Hey guys, this is a report I prepared earlier this year as a technical implementation to get the VPN-1 client working under an ISA Server environment.

***private documentation***
****************************************************************

Technical Implementation of Checkpoint VPN-1 SecuRemote / Client behind ISA Server
Interchange Services VPN configuration

Quick diagram of what we are trying to achieve:

    ClientApp -------> SecuRemote -------> ISA Server -------> Check Point VPN-1

This will not work. This, however, *should* work, but is not feasible:

    ClientApp -------> SecuRemote -------> Win 2K ICS -------> Check Point VPN-1
    (Internet Connection Sharing - personally not tested)

Internet Security and Acceleration Server Configuration Required:
    Make sure you allow IP routing *see link below*

SecuRemote Client:
    SecuRemote version 4157 or higher with 3DES encryption

Checkpoint FW-1:
    UDP encapsulation enabled

By design, the SecuRemote software requires these ports to operate:
    UDP 500 (IPSEC Internet Key Exchange)
    TCP 264 (Check Point SecuRemote Topology Requests)
    IP Protocol 50 (IPSEC Encapsulating Security Payload Protocol)
    UDP 2746 (UDP Encapsulation)

Additional info (probably not needed):
    IP Protocol 94 bi-directionally when FWZ encapsulation is used.
    IP Protocol 51 bi-directionally when IKE is used.
    UDP port 259

Create those necessary rules on the ISA server: IP Protocol 50 in IP Packet Filters, and the necessary TCP and UDP ports as Protocol Rules using Protocol Definitions (see receiving end requirements).

I don't think you can make VPN-1 SecuRemote work through ISA, with either FWZ or IKE key exchange. The problem's in IPsec AH, which can't be NATed. IPsec and NAT don't get along with each other. Apparently, Firewall-1 can traverse ISA Server SNAT through UDP-encapsulated IPsec, which is possible through SecuRemote.
At this point, with SecuRemote behind ISA you will probably be able to even exchange keys and successfully authenticate with the VPN server, but that is as far as you'll get (no secure protocol will pass). You probably can't use SecuRemote through ISA.

*** Personal Solution:

So, end-to-end IPsec VPN through a firewall like ISA Server is not possible. In this case, the SecuRemote client can be installed on the ISA Server itself and firewall clients can share the VPN tunnel by means of Web/Winsock/SNAT (whatever option you choose).

- Install the VPN client on the Proxy host
    SecuRemote on the ISA server itself
- Initiate connection
    SecuRemote will prompt for user/password and will exchange keys to authenticate
- Clients use Winsock connectivity through IPsec
    Firewall client installed on end user machine *or* Secure NAT client (default gateway set to internal IP address of ISA server)

With SecuRemote installed on the ISA box, log on to the VPN server from ISA and all clients will utilize the server connection.

With the firewall client:
Add the protocols you need for connectivity/usage testing. This will include service ports and protocols. The protocols should secure the traffic between the client and the VPN server. The SecuRemote application (with site available) is then proxied through to the firewall client across the VPN tunnel.

Using Secure NAT (Network Address Translation):
Again, create packet filtering rules to allow communication with the VPN gateway. Same protocols to secure traffic, but you can further limit connections to a specific IP address(es) as necessary. That way you are not inadvertently allowing access through those rules for other applications. Furthermore, an IPsec policy should be used to secure traffic to the gateway.

If you are still having trouble, check your packet filtering logs for diagnostic information - what are the source and destination of the blocked packets? Double-check your allow rules.
****************************************************************

Helpful URLs:

Microsoft ISA Server Firewall and Cache resource site
http://www.isaserver.org/

TIP: Allowing Outbound PING and PPTP Connections
http://www.isaserver.org/shinder/tips/tip_ping_pptp.htm

Troubleshooting SecuRemote Connection Issues
http://www.phoneboy.com/faq/0249.html

FAQ: SecuRemote Client and NAT
http://www.phoneboy.com/faq/0141.html

****************************************************************

Personal Note: I am not a service professional and this information should only be considered as a technical supplement to aid in a successful implementation. When official documentation on this issue comes around I will be sure to send out a copy.

Hope this helps.

Fares Rihani
fares@xxxxxxxxxx
Rihani International, Inc.
www.RIHANI.com

-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxx]
Sent: Wednesday, March 20, 2002 6:37 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN to a cisco VPN server that uses ipsec

Hi David,

can you post the protocol definitions and rules you have to create? I think UDP 500 send receive and UDP 10000 send receive is all you need. Correct?

Regards,
Stefaan
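The report's central claim (IKE on UDP 500 gets through the ISA NAT, AH and raw ESP do not, UDP-encapsulated ESP on port 2746 does) can be demonstrated with a small model of the packet path SecuRemote -> ISA (NAT) -> VPN-1. The following is an added example and is not code from the original post, from Check Point or from Microsoft. It simplifies heavily: an HMAC over plaintext stands in for the AH/ESP integrity check value and no encryption is performed; the addresses, SPI and key are constructed; and the ISA "Secure NAT" path is assumed to behave as a port-based NAPT that needs a transport port to keep per-client state.

```python
"""Why an IPsec client behind a NAT-ing firewall fails with AH and raw ESP
but works with IKE (UDP 500) and UDP-encapsulated ESP (UDP 2746).
Constructed, simplified model: HMAC stands in for the real ICV, no encryption."""
import hashlib
import hmac
import socket
import struct

SA_KEY = b"demo-integrity-key-not-real"   # constructed; a real key comes from IKE
UDP, ESP, AH = 17, 50, 51                  # IP protocol numbers
IKE_PORT, UDP_ENCAP_PORT = 500, 2746       # ports listed in the report


def _icv(data: bytes) -> bytes:
    """96-bit truncated HMAC, the usual AH/ESP integrity check value length."""
    return hmac.new(SA_KEY, data, hashlib.sha256).digest()[:12]


def build_ike(src, dst, payload=b"IKE-SA-proposal"):
    """IKE is plain UDP 500: no ICV that binds the outer addresses."""
    return {"proto": UDP, "src": src, "dst": dst, "sport": IKE_PORT,
            "dport": IKE_PORT, "body": payload, "icv": None}


def build_ah(src, dst, payload):
    """AH: the ICV covers the immutable IP header fields (addresses) plus the
    payload, so the outer source address is part of what is authenticated."""
    icv = _icv(socket.inet_aton(src) + socket.inet_aton(dst) + payload)
    return {"proto": AH, "src": src, "dst": dst, "sport": None, "dport": None,
            "body": payload, "icv": icv}


def build_esp(src, dst, spi, seq, payload, udp_encap=False):
    """ESP: the ICV covers only the ESP header and payload, never the outer IP
    header. With udp_encap=True the ESP packet rides inside UDP 2746."""
    esp_bytes = struct.pack("!II", spi, seq) + payload
    pkt = {"src": src, "dst": dst, "body": esp_bytes, "icv": _icv(esp_bytes)}
    if udp_encap:
        pkt.update(proto=UDP, sport=UDP_ENCAP_PORT, dport=UDP_ENCAP_PORT)
    else:
        pkt.update(proto=ESP, sport=None, dport=None)
    return pkt


def snat(pkt, public_ip, nat_table, port_pool):
    """Port-based NAPT (assumed ISA Secure NAT behaviour): always rewrites the
    source address; a reply mapping is only created when there is a port."""
    out = dict(pkt, src=public_ip)
    if pkt["sport"] is not None:
        ext_port = port_pool.pop(0)
        nat_table[(public_ip, ext_port)] = (pkt["src"], pkt["sport"])
        out["sport"] = ext_port
    return out


def gateway_verify(pkt):
    """VPN-1 side: recompute the ICV over exactly what the protocol covers."""
    if pkt["icv"] is None:                 # IKE: nothing to verify here
        return True
    if pkt["proto"] == AH:
        expected = _icv(socket.inet_aton(pkt["src"]) + socket.inet_aton(pkt["dst"]) + pkt["body"])
    else:
        expected = _icv(pkt["body"])
    return hmac.compare_digest(expected, pkt["icv"])


def traverse(pkt, public_ip="203.0.113.10"):
    """Push one packet through the NAT and the gateway; return a verdict."""
    nat_table = {}
    translated = snat(pkt, public_ip, nat_table, [40000])
    if not gateway_verify(translated):
        return "rejected by gateway: integrity check failed after NAT"
    if not nat_table:
        return "reply undeliverable: port-based NAT has no mapping for this flow"
    return "accepted"


def demo(client="10.0.0.5", gateway="198.51.100.1"):
    """Run the four packet types the report discusses (addresses constructed)."""
    data = b"application data"
    return {
        "ike":     traverse(build_ike(client, gateway)),
        "ah":      traverse(build_ah(client, gateway, data)),
        "esp_raw": traverse(build_esp(client, gateway, 0x1001, 1, data)),
        "esp_udp": traverse(build_esp(client, gateway, 0x1001, 1, data, udp_encap=True)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:8s} -> {verdict}")
```

The AH case fails because the NAT rewrote a field the sender authenticated; the raw ESP case passes integrity checking but gives a port-based NAT nothing to build a return mapping on; only the UDP-encapsulated ESP packet, which is what the report's "UDP encapsulation enabled" setting on the FW-1 side turns on, satisfies both. Reading the ISA packet-filter log for the blocked flow's source, destination and protocol, as the report suggests, tells you which of these two failures you are looking at.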