RE: Novell Bordermanager VPN client

  • From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 4 Sep 2003 21:12:48 +0200

Hi Mark, 

according to
http://developer.novell.com/research/appnotes/2001/septembe/01/a0109015.htm:

--- Begin ---
The changes for the VPN 3.6 packet format over VPN 3.5 are as follows:
- IP Header: The Protocol ID in the IP Header is UDP (17) instead of SKIP
(57). This is required for translation at the NAT.
- UDP Header: A new UDP header (with source and destination port = 2010) is
inserted between the IP and SKIP headers.
- SKIP Header: The Source and Destination NSID (name space Identifier) is
now 1 instead of 0. This indicates that the IP name space is used and that
the key lookup is now based on the Master Key-ID field.

A new 32-bit field for Source and Destination Master Key-ID has been added.
This field contains bound source and destination IP addresses respectively
(and not the NATed IP address). 
--- End ---

So, the ISA server will no longer see the SKIP protocol but a UDP protocol
as 'next protocol' in the IP Header.

HTH, 
Stefaan
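The packet-format change quoted above (IP protocol 17 instead of 57, a UDP 2010/2010 header in front of SKIP, NSID 1 and the 32-bit Master Key-IDs carrying the bound, un-NATed addresses) and the port list given further down the thread are easiest to see in bytes. The following is an added example, not code from the original posts, from Novell or from ISA Server: it builds a VPN 3.5 style packet and a VPN 3.6 style packet, pushes the latter through a simulated source NAT, and reports what a TCP/UDP-only firewall would see. Only the facts quoted from the Novell note are taken from the page; the exact SKIP header byte layout (version nibble, NSID nibbles, next header, counter, four algorithm ids, then the key IDs), the value 4 for the inner next header and the sample addresses are assumptions made for this illustration.

```python
"""Added example (not Novell or ISA Server code): VPN 3.5 vs VPN 3.6 packet
framing and what a TCP/UDP-only firewall or NAT sees.  Facts from the thread:
protocols 17/57, port 2010, NSID 0 vs 1, 32-bit Master Key-IDs holding the
bound (un-NATed) addresses.  The SKIP header byte layout below and the inner
next-header value 4 are ASSUMPTIONS made for this illustration."""
import ipaddress
import struct

IPPROTO_UDP = 17
IPPROTO_SKIP = 57          # IP protocol number for SKIP
VPN_NATT_PORT = 2010       # BorderManager VPN 3.6 NAT-T port (from the thread)
NSID_NONE = 0              # VPN 3.5: key looked up by outer IP address
NSID_IPV4 = 1              # VPN 3.6: key looked up by Master Key-ID field
SKIP_FIXED_LEN = 8         # assumed fixed part of the SKIP header


def _checksum(data: bytes) -> int:
    """Ones'-complement checksum as used in the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def _skip_header(src_nsid, dst_nsid, src_key_id=None, dst_key_id=None) -> bytes:
    # Assumed layout: ver/rsvd | S-NSID/D-NSID | next hdr | counter | 4 alg ids
    hdr = struct.pack("!8B", 0x10, (src_nsid << 4) | dst_nsid, 4, 0, 1, 1, 1, 0)
    # Master Key-IDs are present only when the NSID selects the IP name space
    if src_nsid == NSID_IPV4:
        hdr += ipaddress.IPv4Address(src_key_id).packed
    if dst_nsid == NSID_IPV4:
        hdr += ipaddress.IPv4Address(dst_key_id).packed
    return hdr


def build_vpn35(src: str, dst: str, payload: bytes) -> bytes:
    """VPN 3.5: IP(proto 57) | SKIP(NSID 0/0) | payload."""
    skip = _skip_header(NSID_NONE, NSID_NONE) + payload
    return _ipv4_header(src, dst, IPPROTO_SKIP, len(skip)) + skip


def build_vpn36(src: str, dst: str, payload: bytes) -> bytes:
    """VPN 3.6: IP(proto 17) | UDP 2010->2010 | SKIP(NSID 1/1 + key IDs) | payload.
    The key IDs carry the addresses the endpoints are bound to, i.e. pre-NAT."""
    skip = _skip_header(NSID_IPV4, NSID_IPV4, src, dst) + payload
    udp = struct.pack("!HHHH", VPN_NATT_PORT, VPN_NATT_PORT, 8 + len(skip), 0) + skip
    return _ipv4_header(src, dst, IPPROTO_UDP, len(udp)) + udp


def apply_source_nat(pkt: bytes, public_ip: str) -> bytes:
    """Rewrite the outer source address the way a NAT device (or SecureNAT) would."""
    hdr = bytearray(pkt[:20])
    hdr[12:16] = ipaddress.IPv4Address(public_ip).packed
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", _checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]


def inspect(pkt: bytes) -> dict:
    """What a TCP/UDP-only firewall sees, plus the SKIP key identity if present."""
    ihl = (pkt[0] & 0x0F) * 4
    info = {"ip_protocol": pkt[9],
            "outer_src": str(ipaddress.IPv4Address(pkt[12:16])),
            "outer_dst": str(ipaddress.IPv4Address(pkt[16:20]))}
    body = pkt[ihl:]
    if info["ip_protocol"] == IPPROTO_UDP:
        info["udp_sport"], info["udp_dport"] = struct.unpack("!HH", body[:4])
        info["nat_passable"] = True      # plain UDP: translatable per port
        body = body[8:] if info["udp_dport"] == VPN_NATT_PORT else b""
    else:
        info["nat_passable"] = False     # not TCP/UDP: needs a raw protocol filter
        body = body if info["ip_protocol"] == IPPROTO_SKIP else b""
    if body:
        src_nsid, dst_nsid = body[1] >> 4, body[1] & 0x0F
        info.update(src_nsid=src_nsid, dst_nsid=dst_nsid)
        off = SKIP_FIXED_LEN
        if src_nsid == NSID_IPV4:
            info["src_master_key_id"] = str(ipaddress.IPv4Address(body[off:off + 4]))
            off += 4
        if dst_nsid == NSID_IPV4:
            info["dst_master_key_id"] = str(ipaddress.IPv4Address(body[off:off + 4]))
    return info


if __name__ == "__main__":
    # Constructed sample addresses: client behind NAT, VPN gateway, NAT public IP
    client, gateway, nat = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    print("VPN 3.5", inspect(build_vpn35(client, gateway, b"\0" * 16)))
    print("VPN 3.6", inspect(apply_source_nat(build_vpn36(client, gateway, b"\0" * 16), nat)))
```

The VPN 3.5 packet shows protocol 57 with no ports to translate, which is why it needs a raw protocol filter and a routable (DMZ) host; the VPN 3.6 packet survives the source NAT with its outer address rewritten while the Master Key-IDs still name the original endpoints, which is exactly what the NSID 1 key lookup relies on.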

-----Original Message-----
From: Mark Hippenstiel [mailto:M.Hippenstiel@xxxxxxxxxxxx]
Sent: Thursday, 4 September 2003 20:58
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Novell Bordermanager VPN client


http://www.ISAserver.org


Hi Stefaan,

sorry to keep asking :) but what about SKIP then? 

Thanks
Mark

> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxx] 
> Sent: Thursday, September 04, 2003 8:11 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Novell Bordermanager VPN client
> 
> 
> Hi Mark, 
> 
> if that paper is still up-to-date, then it might work through 
> ISA server!
> 
> The protocols used seem to be:
> - TCP Port 353 outbound for the authentication gateway
> - UDP Port 353 send/receive for the keep alive to the 
> authentication gateway
> - UDP port 2010 send/receive for the NAT-T VPN tunnel
> 
> Of course, make sure you disable the Firewall client, the 
> host is configured as a SecureNAT client and that remote VPN 
> gateway and the VPN client are running the correct version. 
> 
> HTH, 
> Stefaan
> 
> -----Original Message-----
> From: Mark Hippenstiel [mailto:M.Hippenstiel@xxxxxxxxxxxx]
> Sent: Thursday, 4 September 2003 9:03
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Novell Bordermanager VPN client
> 
> 
> Hi Tom,
> 
> Just to get that sorted out: couldn't we place the client 
> into the DMZ? We could allow protocol 57 traffic then.
> 
> @Francois: There is an article from Sep. 2001 here 
> http://developer.novell.com/research/appnotes/2001/septembe/01/a0109013.htm
> which explains the Bordermanager approach to NAT-T. 
> 
> 
> 
> Thanks
> Mark
> 
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
> > Posted At: Thursday, September 04, 2003 3:05 AM
> > Posted To: www.isaserver.org
> > Conversation: [isalist] RE: Novell Bordermanager VPN client
> > Subject: [isalist] RE: Novell Bordermanager VPN client
> > 
> > 
> > Hi Francois,
> > 
> > That's right. The only IP protocols that aren't UDP or TCP
> > allowed outbound are GRE and ICMP.
> > 
> > BTW -- If the VPN protocol doesn't use encapsulation for
> > NAT-T, then that provides more evidence why Novell is 
> > primarily of historical interest.
> > 
> > HTH,
> > Tom
> > 
> > Thomas W Shinder
> > www.isaserver.org/shinder 
> > ISA Server and Beyond: http://tinyurl.com/1jq1 
> > Configuring ISA Server: http://tinyurl.com/1llp 
> > 
> > 
> > 
> > -----Original Message-----
> > From: Francois Malherbe [mailto:Francois@xxxxxxxxxxxxxx]
> > Sent: Wednesday, September 03, 2003 2:02 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Novell Bordermanager VPN client
> > 
> > 
> > Hi Mark
> > 
> > I have a definite answer from Microsoft - NO.
> > 
> > According to Microsoft, ISA server itself cannot be
> > configured to propagate this protocol. I spent about 3 months 
> > talking to MS tech support and their final solution was to 
> > get Novell to write a plug-in for ISA.
> > 
> > If you find any other answer or solution, please keep me
> > informed as well.
> > 
> > Thanks
> > 
> > Francois
> > 
> > -----Original Message-----
> > From: Mark Hippenstiel [mailto:M.Hippenstiel@xxxxxxxxxxxx]
> > Sent: 02 September 2003 11:19 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Novell Bordermanager VPN client
> > 
> > 
> > Hi Stefaan,
> > 
> > Ha! I've seen this article before - what gets me is Novell's
> > documentation: they say that I'd have to allow IP protocol
> > number 57. Which is related to a thingy called SKIP... 
> > 
> > I might be far off the line here, but if I need a custom IP
> > protocol enabled, I'd have to do this with packet filtering, 
> > yes? Wouldn't that mean that I could only use the 
> > Bordermanager client from within the DMZ? Or, put another 
> > way, packet filtering relies on normal IP routing 
> > functionality, so I couldn't possibly enter an internal 
> > network address in a packet filtering rule, right? 
> > 
> > Thanks,
> > Mark
> > 
> > > -----Original Message-----
> > > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxx]
> > > Sent: Tuesday, September 02, 2003 8:26 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Novell Bordermanager VPN client
> > > 
> > > 
> > > Hi Mark,
> > > 
> > > I haven't, but you can use my article
> > > http://www.isaserver.org/articles/IPSec_Passthrough.html as baseline
> > > ;-)
> > > 
> > > HTH,
> > > Stefaan
> > > 
> > > -----Original Message-----
> > > From: Mark Hippenstiel [mailto:M.Hippenstiel@xxxxxxxxxxxx]
> > > Sent: Tuesday, 2 September 2003 20:21
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Novell Bordermanager VPN client
> > > 
> > > 
> > > Hi,
> > > 
> > > Has anybody eventually happened to use this VPN behind ISA?
> > > 
> > > Thanks
> > > Mark
> > > 
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Other Internet Software Marketing Sites:
> > Leading Network Software Directory:
> > http://www.serverfiles.com No.1 Exchange Server Resource 
> > Site: http://www.msexchange.org Windows Security Resource 
> > Site: http://www.windowsecurity.com/ Network Security
> > Library: http://www.secinf.net/ Windows 2000/NT Fax 
> > Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion 
> > List as: stefaan.pouseele@xxxxxxx To unsubscribe send a blank 
> > email to $subst('Email.Unsub')
> > 
> 
