Is that RFC 3947 and 3948? The vendor provided me a list of RFCs -- 3947/3948 are not listed.

greg

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Thursday, October 13, 2005 11:22 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: non-windows VPN Server behind ISA 2004 - revisited

http://www.ISAserver.org

If it uses RFC compliant IPSec NAT-T, it will work. It certainly works for publishing L2TP/IPSec VPNs, and the L2TP component has no bearing (to the firewall) on IPSec passthrough.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: Crockett, Gregory [mailto:Gregory.Crockett@xxxxxxxxx]
> Sent: Thursday, October 13, 2005 10:54 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: non-windows VPN Server behind ISA 2004 - revisited
>
> I thought I had mentioned IPSec NAT-T server and client.
>
> Should this config work across ISA 2004? Since Microsoft recently
> picked up this switch as their wireless solution, one would think that
> it would work through ISA -- providing Microsoft is using ISA throughout
> its infrastructure, and plans on using remote APs.
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Thursday, October 13, 2005 10:42 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: non-windows VPN Server behind ISA 2004 - revisited
>
> ..and the use of the term "NAT-T" in the original posting.
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Thursday, October 13, 2005 08:37
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: non-windows VPN Server behind ISA 2004 - revisited
>
> Sounds like someone forgot about UDP 500.
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
> > -----Original Message-----
> > From: Crockett, Gregory [mailto:Gregory.Crockett@xxxxxxxxx]
> > Sent: Thursday, October 13, 2005 10:31 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: non-windows VPN Server behind ISA 2004 - revisited
> >
> > Jim,
> >
> > This is from the switch doc:
> >
> > The AP and secure switch communication uses the UDP 4500 port. When
> > both the switch and the AP are behind NAT devices, the AP is
> > configured to use the NAT device's public address as its master
> > address. On the NAT device, it is necessary to enable NAT-T (UDP port
> > 4500 only) and forward all packets to the public address of the NAT
> > device on UDP port 4500 to the Aruba Mobility Controller to ensure
> > that the Remote AP bootstraps successfully.
> >
> > The VPN server is published as IPSec NAT-T Server without an internal
> > ISA server. The wireless switch connects to ISA via windows
> > 2003/rras.
> >
> > TIA
> >
> > greg
> >
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > Sent: Thursday, October 13, 2005 9:03 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: non-windows VPN Server behind ISA 2004 - revisited
> >
> > ISA External to ISA internal == NAT.
> > IPSec + NAT == busted connection.
> >
> > -----Original Message-----
> > From: Crockett, Gregory [mailto:Gregory.Crockett@xxxxxxxxx]
> > Sent: Thursday, October 13, 2005 5:22 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] non-windows VPN Server behind ISA 2004 - revisited
> >
> > The VPN server is an Aruba Networks wireless switch. The client, a
> > remote wireless access point (RAP), connects to the switch via an
> > ipsec/l2tp tunnel. The logs of the switch indicate the tunnel
> > completed, however, ESP died in the process. The wireless client can
> > attach to the switch across ISA internally -- not from the Internet.
> > ISA logs indicate the RAP connects to the switch on port/protocol
> > 4500/udp (IPSec NAT-T Server). When the RAP connects internally, ISA
> > logs indicate port/protocol (IpSec NAT-T Client).
> >
> > TIA
> >
> > greg
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as:
> > jim@xxxxxxxxxxxx
> > To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> > All mail to and from this domain is GFI-scanned.
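
Added example, not part of the original thread and not ISA or Aruba code: the thread turns on UDP 500 versus UDP 4500 and on RFC 3947/3948, so this Python code labels UDP payloads captured at the NAT device the way RFC 3948 tells them apart (Non-ESP Marker, NAT-keepalive, UDP-encapsulated ESP) and reports which phase of a NAT-T session is absent. The function names and the sample packets are constructed for illustration.

```python
import struct

NON_ESP_MARKER = b"\x00" * 4            # RFC 3948: precedes IKE on UDP 4500
NAT_KEEPALIVE = b"\xff"                 # RFC 3948: one-octet keepalive
IKE_HDR = struct.Struct("!8s8sBBBBII")  # ISAKMP header, 28 octets

def is_ike(data):
    """True if data begins with a plausible ISAKMP header (IKEv1 or IKEv2)."""
    if len(data) < IKE_HDR.size:
        return False
    _, _, _, version, _, _, _, length = IKE_HDR.unpack_from(data)
    return (version >> 4) in (1, 2) and length >= IKE_HDR.size

def classify(dst_port, payload):
    """Label one UDP payload seen at the NAT device."""
    if dst_port == 500:
        return "ike" if is_ike(payload) else "unknown"
    if dst_port == 4500:
        if payload == NAT_KEEPALIVE:
            return "nat-keepalive"
        if payload[:4] == NON_ESP_MARKER:
            return "ike-natt" if is_ike(payload[4:]) else "unknown"
        if len(payload) >= 8:           # non-zero SPI + sequence number
            return "esp-in-udp"
    return "unknown"

def diagnose(packets):
    """List the NAT-T phases absent from (dst_port, payload) pairs."""
    seen = {classify(port, data) for port, data in packets}
    checks = [("ike", "no IKE on UDP 500"),
              ("ike-natt", "IKE never floated to UDP 4500"),
              ("esp-in-udp", "no UDP-encapsulated ESP on UDP 4500")]
    return [msg for label, msg in checks if label not in seen]

def sample_ike(exchange):
    # Constructed IKEv1 header only (no payloads), used by the sample below.
    return IKE_HDR.pack(b"\x11" * 8, b"\x22" * 8, 1, 0x10, exchange, 0, 0,
                        IKE_HDR.size)

# Constructed capture: negotiation completes, but no ESP ever arrives.
SAMPLE = [
    (500, sample_ike(2)),                     # Main Mode on UDP 500
    (4500, NON_ESP_MARKER + sample_ike(2)),   # IKE after the port float
    (4500, NON_ESP_MARKER + sample_ike(32)),  # Quick Mode
    (4500, NAT_KEEPALIVE),
]
ESP_PACKET = struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 32  # SPI, seq, data

if __name__ == "__main__":
    print(diagnose(SAMPLE), diagnose(SAMPLE + [(4500, ESP_PACKET)]))
```

Feed it the destination port and UDP payload of each packet from a capture taken on the firewall's external interface; an empty list means IKE on 500, IKE on 4500 and encapsulated ESP were all seen.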