Hi Mark,

according to http://developer.novell.com/research/appnotes/2001/septembe/01/a0109015.htm:

--- Begin ---
The changes for the VPN 3.6 packet format over VPN 3.5 are as follows:

- IP Header: The Protocol ID in the IP Header is UDP (17) instead of SKIP (57). This is required for translation at the NAT.
- UDP Header: A new UDP header (with source and destination port = 2010) is inserted between the IP and SKIP headers.
- SKIP Header: The Source and Destination NSID (name space Identifier) is now 1 instead of 0. This indicates that the IP name space is used and that the key lookup is now based on the Master Key-ID field. A new 32-bit field for Source and Destination Master Key-ID has been added. This field contains bound source and destination IP addresses respectively (and not the NATed IP address).
--- End ---

So, the ISA server will no longer see the SKIP protocol but a UDP protocol as 'next protocol' in the IP Header.

HTH,
Stefaan

-----Original Message-----
From: Mark Hippenstiel [mailto:M.Hippenstiel@xxxxxxxxxxxx]
Sent: Thursday, 4 September 2003 20:58
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Novell Bordermanager VPN client

http://www.ISAserver.org

Hi Stefaan,

sorry to keep asking :) but what about SKIP then?

Thanks
Mark

> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxx]
> Sent: Thursday, September 04, 2003 8:11 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Novell Bordermanager VPN client
>
> Hi Mark,
>
> if that paper is still up-to-date, then it might work through
> ISA server!
>
> The protocols used seem to be:
> - TCP Port 353 outbound for the authentication gateway
> - UDP Port 353 send/receive for the keep alive to the authentication gateway
> - UDP port 2010 send/receive for the NAT-T VPN tunnel
>
> Of course, make sure you disable the Firewall client, the
> host is configured as a SecureNAT client and that remote VPN
> gateway and the VPN client are running the correct version.
>
> HTH,
> Stefaan
>
> -----Original Message-----
> From: Mark Hippenstiel [mailto:M.Hippenstiel@xxxxxxxxxxxx]
> Sent: Thursday, 4 September 2003 9:03
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Novell Bordermanager VPN client
>
> Hi Tom,
>
> Just to get that sorted out: couldn't we place the client
> into the DMZ? We could allow protocol 57 traffic then.
>
> @Francois: There is an article from Sep. 2001 here
> http://developer.novell.com/research/appnotes/2001/septembe/01/a0109013.htm
> which explains the Bordermanager approach to NAT-T.
>
> Thanks
> Mark
>
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
> > Posted At: Thursday, September 04, 2003 3:05 AM
> > Posted To: www.isaserver.org
> > Conversation: [isalist] RE: Novell Bordermanager VPN client
> > Subject: [isalist] RE: Novell Bordermanager VPN client
> >
> > Hi Francois,
> >
> > That's right. The only IP protocol that isn't UDP or TCP
> > allowed outbound is GRE and ICMP.
> >
> > BTW -- If the VPN protocol doesn't use encapsulation for
> > NAT-T, then that provides more evidence why Novell is
> > primarily of historical interest.
> >
> > HTH,
> > Tom
> >
> > Thomas W Shinder
> > www.isaserver.org/shinder
> > ISA Server and Beyond: http://tinyurl.com/1jq1
> > Configuring ISA Server: http://tinyurl.com/1llp
> >
> > -----Original Message-----
> > From: Francois Malherbe [mailto:Francois@xxxxxxxxxxxxxx]
> > Sent: Wednesday, September 03, 2003 2:02 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Novell Bordermanager VPN client
> >
> > Hi Mark
> >
> > I have a definite answer from Microsoft - NO.
> >
> > According to Microsoft, ISA server itself cannot be
> > configured to propagate this protocol. I spent about 3 months
> > talking to MS tech support and their final solution was to
> > get Novell to write a plug-in for ISA.
> >
> > If you find any other answer or solution, please keep me
> > informed as well.
> >
> > Thanks
> >
> > Francois
> >
> > -----Original Message-----
> > From: Mark Hippenstiel [mailto:M.Hippenstiel@xxxxxxxxxxxx]
> > Sent: 02 September 2003 11:19 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Novell Bordermanager VPN client
> >
> > Hi Stefaan,
> >
> > Ha! I've seen this article before - what gets me is Novell's
> > documentation: they say that I'd have to allow IP protocol
> > number 57. Which is related to a thingy called SKIP...
> >
> > I might be far off the line here, but if I need a custom IP
> > protocol enabled, I'd have to do this with packet filtering,
> > yes? Wouldn't that mean that I could only use the
> > Bordermanager client from within the DMZ? Or, put another
> > way, packet filtering relies on normal IP routing
> > functionality, so I couldn't possibly enter an internal
> > network address in a packet filtering rule, right?
> >
> > Thanks,
> > Mark
> >
> > > -----Original Message-----
> > > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxx]
> > > Sent: Tuesday, September 02, 2003 8:26 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Novell Bordermanager VPN client
> > >
> > > Hi Mark,
> > >
> > > I haven't, but you can use my article
> > > http://www.isaserver.org/articles/IPSec_Passthrough.html as baseline
> > > ;-)
> > >
> > > HTH,
> > > Stefaan
> > >
> > > -----Original Message-----
> > > From: Mark Hippenstiel [mailto:M.Hippenstiel@xxxxxxxxxxxx]
> > > Sent: Tuesday, 2 September 2003 20:21
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Novell Bordermanager VPN client
> > >
> > > Hi,
> >
> > Has anybody eventually happened to use this VPN behind ISA?
> >
> > Thanks
> > Mark
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Other Internet Software Marketing Sites:
> > Leading Network Software Directory: http://www.serverfiles.com
> > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Network Security Library: http://www.secinf.net/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion
> > List as: stefaan.pouseele@xxxxxxx To unsubscribe send a blank
> > email to $subst('Email.Unsub')
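
The packet-format change quoted from the Novell AppNote at the top of this thread, as an added example that is not part of any message in the thread: it classifies raw IPv4 packets by the IP protocol field and UDP ports, showing why bare protocol 57 traffic is dropped while the UDP 2010 encapsulation is forwarded. The FORWARDED set is a simplified assumption modelled on the outbound protocols named in the thread, and the sample packets are constructed.

```python
import socket
import struct

SKIP_PROTO, UDP_PROTO = 57, 17   # IP protocol numbers named in the quoted AppNote
NATT_PORT = 2010                 # UDP source and destination port used by VPN 3.6
# Assumption: simplified outbound policy from the thread (TCP, UDP, GRE, ICMP only).
FORWARDED = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE"}

def classify(packet: bytes) -> dict:
    """Label a raw IPv4 packet as VPN 3.5 (bare SKIP) or VPN 3.6 (SKIP in UDP)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # header length; IP options shift the payload
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    proto, kind = packet[9], "other"
    if proto == SKIP_PROTO:
        kind = "vpn3.5-skip"
    elif proto == UDP_PROTO:
        if len(packet) < ihl + 8:
            raise ValueError("truncated UDP header")
        sport, dport = struct.unpack_from("!HH", packet, ihl)
        if sport == NATT_PORT and dport == NATT_PORT:
            kind = "vpn3.6-skip-in-udp"
    return {"kind": kind, "ip_proto": proto, "forwarded": proto in FORWARDED}

def ipv4(proto: int, payload: bytes, options: bytes = b"") -> bytes:
    """Build a constructed IPv4 packet (checksum left at 0; documentation addresses)."""
    ihl_words = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0,
                         ihl_words * 4 + len(payload), 0, 0, 64, proto, 0,
                         socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.1"))
    return header + options + payload

def udp(sport: int, dport: int, body: bytes = b"") -> bytes:
    """Build a constructed UDP datagram (checksum left at 0)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body

# Constructed samples: the zero bytes stand in for the SKIP header and ciphertext.
SAMPLE_35 = ipv4(SKIP_PROTO, b"\x00" * 24)
SAMPLE_36 = ipv4(UDP_PROTO, udp(NATT_PORT, NATT_PORT, b"\x00" * 24))
SAMPLE_36_OPTS = ipv4(UDP_PROTO, udp(NATT_PORT, NATT_PORT), options=b"\x01" * 4)

if __name__ == "__main__":
    for name, pkt in [("3.5", SAMPLE_35), ("3.6", SAMPLE_36), ("3.6+opts", SAMPLE_36_OPTS)]:
        print(name, classify(pkt))
```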