Hi Tom,

It's the IPSec hack (IPSec passthrough option) that causes trouble, not the NAT. Apparently, if those sharing devices see outbound traffic to UDP 500 they 'lock' all further IKE/IPSec traffic to the first host who originated the UDP 500 traffic. Therefore, a second host can't set up another IKE negotiation.

If we could start the negotiation on UDP 4500 then I think that those sharing devices will not be aware that it is in fact also IKE/IPSec traffic and therefore will handle that traffic as 'normal' traffic.

Thanks,
Stefaan

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Thursday 19 January 2006 15:29
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Windows XP SP2: start L2TP/IPSec IKE negotiation on UDP port 4500 instead of 500

Hi Stefaan,

I don't understand the problem. What's the difference if they start on 500 or 4500?

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> Sent: Thursday, January 19, 2006 3:54 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Windows XP SP2: start L2TP/IPSec IKE negotiation on
> UDP port 4500 instead of 500
>
> Hey guys,
>
> Is it possible to configure Windows XP SP2 to start the IKE
> negotiation of a L2TP/IPSec VPN connection directly on UDP port 4500
> instead of UDP port 500?
> According to the RFCs this is a valid configuration.
>
> The reason for this question is that a lot of cheap sharing devices
> limit the number of IPSec connections to one because of their IPSec
> hack implementation (aka IPSec passthrough). If we switch off the IPSec
> passthrough setting in the sharing device then UDP port 500 is
> completely blocked.
>
> Thanks,
> Stefaan
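
Added example, not part of the thread: a small Python classifier showing how the same IKE message is framed on UDP 500 versus UDP 4500. It goes beyond the messages above by using the RFC 3948 framing (a 4-byte non-ESP marker of zeros precedes the IKE header on UDP 4500, and a single 0xFF byte is a NAT keepalive). The function names and the sample packets are constructed for illustration.

```python
import struct

IKE_HDR = struct.Struct("!8s8sBBBBII")   # ISAKMP/IKE fixed header, 28 bytes
NON_ESP_MARKER = b"\x00" * 4             # RFC 3948: precedes IKE on UDP 4500


def parse_ike_header(data):
    """Return basic header fields, or None if data is not a plausible IKE message."""
    if len(data) < IKE_HDR.size:
        return None
    i_spi, r_spi, _np, version, exch, _flags, _mid, length = IKE_HDR.unpack_from(data)
    # Initiator cookie/SPI is never zero, the declared length covers the whole
    # datagram, and the major version is 1 (IKEv1) or 2 (IKEv2).
    if i_spi == b"\x00" * 8 or length != len(data) or (version >> 4) not in (1, 2):
        return None
    return {"major": version >> 4, "exchange": exch, "initial": r_spi == b"\x00" * 8}


def classify(port, payload):
    """Classify a UDP payload by the IKE-side port (500 or 4500) and its content."""
    if port == 500:
        return "ike-500" if parse_ike_header(payload) else "unknown"
    if port == 4500:
        if payload == b"\xff":
            return "nat-keepalive"            # RFC 3948 one-byte keepalive
        if payload[:4] == NON_ESP_MARKER:
            return "ike-4500" if parse_ike_header(payload[4:]) else "unknown"
        if len(payload) >= 8:
            return "esp-in-udp"               # starts with a non-zero ESP SPI
        return "unknown"
    return "not-ipsec"


def build_ike(initial=True, body=b"\x00" * 8):
    """Constructed sample: IKEv1 Main Mode header (exchange type 2) plus dummy body."""
    r_spi = b"\x00" * 8 if initial else b"\x22" * 8
    total = IKE_HDR.size + len(body)
    return IKE_HDR.pack(b"\x11" * 8, r_spi, 1, 0x10, 2, 0, 0, total) + body


if __name__ == "__main__":
    first = build_ike()
    print(classify(500, first))
    print(classify(4500, NON_ESP_MARKER + first))
```

A firewall rule or sensor that only inspects UDP 500 will not see the second case as IKE, which is the behaviour the top message hopes the sharing devices have.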