporated a VPN solution for its employees and contractors. This solution is from Nortel. They sent me a CD which has a VPN client that I've installed on my Win2k Pro box. This client says that it is using IPSEC, and I've got a SecurID token that I use in conjunction with my username and PIN.

I'm sitting behind an ISA server that acts as my "gateway" for all internal clients. I've read that ISA (NAT) does not like IPSEC, or rather IPSEC does not like connections coming from NAT'd systems. So as you can see, we are unable to connect to our client's VPN server from behind our ISA server.

The only way that I've been able to get by is by installing another NIC into my machine, assigning it a public IP address and setting the gateway to our external router. I've put a little firewall (BlackIce) on my PC so that when I disconnect my internal LAN and enable my external connection I'm not just sitting out in the public network naked.

If I have to do this as a solution I guess it is fine, but another scenario has come up. I might need to VPN into my office PC from home, connecting through my ISA server (which serves as my VPN server for the office), connect to my computer using PCAnywhere, and then would need to connect to said customer. Obviously this can't be done because as soon as I disable my local LAN I'll be dropped by my work PC.

Am I the only one who needs to connect to an IPSEC VPN server through ISA? Does anyone have a suitable workaround other than a dual NIC configuration?

Thanks in advance for all that respond!

Greg Foulks, MCP
NewFound Technologies, Inc.
http://www.nfti.com
Email: greg.foulks@xxxxxxxx
Voice: 614.318.5036
Fax: 614.318.5005

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: greg.foulks@xxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
------------------------------------------------------
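The Nortel description quoted in Greg's second message (a port NAT keys its sessions on TCP/UDP ports, ESP has none, so wrapping ESP in UDP lets it pass) can be shown directly on the wire. The following is an added Python example, not code from the thread, from Nortel or from ISA Server: the packets are constructed samples, and the UDP port 4500 and Non-ESP marker follow the later IETF standard for UDP encapsulation of ESP (RFC 3948), not the Contivity client's own framing.

```python
import struct

IPPROTO_UDP, IPPROTO_ESP = 17, 50
NAT_T_PORT = 4500  # UDP port for UDP-encapsulated ESP per RFC 3948

def ipv4(proto, src, dst, payload):
    """Constructed minimal IPv4 header (no options, checksum left 0) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + payload

def nat_session_key(pkt):
    """The 5-tuple a legacy port NAT tracks; None when the packet has no port fields."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    src, dst, l4 = pkt[12:16], pkt[16:20], pkt[ihl:]
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", l4[:4])
        return (proto, src, sport, dst, dport)
    # ESP (IP protocol 50) starts with SPI(4) + sequence number(4), then
    # ciphertext: there is no port field for the NAT to key a session on.
    return None

def port_nat_outbound(pkt, public_ip, public_port):
    """Rewrite source IP and source port as a port NAT would; None if untrackable.
    Only the outer IP/UDP headers change; the ESP bytes (which the ESP integrity
    check covers) are left intact, so the far end can still verify them."""
    if nat_session_key(pkt) is None:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    out = bytearray(pkt)
    out[12:16] = public_ip
    out[ihl:ihl + 2] = struct.pack("!H", public_port)
    return bytes(out)

def classify_nat_t(udp_payload):
    """RFC 3948 demultiplexing on UDP/4500: four zero bytes (Non-ESP marker) mean
    an IKE message follows; otherwise the bytes are an ESP header (non-zero SPI)."""
    return "IKE" if udp_payload[:4] == b"\x00\x00\x00\x00" else "ESP"

# Constructed sample traffic: private client 192.168.1.10 -> VPN server 203.0.113.5,
# with 198.51.100.7 as the NAT's public address (all documentation-range values).
SRC, DST, PUBLIC = bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]), bytes([198, 51, 100, 7])
ESP = struct.pack("!II", 0x1234ABCD, 1) + b"\xaa" * 16  # SPI, seq, opaque ciphertext
PLAIN_ESP = ipv4(IPPROTO_ESP, SRC, DST, ESP)
UDP_HDR = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(ESP), 0)
WRAPPED_ESP = ipv4(IPPROTO_UDP, SRC, DST, UDP_HDR + ESP)

if __name__ == "__main__":
    print("plain ESP session key:", nat_session_key(PLAIN_ESP))      # None: untrackable
    print("wrapped ESP session key:", nat_session_key(WRAPPED_ESP))  # ports present
    nat_out = port_nat_outbound(WRAPPED_ESP, PUBLIC, 61000)
    print("after NAT:", nat_session_key(nat_out), classify_nat_t(nat_out[28:]))
```

Running it shows the plain ESP packet yields no session key at all, while the UDP-wrapped copy is translated like any other UDP flow and its ESP payload arrives unchanged.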