RE: Windows XP SP2: start L2TP/IPSec IKE negotiation on UDP port 4500 instead of 500

  • From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 19 Jan 2006 15:49:42 +0100

Hi Tom, 

It's the ipsec hack (IPSec passthrough option) that causes trouble, not the
NAT. Apparently, if those sharing devices see outbound traffic to UDP 500
they 'lock' all further IKE/IPSec traffic to the first host who originated
the UDP 500 traffic. Therefore, a second host can't set up another IKE
negotiation. 

If we could start the negotiation on UDP 4500 then I think that those
sharing devices will not be aware that it is in fact also IKE/IPSec traffic
and therefore will handle that traffic as 'normal' traffic. 

Thanks, 
Stefaan

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: donderdag 19 januari 2006 15:29
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Windows XP SP2: start L2TP/IPSec IKE negotiation on
UDP port 4500 instead of 500

http://www.ISAserver.org

Hi Stefaan,

I don't understand the problem. What's the difference if they start on 500
or 4500?

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> Sent: Thursday, January 19, 2006 3:54 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Windows XP SP2: start L2TP/IPSec IKE negotiation on 
> UDP port 4500 instead of 500
> 
> http://www.ISAserver.org
> 
> Hey guys,
> 
> Is it possible to configure Windows XP SP2 to start the IKE 
> negotiation of a L2TP/IPSec VPN connection directly on UDP port 4500 
> instead of UDP port 500?
> According to the RFCs this is a valid configuration. 
> 
> The reason for this question is that a lot of cheap sharing devices 
> limit the number of IPSec connections to one because of their IPSec 
> hack implementation (aka IPSec passthrough). If we switch off the IPSec 
> passthrough setting in the sharing device then UDP port 500 is 
> completely blocked.
> 
> Thanks,
> Stefaan
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as: 
> tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> 



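As an added illustration of the difference Tom asks about (this is not code from the thread or from any product mentioned in it): on UDP 4500 an IKE message is prefixed with the four-byte non-ESP marker from RFC 3948, so a NAT box that only keys its single-session "IPSec passthrough" logic on UDP 500 never sees it as IKE. The `PassthroughNat` class is a hypothetical model of the locking behaviour Stefaan describes, not the firmware of any real device; the host addresses and SPIs are constructed sample values.

```python
import struct

IKE_PORT, NAT_T_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: prefixes IKE carried on UDP 4500
IKE_HDR_LEN = 28                       # fixed ISAKMP/IKE header size


def classify(dst_port, payload):
    """Label a UDP payload the way a passthrough-aware NAT might inspect it."""
    if dst_port == IKE_PORT:
        return "ike" if len(payload) >= IKE_HDR_LEN else "malformed"
    if dst_port == NAT_T_PORT:
        if payload == b"\xff":              # single-byte NAT-T keepalive
            return "nat-keepalive"
        if payload.startswith(NON_ESP_MARKER):
            return "ike-nat-t" if len(payload) >= 4 + IKE_HDR_LEN else "malformed"
        return "esp-udp"                    # first 4 bytes are a non-zero ESP SPI
    return "other"


class PassthroughNat:
    """Hypothetical model of the single-session 'IPSec passthrough' hack:
    the first LAN host seen sending IKE on UDP 500 owns IPsec; later hosts are dropped."""

    def __init__(self):
        self.owner = None

    def forward(self, src_host, dst_port, payload):
        if classify(dst_port, payload) == "ike":
            if self.owner is None:
                self.owner = src_host
            return self.owner == src_host
        return True  # anything not recognised as IKE on 500 is NATed like plain UDP


def ike_packet(init_spi):
    """Constructed minimal IKEv2 IKE_SA_INIT header: SPIs, next payload SA(33),
    version 2.0, exchange 34, initiator flag, message id 0, length 28."""
    return struct.pack("!8s8sBBBBII", init_spi, b"\x00" * 8, 33, 0x20, 34, 0x08, 0, IKE_HDR_LEN)


def demo():
    """Two LAN hosts behind one passthrough NAT: host A on 500 wins, host B on 500 is
    locked out, host B starting directly on 4500 passes as ordinary UDP."""
    nat = PassthroughNat()
    return {
        "host_a_500": nat.forward("10.0.0.2", IKE_PORT, ike_packet(b"A" * 8)),
        "host_b_500": nat.forward("10.0.0.3", IKE_PORT, ike_packet(b"B" * 8)),
        "host_b_4500": nat.forward("10.0.0.3", NAT_T_PORT, NON_ESP_MARKER + ike_packet(b"B" * 8)),
    }
```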
