[vpn-help] Connecting to VPN Servers Through ISA Server

Stefan Bauer stefan.bauer at cubewerk.de
Tue Mar 2 13:37:13 CST 2010

On 26.02.2010 16:59, Greg Wilkerson wrote:
> Hello,
> Here is my configuration: Windows 7 x64 Ultimate running ShrewSoft 2.1.5 on
> a laptop.
> I am connecting to a Cisco VPN Server (don't know much more than that).  The
> connection definition for one was manually created from values provided to
> me.  Another connection was configured by importing a PCF.
> I have no troubles connecting to either of these VPN servers and accessing
> all the resources on the networks when connected via wi-fi hotspots, etc.  
> I do have troubles when connecting to these environments from my office.  I
> have an ISA Server 2003 as my firewall.  The ISA server logs show no
> denials.  Actually, I see no messages in the log related to ShrewSoft
> connections (port 500, 4500) in the ISA server logs.  When I connect to
> either of these environments from an XP desktop with the Cisco VPN client
> (5.00.360) located at my office, I have no troubles.  So, that seems to rule
> out port issues on my office network.  

Not in general. IIRC Cisco's VPN solutions are also able to tunnel
IPsec and IKE in TCP. Shrew's default is to use UDP 500 (IKE) and
4500 (NAT-T) as well as proto 50 (IPsec) o0 (I hope I remember that

> Since I can connect to these clients
> using my laptop and the ShrewSoft client when not in my office, that would
> seem to rule out port issues on my laptop.  So, that leaves the specific
> configuration of using ShrewSoft from within my office and going through an
> ISA server.  I have no issues with configuring the appropriate ports, but I
> have no idea what to configure.

In most cases, the problem occurs when vendors are trying to deal
with IPsec passthrough. IPsec itself is able to detect NATted
devices and act correctly by using NAT-T. Some vendors break
this behaviour by trying to deal with IPsec forwarding/passthrough.

> I have examined the ShrewSoft log files.  I compared the log files from a
> successful connection to a failed connection.  The most prominent text to
> note was multiple (4, I think) attempts to connect to the VPN server using
> port 500, for failed attempts.  I see only a single port 500 connection
> attempt made for successful connections.  This would suggest port 500
> issues, but I do not see a denial (or an allow) for port 500 in the ISA
> server firewall logs.

I will have a look at the logs you have supplied, but don't give much
weight to my opinion, I'm just a regular IPsec user :)


Stefan Bauer -----------------------------------------
PGP: E80A 50D5 2D46 341C A887 F05D 5C81 5858 DCEF 8C34
-------- plzk.de - Linux - because it works ----------
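The pattern discussed in this thread (several unanswered IKE attempts on UDP/500 in the failed case, a single answered one in the working case, with NAT-T on UDP/4500 and ESP as IP protocol 50 as the other legs) can be checked mechanically. The script below is an added example, not code from the thread, Shrew Soft or ISA Server; it assumes a constructed flow-log format and constructed sample lines, and names the first IPsec leg that got no reply, which is where a passthrough device is dropping traffic.

```python
from collections import Counter

# Protocols and ports the thread names: IKE on UDP/500, NAT-T on UDP/4500,
# and ESP carried as IP protocol 50 (no port).
IKE_PORT, NATT_PORT = 500, 4500

def parse_flow_line(line):
    """Parse one constructed flow-log line of the form
    '<date> <time> OUT|IN udp|esp src[:port] -> dst[:port]'."""
    direction, proto, _src, _arrow, dst = line.split()[-5:]
    dport = int(dst.rsplit(":", 1)[1]) if proto == "udp" else None
    return {"direction": direction.lower(), "proto": proto, "dport": dport}

def diagnose(lines):
    """Count outbound/inbound packets per IPsec leg and name the first leg
    that went unanswered, which is where a passthrough device drops traffic."""
    out, inb = Counter(), Counter()
    for flow in map(parse_flow_line, lines):
        bucket = out if flow["direction"] == "out" else inb
        bucket[(flow["proto"], flow["dport"])] += 1
    ike = (out["udp", IKE_PORT], inb["udp", IKE_PORT])
    natt = (out["udp", NATT_PORT], inb["udp", NATT_PORT])
    esp = (out["esp", None], inb["esp", None])
    if ike[0] and not ike[1]:
        diagnosis = "ike_unanswered"    # repeated UDP/500 retries, no reply
    elif natt[0] and not natt[1]:
        diagnosis = "natt_unanswered"   # IKE ok, UDP/4500 dropped
    elif esp[0] and not esp[1]:
        diagnosis = "esp_unanswered"    # no NAT-T fallback and proto 50 dropped
    elif not ike[0]:
        diagnosis = "no_ike_seen"
    else:
        diagnosis = "ok"
    return {"ike": ike, "natt": natt, "esp": esp, "diagnosis": diagnosis}

# Constructed sample logs (not from the thread): the failing office case shows
# four IKE retries with no answer; the hotspot case completes IKE and NAT-T.
FAILED_LOG = [
    "2010-02-26 16:59:01 OUT udp 192.0.2.10:500 -> 198.51.100.7:500",
    "2010-02-26 16:59:03 OUT udp 192.0.2.10:500 -> 198.51.100.7:500",
    "2010-02-26 16:59:06 OUT udp 192.0.2.10:500 -> 198.51.100.7:500",
    "2010-02-26 16:59:12 OUT udp 192.0.2.10:500 -> 198.51.100.7:500",
]
SUCCESS_LOG = [
    "2010-02-26 17:10:01 OUT udp 192.0.2.10:500 -> 198.51.100.7:500",
    "2010-02-26 17:10:01 IN udp 198.51.100.7:500 -> 192.0.2.10:500",
    "2010-02-26 17:10:02 OUT udp 192.0.2.10:4500 -> 198.51.100.7:4500",
    "2010-02-26 17:10:02 IN udp 198.51.100.7:4500 -> 192.0.2.10:4500",
]
```

If, as in the thread, the firewall log shows neither an allow nor a deny for these flows, feed the script a packet capture taken on the client side instead, since a missing log entry says nothing about whether the packets were forwarded.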
