RE: non-windows VPN Server behind ISA 2004 - revisited

  • From: "Crockett, Gregory" <Gregory.Crockett@xxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 13 Oct 2005 15:40:11 -0500

More info from the vendor:

"Hi Greg,

We are not fully compliant with RFC 3947 but we have remote APs working
in networks which have Aruba switch behind firewall & NAT. In such a
network topology only port 4500 needs to be open. As in my earlier email
I am suspecting that ESP packets are not hitting the switch."


I did ask if these APs are located on the Internet side of the firewall.
We, too, can get these APs working internally on different networks
passing through the firewall.



-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Thursday, October 13, 2005 12:56 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: non-windows VPN Server behind ISA 2004 -
revisited

http://www.ISAserver.org

Hi Gregory,

That's pretty strange, since if you check the NAT-T specs, UDP port 4500
is used in the RFC compliant NAT-T.

Try publishing the VPN server in the same way you would publish an
L2TP/IPSec VPN server except leave the L2TP publishing rules.

HTH,

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: Crockett, Gregory [mailto:Gregory.Crockett@xxxxxxxxx] 
> Sent: Thursday, October 13, 2005 12:51 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: non-windows VPN Server behind ISA 2004 
> - revisited
> 
> http://www.ISAserver.org
> 
> I do not think they are playing nice.  The vendor list of RFCs never
> mentioned NAT-T.
> 
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> Sent: Thursday, October 13, 2005 12:36 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: non-windows VPN Server behind ISA 2004 -
> revisited
> 
> http://www.ISAserver.org
> 
> What MS uses internally is not anything even remotely like what you're
> describing.
> As Tom said, if the traffic generated by these devices "plays nice" in
> the NAT-T space, ISA will allow it through the publishing rule.
> 
> -------------------------------------------------------
>    Jim Harrison
>    MCP(NT4, W2K), A+, Network+, PCG
>    http://isaserver.org/Jim_Harrison/
>    http://isatools.org
>    Read the help / books / articles!
> -------------------------------------------------------
>  
> 
> -----Original Message-----
> From: Crockett, Gregory [mailto:Gregory.Crockett@xxxxxxxxx] 
> Sent: Thursday, October 13, 2005 08:54
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: non-windows VPN Server behind ISA 2004 -
> revisited
> 
> http://www.ISAserver.org
> 
> I thought I had mentioned IPSec NAT-T server and client.
> 
> Should this config work across ISA 2004?  Since Microsoft recently
> picked up this switch as their wireless solution, one would think that
> it would work through ISA -- providing Microsoft is using ISA throughout
> its infrastructure and plans on using remote APs.
> 
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> Sent: Thursday, October 13, 2005 10:42 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: non-windows VPN Server behind ISA 2004 -
> revisited
> 
> http://www.ISAserver.org
> 
> ..and the use of the term "NAT-T" in the original posting.
> 
> -------------------------------------------------------
>    Jim Harrison
>    MCP(NT4, W2K), A+, Network+, PCG
>    http://isaserver.org/Jim_Harrison/
>    http://isatools.org
>    Read the help / books / articles!
> -------------------------------------------------------
>  
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> Sent: Thursday, October 13, 2005 08:37
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: non-windows VPN Server behind ISA 2004 -
> revisited
> 
> http://www.ISAserver.org
> 
> Sounds like someone forgot about UDP 500.
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
>  
> 
> > -----Original Message-----
> > From: Crockett, Gregory [mailto:Gregory.Crockett@xxxxxxxxx] 
> > Sent: Thursday, October 13, 2005 10:31 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: non-windows VPN Server behind ISA 2004 
> > - revisited
> > 
> > http://www.ISAserver.org
> > 
> > Jim,
> > 
> > This is from the switch doc:
> > 
> > The AP and secure switch communication uses the UDP 4500 port. When both
> > the switch and the AP are behind NAT devices, the AP is configured to
> > use the NAT device's public address as its master address. On the NAT
> > device, it is necessary to enable NAT-T (UDP port 4500 only) and forward
> > all packets to the public address of the NAT device on UDP port 4500 to
> > the Aruba Mobility Controller to ensure that the Remote AP bootstraps
> > successfully.
> > 
> > 
> > The VPN server is published as IPSec NAT-T Server without an internal
> > ISA server.  The wireless switch connects to ISA via Windows 2003/RRAS.
> > 
> > TIA
> > 
> > greg
> > 
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> > Sent: Thursday, October 13, 2005 9:03 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: non-windows VPN Server behind ISA 2004 -
> > revisited
> > 
> > http://www.ISAserver.org
> > 
> > ISA External to ISA internal == NAT.
> > IPSec + NAT == busted connection.
> > 
> > -----Original Message-----
> > From: Crockett, Gregory [mailto:Gregory.Crockett@xxxxxxxxx] 
> > Sent: Thursday, October 13, 2005 5:22 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] non-windows VPN Server behind ISA 2004 - revisited
> > 
> > http://www.ISAserver.org
> > 
> > The VPN server is an Aruba Networks wireless switch.  The client, a remote
> > wireless access point (RAP), connects to the switch via an IPsec/L2TP
> > tunnel.  The logs of the switch indicate the tunnel completed; however,
> > ESP died in the process.  The wireless client can attach to the switch
> > across ISA internally -- not from the Internet.  ISA logs indicate the
> > RAP connects to the switch on port/protocol 4500/udp (IPSec NAT-T
> > Server).  When the RAP connects internally, ISA logs indicate
> > port/protocol (IpSec NAT-T Client).
> > 
> > TIA
> > 
> > greg
> > 
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as:
> > jim@xxxxxxxxxxxx
> > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> > 
> > All mail to and from this domain is GFI-scanned.
> > 
> 
> 
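The thread turns on which packets survive the NAT between ISA's external and internal interfaces: IKE on UDP 500, IKE floated to UDP 4500 once NAT is detected (RFC 3947), UDP-encapsulated ESP on 4500 (RFC 3948), and raw ESP (IP protocol 50), which has no ports for a NAT to translate. The following classifier and diagnosis routine is an added example for this archive page; it is not code from the list, from Aruba or from Microsoft. It assumes the RFC 3948 demultiplexing rules on UDP 4500 (a four-byte zero "non-ESP marker" before IKE, a single 0xFF byte for NAT keepalives, otherwise an ESP header whose SPI is non-zero) and runs over a few constructed packet records, not a real capture, so that the "tunnel completed but ESP died" symptom from the original post can be recognised from a packet mix.

```python
"""Classify IPsec NAT-T traffic and diagnose the usual NAT failure modes.

Added example, not code from the mailing list or any vendor. Packet records
below are constructed for illustration; no real capture is used.
"""
import struct
from dataclasses import dataclass

IKE_PORT = 500                         # ISAKMP/IKE before NAT detection
NAT_T_PORT = 4500                      # floated IKE and UDP-encapsulated ESP
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE carried on UDP 4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948: one-byte NAT keepalive


@dataclass
class Packet:
    proto: str      # "udp" or "esp" (IP protocol 50)
    sport: int
    dport: int
    payload: bytes  # UDP payload; empty for raw ESP in this toy model


def classify(pkt: Packet) -> str:
    """Name the role of one packet in an IPsec NAT-T exchange."""
    if pkt.proto == "esp":
        return "raw-esp"
    if pkt.proto != "udp":
        return "other"
    if IKE_PORT in (pkt.sport, pkt.dport):
        return "ike-500"
    if NAT_T_PORT in (pkt.sport, pkt.dport):
        p = pkt.payload
        if p == NAT_KEEPALIVE:
            return "nat-keepalive"
        if p.startswith(NON_ESP_MARKER):
            return "ike-4500"
        # UDP-encapsulated ESP: the ESP header (non-zero SPI, then sequence
        # number) follows the UDP header directly, with no marker.
        if len(p) >= 8 and struct.unpack("!I", p[:4])[0] != 0:
            return "udp-esp"
        return "malformed-4500"
    return "other"


def diagnose(packets):
    """Count packet kinds and explain what the mix says about NAT-T health."""
    counts = {}
    for pkt in packets:
        kind = classify(pkt)
        counts[kind] = counts.get(kind, 0) + 1
    findings = []
    ike_seen = counts.get("ike-500", 0) + counts.get("ike-4500", 0)
    if ike_seen == 0:
        findings.append("no IKE at all: UDP 500/4500 are not reaching the VPN server")
    elif counts.get("ike-4500", 0) == 0:
        findings.append("IKE stayed on UDP 500: peers never switched to NAT-T, "
                        "so ESP will be sent raw and dropped by the NAT")
    if counts.get("raw-esp", 0):
        findings.append("raw ESP (IP protocol 50) seen: it cannot be port-translated")
    if counts.get("ike-4500", 0) and counts.get("udp-esp", 0) == 0:
        findings.append("IKE completed on UDP 4500 but no UDP-encapsulated ESP "
                        "followed: the 'tunnel up, ESP died' symptom; check that "
                        "ESP is encapsulated and 4500 is forwarded both ways")
    return counts, findings


def _ike_header() -> bytes:
    # Constructed ISAKMP header (IKEv1 layout): iSPI, rSPI, next payload,
    # version, exchange type, flags, message id, length. Values are illustrative.
    return struct.pack("!QQBBBBII", 0x0102030405060708, 0, 1, 0x10, 2, 0, 0, 28)


def _esp(spi: int, seq: int, body: bytes) -> bytes:
    return struct.pack("!II", spi, seq) + body


# Constructed scenarios (not captures). HEALTHY: IKE floats to 4500 and ESP
# follows inside UDP. BROKEN: IKE floats but one side still emits raw ESP.
# NO_NAT_T: IKE never leaves UDP 500.
HEALTHY = [
    Packet("udp", 500, 500, _ike_header()),
    Packet("udp", 4500, 4500, NON_ESP_MARKER + _ike_header()),
    Packet("udp", 4500, 4500, NAT_KEEPALIVE),
    Packet("udp", 4500, 4500, _esp(0xC0FFEE, 1, b"\x00" * 24)),
]
BROKEN = [
    Packet("udp", 500, 500, _ike_header()),
    Packet("udp", 4500, 4500, NON_ESP_MARKER + _ike_header()),
    Packet("esp", 0, 0, b""),
]
NO_NAT_T = [Packet("udp", 500, 500, _ike_header())]

if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY), ("broken", BROKEN), ("no-nat-t", NO_NAT_T)):
        print(name, *diagnose(sample), sep="\n  ")
```

The diagnosis is deliberately conservative: a vendor flavour that only ever talks on UDP 4500, as the Aruba quote above describes, still passes the "IKE seen" check, so the output only flags the cases the thread actually discusses (raw ESP hitting a NAT, and IKE succeeding without any encapsulated ESP afterwards).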
