RE: ISA/VPN comparison

From: James D. Stallard (james_at_leafgrove.com)
Date: 07/30/04


To: <focus-ms@securityfocus.com>
Date: Fri, 30 Jul 2004 22:27:36 +0100

Marc

The following link concerns IPSec NAT-T issues on XP:
http://support.microsoft.com/?kbid=818043

However, it is possible that your problem isn't NAT-T. It sounds to me like
the firewalls at the more secure sites are not allowing outbound the
necessary ports for VPN traffic:

L2TP Requirements: Protocol 50, IPSec NAT-T UDP 4500, IKE UDP 500
PPTP Requirement: Protocol 47, PPTP TCP 1723

Possibly, when the more secure sites solve the problem with a fixed IP they
are also opening up outbound ports for VPN traffic?

PPTP cannot handle NAT-T, period, where L2TP over IPSec can, with the above
update. Most home routers/gateways do NATting, which is why I believe your
problem is more likely to be blocked ports. Hence your proposed solution may
not actually help.

Hope this helps

Cheers

James D. Stallard

-----Original Message-----
From: Middleton, Marc A. [mailto:Marc.Middleton@Visalign.COM]
Sent: 29 July 2004 14:26
To: focus-ms@securityfocus.com
Subject: ISA/VPN comparison

I have a client who is currently running checkpoint 4.1 firewall (pre-AI).
The VPN ports have been opened to allow employees access from home/other
sites via the built in VPN client in XP. This works fine from most home
routers/gateways. However from many of the more secure client sites, the MS
VPN has issues with NAT traversal through the more hardened firewalls
without being given a static IP inside the client site. Will ISA do a better
job of this or would an upgrade to the latest version of checkpoint be
recommended? The current version of checkpoint's VPN will connect with no
issue through the hardened firewalls without issue in the tests I have done,
but I want to make the best recommendation.
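
The blocked-ports diagnosis in the reply can be checked against a site's outbound policy. The sketch below is an added example, not part of the original thread: it evaluates a first-match rule set with an implicit default deny against the L2TP and PPTP flows exactly as the reply lists them. The `Rule` format and both sample rule sets are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Flows as listed in the reply: (label, IP protocol number, destination port).
# 6 = TCP, 17 = UDP, 47 = GRE, 50 = ESP; portless protocols use None.
REQUIRED = {
    "L2TP/IPSec": [("ESP", 50, None), ("IPSec NAT-T", 17, 4500), ("IKE", 17, 500)],
    "PPTP": [("GRE", 47, None), ("PPTP control", 6, 1723)],
}

@dataclass
class Rule:  # hypothetical rule format, not any vendor's syntax
    action: str                              # "allow" or "deny"
    proto: Optional[int]                     # IP protocol number, None = any
    ports: Optional[Tuple[int, int]] = None  # inclusive dst port range, None = any

    def matches(self, proto: int, port: Optional[int]) -> bool:
        if self.proto is not None and self.proto != proto:
            return False
        if self.ports is None:
            return True
        # A port-scoped rule cannot match a portless protocol such as ESP or GRE.
        return port is not None and self.ports[0] <= port <= self.ports[1]

def allowed(rules, proto, port):
    """First matching rule wins; no match falls through to default deny."""
    for rule in rules:
        if rule.matches(proto, port):
            return rule.action == "allow"
    return False

def blocked_flows(rules):
    """Map each VPN type to the required flows the rule set does not pass."""
    return {vpn: [label for label, proto, port in flows
                  if not allowed(rules, proto, port)]
            for vpn, flows in REQUIRED.items()}

# Constructed sample policies.
HOME_ROUTER = [Rule("allow", None)]          # everything permitted outbound
HARDENED = [
    Rule("allow", 6, (80, 80)),
    Rule("allow", 6, (443, 443)),
    Rule("allow", 17, (500, 500)),           # IKE permitted
    Rule("deny", 17, (1024, 65535)),         # broad deny of high UDP ports
    Rule("allow", 17, (4500, 4500)),         # shadowed by the deny above
]

if __name__ == "__main__":
    for name, rules in (("home router", HOME_ROUTER), ("hardened site", HARDENED)):
        print(name, blocked_flows(rules))
```

In the hardened sample, IKE passes but NAT-T is caught by the earlier deny and ESP by the default deny, so the tunnel fails even though a UDP 4500 allow rule exists further down the list.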
