A customer of ours is setting up an ISA cluster in a private network address range and we have to build a VPN connection with them. There is no way of avoiding NAT-T, and this is where we get to a problem:
in the IKE request there is a field ENCAPSULATION_MODE where there should be a value of 3 for NAT-T if you go by the book (RFC 3947).
However, Ciscos and, it seems, Microsoft ISA still send the historical value of 61443, which is accepted by OpenBSD (tolerant, good). But - there is no way to make OpenBSD send a request with ENCAPSULATION_MODE = 61443, and the "standard" value 3 is rejected by Microsoft ISA.
Does anybody know a solution to this?
It'd be nice to hear of a patch for MS ISA allowing it to accept the "3"...
Update: "The other side" has MS ISA 2006 Enterprise. "Our side" has OpenBSD 4.5.
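To confirm which ENCAPSULATION_MODE number each peer puts in its proposal, the following added example (not part of the original post) decodes the data attributes of an IPsec transform payload and reports whether the value is the RFC 3947 one or the pre-RFC draft one. The function names and the sample byte strings are constructed for illustration; the attribute bytes are assumed to come from an already decrypted Quick Mode proposal.

```python
import struct

ENCAPSULATION_MODE = 4  # IPsec DOI attribute type (RFC 2407)

# value -> (meaning, where the number comes from)
MODES = {
    1: ("Tunnel", "RFC 2407"),
    2: ("Transport", "RFC 2407"),
    3: ("UDP-Encapsulated-Tunnel", "RFC 3947"),
    4: ("UDP-Encapsulated-Transport", "RFC 3947"),
    61443: ("UDP-Encapsulated-Tunnel", "pre-RFC NAT-T draft"),
    61444: ("UDP-Encapsulated-Transport", "pre-RFC NAT-T draft"),
}

def parse_attributes(buf):
    """Yield (type, value) for each ISAKMP data attribute (RFC 2408, 3.3)."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated attribute header")
        word, field = struct.unpack_from("!HH", buf, off)
        off += 4
        if word & 0x8000:               # AF=1: fixed 2-byte value (TV)
            yield word & 0x7FFF, field
        else:                           # AF=0: 'field' is a length (TLV)
            if off + field > len(buf):
                raise ValueError("truncated attribute value")
            yield word, int.from_bytes(buf[off:off + field], "big")
            off += field

def encapsulation_mode(buf):
    """Return (value, meaning, origin) of the ENCAPSULATION_MODE attribute, or None."""
    for atype, value in parse_attributes(buf):
        if atype == ENCAPSULATION_MODE:
            return (value,) + MODES.get(value, ("unknown", "unassigned"))
    return None

# Constructed samples: life type = seconds, life duration = 3600 (TLV),
# then the encapsulation mode, then auth algorithm = HMAC-SHA.
COMMON = bytes.fromhex("80010001" "0002000400000e10")
DRAFT_PEER = COMMON + bytes.fromhex("8004f003" "80050002")  # 0xF003 = 61443
RFC_PEER = COMMON + bytes.fromhex("80040003" "80050002")    # 3

if __name__ == "__main__":
    for label, blob in (("draft peer", DRAFT_PEER), ("RFC peer", RFC_PEER)):
        print(label, encapsulation_mode(blob))
```

Both samples decode to the same meaning (UDP-Encapsulated-Tunnel); only the number on the wire differs, which is the mismatch a strict peer rejects.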