RE: Windows XP SP2: start L2TP/IPSec IKE negotiation on UDP port 4500 instead of 500

  • From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Thu, 19 Jan 2006 08:34:38 -0700

Hi Tom, 

If you have a brain-dead NAT device, then it works flawlessly! It's those
boxes that think they should do something 'intelligent' with IPSec traffic.
They were designed before IPSec NAT-T was common!

Stefaan

> Hi Stefaan,
> 
> I thought these brain-dead NAT devices allowed everything outbound,
> which removes the requirement for an "Open Port" button for outbound
> connections.
> 
> So, they actually are so malevolent to block outbound UDP 500 after the
> first connection? Are they going out of their way to cheat the customer
> with no valid tech reason to explain why they do this?
> 
> Tom
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
> 
> 
> 
> > -----Original Message-----
> > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> > Sent: Thursday, January 19, 2006 9:13 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Windows XP SP2: start L2TP/IPSec IKE negotiation on UDP port 4500 instead of 500
> > 
> > http://www.ISAserver.org
> > 
> > Tom,
> > 
> > Yep, that's it. Well, at least it is what I think is happening because it
> > doesn't work with more than one host behind the sharing device.
> > 
> > Now, if you disable that so-called 'IPSec passthrough' feature, UDP port 500
> > is completely blocked!
> > 
> > Stefaan
> > 
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > Sent: Thursday, January 19, 2006 16:04
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Windows XP SP2: start L2TP/IPSec IKE negotiation on UDP port 4500 instead of 500
> > 
> > http://www.ISAserver.org
> > 
> > Hi Stefaan,
> > 
> > Interesting. You really have to hand it to the "hardware" NAT device guys.
> > They really take advantage of their hapless customers :\
> > 
> > So, this is actually an outbound issue for the NAT device? If the horked NAT
> > device "sees" an outbound UDP 500 connection, then it blocks all subsequent
> > UDP 500 attempts while that pseudo-session is active?
> > 
> > Tom
> > 
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > **Who is John Galt?**
> > 
> > 
> > 
> > > -----Original Message-----
> > > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> > > Sent: Thursday, January 19, 2006 8:50 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Windows XP SP2: start L2TP/IPSec IKE negotiation on UDP port 4500 instead of 500
> > > 
> > > http://www.ISAserver.org
> > > 
> > > Hi Tom,
> > > 
> > > It's the IPSec hack (IPSec passthrough option) that causes trouble,
> > > not the NAT. Apparently, if those sharing devices see outbound traffic
> > > to UDP 500 they 'lock' all further IKE/IPSec traffic to the first host
> > > that originated the UDP 500 traffic. Therefore, a second host can't
> > > set up another IKE negotiation.
> > > 
> > > If we could start the negotiation on UDP 4500 then I think that those
> > > sharing devices will not be aware that it is in fact also IKE/IPSec
> > > traffic and therefore will handle that traffic as 'normal' traffic.
> > > 
> > > Thanks,
> > > Stefaan
> > > 
> > > -----Original Message-----
> > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > Sent: Thursday, January 19, 2006 15:29
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Windows XP SP2: start L2TP/IPSec IKE negotiation on UDP port 4500 instead of 500
> > > 
> > > http://www.ISAserver.org
> > > 
> > > Hi Stefaan,
> > > 
> > > I don't understand the problem. What's the difference if they start on
> > > 500 or 4500?
> > > 
> > > Tom
> > > 
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://spaces.msn.com/members/drisa/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > > **Who is John Galt?**
> > > 
> > > 
> > > 
> > > > -----Original Message-----
> > > > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> > > > Sent: Thursday, January 19, 2006 3:54 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] Windows XP SP2: start L2TP/IPSec IKE negotiation on UDP port 4500 instead of 500
> > > > 
> > > > http://www.ISAserver.org
> > > > 
> > > > Hey guys,
> > > > 
> > > > Is it possible to configure Windows XP SP2 to start the IKE
> > > > negotiation of an L2TP/IPSec VPN connection directly on UDP port 4500
> > > > instead of UDP port 500?
> > > > According to the RFCs this is a valid configuration.
> > > > 
> > > > The reason for this question is that a lot of cheap sharing devices
> > > > limit the number of IPSec connections to one because of their IPSec
> > > > hack implementation (aka IPSec passthrough). If we switch off the IPSec
> > > > passthrough setting in the sharing device then UDP port 500 is
> > > > completely blocked.
> > > > 
> > > > Thanks,
> > > > Stefaan
> > > > 
> > > > 
> > > > ------------------------------------------------------
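The thread turns on one distinction: a sharing device keyed on UDP port 500 recognises IKE and locks it to the first inside host, while IKE carried on UDP port 4500 under NAT-T encapsulation looks like ordinary UDP to it. The following added example (constructed for this page, not code from the isalist thread or from any device vendor) builds an IKEv1 message, shows the RFC 3948 encapsulation that distinguishes IKE from ESP and NAT-keepalive on port 4500, and models the passthrough lock exactly as the thread describes it. The `SharingDevice` class, the host addresses and the cookie values are hypothetical; the ISAKMP header layout and the four-zero-byte non-ESP marker are the real wire formats.

```python
"""Added, constructed example (not code from the isalist thread or from any
vendor's device): how an IKE message looks on UDP 500 versus UDP 4500 with
NAT-T encapsulation, plus a hypothetical model of the port-500-keyed "IPSec
passthrough" hack the thread describes. Wire formats follow the ISAKMP header
(RFC 2408/2409) and RFC 3948 (non-ESP marker and NAT-keepalive on UDP 4500).
"""
import struct

# ISAKMP header: initiator cookie, responder cookie, next payload, version,
# exchange type, flags, message ID, total length (28 bytes, network order).
ISAKMP_HDR = struct.Struct("!QQBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 2.2: marks IKE (not ESP) on UDP 4500
NAT_KEEPALIVE = b"\xff"               # RFC 3948 2.3: one-byte keepalive on UDP 4500
IKEV1_VERSION = 0x10                  # major 1, minor 0 (IKEv1, the XP-era protocol)
EXCH_IDENTITY_PROTECTION = 2          # IKEv1 Main Mode exchange type


def build_ikev1_message(init_cookie, resp_cookie=0, exch=EXCH_IDENTITY_PROTECTION, payload=b""):
    """Return a raw IKEv1 message: 28-byte ISAKMP header followed by payload bytes."""
    length = ISAKMP_HDR.size + len(payload)
    return ISAKMP_HDR.pack(init_cookie, resp_cookie, 0, IKEV1_VERSION, exch, 0, 0, length) + payload


def encapsulate_natt(ike_message):
    """Wrap an IKE message for UDP 4500 by prepending the four-zero-byte non-ESP marker."""
    return NON_ESP_MARKER + ike_message


def classify_udp_payload(dst_port, payload):
    """Classify a UDP datagram the way a NAT-T-aware middlebox or IDS would."""
    if dst_port == 500:
        return "ike" if len(payload) >= ISAKMP_HDR.size else "malformed"
    if dst_port == 4500:
        if payload == NAT_KEEPALIVE:
            return "nat-keepalive"
        if payload.startswith(NON_ESP_MARKER):
            return "ike-natt" if len(payload) >= 4 + ISAKMP_HDR.size else "malformed"
        # Any other leading four bytes are an ESP SPI (an SPI is never all zero),
        # so the datagram is ESP-in-UDP.
        return "esp-udp"
    return "other"


class SharingDevice:
    """Hypothetical model of a consumer NAT box with the 'IPSec passthrough' hack
    the thread describes: the first inside host that sends to UDP 500 owns all
    IKE on port 500 for the shared public address; with the hack disabled,
    UDP 500 is blocked outright. UDP 4500 is treated as ordinary UDP."""

    def __init__(self, passthrough_enabled=True):
        self.passthrough_enabled = passthrough_enabled
        self.ike_owner = None  # inside host that has locked port 500

    def forward(self, inside_ip, dst_port, payload):
        """Return 'forward' or 'drop' for an outbound datagram from inside_ip."""
        if dst_port != 500:
            return "forward"  # 4500 and everything else: plain per-flow UDP NAT
        if not self.passthrough_enabled:
            return "drop"
        if self.ike_owner is None:
            self.ike_owner = inside_ip
        return "forward" if self.ike_owner == inside_ip else "drop"


def simulate_two_hosts(start_port):
    """Two inside hosts (constructed addresses) each open an IKE negotiation on
    start_port behind one passthrough-enabled sharing device; returns the
    per-host (classification, verdict) pairs."""
    box = SharingDevice(passthrough_enabled=True)
    results = {}
    for host, cookie in (("192.168.1.10", 0x1111), ("192.168.1.11", 0x2222)):
        msg = build_ikev1_message(cookie)
        if start_port == 4500:
            msg = encapsulate_natt(msg)
        results[host] = (classify_udp_payload(start_port, msg), box.forward(host, start_port, msg))
    return results


if __name__ == "__main__":
    for port in (500, 4500):
        print(port, simulate_two_hosts(port))
```

Running it shows the second host dropped when both start on port 500 and both forwarded when both start on port 4500, which is the behaviour Stefaan is hoping to exploit legitimately. The classifier also makes the defender's point: a device or sensor that keys only on port 500 misses IKE on 4500 entirely, whereas checking for the non-ESP marker (and the single 0xff keepalive byte) identifies NAT-T IKE, ESP-in-UDP and keepalives correctly on either port.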

