Re: ISA2000 Nat Traversal

  • From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 24 Aug 2002 20:12:03 +0200

Hi Jim,

maybe I have a language problem, but as indicated in many posts on
isaserver.org, you can pass IPSec traffic *_through_* ISA if and only if the
VPN endpoints (the client and the gateway) support the NAT Traversal
drafts. By the NAT Traversal drafts I mean:
- http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-reqts-01.txt
- http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-03.txt
- http://www.ietf.org/internet-drafts/draft-ietf-ipsec-udp-encaps-03.txt

More specifically, it is the UDP encapsulation of the IPSec traffic,
performed by the VPN endpoints, which makes this possible. ISA will only see
UDP traffic!

However, there are not so many IPSec implementations that adhere to these
latest drafts. Most IPSec implementations I know of (Checkpoint, Cisco,
Nortel, Netscreen, ...) use at this moment a UDP port different from UDP
port 500 (IKE) for the UDP encapsulated traffic. This means you have to
create an extra protocol definition for the UDP encapsulated IPSec traffic
(e.g. Cisco VPN3000 uses by default UDP port 10000 for that).

If I'm well informed, the Windows .NET release as well as the new L2TP/IPSec
client for Windows 98, Windows Me, and Windows NT Workstation 4.0
(http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp)
should already support the NAT Traversal feature as defined above. I've not
yet done any tests, but I expect that if you are running ISA on .NET instead
of W2K, *maybe* you can already terminate a NAT Traversal compatible IPSec
implementation on ISA.

Regards,
Stefaan
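
What "ISA will only see UDP traffic" means on the wire, as an added example
(not code from this thread or from any of the vendors named above): a small
Python demultiplexer for the UDP port 4500 payloads that NAT-Traversal
endpoints exchange, plus the NAT-D check the peers use to decide whether to
encapsulate at all. It follows the format the cited drafts were later
standardized into (RFC 3947 NAT-D payloads, RFC 3948 UDP-encapsulated ESP);
SHA-1 as the NAT-D hash, and every cookie, SPI and address below, are
constructed assumptions, not values from the thread.

```python
"""Added example (not code from this thread): what a firewall such as ISA
actually sees when two NAT-Traversal capable IPsec endpoints talk through it,
using the wire format the drafts cited above were standardized into
(RFC 3947 NAT-D / RFC 3948 UDP-encapsulated ESP). SHA-1 as the NAT-D hash
and all addresses, cookies and SPIs below are constructed assumptions."""
import hashlib
import socket
import struct

IKE_PORT = 500         # IKE phase 1 starts here; peers move to 4500 once a NAT is detected
NAT_T_PORT = 4500      # IKE and UDP-encapsulated ESP share this port after NAT detection
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefix that marks an IKE message on port 4500
NAT_KEEPALIVE = b"\xff"                # single octet sent to keep the NAT mapping alive


def classify_nat_t_payload(udp_payload: bytes) -> str:
    """Demultiplex a UDP/4500 payload the way a NAT-T endpoint (or an
    inspecting firewall) must: keepalive, IKE, or ESP. An ESP SPI is never
    zero on the wire, so the 4-byte zero marker is unambiguous."""
    if udp_payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if len(udp_payload) < 8:            # too short for an ESP or IKE header
        return "malformed"
    if udp_payload[:4] == NON_ESP_MARKER:
        return "ike"
    return "udp-encapsulated-esp"


def esp_spi(udp_payload: bytes) -> int:
    """SPI of a UDP-encapsulated ESP packet: the first 4 bytes of the payload."""
    if classify_nat_t_payload(udp_payload) != "udp-encapsulated-esp":
        raise ValueError("payload is not UDP-encapsulated ESP")
    return struct.unpack("!I", udp_payload[:4])[0]


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload value HASH(CKY-I | CKY-R | IP | Port). The real hash is
    the one negotiated in phase 1; SHA-1 is assumed here."""
    return hashlib.sha1(cky_i + cky_r + socket.inet_aton(ip)
                        + struct.pack("!H", port)).digest()


def nat_between_peers(cky_i: bytes, cky_r: bytes, received_nat_d: bytes,
                      observed_ip: str, observed_port: int) -> bool:
    """The responder hashes the source address/port it actually observed and
    compares it with the NAT-D value the initiator computed over its own
    address. A mismatch means a NAT rewrote the packet on the way, which is
    what triggers the switch to UDP encapsulation."""
    return nat_d_hash(cky_i, cky_r, observed_ip, observed_port) != received_nat_d


# --- constructed sample traffic -------------------------------------------
CKY_I = bytes.fromhex("0011223344556677")      # 8-byte initiator cookie (constructed)
CKY_R = bytes.fromhex("8899aabbccddeeff")      # 8-byte responder cookie (constructed)
SAMPLE_ESP = struct.pack("!II", 0x12345678, 1) + b"\xaa" * 16   # SPI, seq, ciphertext
SAMPLE_IKE = NON_ESP_MARKER + CKY_I + CKY_R + b"\x00" * 12       # marker + IKE header
INITIATOR_PRIVATE = "10.0.0.5"          # address the client hashes into its NAT-D payload
INITIATOR_AS_SEEN = "203.0.113.7"       # source the responder sees after the NAT (constructed)


def demo() -> dict:
    """Run the classification and NAT detection over the sample traffic."""
    sent_nat_d = nat_d_hash(CKY_I, CKY_R, INITIATOR_PRIVATE, IKE_PORT)
    return {
        "keepalive": classify_nat_t_payload(NAT_KEEPALIVE),
        "ike": classify_nat_t_payload(SAMPLE_IKE),
        "esp": classify_nat_t_payload(SAMPLE_ESP),
        "esp_spi": esp_spi(SAMPLE_ESP),
        "nat_detected": nat_between_peers(CKY_I, CKY_R, sent_nat_d,
                                          INITIATOR_AS_SEEN, IKE_PORT),
        "no_nat": nat_between_peers(CKY_I, CKY_R, sent_nat_d,
                                    INITIATOR_PRIVATE, IKE_PORT),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical consequence for a firewall in the middle is the one Stefaan
describes: nothing inside the encapsulated ESP is visible or rewritable, so
the only policy decision left is whether UDP 500 and the encapsulation port
(4500 per the drafts, or a vendor-specific port such as 10000) are allowed
through, which is exactly the extra protocol definition he mentions.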


-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Saturday 24 August 2002 18:41
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA2000 Nat Traversal


http://www.ISAserver.org


That was my point (if a bit obfuscated).
ISA NAT does not support "traversal" in the same context as is applied to
IPSec.
The only VPN technology that is supported *_through_* ISA is PPTP, and that
only from SecureNAT clients.
ISA can terminate IPSec or PPTP VPN (actually RRAS does it).

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/pages/author_index.asp?aut=3
http://jalojash.org/isatools
Read the books!

----- Original Message -----
From: "Andrew Prince" <Andrew@xxxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Saturday, August 24, 2002 9:06 AM
Subject: [isalist] Re: ISA2000 Nat Traversal


Jim,

Thanks for the reply - I am however confused.  PPTP does not need NAT
traversal as there is no encryption with the packet payload, therefore the
packet can be modified without any devices interpreting that as the loss of
data integrity.

With IPsec L2TP the problem involves ensuring packet integrity. When a
packet passes through a NAT device, the original IP address is modified.
This cannot happen with IPsec, because any modification of the packet
will result in a failed integrity check and prevent the VPN tunnel from
being created.

Cheers,
Andy.

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: 24 August 2002 16:27
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA2000 Nat Traversal


Only for Windows 2000 PPTP.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/pages/author_index.asp?aut=3
http://jalojash.org/isatools
Read the books!

----- Original Message -----
From: "Andrew Prince" <andrew@xxxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Saturday, August 24, 2002 7:15 AM
Subject: [isalist] ISA2000 Nat Traversal


Can anyone tell me if ISA2000 supports NAT Traversal?

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')


