Hi Jim,

maybe I have a language problem, but as indicated in many posts on isaserver.org, you can pass IPSec traffic *_through_* ISA if and only if the VPN endpoints (the client and the gateway) support the NAT Traversal drafts. With the NAT Traversal drafts I mean:

- http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-reqts-01.txt
- http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-03.txt
- http://www.ietf.org/internet-drafts/draft-ietf-ipsec-udp-encaps-03.txt

More specifically, it is the UDP encapsulation of the IPSec traffic, performed by the VPN endpoints, which makes this possible. ISA will only see UDP traffic!

However, there are not so many IPSec implementations that adhere to these latest drafts. Most IPSec implementations I know of (Checkpoint, Cisco, Nortel, Netscreen, ...) use at this moment a UDP port different from UDP port 500 (IKE) for the UDP encapsulated traffic. This means you have to create an extra protocol definition for the UDP encapsulated IPSec traffic (i.e. Cisco VPN3000 uses by default UDP port 10000 for that).

If I'm well informed, the Windows .NET release as well as the new L2TP/IPSec client for Windows 98, Windows Me, and Windows NT Workstation 4.0 (http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp) should already support the NAT Traversal feature as defined above. I've not yet done any tests, but I expect that if you are running ISA on .NET instead of W2K, *maybe* you can already terminate a NAT Traversal compatible IPSec implementation on ISA.

Regards,
Stefaan

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Saturday 24 August 2002 18:41
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA2000 Nat Traversal

http://www.ISAserver.org

That was my point (if a bit obfuscated). ISA NAT does not support "traversal" in the same context as is applied to IPSec.
The only VPN technology that is supported *_through_* ISA is PPTP, and that only from SecureNAT clients. ISA can terminate IPSec or PPTP VPN (actually RRAS does it).

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/pages/author_index.asp?aut=3
http://jalojash.org/isatools
Read the books!

----- Original Message -----
From: "Andrew Prince" <Andrew@xxxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Saturday, August 24, 2002 9:06 AM
Subject: [isalist] Re: ISA2000 Nat Traversal

http://www.ISAserver.org

Jim,

Thanks for the reply - I am however confused. PPTP does not need NAT traversal as there is no encryption with the packet payload, therefore the packet can be modified without any devices interpreting that as the loss of data integrity. With IPsec L2TP the problem involves ensuring packet integrity. When a packet passes through a NAT device, the original IP address is modified. This cannot happen with IPsec, because any modification of the packet will result in a failed integrity check and prevent the VPN tunnel from being created.

Cheers,
Andy.

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: 24 August 2002 16:27
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA2000 Nat Traversal

http://www.ISAserver.org

Only for Windows 2000 PPTP.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/pages/author_index.asp?aut=3
http://jalojash.org/isatools
Read the books!

----- Original Message -----
From: "Andrew Prince" <andrew@xxxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Saturday, August 24, 2002 7:15 AM
Subject: [isalist] ISA2000 Nat Traversal

http://www.ISAserver.org

Can anyone tell me if ISA2000 supports NAT Traversal?
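To illustrate the two points made in this thread (Andy's: an integrity check that covers the IP header fails once a NAT rewrites the address; Stefaan's: with UDP encapsulation the endpoints' ICV covers only the ESP part, so a NAT such as ISA can rewrite the outer address and port and only ever sees UDP), here is an added Python sketch that is not from the thread, ISA, or any of the products named. The key, addresses, ports and payloads are constructed for the demo; the 12-byte truncated HMAC-SHA1 ICV and the 4-byte non-ESP marker that lets IKE and ESP share the NAT-T UDP port follow the udp-encaps and nat-t-ike drafts cited above, and the outer IP/UDP header is reduced to a dictionary.

```python
import hmac
import hashlib
import struct

# Constructed demo key; a real SA derives its keys from the IKE exchange.
KEY = b"constructed-demo-key"
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # SPI 0 is reserved, so 4 zero bytes cannot be ESP
ICV_LEN = 12                          # HMAC-SHA1-96, the draft-era ESP/AH default


def icv(data: bytes) -> bytes:
    """Truncated HMAC-SHA1 integrity check value over `data`."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_style(src_ip: str, payload: bytes) -> dict:
    """AH-style protection: the ICV also covers the IP source address."""
    return {"src_ip": src_ip, "payload": payload, "icv": icv(src_ip.encode() + payload)}


def verify_ah_style(pkt: dict) -> bool:
    return hmac.compare_digest(pkt["icv"], icv(pkt["src_ip"].encode() + pkt["payload"]))


def build_udp_esp(src_ip: str, src_port: int, spi: int, seq: int, payload: bytes) -> dict:
    """NAT-T: ESP (SPI | seq | payload | ICV) carried inside a plain UDP datagram.
    The ICV covers only the ESP part, never the outer IP/UDP header."""
    esp = struct.pack("!II", spi, seq) + payload
    return {"src_ip": src_ip, "src_port": src_port, "udp_payload": esp + icv(esp)}


def build_udp_ike(src_ip: str, src_port: int, ike_msg: bytes) -> dict:
    """IKE on the NAT-T port is prefixed with the non-ESP marker so both share one port."""
    return {"src_ip": src_ip, "src_port": src_port, "udp_payload": NON_ESP_MARKER + ike_msg}


def nat(pkt: dict, new_ip: str, new_port=None) -> dict:
    """What a NAT box does: rewrite the outer address/port, leave the payload untouched."""
    out = dict(pkt, src_ip=new_ip)
    if new_port is not None and "src_port" in out:
        out["src_port"] = new_port
    return out


def classify_udp(pkt: dict) -> tuple:
    """Receiver side of the NAT-T port: ("ike", None) or ("esp", icv_ok)."""
    data = pkt["udp_payload"]
    if data[:4] == NON_ESP_MARKER:
        return ("ike", None)
    esp, tag = data[:-ICV_LEN], data[-ICV_LEN:]
    return ("esp", hmac.compare_digest(tag, icv(esp)))
```

The same NAT rewrite that breaks the AH-style check leaves the UDP-encapsulated ESP verifying cleanly, which is why ISA needs nothing beyond a UDP protocol definition for the port the endpoints use (4500 in the drafts, 10000 on the Cisco VPN3000 mentioned above).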