RE: Novell Bordermanager VPN client
- From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxx>
- To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 4 Sep 2003 21:12:48 +0200
Hi Mark,
according to
http://developer.novell.com/research/appnotes/2001/septembe/01/a0109015.htm:
--- Begin ---
The changes for the VPN 3.6 packet format over VPN 3.5 are as follows:
- IP Header: The Protocol ID in the IP Header is UDP (17) instead of SKIP
(57). This is required for translation at the NAT.
- UDP Header: A new UDP header (with source and destination port = 2010) is
inserted between the IP and SKIP headers.
- SKIP Header: The Source and Destination NSID (name space Identifier) is
now 1 instead of 0. This indicates that the IP name space is used and that
the key lookup is now based on the Master Key-ID field.
A new 32-bit field for Source and Destination Master Key-ID has been added.
This field contains bound source and destination IP addresses respectively
(and not the NATed IP address).
--- End ---
So, the ISA server will no longer see the SKIP protocol but a UDP protocol
as 'next protocol' in the IP Header.
HTH,
Stefaan
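
The header change quoted above, as seen by a filter that keys on the IP protocol number. This is an added example, not part of the original message or of Novell's AppNote; the labels, the sample packets and the choice to match either port are assumptions, and the SKIP header itself is treated as opaque bytes.

```python
import socket
import struct

IPPROTO_UDP, IPPROTO_SKIP = 17, 57  # protocol IDs quoted from the AppNote
VPN36_PORT = 2010                   # UDP source/destination port for VPN 3.6

def classify(packet: bytes) -> str:
    """Label a raw IPv4 packet the way a protocol-number filter would see it."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4            # header length; options shift the payload
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    proto = packet[9]
    if proto == IPPROTO_SKIP:
        return "vpn3.5-skip"                # needs an IP protocol 57 rule
    if proto != IPPROTO_UDP:
        return "other"
    if frag_offset:                         # later fragments carry no UDP header
        return "udp-fragment"
    if len(packet) < ihl + 8:
        return "malformed"
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    # Assumption: match either port, since a NAT may rewrite the source port.
    if VPN36_PORT in (sport, dport):
        return "vpn3.6-udp2010"             # passes as ordinary UDP
    return "other-udp"

def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Build a constructed 20-byte IPv4 header (checksum left at 0) plus payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, socket.inet_aton("192.0.2.10"),
                         socket.inet_aton("198.51.100.1"))
    return header + payload

def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

OPAQUE = bytes(16)  # stand-in for the SKIP header and ciphertext, not parsed here
SKIP_V35 = build_ipv4(IPPROTO_SKIP, OPAQUE)
UDP_V36 = build_ipv4(IPPROTO_UDP, udp(2010, 2010, OPAQUE))
KEEPALIVE = build_ipv4(IPPROTO_UDP, udp(353, 353, b"\x00"))

if __name__ == "__main__":
    for name, pkt in [("3.5", SKIP_V35), ("3.6", UDP_V36), ("353/udp", KEEPALIVE)]:
        print(name, classify(pkt))
```
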
-----Original Message-----
From: Mark Hippenstiel [mailto:M.Hippenstiel@xxxxxxxxxxxx]
Sent: Thursday, 4 September 2003 20:58
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Novell Bordermanager VPN client
http://www.ISAserver.org
Hi Stefaan,
sorry to keep asking :) but what about SKIP then?
Thanks
Mark
> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxx]
> Sent: Thursday, September 04, 2003 8:11 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Novell Bordermanager VPN client
>
>
> Hi Mark,
>
> if that paper is still up-to-date, then it might work through
> ISA server!
>
> The protocols used seem to be:
> - TCP Port 353 outbound for the authentication gateway
> - UDP Port 353 send/receive for the keep alive to the
> authentication gateway
> - UDP port 2010 send/receive for the NAT-T VPN tunnel
>
> Of course, make sure you disable the Firewall client, the
> host is configured as a SecureNAT client and that remote VPN
> gateway and the VPN client are running the correct version.
>
> HTH,
> Stefaan
>
> -----Original Message-----
> From: Mark Hippenstiel [mailto:M.Hippenstiel@xxxxxxxxxxxx]
> Sent: Thursday, 4 September 2003 9:03
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Novell Bordermanager VPN client
>
>
> Hi Tom,
>
> Just to get that sorted out: couldn't we place the client
> into the DMZ? We could allow protocol 57 traffic then.
>
> @Francois: There is an article from Sep. 2001 here
> http://developer.novell.com/research/appnotes/2001/septembe/01/a0109013.htm
> which explains the Bordermanager approach to NAT-T.
>
>
>
> Thanks
> Mark
>
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
> > Posted At: Thursday, September 04, 2003 3:05 AM
> > Posted To: www.isaserver.org
> > Conversation: [isalist] RE: Novell Bordermanager VPN client
> > Subject: [isalist] RE: Novell Bordermanager VPN client
> >
> >
> > Hi Francois,
> >
> > That's right. The only IP protocol that isn't UDP or TCP
> > allowed outbound is GRE and ICMP.
> >
> > BTW -- If the VPN protocol doesn't use encapsulation for
> > NAT-T, then that provides more evidence why Novell is
> > primarily of historical interest.
> >
> > HTH,
> > Tom
> >
> > Thomas W Shinder
> > www.isaserver.org/shinder
> > ISA Server and Beyond: http://tinyurl.com/1jq1
> > Configuring ISA Server: http://tinyurl.com/1llp
> >
> >
> >
> > -----Original Message-----
> > From: Francois Malherbe [mailto:Francois@xxxxxxxxxxxxxx]
> > Sent: Wednesday, September 03, 2003 2:02 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Novell Bordermanager VPN client
> >
> >
> > Hi Mark
> >
> > I have a definite answer from Microsoft - NO.
> >
> > According to Microsoft, ISA server itself cannot be
> > configured to propagate this protocol. I spent about 3 months
> > talking to MS tech support and their final solution was to
> > get Novell to write a plug-in for ISA.
> >
> > If you find any other answer or solution, please keep me
> > informed as well.
> >
> > Thanks
> >
> > Francois
> >
> > -----Original Message-----
> > From: Mark Hippenstiel [mailto:M.Hippenstiel@xxxxxxxxxxxx]
> > Sent: 02 September 2003 11:19 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Novell Bordermanager VPN client
> >
> >
> > Hi Stefaan,
> >
> > Ha! I've seen this article before - what gets me is Novell's
> > documentation: they say that I'd have to allow IP protocol
> > number 57. Which is related to a thingy called SKIP...
> >
> > I might be far off the line here, but if I need a custom IP
> > protocol enabled, I'd have to do this with packet filtering,
> > yes? Wouldn't that mean that I could only use the
> > Bordermanager client from within the DMZ? Or, put another
> > way, packet filtering relies on normal IP routing
> > functionality, so I couldn't possibly enter an internal
> > network address in a packet filtering rule, right?
> >
> > Thanks,
> > Mark
> >
> > > -----Original Message-----
> > > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxx]
> > > Sent: Tuesday, September 02, 2003 8:26 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Novell Bordermanager VPN client
> > >
> > >
> > > Hi Mark,
> > >
> > > I haven't, but you can use my article
> > > http://www.isaserver.org/articles/IPSec_Passthrough.html as baseline
> > > ;-)
> > >
> > > HTH,
> > > Stefaan
> > >
> > > -----Original Message-----
> > > From: Mark Hippenstiel [mailto:M.Hippenstiel@xxxxxxxxxxxx]
> > > Sent: Tuesday, 2 September 2003 20:21
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Novell Bordermanager VPN client
> > >
> > >
> > > Hi,
> > >
> > > Has anybody eventually happened to use this VPN behind ISA?
> > >
> > > Thanks
> > > Mark
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Other Internet Software Marketing Sites:
> > Leading Network Software Directory:
> > http://www.serverfiles.com No.1 Exchange Server Resource
> > Site: http://www.msexchange.org Windows Security Resource
> > Site: http://www.windowsecurity.com/ Network Security
> > Library: http://www.secinf.net/ Windows 2000/NT Fax
> > Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion
> > List as: stefaan.pouseele@xxxxxxx To unsubscribe send a blank
> > email to $subst('Email.Unsub')
> >