a1wake
Junior Member
Member # 24969
posted November 01, 2004 08:21 PM

________________________________

Following up a little... I went back and forth with WG on the issue until they finally replied with a workaround using the policy editor. You may notice that they never actually answered my question of WHEN or IF they would actually be compliant with the spec.

Topic: RE: MUVPN behind ISA 2004 <-> V60 NAT-T (10 of 10), Read 4 times
Conf: IPsec MUVPN
From: W G Moderator
Date: Friday, October 29, 2004 12:38 PM

Here is what you need to do in order to have the Vclass accept IKE solicitations when the source port is not 500:

Add in a policy like this:

Src IP = ANY (or NAT box external IP)
Dst IP = PUBLIC_PORT_IP
Service = IKE
Firewall = PASS

Nathan Buff
WatchGuard Technologies
FAQs/Issues Documentation

-----Original Message-----

Hi guys, my apologies for not mentioning this sooner (I got lost in details and justification, and distracted from the original question of IF and WHEN it would be compliant), but it states right in the release notes of the latest firmware (Vclass 5.1.1 sp1 hf1), "Known Limitations and Issues", on page 4:

VPN (IKE and IPSec)
NAT-T is restricted to devices that do not change the source port of regular IKE packets (UDP 500). Typically, devices that support IPSec passthrough will not change the source port and should function correctly with NAT-T.

This is clearly showing that it is not compliant with the latest NAT-T specs, so is there any way to know when or if NAT-T will be correctly supported?

JW

--------

Any security issues with this that I may not be aware of? This workaround does actually work, so it is helpful; however, I still can't get to my SOHO VPN routers from behind ISA or even from behind a SOHO VPN router of the same model type, which has IPSec/L2TP passthrough. I am guessing that the SOHO router simply does not support NAT-T, and only supports "passthrough", which, thanks to all of your help, I now understand is quite different.

Thanks for all your help!

JW

Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
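The post above turns on one point: a NAT in front of the initiator (ISA 2004 here) may rewrite the UDP source port of IKE away from 500, and a responder that insists on source port 500 never gets as far as NAT-T. The following is an added example, not code from the thread, from WatchGuard or from ISA; it models how an RFC 3947/3948-compliant responder handles that case (NAT-D hash comparison, then floating to UDP 4500 with the non-ESP marker) beside the strict "source port must be 500" rule quoted from the Vclass release notes. The cookies, addresses and port numbers are constructed for the demo, and SHA-1 is assumed as the negotiated IKEv1 hash.

```python
# Added example (not code from the thread, WatchGuard or ISA): an IKE responder
# that follows RFC 3947/3948 versus one that only accepts IKE from UDP 500.
# Cookies, addresses and ports below are constructed; SHA-1 is assumed.
import hashlib
import socket
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 s2.2: 4 zero octets precede IKE on UDP 4500


def natd_hash(cky_i, cky_r, ip, port, hash_name="sha1"):
    """NAT-D payload body, RFC 3947 s3.2: HASH(CKY-I | CKY-R | IP | Port).
    IKEv1 uses the hash negotiated in the SA; SHA-1 is assumed here."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def build_natd(cky_i, cky_r, peer_ip, peer_port, own_ip, own_port):
    """Sender's NAT-D payloads: first the peer's address, then its own,
    computed from the sender's view before any NAT touches the packet."""
    return [natd_hash(cky_i, cky_r, peer_ip, peer_port),
            natd_hash(cky_i, cky_r, own_ip, own_port)]


def detect_nat(cky_i, cky_r, natd_payloads, own_ip, own_port, seen_src_ip, seen_src_port):
    """Receiver recomputes the hashes from what it actually saw on the wire.
    First payload != hash of its own address -> receiver is behind a NAT.
    Hash of observed source not in the rest  -> sender is behind a NAT."""
    expect_own = natd_hash(cky_i, cky_r, own_ip, own_port)
    expect_peer = natd_hash(cky_i, cky_r, seen_src_ip, seen_src_port)
    return {"local_behind_nat": natd_payloads[0] != expect_own,
            "peer_behind_nat": expect_peer not in natd_payloads[1:]}


def strict_source_port_ok(src_port):
    """The Vclass limitation quoted in the post: IKE only from UDP source port 500."""
    return src_port == 500


def classify_udp4500(payload):
    """Demultiplex UDP 4500 after port floating: IKE carries the non-ESP
    marker, ESP-in-UDP starts with a non-zero SPI (RFC 3948)."""
    if len(payload) < 4:
        return "short"
    return "ike" if payload[:4] == NON_ESP_MARKER else "esp"


def simulate(init_ip, init_port, wire_ip, wire_port, resp_ip, resp_port=500):
    """One NAT-D exchange: the initiator builds NAT-D from its own view; the
    NAT presents the packet to the responder as wire_ip:wire_port."""
    cky_i = bytes.fromhex("0123456789abcdef")  # constructed initiator cookie
    cky_r = bytes.fromhex("fedcba9876543210")  # constructed responder cookie
    natd = build_natd(cky_i, cky_r, resp_ip, resp_port, init_ip, init_port)
    result = detect_nat(cky_i, cky_r, natd, resp_ip, resp_port, wire_ip, wire_port)
    result["strict_accepts"] = strict_source_port_ok(wire_port)
    # A compliant pair floats to UDP 4500 once either side has seen a NAT.
    result["float_to_4500"] = result["local_behind_nat"] or result["peer_behind_nat"]
    return result


if __name__ == "__main__":
    # NAT that rewrites address and source port (500 -> 1041), as ISA can
    print(simulate("192.168.1.10", 500, "203.0.113.5", 1041, "198.51.100.1"))
    # "passthrough" NAT: address rewritten, source port 500 preserved
    print(simulate("192.168.1.10", 500, "203.0.113.5", 500, "198.51.100.1"))
    # no NAT on the path
    print(simulate("203.0.113.5", 500, "203.0.113.5", 500, "198.51.100.1"))
```

The first case is the one the thread is about: the NAT-D hashes still let a compliant responder detect the NAT and float to 4500, while the strict rule drops the packet before any of that runs. The second case is why the release note says passthrough devices "should function correctly": the source port survives, so the strict check passes and NAT-D still detects the address rewrite. The policy workaround from WatchGuard (Service = IKE from any source) corresponds to switching off the strict check in this model; what it does not do is make a peer that lacks NAT-T (passthrough-only SOHO routers, as the post suspects) start sending NAT-D payloads.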