Nortel IPsec VPN troubles

  • From: Kevin Egan <KEgan@xxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 8 Feb 2002 10:25:43 -0500

I am currently neck deep in this issue with Nortel.  They are in the process
of upgrading their hardware and have a test server running that supports NAT
as well as the client component.  I am still having problems connecting
though.  It seems I get disconnected during the negotiation process.
Stefaan mentions UDP encapsulation.  Is this something that has to be
implemented or allowed in ISA or is it strictly VPN Client and VPN Gateway
controlled?
 
Kevin.
-----Original Message-----
From: gops [mailto:gopi.tadi@xxxxxxxxxxxxxxx]
Sent: February 8, 2002 9:53 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ip protocal 50


http://www.ISAserver.org


Can you please tell me the process for how to do it?
 
Gops
----- Original Message ----- 
From: David Elmquist <mailto:david@xxxxxxxxxx>  
To: [ISAserver.org Discussion List] <mailto:isalist@xxxxxxxxxxxxx>  
Sent: Friday, February 08, 2002 5:03 AM
Subject: [isalist] Re: ip protocal 50



It is however possible to enable ESP to a device in an ISA DMZ zone, using
packet filters.
 
 David Elmquist
 
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxx] 
Sent: 8. februar 2002 00:12
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ip protocal 50
 
Hi Gops,
 
IP protocol 50 is ESP (IP Encapsulating Security Payload) and part of the
IPSec standard. If you want to get IPSec through ISA (internal IPSec VPN
client to external IPSec VPN gateway) this will *not* work. ISA is doing
NAPT (Network Address and Port Translation) and this breaks IPSec. This is
*not* an ISA-specific problem but an incompatibility issue between NAPT and
IPSec. The IETF IPSec working group (
http://www.ietf.org/html.charters/ipsec-charter.html ) responsible for the
IPSec standard is very well aware of that problem and is working hard to
solve that problem. In the meantime, the big IPSec vendors (CheckPoint,
Cisco, Redcreek, Nortel, etc.) already have a vendor-specific solution for
passing NAPT devices. Most of them have some form of UDP encapsulation of the
IPSec traffic to enable passing through NAPT devices. The only drawback is
that those solutions are at the moment vendor-specific. So, the VPN client
and gateway must be from the same vendor.
 
Regards,
Stefaan
----- Original Message ----- 
From: gops <mailto:gopi.tadi@xxxxxxxxxxxxxxx>  
To: [ISAserver.org Discussion List] <mailto:isalist@xxxxxxxxxxxxx>  
Sent: Thursday, February 07, 2002 7:53 PM
Subject: [isalist] ip protocal 50
 
Hi,
 
Can anyone help me out with how to enable IP protocol 50, step by step?
 
Gops,
 
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
------------------------------------------------------
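
The following is an added illustration, not part of the thread or of any vendor's code, of the point made in Stefaan's reply: a port-keyed NAPT has nothing to key on in an ESP (protocol 50) packet, while the same ESP data wrapped in UDP translates normally. The packet model, the addresses, and the encapsulation port are constructed for the example and do not reflect any product's actual wire format.

```python
import struct

ESP, UDP = 50, 17          # IP protocol numbers
ENCAP_PORT = 40000         # constructed placeholder; each vendor chose its own port

def ip_packet(src, dst, proto, payload):
    """Simplified packet: a dict instead of a full IPv4 header (constructed model)."""
    return {"src": src, "dst": dst, "proto": proto, "payload": payload}

def esp_payload(spi, seq, ciphertext):
    # ESP starts with a 32-bit SPI and a 32-bit sequence number; it has no port fields.
    return struct.pack("!II", spi, seq) + ciphertext

def udp_payload(sport, dport, data):
    # UDP header: source port, destination port, length, checksum (0 = not computed).
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

class Napt:
    """Toy NAPT: internal hosts share one public address, told apart by source port."""
    def __init__(self, public_ip):
        self.public_ip, self.next_port, self.table = public_ip, 50000, {}

    def outbound(self, pkt):
        if pkt["proto"] != UDP:
            return None  # no port to rewrite, so no translation entry can be made
        sport, dport, length, csum = struct.unpack("!HHHH", pkt["payload"][:8])
        key = (pkt["src"], sport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        hdr = struct.pack("!HHHH", self.table[key], dport, length, csum)
        return ip_packet(self.public_ip, pkt["dst"], UDP, hdr + pkt["payload"][8:])

def encapsulate(pkt, sport):
    """Wrap the ESP bytes in a UDP datagram so the NAPT sees ordinary UDP."""
    data = udp_payload(sport, ENCAP_PORT, pkt["payload"])
    return ip_packet(pkt["src"], pkt["dst"], UDP, data)

def demo():
    nat = Napt("203.0.113.1")
    esp = ip_packet("10.0.0.5", "198.51.100.9", ESP, esp_payload(0x1001, 1, b"\xaa" * 16))
    raw = nat.outbound(esp)                         # protocol 50: not translated
    wrapped = nat.outbound(encapsulate(esp, 1234))  # UDP: translated and forwarded
    inner = wrapped["payload"][8:]                  # receiving gateway strips UDP header
    return raw, wrapped["src"], struct.unpack("!II", inner[:8])
```

The receiving gateway has to know to strip the UDP header and treat the remainder as ESP, which is why client and gateway had to come from the same vendor while the encapsulation was not standardized.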
