Fix for Watchguard IPSec NAT-T Kludge

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 2 Nov 2004 06:26:42 -0600

a1wake 
Junior Member 
Member # 24969 

posted November 01, 2004 08:21 PM
________________________________

Following up a little...
I went back and forth with WG on the issue until they finally replied
with a workaround using the policy editor. You may notice that they
never actually answered my question of WHEN or IF they would actually be
compliant with the spec.

Topic: RE: MUVPN behind ISA 2004 <-> V60 NAT-T (10 of 10), Read 4 times
Conf: IPsec MUVPN
From: W G Moderator
Date: Friday, October 29, 2004 12:38 PM

Here is what you need to do in order to have the Vclass accept IKE
solicitations when the source port is not 500:

Add in a policy like this:
Src IP = ANY (or NAT box external IP)
Dst IP = PUBLIC_PORT_IP
Service = IKE
Firewall = PASS

Nathan Buff
WatchGuard Technologies
FAQs/Issues Documentation

-----Original Message-----

Hi guys, my apologies for not mentioning this sooner, (I got lost in
details and justification, and distracted from the original question of
IF and WHEN it would be compliant) but it states right in the release
notes of the latest firmware (Vclass 5.1.1 sp1 hf1), "Known Limitations
and Issues", on page 4:

VPN (IKE and IPSec)
NAT-T is restricted to devices that do not change the source port of
regular IKE packets (UDP 500).
Typically, devices that support IPSec passthrough will not change the
source port and should function correctly with NAT-T.

This is clearly showing that it is not compliant with the latest NAT-T
specs, so is there any way to know when or if NAT-T will be correctly
supported?
JW 
--------
Any security issues with this that I may not be aware of?
This workaround does actually work, so it is helpful, however I still
can't get to my SOHO VPN routers from behind ISA or even from behind a
SOHO VPN router of the same model type, which has IPSec/L2TP
passthrough. I am guessing that the SOHO router simply does not support
NAT-T, and only supports "passthrough" which, thanks to all of your
help, I now understand is quite different.

Thanks for all your help!
JW 
 
Tom
http://www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
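As an added diagnostic example (not part of this thread, and not WatchGuard's own code or documentation), the following Python sorts UDP flows from a constructed, simplified tcpdump-style capture according to the restriction quoted from the Vclass release notes: IKE whose source port the NAT left at 500 versus IKE whose source port was rewritten, and whether the Src=ANY/Service=IKE policy from the WatchGuard reply would let the rewritten case through. The capture lines, addresses and the `vclass_accepts` model are assumptions derived from the thread's description, not observed device behaviour.

```python
import re
from collections import namedtuple

IKE_PORT = 500      # ISAKMP/IKE; the release notes require this source port intact
NAT_T_PORT = 4500   # UDP-encapsulated IKE/ESP once NAT-T has floated ports

# Simplified tcpdump-style line, e.g. "IP 198.51.100.7.500 > 203.0.113.10.500: ..."
LINE_RE = re.compile(r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):")
Flow = namedtuple("Flow", "src sport dst dport")

def parse_flows(lines):
    """Extract UDP flows from capture text; non-matching lines are skipped."""
    flows = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            flows.append(Flow(m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return flows

def classify(flow):
    """Label a flow by what the NAT in front of the client did to the IKE source port."""
    if flow.dport == IKE_PORT:
        return "ike-port-preserved" if flow.sport == IKE_PORT else "ike-port-rewritten"
    if flow.dport == NAT_T_PORT:
        return "nat-t-floated"
    return "other"

def vclass_accepts(flow, ike_any_source_policy=False):
    """Assumed model of the quoted limitation: IKE to UDP 500 is accepted only when the
    source port is still 500, unless the Src=ANY/Service=IKE policy from the
    WatchGuard reply exists.  Flows the notes do not cover (4500, other) -> None."""
    if flow.dport != IKE_PORT:
        return None
    return flow.sport == IKE_PORT or ike_any_source_policy

# Constructed capture (not from the thread): 198.51.100.7 sits behind a port-preserving
# "passthrough" router; 198.51.100.8 behind a full NAT that rewrites the source port,
# then floats to 4500; 198.51.100.9 is unrelated DNS traffic.
SAMPLE_CAPTURE = [
    "12:00:01.000 IP 198.51.100.7.500 > 203.0.113.10.500: isakmp",
    "12:00:02.000 IP 198.51.100.8.61234 > 203.0.113.10.500: isakmp",
    "12:00:03.000 IP 198.51.100.8.61235 > 203.0.113.10.4500: NONESP-encap: isakmp",
    "12:00:04.000 IP 198.51.100.9.40000 > 203.0.113.10.53: 1+ A? example.net.",
]

def report(lines, ike_any_source_policy=False):
    """(client, classification, accepted) per flow; rerun with the policy flag set."""
    return [(f.src, classify(f), vclass_accepts(f, ike_any_source_policy))
            for f in parse_flows(lines)]
```

Running `report(SAMPLE_CAPTURE)` against a real capture taken on the Vclass's outside interface shows at a glance whether the NAT in front of a failing client is the port-rewriting kind the release notes exclude.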
