Re: IPSEC VPN NAT

That would be a workaround. But the configuration is difficult:
e.g. if two remote workers are in the same hotel then only one can work
online. The problem is, that I do not know which two persons are behind the
same nat! So I cannot pre-configure the Clients for differnet
IP-Addresses...

Any addidional thoughts appreciated!

Alex


"Julian Dragut" <julian.dragut@xxxxxxx> schrieb im Newsbeitrag
news:Ocnb1mLxGHA.3436@xxxxxxxxxxxxxxxxxxxxxxx
Alex,

The issue doesn't appear to be feature bug, but rather a config problem;
however, it seems that there's a quick fix for it:
add multiple IP addresses to ISA's VPN interface, and ask users from the
same site to connect to separate IP's. Resource permitting, setup a test
ISA/VPN and try to reproduce the setup, and start logging the vpn
connectivity without other production network garbage/noise.

HTH,

Julian

"Alex" <Alex@xxxxxxxxxx> wrote in message
news:e1HZe8FxGHA.2448@xxxxxxxxxxxxxxxxxxxxxxx
There is no problem with only one client behind a NAT-Device, but with
more than one clients!!
Any suggestions how to get it to work with more than one client at the
same time?

Alex


"Julian Dragut" <julian.dragut@xxxxxxx> schrieb im Newsbeitrag
news:uEN7qjowGHA.4688@xxxxxxxxxxxxxxxxxxxxxxx
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/vpnprotocol.mspx
NAT Traversal
There are a number of problems with using IPsec over NAT devices. A NAT
device changes packet information during the address translation
process. The process can either fail because information needed by the
NAT device for address translation is encrypted, or the address
translation process can cause the packet to be considered invalid by
IPsec. NAT traversal (NAT-T) overcomes these issues to allow IPsec peers
behind NAT devices to detect the presence of NAT devices, negotiate
IPsec security associations (SAs), and send ESP-protected data, despite
the fact that the addresses in the IPsec-protected packets are changed
by NAT. For more information, see IPsec NAT Traversal Overview.

To allow ISA Server 2004 and ISA Server 2000 to pass IPsec traffic to a
VPN server behind the ISA Server computer, the following is required:

. The VPN server must be running Microsoft Windows ServerT 2003.

. The L2TP over IPsec VPN protocol must be used.

. All VPN clients must be using the IPsec NAT-T VPN client.

Note An IPsec NAT-T client update is available, with improvements
to IPsec to better support VPN clients behind NAT devices. For computers
running Microsoft Windows® XP Service Pack 1 (SP1) and Windows 2000, a
download is available from article 818043, "L2TP/IPSec NAT-T update for
Windows XP and Windows 2000," in the Microsoft Knowledge Base. By
default, Windows XP Service Pack 2 (SP2) no longer supports establishing
IPsec NAT-T connections to servers that are located behind NAT
computers. For more information, see article 885407, "The default
behavior of IPSec NAT traversal (NAT-T) is changed in Windows XP SP2, in
the Microsoft Knowledge Base."




"Alex" <nospam@xxxxxxxxx> wrote in message
news:%232yBeq5vGHA.4576@xxxxxxxxxxxxxxxxxxxxxxx
Hello,

we implemented a VPN solution which uses the L2TP/IPSEC protocoll. The
ISA Server (ISA 2006 W2K3) is directly attached to the Internet
(without NAT). Clients use the VPN without problems, even over a NAT
Device.

But if there are multiple clients (XP SP2) behind the same NAT-Device
(client side) the second client gets no connection. We also tried
different DSL-Routers with features like IPSEC-Passthrough. But there
is no different behaviour if this feature is turned off or not. (I
think this feature is only usefull for Clients that could not use the
NAT-T protocol).

Is there a known restriction in the IPSec NAT-T protocoll, which would
explain that only one connection is possible over the same NAT
device???

A.









.

Relevant Pages

  • Re: VPN From W2K/Pro to W2K Server Doesn;t Work Through Firewall
    ... My belief is that your NAT ... My understanding is that IPSec AH protocol does not work with NAT devices ... IPSec operates in either one of two modes - transport mode or tunnel mode. ... provide a VPN remote access solution. ...
    (microsoft.public.win2000.security)
  • Re: IPsec + NAT + mehrere Tunnelendpunkte
    ... >> Verbindung zu ihrem Firmennetz per VPN aufbauen können. ... Cisco verwendet zum Bleistift Port 2000 dafuer. ... >> weiteren IPsec Tunnel zu einem anderen Endpunkt aufbauen möchte. ... > Dieser USR^W3Com NAT-Router bei ihm, ...
    (de.comp.security.firewall)
  • Re: Linux v Dedicated NAT routers - secure remote differences
    ... I think I have got the core of the issue, I assume you are using an IPsec ... VPN, so here is a quote form a Cisco paper on VPNs: ... NAT After IPSec ... then your Linux may not forward GRE for some reason. ...
    (comp.security.firewalls)
  • Re: VPN From W2K/Pro to W2K Server Doesn;t Work Through Firewall
    ... external VPN servers? ... > I did know you have Linux for NAT and my original suggestions still stand. ... > solution has IPsec passthrough, ...
    (microsoft.public.win2000.security)
  • Re: VPN From W2K/Pro to W2K Server Doesn;t Work Through Firewall
    ... I did know you have Linux for NAT and my original suggestions still stand. ... Windows 2000 server through a Linux router with NAT. ... solution has IPsec passthrough, NAT breaks IPsec AH. ... regardless of what vendor you're using for NAT and VPN. ...
    (microsoft.public.win2000.security)