RE: VPN to a cisco VPN server that uses ipsec

  • From: "Fares Rihani" <fares@xxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 20 Mar 2002 18:57:46 -0500

Hey guys, this is a report I prepared earlier this year as a technical
implementation to get the VPN-1 client working under an ISA server environment.
***private documentation***

****************************************************************
Technical Implementation of Checkpoint VPN-1 SecuRemote / Client behind ISA Server

Interchange Services VPN configuration

Quick diagram of what we are trying to achieve:

 ClientApp -------> SecuRemote -------> ISA Server -------> Check Point VPN-1

This will not work.  This however, *should* work, but is not feasible:
 ClientApp -------> SecuRemote -------> Win 2K ICS -------> Check Point VPN-1
(Internet Connection Sharing - Personally not tested)


Internet Security and Acceleration Server Configuration

Required: Make sure you allow IP routing *see link below*
SecuRemote Client: SecuRemote version 4157 or higher with 3DES encryption
Checkpoint FW-1: UDP encapsulation enabled

By design, the SecuRemote software requires these ports to operate:

 UDP 500 (IPSEC Internet Key Exchange)
 TCP 264 (Check Point SecuRemote Topology Requests)
 IP Protocol 50 (IPSEC Encapsulating Security Payload Protocol)
 UDP 2746 (UDP Encapsulation)
Additional info: (probably not needed)
        IP Protocol 94 bi-directionally when FWZ encapsulation is used.
        IP Protocol 51 bi-directionally when IKE is used.
        UDP port 259

Create those necessary rules on the ISA server:
IP Protocol 50 in IP Packet Filters, necessary TCP and UDP ports as Protocol
Rules using Protocol Definitions (see receiving end requirements).

I don't think you can make VPN-1 Securemote work through ISA, with either
FWZ or IKE key exchange. The problem's in IPsec AH, which can't be NATed.
IPSec and NAT don't get along with each other. Apparently, Firewall-1 can
traverse ISA Server sNAT through UDP-encapsulated IPsec which is possible
through SecuRemote.

At this point, with SecuRemote behind ISA you will probably be able to even
exchange keys and successfully authenticate with the VPN server, but that is
as far as you'll get (no secure protocol will pass).
You probably can't use SecuRemote through ISA.

*** Personal Solution:
So, end-to-end IPsec VPN through a firewall like ISA Server is not
possible. In this case, the SecuRemote client can be installed on the ISA
Server itself and firewall clients can share VPN tunnel by means of
Web/Winsock/sNAT (whatever option you choose).

- Install the VPN client on the Proxy host
        SecuRemote on the ISA server itself

- Initiate connection
        SecuRemote will prompt for user/password and will exchange keys to
authenticate

- Clients use Winsock connectivity through IPsec
        Firewall client installed on end user machine *or*
        Secure NAT client (default gateway set to internal IP address of ISA server)

With SecuRemote installed on the ISA box, log on to the VPN server from ISA
and all clients will utilize the server connection.

With the firewall client:
        Add the protocols you need for connectivity/usage testing.  This will
include service ports and protocols.  The protocols should secure the
traffic between the client and the VPN server. The SecuRemote application
(with site available) is then proxied through to the firewall client across
the VPN tunnel.

Using Secure NAT (Network Address Translation):
        Again, create packet filtering rules to allow communication with the VPN
gateway.  Same protocols to secure traffic, but you can further limit connections
to specific IP address(es) as necessary.  That way you are not inadvertently
allowing access through those rules for other applications.  Furthermore,
an IPsec policy should be used to secure traffic to the gateway.

If you are still having trouble, check your packet filtering logs for
diagnostic information: what are the source and destination of the blocked
packets? Double-check your allow rules.

****************************************************************
Helpful URLs:

Microsoft ISA Server Firewall and Cache resource site
http://www.isaserver.org/

TIP: Allowing Outbound PING and PPTP Connections
http://www.isaserver.org/shinder/tips/tip_ping_pptp.htm

Troubleshooting SecuRemote Connection Issues
http://www.phoneboy.com/faq/0249.html

FAQ: SecuRemote Client and NAT
http://www.phoneboy.com/faq/0141.html


****************************************************************

Personal Note:

I am not a service professional and this information should only be
considered as a technical supplement to aid in a successful implementation.
When official documentation on this issue comes around I will be sure
to send out a copy.

Hope this helps.


Fares Rihani
fares@xxxxxxxxxx
Rihani International, Inc.
www.RIHANI.com


-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxx]
Sent: Wednesday, March 20, 2002 6:37 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN to a cisco VPN server that uses ipsec


Hi David,

can you post the protocol definitions and rules you have to create?
I think UDP 500 send receive and UDP 10000 send receive is all you need.
Correct?

Regards,
Stefaan
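The thread's core claim, that IPsec AH cannot pass a NAT while Check Point's UDP-encapsulated traffic (UDP 2746) can, worked through as a small model added here. This is illustrative code, not Check Point's, ISA Server's or either poster's; the key, the addresses and the string-based packet layout are constructed, and encryption is left out because header integrity is the property that NAT breaks.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed demo key; stands in for the key IKE (UDP 500) would negotiate.
DEMO_KEY = b"constructed-demo-key-not-a-real-SA"
UDP_ENCAP_PORT = 2746  # Check Point UDP encapsulation port from the list above


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int        # 51 = AH, 50 = ESP, 17 = UDP, 6 = TCP
    ttl: int
    payload: bytes
    icv: bytes = b""  # integrity check value; empty when unprotected


def _icv(data: bytes) -> bytes:
    """HMAC-SHA1-96: AH and ESP truncate the 160-bit MAC to its first 96 bits."""
    return hmac.new(DEMO_KEY, data, hashlib.sha1).digest()[:12]


def _ah_covered_bytes(pkt: Packet) -> bytes:
    """AH authenticates the IP header as well as the payload: immutable fields
    (addresses, protocol) are covered as sent, mutable ones (TTL, header
    checksum) are treated as zero so ordinary routing does not break the ICV."""
    header = f"{pkt.src}|{pkt.dst}|{pkt.proto}|ttl=0|".encode()
    return header + pkt.payload


def ah_protect(pkt: Packet) -> Packet:
    """Wrap a packet in AH (IP protocol 51) and compute its ICV."""
    ah_pkt = replace(pkt, proto=51)
    return replace(ah_pkt, icv=_icv(_ah_covered_bytes(ah_pkt)))


def ah_verify(pkt: Packet) -> bool:
    return hmac.compare_digest(pkt.icv, _icv(_ah_covered_bytes(pkt)))


def esp_udp_encap(inner: Packet, outer_src: str, outer_dst: str) -> Packet:
    """ESP tunnel mode carried in UDP 2746: the ICV covers only the ESP body
    (the whole inner packet), never the outer IP/UDP header that NAT rewrites."""
    esp_body = f"{inner.src}|{inner.dst}|{inner.proto}|{inner.ttl}|".encode() + inner.payload
    udp_header = f"udp {UDP_ENCAP_PORT}->{UDP_ENCAP_PORT}|".encode()
    return Packet(src=outer_src, dst=outer_dst, proto=17, ttl=64,
                  payload=udp_header + esp_body, icv=_icv(esp_body))


def esp_udp_verify(outer: Packet) -> bool:
    """Strip the (possibly NAT-rewritten) UDP header and check the ESP ICV."""
    _udp_header, _sep, esp_body = outer.payload.partition(b"|")
    return outer.proto == 17 and hmac.compare_digest(outer.icv, _icv(esp_body))


def nat_rewrite(pkt: Packet, new_src: str) -> Packet:
    """What sNAT on the ISA box does to an outbound packet: new source
    address, TTL decremented, everything else passed through untouched."""
    return replace(pkt, src=new_src, ttl=pkt.ttl - 1)


def demo():
    """Returns (ah_direct, ah_after_routing, ah_after_nat, esp_udp_after_nat)."""
    # Constructed addresses: internal client, VPN-1 gateway, ISA's external IP.
    inner = Packet("10.0.0.5", "192.0.2.10", 6, 64, b"GET / HTTP/1.0")
    ah_pkt = ah_protect(inner)
    ah_direct = ah_verify(ah_pkt)
    ah_after_routing = ah_verify(replace(ah_pkt, ttl=ah_pkt.ttl - 1))  # TTL is mutable: still valid
    ah_after_nat = ah_verify(nat_rewrite(ah_pkt, "203.0.113.7"))      # address changed: ICV fails
    encap = esp_udp_encap(inner, "10.0.0.5", "192.0.2.10")
    esp_udp_after_nat = esp_udp_verify(nat_rewrite(encap, "203.0.113.7"))
    return ah_direct, ah_after_routing, ah_after_nat, esp_udp_after_nat


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `(True, True, False, True)`: the AH packet survives a hop that only decrements TTL, fails as soon as sNAT rewrites its source address, and the UDP-encapsulated ESP packet verifies after the same rewrite because its ICV never covered the outer header. That is the whole reason the post puts SecuRemote on the ISA box itself rather than behind it.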


