RE: ISA/VPN comparison

From: James D. Stallard (
Date: 07/30/04

To: <>
Date: Fri, 30 Jul 2004 22:27:36 +0100


The following link concerns IPSec NAT-T issues on XP:

However, it is possible that your problem isn't NAT-T. It sounds to me like
the firewalls at the more secure sites are not allowing outbound the
necessary ports for VPN traffic:

L2TP Requirements: Protocol 50, IPSec NAT-T UDP 4500, IKE UDP 500
PPTP Requirement: Protocol 47, PPTP TCP 1723

Possibly, when the more secure sites solve the problem with a fixed IP they
are also opening up outbound ports for VPN traffic?

PPTP cannot handle NAT-T, period, where L2TP over IPSec can, with the above
update. Most home routers/gateways do NATting, which is why I believe your
problem is more likely to be blocked ports. Hence your proposed solution may
not actually help.

Hope this helps


James D. Stallard

-----Original Message-----
From: Middleton, Marc A. [mailto:Marc.Middleton@Visalign.COM]
Sent: 29 July 2004 14:26
Subject: ISA/VPN comparison

I have a client who is currently running Check Point 4.1 firewall (pre-AI).
The VPN ports have been opened to allow employees access from home/other
sites via the built-in VPN client in XP. This works fine from most home
routers/gateways. However, from many of the more secure client sites, the MS
VPN has issues with NAT traversal through the more hardened firewalls
without being given a static IP inside the client site. Will ISA do a better
job of this or would an upgrade to the latest version of Check Point be
recommended? The current version of Check Point's VPN will connect with no
issue through the hardened firewalls without issue in the tests I have done,
but I want to make the best recommendation.
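
One way to test the blocked-ports explanation in the reply above is to run the quoted L2TP and PPTP requirements against a site's outbound rule list. This is an added example, not part of the original thread. The rule tuple format, the function names and both sample policies are constructed assumptions, and the rules are evaluated first-match with a default deny.

```python
"""Check a first-match outbound rule list against the VPN requirements quoted in the reply."""

# Requirements as listed in the reply: (name, IP protocol number, destination port or None).
# IP protocol numbers: 6 = TCP, 17 = UDP, 47 = GRE, 50 = ESP.
VPN_REQUIREMENTS = {
    "L2TP/IPSec": [("IKE", 17, 500), ("IPSec NAT-T", 17, 4500), ("Protocol 50", 50, None)],
    "PPTP": [("PPTP control", 6, 1723), ("Protocol 47", 47, None)],
}

def rule_matches(rule, proto, port):
    """Hypothetical rule format: (action, proto, port_lo, port_hi); None means 'any'."""
    _, r_proto, lo, hi = rule
    if r_proto is not None and r_proto != proto:
        return False
    if lo is None:        # rule carries no port range: matches every flow of that protocol
        return True
    if port is None:      # port-less protocol (GRE, ESP) cannot match a port-scoped rule
        return False
    return lo <= port <= hi

def egress_allowed(rules, proto, port, default="deny"):
    """First matching rule decides; otherwise the default policy applies."""
    for rule in rules:
        if rule_matches(rule, proto, port):
            return rule[0] == "allow"
    return default == "allow"

def blocked_requirements(rules, default="deny"):
    """Return {vpn_type: [names of listed requirements the rule list blocks]}."""
    return {
        vpn: [name for name, proto, port in reqs
              if not egress_allowed(rules, proto, port, default)]
        for vpn, reqs in VPN_REQUIREMENTS.items()
    }

# Constructed sample policies (not taken from the thread).
HOME_ROUTER = [("allow", None, None, None)]   # permissive outbound
HARDENED_SITE = [
    ("allow", 6, 80, 80),      # HTTP
    ("allow", 6, 443, 443),    # HTTPS
    ("allow", 17, 53, 53),     # DNS
    ("allow", 17, 500, 500),   # IKE allowed, but NAT-T and protocol 50 are not
]

if __name__ == "__main__":
    for label, rules in (("home router", HOME_ROUTER), ("hardened site", HARDENED_SITE)):
        print(label, blocked_requirements(rules))
```

An empty list for a VPN type means every listed requirement passes outbound; any name in the list is a port or protocol to raise with the site's firewall administrator.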