RE: VPN to a cisco VPN server that uses ipsec

  • From: stefaan.pouseele@xxxxxxx
  • To: isalist@xxxxxxxxxxxxx
  • Date: Thu, 21 Mar 2002 07:20:01 -0700

Hi David,

your interpretation for UDP direction is somewhat different than my
interpretation ;-)

I quote from the docs: "You can configure the direction of the traffic
flow when you create a protocol definition. The way you specify the
direction of the traffic determines how packets will be communicated. For
TCP, the direction determines the direction of the initial communication.
For UDP, the direction determines the flow of traffic."

So, in my opinion the different values mean:
- SendReceive: Send and then receive (bi-directional flow).
- ReceiveSend: Receive and then send (bi-directional flow).
- SendOnly: exactly what it says (uni-directional flow).
- ReceiveOnly: exactly what it says (uni-directional flow).

I have verified it with the SDK documentation and they use the same
'language'.
As far as I know, all stateful firewalls use for UDP a simulated
connection state. So, I think UDP SendReceive is the equivalent of TCP
Outbound and UDP ReceiveSend is the equivalent of Inbound.

Hmm... maybe I should test it some day ;-)

Regards,
Stefaan

> Hi Stefaan
> 
> Because it is a question of which way the connection is initiated - not
> how traffic flows. Since ISA is a stateful inspection firewall, it
> allows or disallows packets based on state information. It knows which
> packets are expected as replies to a connection initiated from the inside
> and allows them. That's the reason we can work with protocol definitions
> and not be constrained to mere packet filtering.
> In my understanding, send/receive should work equally well, as it just
> says that the connection can be initiated either way. But I just could
> not get it to work. By trial and error, I found that the send only
> setting does work in this particular case. I would appreciate being
> enlightened.
> 
>  David Elmquist
> 
> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxx]
> Sent: 21. marts 2002 11:39
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: VPN to a cisco VPN server that uses ipsec
> 
> Hi David,
> 
> but if you say "it should be send only", how do the replies get back?
> Really, I don't understand it :-(
> 
> Regards,
> Stefaan
> 
> -----Original Message-----
> From: David Elmquist [mailto:david@xxxxxxxxxx]
> Sent: donderdag 21 maart 2002 11:07
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: VPN to a cisco VPN server that uses ipsec
> 
> 
> http://www.ISAserver.org
> 
> 
> 
> Hmm...my mistake again. It's been a while since I have seen an ISA
> server and I have no access to one right now.
> However, if the options you mention are the correct ones for UDP, I
> would say that it should be send only - not send/receive.
> 
> I think I'd better build me a new ISA server, before I forget where I
> put the CD :-)
> 
>  David Elmquist
> 
> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxx]
> Sent: 21. marts 2002 09:46
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: VPN to a cisco VPN server that uses ipsec
> 
> Hi David,
> 
> sorry, but in my ISA (SP1 v122.166) for UDP protocol directions you can
> NOT select direction outbound. The only choices are: send/receive
> (equivalent of TCP outbound), receive/send (equivalent of TCP inbound),
> send and receive. Could you clarify your definition of outbound.
> 
> Regards,
> Stefaan
> 
> -----Original Message-----
> From: David Elmquist [mailto:david@xxxxxxxxxx]
> Sent: donderdag 21 maart 2002 8:11
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: VPN to a cisco VPN server that uses ipsec
> 
> 
> I should clarify my mixup of the terminology:
> 
> The needed protocol definitions:
> 
> UDP 500 outbound
> UDP 10000 outbound
> 
> I tried the send receive mode first, but never got it to work.
> Can't explain why.
> Some suitable protocol rule has to allow the definitions.
> It only works with securenat clients. Firewall clients have to be
> disabled temporarily.
> 
>  David Elmquist
> 
> 
> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxx]
> Sent: 21. marts 2002 00:37
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: VPN to a cisco VPN server that uses ipsec
> 
> Hi David,
> 
> can you post the protocol definitions and rules you have to create?
> I think UDP 500 send receive and UDP 10000 send receive is all you need.
> Correct?
> 
> Regards,
> Stefaan
> 
> -----Original Message-----
> From: David Elmquist [mailto:david@xxxxxxxxxx]
> Sent: donderdag 21 maart 2002 0:26
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: VPN to a cisco VPN server that uses ipsec
> 
> 
> Provided that you are using the 3000 series client, it will
> provide the option of UDP encapsulation. It is up to you to enable
> it. You do not have to create packet filters, but you do have to
> define the described protocol rules and disable the firewall client.
> I don't know why, though I'm sure some tweaking of the client's .ini
> file could fix this.
> 
>  David Elmquist
> 
> -----Original Message-----
> From: skip [mailto:skip@xxxxxxxxxxxxxxxxx]
> Sent: 20. marts 2002 23:47
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: VPN to a cisco VPN server that uses ipsec
> 
> I think if I install the Cisco client's VPN software on the machine, then
> will it provide the UDP encapsulation for me or do I have to apply
> filters to the ISA server to allow this to go through?
> 
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> david@xxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')
> 

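The disagreement in the thread is whether a UDP protocol definition set to "send only" can let the VPN server's answers back in. The following is an added example (not ISA Server code, not from either poster) that models a stateful firewall's simulated UDP connection state against the four direction values Stefaan lists; it assumes that only the bi-directional values create state that admits the return flow, and the host addresses are constructed documentation values.

```python
from typing import Set, Tuple


class Packet:
    """One UDP datagram; outbound=True means it leaves the internal network."""

    def __init__(self, src: str, dst: str, sport: int, dport: int, outbound: bool):
        self.src, self.dst, self.sport, self.dport, self.outbound = src, dst, sport, dport, outbound


class UdpStatefulFirewall:
    """Simulated UDP connection state for one protocol definition.

    direction is one of the four values from the thread: SendReceive,
    ReceiveSend, SendOnly, ReceiveOnly. Assumption (not verified against
    ISA Server): only the bi-directional values create a state entry that
    admits the return flow; the *Only values admit one direction, no state.
    """

    def __init__(self, port: int, direction: str):
        self.port = port
        self.direction = direction
        # state key: (internal ip, internal port, external ip, external port)
        self.states: Set[Tuple[str, int, str, int]] = set()

    def allow(self, p: Packet) -> bool:
        key = (p.src, p.sport, p.dst, p.dport) if p.outbound else (p.dst, p.dport, p.src, p.sport)
        if key in self.states:          # reply to an existing pseudo-connection
            return True
        if p.dport != self.port:        # not covered by this protocol definition
            return False
        if p.outbound and self.direction in ("SendReceive", "SendOnly"):
            if self.direction == "SendReceive":
                self.states.add(key)    # remember so the server's answer gets back
            return True
        if not p.outbound and self.direction in ("ReceiveSend", "ReceiveOnly"):
            if self.direction == "ReceiveSend":
                self.states.add(key)
            return True
        return False


def simulate(direction: str) -> Tuple[bool, bool]:
    """Constructed IKE exchange: internal host 10.0.0.5 sends UDP 500 to a VPN
    server at 203.0.113.1, which answers from port 500. Returns (request ok, reply ok)."""
    fw = UdpStatefulFirewall(500, direction)
    request = Packet("10.0.0.5", "203.0.113.1", 500, 500, outbound=True)
    reply = Packet("203.0.113.1", "10.0.0.5", 500, 500, outbound=False)
    return fw.allow(request), fw.allow(reply)
```

Under this model SendOnly admits the request but drops the reply, which is Stefaan's objection; ReceiveSend admits the reply only because the rule lets the external side initiate on port 500, which is why he equates it with TCP Inbound.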