Jim,

This is from the switch doc:

The AP and secure switch communication uses the UDP 4500 port. When both the switch and the AP are behind NAT devices, the AP is configured to use the NAT device's public address as its master address. On the NAT device, it is necessary to enable NAT-T (UDP port 4500 only) and forward all packets to the public address of the NAT device on UDP port 4500 to the Aruba Mobility Controller to ensure that the Remote AP bootstraps successfully.

The VPN server is published as IPSec NAT-T Server without an internal ISA server. The wireless switch connects to ISA via Windows 2003/RRAS.

TIA
greg

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Thursday, October 13, 2005 9:03 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: non-windows VPN Server behind ISA 2004 - revisited

http://www.ISAserver.org

ISA External to ISA internal == NAT.
IPSec + NAT == busted connection.

-----Original Message-----
From: Crockett, Gregory [mailto:Gregory.Crockett@xxxxxxxxx]
Sent: Thursday, October 13, 2005 5:22 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] non-windows VPN Server behind ISA 2004 - revisited

http://www.ISAserver.org

The VPN server is Aruba Networks wireless switch. The client, a remote wireless access point (RAP), connects to the switch via an ipsec/l2tp tunnel. The logs of the switch indicate the tunnel completed, however, ESP died in the process. The wireless client can attach to the switch across ISA internally -- not from the Internet. ISA logs indicate the RAP connects to the switch on port/protocol 4500/udp (IPSec NAT-T Server). When the RAP connects internally, ISA logs indicate port/protocol (IpSec NAT-T Client).
TIA
greg

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.