Hi Tom, if you have a brain dead NAT device then it works flawlessly! It's those boxes that think they should do something 'intelligent' with IPSec traffic. They were designed before IPSec NAT-T was common!

Stefaan

> Hi Stefaan,
>
> I thought these brain dead NAT devices allowed everything outbound,
> which removes the requirement for an "Open Port" button for outbound
> connections.
>
> So, they actually are so malevolent to block outbound UDP 500 after the
> first connection? Are they going out of their way to cheat the customer
> with no valid tech reason to explain why they do this?
>
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
> > -----Original Message-----
> > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> > Sent: Thursday, January 19, 2006 9:13 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Windows XP SP2: start L2TP/IPSec IKE negotiation on UDP port 4500 instead of 500
> >
> > http://www.ISAserver.org
> >
> > Tom,
> >
> > Yep, that's it. Well, at least it is what I think is happening because it
> > doesn't work with more than one host behind the sharing device.
> >
> > Now, if you disable that so called 'IPSec passthrough' feature, UDP port 500
> > is completely blocked!
> >
> > Stefaan
> >
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > Sent: Thursday, January 19, 2006 16:04
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Windows XP SP2: start L2TP/IPSec IKE negotiation on UDP port 4500 instead of 500
> >
> > Hi Stefaan,
> >
> > Interesting. You really have to hand it to the "hardware" NAT device guys.
> > They really take advantage of their hapless customers :\
> >
> > So, this is actually an outbound issue for the NAT device? If the horked NAT
> > device "sees" an outbound UDP 500 connection, then it blocks all subsequent
> > UDP 500 attempts while that pseudo-session is active?
> >
> > Tom
> >
> > > -----Original Message-----
> > > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> > > Sent: Thursday, January 19, 2006 8:50 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Windows XP SP2: start L2TP/IPSec IKE negotiation on UDP port 4500 instead of 500
> > >
> > > Hi Tom,
> > >
> > > It's the ipsec hack (IPSec passthrough option) that causes trouble,
> > > not the NAT. Apparently, if those sharing devices see outbound traffic
> > > to UDP 500 they 'lock' all further IKE/IPSec traffic to the first host
> > > that originated the UDP 500 traffic. Therefore, a second host can't
> > > set up another IKE negotiation.
> > >
> > > If we could start the negotiation on UDP 4500 then I think that those
> > > sharing devices will not be aware that it is in fact also IKE/IPSec
> > > traffic and therefore will handle that traffic as 'normal' traffic.
> > >
> > > Thanks,
> > > Stefaan
> > >
> > > -----Original Message-----
> > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > Sent: Thursday, January 19, 2006 15:29
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Windows XP SP2: start L2TP/IPSec IKE negotiation on UDP port 4500 instead of 500
> > >
> > > Hi Stefaan,
> > >
> > > I don't understand the problem. What's the difference if they start on
> > > 500 or 4500?
> > >
> > > Tom
> > >
> > > > -----Original Message-----
> > > > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> > > > Sent: Thursday, January 19, 2006 3:54 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] Windows XP SP2: start L2TP/IPSec IKE negotiation on UDP port 4500 instead of 500
> > > >
> > > > Hey guys,
> > > >
> > > > Is it possible to configure Windows XP SP2 to start the IKE
> > > > negotiation of an L2TP/IPSec VPN connection directly on UDP port 4500
> > > > instead of UDP port 500?
> > > > According to the RFCs this is a valid configuration.
> > > >
> > > > The reason for this question is that a lot of cheap sharing devices
> > > > limit the number of IPSec connections to one because of their IPSec
> > > > hack implementation (aka IPSec passthrough). If we switch off the IPSec
> > > > passthrough setting in the sharing device then UDP port 500 is
> > > > completely blocked.
> > > >
> > > > Thanks,
> > > > Stefaan
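The behaviour Stefaan describes, as an added Python model that is not part of the thread and not any vendor's code: a constructed "IPSec passthrough" box pins UDP 500 to the first inside host, while IKE that starts directly on UDP 4500 is just another UDP flow to it. The packet layout (ISAKMP header, RFC 3948 non-ESP marker and NAT-keepalive byte) follows the RFCs; the NAT box logic and the 10.0.0.x addresses are constructed for illustration.

```python
import struct

IKE_PORT, NATT_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE on 4500 is prefixed with 4 zero bytes


def ike_header(init_spi: int, exch: int = 2, length: int = 28) -> bytes:
    """Minimal 28-byte ISAKMP header (RFC 2408): cookies, next payload,
    version 1.0, exchange type (2 = Main Mode), flags, message id, length."""
    return struct.pack("!QQBBBBII", init_spi, 0, 0, 0x10, exch, 0, 0, length)


def classify(port: int, payload: bytes) -> str:
    """Classify a UDP payload the way a NAT-T aware device has to:
    on 4500 the first four bytes tell IKE (zero marker) from ESP (nonzero SPI)."""
    if port == IKE_PORT:
        return "IKE" if len(payload) >= 28 else "short"
    if port == NATT_PORT:
        if payload == b"\xff":
            return "NAT-keepalive"  # RFC 3948 keepalive is a single 0xFF byte
        if payload.startswith(NON_ESP_MARKER):
            return "IKE (UDP-encapsulated)"
        return "ESP (UDP-encapsulated)"  # an ESP SPI is never zero
    return "other"


class PassthroughNat:
    """Constructed model of the thread's 'IPSec passthrough' hack: the box keys
    on UDP 500 only and locks it to the first inside host that used it."""

    def __init__(self, passthrough: bool = True):
        self.passthrough = passthrough
        self.owner = None  # inside host that first sent to UDP 500

    def forward(self, src: str, dport: int, payload: bytes) -> bool:
        if dport == IKE_PORT:
            if not self.passthrough:
                return False  # with the hack switched off, 500 is blocked outright
            if self.owner is None:
                self.owner = src
            return src == self.owner  # a second host's IKE on 500 is dropped
        return True  # 4500 is 'normal' traffic to this box: plain NAT, any host


if __name__ == "__main__":
    nat = PassthroughNat()
    print(nat.forward("10.0.0.2", 500, ike_header(1)))                        # True
    print(nat.forward("10.0.0.3", 500, ike_header(2)))                        # False
    print(nat.forward("10.0.0.3", 4500, NON_ESP_MARKER + ike_header(2)))      # True
```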