IPSec VPN tunnel with hardware gateway

Hi,

I am using a "classical" SBS 2003 setup with 2 NIC's - one to my
internal LAN and the other to a dlink di-604 router (no ISA).
I am trying to establish an *IPsec only* tunnel (pre-shared key) to a
3rd party VPN router (linksys, netgear, etc).
To do this, I have set up an IP security policy on the SBS server as
explained at http://support.microsoft.com/kb/816514. Also, I have
enabled IPsec pass-through on the router and forwarded udp port 500
and 4500. Since the external NIC is set with RAS to do NAT, I also
opened these ports on the server.
Unfortunately I am unable to get this to work. I wonder if this kind
of set up is actually possible, since Windows 2003 supports NAT-T and
the router only supports IPsec pass-through. This brings me to yet
another question - is there a difference between IPsec pass-through
and NAT-T ?
The following is a log of an IPsec client I've been trying to use. I
should also mention that the initiating client is also behind a NAT
(no open ports though).

Initiating IKE Phase 1 (IP ADDR=212.189.15.221)
SENDING>>>> ISAKMP OAK MM (SA, VID 2x)
RECEIVED<<< ISAKMP OAK MM (SA, VID 3x)
Peer is IKE fragmentation capable
IKE fragmentation disabled
Peer is NAT-T draft-02 capable
SENDING>>>> ISAKMP OAK MM (KE, NON, NAT-D 2x, VID 3x)
RECEIVED<<< ISAKMP OAK MM (KE, NON, NAT-D 2x)
NAT is detected for Client and Peer
Floating to IKE non-500 port
SENDING>>>> ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_INITIAL_CONTACT)
RECEIVED<<< ISAKMP OAK MM (Retransmission)
SENDING>>>> ISAKMP OAK MM *(Retransmission)
RECEIVED<<< ISAKMP OAK MM (Retransmission)
^^^^^^^^^^^^^^^^^^^ these retransmissions are the problem....

Hi Danny:
Let me see if I understood your scenario. You are trying to do a connection
from a client in the public side on the network to a server that is behind
tha NAT and to who´s IP you are forwaring UDP traffic port 500/4500 right?..
In this scenario your client has to be able to do NATT if it is a MS product
make sure you got the update necesary to do this; there is an update for XP
and Windows2000. Also make sure you are using policies without
Authentication Header this is a limitation of the NAT scenario .
I hope this helps...
Thanks
JC
"Danny L" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) om...
> Hi,
>
> I am using a "classical" SBS 2003 setup with 2 NIC's - one to my
> internal LAN and the other to a dlink di-604 router (no ISA).
> I am trying to establish an *IPsec only* tunnel (pre-shared key) to a
> 3rd party VPN router (linksys, netgear, etc).
> To do this, I have set up an IP security policy on the SBS server as
> explained at http://support.microsoft.com/kb/816514. Also, I have
> enabled IPsec pass-through on the router and forwarded udp port 500
> and 4500. Since the external NIC is set with RAS to do NAT, I also
> opened these ports on the server.
> Unfortunately I am unable to get this to work. I wonder if this kind
> of set up is actually possible, since Windows 2003 supports NAT-T and
> the router only supports IPsec pass-through. This brings me to yet
> another question - is there a difference between IPsec pass-through
> and NAT-T ?
> The following is a log of an IPsec client I've been trying to use. I
> should also mention that the initiating client is also behind a NAT
> (no open ports though).
>
> Initiating IKE Phase 1 (IP ADDR=212.189.15.221)
> SENDING>>>> ISAKMP OAK MM (SA, VID 2x)
> RECEIVED<<< ISAKMP OAK MM (SA, VID 3x)
> Peer is IKE fragmentation capable
> IKE fragmentation disabled
> Peer is NAT-T draft-02 capable
> SENDING>>>> ISAKMP OAK MM (KE, NON, NAT-D 2x, VID 3x)
> RECEIVED<<< ISAKMP OAK MM (KE, NON, NAT-D 2x)
> NAT is detected for Client and Peer
> Floating to IKE non-500 port
> SENDING>>>> ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_INITIAL_CONTACT)
> RECEIVED<<< ISAKMP OAK MM (Retransmission)
> SENDING>>>> ISAKMP OAK MM *(Retransmission)
> RECEIVED<<< ISAKMP OAK MM (Retransmission)
> ^^^^^^^^^^^^^^^^^^^ these retransmissions are the problem....