
A customer of ours is setting up an ISA cluster in a private network address range and we have to build a VPN connection with them. There is no way to avoid NAT-T, and this is where we get to a problem:

In the IKE request there is a field ENCAPSULATION_MODE which should have a value of 3 for NAT-T if you go by the book (RFC 3947).

However, Ciscos and, it seems, Microsoft ISA still send the historical value 61443, which is accepted by OpenBSD (tolerant, good). But there is no way to make OpenBSD send a request with ENCAPSULATION_MODE = 61443, and the "standard" value 3 is rejected by Microsoft ISA.

Does anybody know a solution to this?

It'd be nice to hear of a patch for MS ISA allowing it to accept the "3"...

Update: "The other side" has MS ISA 2006 Enterprise. "Our side" has OpenBSD 4.5.

slovon

1 Answer

The solution was to configure the VPN connection on the OpenBSD side totally manually (isakmpd.conf instead of ipsec.conf) and use ENCAPSULATION_MODE=UDP_ENCAP_TUNNEL_DRAFT in the quick mode custom transform definition.

Hooray for configurability!

slovon
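For readers who want to see what the manual isakmpd.conf route looks like, here is an added example that is not part of the original question or answer and was not posted by slovon. It is a hand-written isakmpd.conf skeleton for the situation described above: a phase 2 suite whose ESP transform carries the draft NAT-T encapsulation value (UDP_ENCAP_TUNNEL_DRAFT, which is what isakmpd.conf(5) offers for the pre-RFC 3947 encoding) instead of the RFC value UDP_ENCAP_TUNNEL. All addresses, subnets, section names, the pre-shared secret placeholder, and the 3DES/SHA-1/MODP_1024 algorithm choices are assumptions chosen for illustration; they must be replaced with the real peer parameters.

```ini
# isakmpd.conf - added example, not from the original post.
# Assumed addresses: our gateway 192.0.2.1 (behind NAT) talking to the
# customer's ISA gateway 198.51.100.1. Subnets 10.1.0.0/24 (ours) and
# 10.2.0.0/24 (theirs) are placeholders.

[General]
Retransmits=            5
Exchange-max-time=      120
Listen-on=              192.0.2.1

# Map the peer's public address to the phase 1 peer section below.
[Phase 1]
198.51.100.1=           ISA-peer

[Phase 2]
Connections=            ISA-tunnel

[ISA-peer]
Phase=                  1
Transport=              udp
Local-address=          192.0.2.1
Address=                198.51.100.1
Configuration=          ISA-main-mode
# Pre-shared key lives in this file, so keep isakmpd.conf mode 0600.
Authentication=         replace-with-real-shared-secret

[ISA-tunnel]
Phase=                  2
ISAKMP-peer=            ISA-peer
Configuration=          ISA-quick-mode
Local-ID=               Net-ours
Remote-ID=              Net-theirs

[Net-ours]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.1.0.0
Netmask=                255.255.255.0

[Net-theirs]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.2.0.0
Netmask=                255.255.255.0

# Phase 1 (main mode) proposal.
[ISA-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA

[3DES-SHA]
ENCRYPTION_ALGORITHM=   3DES_CBC
HASH_ALGORITHM=         SHA
AUTHENTICATION_METHOD=  PRE_SHARED
GROUP_DESCRIPTION=      MODP_1024
Life=                   LIFE_MAIN

# Phase 2 (quick mode) proposal with a custom suite/protocol/transform
# chain so that ENCAPSULATION_MODE can be set explicitly.
[ISA-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-DRAFT-SUITE

[QM-ESP-3DES-SHA-DRAFT-SUITE]
Protocols=              QM-ESP-3DES-SHA-DRAFT

[QM-ESP-3DES-SHA-DRAFT]
PROTOCOL_ID=            IPSEC_ESP
Transforms=             QM-ESP-3DES-SHA-DRAFT-XF

[QM-ESP-3DES-SHA-DRAFT-XF]
TRANSFORM_ID=           3DES
# The point of the whole exercise: send the draft NAT-T encapsulation
# value (the one ISA/Cisco expect) instead of the RFC 3947 value, which
# would be UDP_ENCAP_TUNNEL here.
ENCAPSULATION_MODE=     UDP_ENCAP_TUNNEL_DRAFT
AUTHENTICATION_ALGORITHM= HMAC_SHA
GROUP_DESCRIPTION=      MODP_1024
Life=                   LIFE_QUICK

[LIFE_MAIN]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          3600,1800:7200

[LIFE_QUICK]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          1200,60:1800
```

Two practical notes on this layout. First, the draft value is set per transform, so if you ever need to talk to a peer that does honour RFC 3947 you add a second transform (or suite) with UDP_ENCAP_TUNNEL rather than touching this one. Second, once isakmpd is running with this file, `ipsecctl -sa` shows whether the ESP SAs actually came up with UDP encapsulation, which is the quickest way to tell a negotiation failure on ENCAPSULATION_MODE from a plain shared-secret or proposal mismatch.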