RE: Windows XP SP2: start L2TP/IPSec IKE negotiation on UDP port 4500 instead of 500

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 19 Jan 2006 09:24:09 -0600

Hi Stefaan,

I thought these brain dead NAT devices allowed everything outbound,
which removes the requirement for a "Open Port" button for outbound
connections. 

So, they actually are so malevolent to block outbound UDP 500 after the
first connection? Are they going out of their way to cheat the customer
with no valid tech reason to explain why they do this?

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] 
> Sent: Thursday, January 19, 2006 9:13 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Windows XP SP2: start L2TP/IPSec IKE 
> negotiation on UDP port 4500 instead of 500
> 
> http://www.ISAserver.org
> 
> Tom, 
> 
> Yep, that's it. Well, at least it is what I think is happening because it
> doesn't work with more than one host behind the sharing device.
> 
> Now, if you disable that so-called 'IPSec passthrough' feature, UDP port 500
> is completely blocked!
> 
> Stefaan
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> Sent: donderdag 19 januari 2006 16:04
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Windows XP SP2: start L2TP/IPSec IKE 
> negotiation on
> UDP port 4500 instead of 500
> 
> http://www.ISAserver.org
> 
> Hi Stefaan,
> 
> Interesting. You really have to hand it to the "hardware" NAT device guys.
> They really take advantage of their hapless customers :\
> 
> So, this is actually an outbound issue for the NAT device? If the horked NAT
> device "sees" an outbound UDP 500 connection, then it blocks all subsequent
> UDP 500 attempts while that pseudo-session is active?
> 
> Tom
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
> 
>  
> 
> > -----Original Message-----
> > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> > Sent: Thursday, January 19, 2006 8:50 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Windows XP SP2: start L2TP/IPSec IKE 
> > negotiation on UDP port 4500 instead of 500
> > 
> > http://www.ISAserver.org
> > 
> > Hi Tom,
> > 
> > It's the ipsec hack (IPSec passthrough option) that causes trouble,
> > not the NAT. Apparently, if those sharing devices see outbound traffic
> > to UDP 500 they 'lock' all further IKE/IPSec traffic to the first host
> > who originated the UDP 500 traffic. Therefore, a second host can't
> > set up another IKE negotiation.
> > 
> > If we could start the negotiation on UDP 4500 then I think that those
> > sharing devices will not be aware that it is in fact also IKE/IPSec
> > traffic and therefore will handle that traffic as 'normal' traffic.
> > 
> > Thanks,
> > Stefaan
> > 
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > Sent: donderdag 19 januari 2006 15:29
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Windows XP SP2: start L2TP/IPSec IKE 
> > negotiation on UDP port 4500 instead of 500
> > 
> > http://www.ISAserver.org
> > 
> > Hi Stefaan,
> > 
> > I don't understand the problem. What's the difference if they start on
> > 500 or 4500?
> > 
> > Tom
> > 
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > **Who is John Galt?**
> > 
> >  
> > 
> > > -----Original Message-----
> > > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> > > Sent: Thursday, January 19, 2006 3:54 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Windows XP SP2: start L2TP/IPSec IKE negotiation on
> > > UDP port 4500 instead of 500
> > > 
> > > http://www.ISAserver.org
> > > 
> > > Hey guys,
> > > 
> > > Is it possible to configure Windows XP SP2 to start the IKE
> > > negotiation of a L2TP/IPSec VPN connection directly on UDP port 4500
> > > instead of UDP port 500?
> > > According to the RFCs this is a valid configuration.
> > > 
> > > The reason for this question is that a lot of cheap sharing devices
> > > limit the number of IPSec connections to one because of their IPSec
> > > hack implementation (aka IPSec passthrough). If we switch off the IPSec
> > > passthrough setting in the sharing device then UDP port 500 is
> > > completely blocked.
> > > 
> > > Thanks,
> > > Stefaan
> > > 
> > > 
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List as:
> > > tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit
> > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > 
> > > 

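The behaviour Stefaan describes (a sharing device that pins IKE/IPsec to the first inside host once it sees outbound UDP 500, and that blocks UDP 500 outright when the passthrough option is off) can be modelled as a NAT translation table. The following Python is an added illustration, not code from the thread or from any router vendor. It assumes the usual reason such a hack exists: classic IKE expects source and destination port UDP 500, so the device cannot rewrite the inside host's source port and can therefore track only one host, whereas NAT-T on UDP 4500 tolerates source-port rewriting and gets ordinary per-flow port translation. All addresses and port numbers below are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IKE_PORT = 500     # classic IKE: source and destination port must both be 500
NATT_PORT = 4500   # IKE with NAT traversal: source port may be rewritten by NAT


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class SharingDevice:
    """Model of a home router with the 'IPsec passthrough' hack (assumed behaviour)."""
    public_ip: str
    ipsec_passthrough: bool = True
    next_port: int = 40000
    # ordinary NAPT table: (inside ip, inside port, dst ip, dst port) -> public port
    table: Dict[Tuple[str, int, str, int], int] = field(default_factory=dict)
    # the single inside host the passthrough hack has pinned to UDP 500
    ike_owner: Optional[str] = None

    def translate_outbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as it leaves the WAN side, or None if the device drops it."""
        if pkt.dst_port == IKE_PORT:
            if not self.ipsec_passthrough:
                # passthrough disabled: UDP 500 is blocked outright
                return None
            if self.ike_owner is None:
                self.ike_owner = pkt.src_ip
            if self.ike_owner != pkt.src_ip:
                # IKE/IPsec is locked to the first host that sent UDP 500
                return None
            # source port must stay 500, so there is no port to demultiplex on
            return Packet(self.public_ip, IKE_PORT, pkt.dst_ip, IKE_PORT)
        # any other UDP flow, including NAT-T on 4500, gets a fresh public port
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return Packet(self.public_ip, self.table[key], pkt.dst_ip, pkt.dst_port)


def negotiate_two_hosts(start_port: int, passthrough: bool = True) -> List[Optional[int]]:
    """Two inside hosts each open an IKE negotiation to the same VPN server.

    Returns the public source port each host's first packet left with,
    or None where the sharing device dropped it.
    """
    nat = SharingDevice(public_ip="203.0.113.10", ipsec_passthrough=passthrough)  # constructed
    vpn_server = "198.51.100.5"  # constructed
    results: List[Optional[int]] = []
    for inside_ip in ("192.168.1.10", "192.168.1.11"):  # constructed inside hosts
        out = nat.translate_outbound(Packet(inside_ip, start_port, vpn_server, start_port))
        results.append(out.src_port if out else None)
    return results


if __name__ == "__main__":
    print("IKE on 500, passthrough on :", negotiate_two_hosts(IKE_PORT))
    print("IKE on 500, passthrough off:", negotiate_two_hosts(IKE_PORT, passthrough=False))
    print("IKE on 4500 (NAT-T)       :", negotiate_two_hosts(NATT_PORT))
```

Running it shows the three cases from the thread side by side: with passthrough on, the first host gets through on 500 and the second is dropped; with passthrough off, both are dropped; starting on 4500, both hosts get distinct public ports and the server can tell them apart.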
