[nsp] VPN Clients through Border Manager

Bob Arthurs bob_arthurs at hotmail.com
Tue Jul 20 16:59:05 EDT 2004


Nooooo....

What happens is this:

IPsec peers negotiate IKE (ISAKMP). ISAKMP messages use UDP port 500 (unless 
your IPsec boxes are capable of using NAT traversal, in which case they may 
switch to UDP port 4500).

IKE has 2 phases. During phase 1, a single bi-directional IKE SA is 
negotiated.  During phase 2, two or more unidirectional IPsec SAs are 
negotiated. These SAs may be AH, ESP, or even PCP/IPComp.

It is only after IKE phase 2 has completed that AH, ESP, or AH/ESP (it is 
possible to have AH and ESP protection) packets are sent between IPsec 
peers.

Now, as for NAT - you get around NAT using standard NAT traversal (uses UDP 
port 4500), or Cisco's proprietary UDP/TCP encap on a port of your choosing.

Other ways of getting around problems with NAT *include* using ESP instead 
of AH (NAT breaks the AH integrity check on the outer IP header), and using 
tunnel mode instead of transport mode (tunnel mode can alleviate problems 
with IKE identifiers, etc.).

As for firewalls, to allow IPsec to function through them you should allow 
the following (depending on your specific configuration):

UDP port 500 (ISAKMP)
IP protocol 51 (AH)
IP protocol 50 (ESP)
UDP port 4500 (if your boxes use standard NAT traversal)
And the custom UDP/TCP ports configurable on the VPN 3000 (if you have 
configured them)

Much more on IPsec in "Troubleshooting Virtual Private Networks" from Cisco 
Press, if you have the pennies :) It covers pretty much anything and 
everything that can go wrong with IPsec (plus all the solutions!). Check it 
out!

Regards.
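As an added illustration (not code from the thread or from Cisco), the toy model below encodes the firewall policy listed above and a simplified NAT state table that behaves the way the quoted reply describes: ESP/AH carry no ports, so two inside clients talking to the same concentrator share one mapping and the first one is displaced, while UDP 4500 NAT-T or per-client TCP encapsulation gives each client its own translated port. The concentrator address, client addresses and the TCP encapsulation port are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

ESP, AH, UDP, TCP = 50, 51, 17, 6        # IP protocol numbers
ISAKMP_PORT, NATT_PORT = 500, 4500       # IKE and standard NAT-T (UDP)
CUSTOM_TCP_PORT = 10000                  # placeholder: concentrator's TCP encap port

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0                       # 0 means no transport header (ESP/AH)
    dport: int = 0

def firewall_allows(p: Packet) -> bool:
    """Stateless version of the allow-list from the message above."""
    if p.proto in (ESP, AH):             # IP protocol 50 / 51
        return True
    if p.proto == UDP:                   # ISAKMP and NAT-T
        return p.dport in (ISAKMP_PORT, NATT_PORT)
    if p.proto == TCP:                   # concentrator's configured encap port
        return p.dport == CUSTOM_TCP_PORT
    return False

class Nat:
    """Port-translating NAT. UDP/TCP flows get a unique public source port;
    ESP/AH have no port, so the only key is (protocol, peer) and a second
    inside host overwrites the first host's mapping."""
    def __init__(self) -> None:
        self.table: dict = {}            # outside-visible key -> inside host
        self.next_port = 40000

    def outbound(self, p: Packet) -> Optional[str]:
        """Record the flow; return the inside host that lost its mapping, if any."""
        if p.proto in (ESP, AH):
            key = (p.proto, p.dst)
        else:
            self.next_port += 1
            key = (p.proto, self.next_port, p.dst)
        evicted = self.table.get(key)
        self.table[key] = p.src
        return evicted if evicted not in (None, p.src) else None

def two_clients(proto: int, dport: int = 0) -> Optional[str]:
    """Two inside clients (constructed addresses) reach the same concentrator."""
    nat = Nat()
    nat.outbound(Packet("10.0.0.1", "203.0.113.10", proto, 1024, dport))
    return nat.outbound(Packet("10.0.0.2", "203.0.113.10", proto, 1024, dport))
```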



>From: <info at beprojects.com>
>To: "Cisco Nsp" <cisco-nsp at puck.nether.net>
>Subject: Re: [nsp] VPN Clients through Border Manager
>Date: Tue, 20 Jul 2004 09:25:56 -0500
>
>Change the VPN3005 to use tcp connections and set the users to transparent
>tunneling through tcp.  This will allow virtually any user to connect from
>anywhere and it doesn't matter if they are NAT'd or not.
>
>In a typical IPSec VPN, the user initiates a connection on udp port 500,
>then the server initiates an ESP connection back to the user.  Most
>firewalls are smart enough to figure out how to send this back to one
>internal user, but when a second user tries to connect, they don't know
>what to do.  There is no port info in an ESP packet, so typically it drops
>the first user.  If you switch to tcp, you only use one tcp connection per
>user so there are no esp issues.  It is a much better solution.
>
>
>----- Original Message -----
>From: "Voll, Scott" <Scott.Voll at wesd.org>
>To: <cisco-nsp at puck.nether.net>
>Sent: Tuesday, July 20, 2004 8:51 AM
>Subject: [nsp] VPN Clients through Border Manager
>
>
> > OK, I'm stumped.
> >
> > I have a client that needs to get around a Border Manager / filter
> > server / firewall via a VPN connection to us, to use our web application
> > over Citrix.  When the first person uses their Cisco VPN client and
> > connects to our VPN (3005) they make the connection, and can use the web
> > application.  But when the second person tries to connect to the same
> > VPN the Connection gets dropped.
> >
> > I initially thought it was maybe a NAT issue.  But both users have
> > publicly addressed computers that just go through.  I also thought that
> > maybe it was that the Border Manager was only allowing one VPN
> > connection but the second user can connect to a second VPN (3005 also).
> >
> > It looks like the only problem is when multiple users try to connect to
> > one VPN at the same time.  Both users can connect to this one VPN, just
> > not at the same time.  Any ideas????  I do not have access to this
> > Border Manager, but if I have something for the Admin at this site to
> > try, I believe he is willing.
> >
> > Thanks for any comments, suggestions, or thoughts.
> >
> > Scott
> >
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>

