VPN between 2 Cisco routers behind Wingate, need info.

[Alen]

Hi all.
Happy new year!

I have the following task: I have Wingate 6 in the head office and Cisco router plus one more Cisco in our branch. Now I need to create IPSec (ESP + ISA KMP protocols) VPN between this 2 Ciscos and want to know the following:
- how to allow ESP + ISA KMP protocols to pass through Wingate (I want to forward them to the Cisco)?
I know ISA KMP utilizes UDP port 500 (or UDP port 4500, when NATed by NAT-T, which I believe Wingate makes), but I cann't see the way how to make a hole for ESP, which is "ip protocol N50"!? How to do it?

Besides, I want to connect 2 ISPs to Wingate to have redundancy for Internet connection, and have some more questions for it:
- is it ok if I install 4 NICs (2x WAN, 1x LAN, 1x DMZ) in Wingate machine (XP SP3)?
- how to provide simultaneous functioning of two Internet connections to utilize the whole bandwidth?
- when having multiple ISPs, how Wingate define if one of the Internet connections becomes non-operational?
I am asking, because most part of our issues with Internet connection take place when our ISP himself has no connection to Internet (but we still have good connectivity to the ISP, i.e. our gateway is available). Is it possible for Wingate to check Internet availability itself, not just its gateway? (Of course the question is what is then "Internet connection"? Pinging google.com or what? I don't know the answer, may be you can give an advise...)
- in case of above mentioned VPN, Cisco ip will also be NATed by Wingate, and I can not understand, how Wingate will do it, if it has two Internet connections (=> 2 public ips)?
Each time (i.e. for each VPN session) use only one public ip or what?

Thank you.

[logan]

Hi Alen,

how to allow ESP + ISA KMP protocols to pass through Wingate (I want to forward them to the Cisco)?

ISAKMP is done over TCP/UDP, so you can forward this through WinGate's firewall from Extended Networking.
Protocol 50 (ESP) on the other hand is automatically handled by WinGate's extended networking driver, so does not need to be forwarded at all.

is it ok if I install 4 NICs (2x WAN, 1x LAN, 1x DMZ) in Wingate machine (XP SP3)?

That's fine.

how to provide simultaneous functioning of two Internet connections to utilize the whole bandwidth?

Some WinGate services have a Gateways configuration section which lets you specify how the service will utilize internet gateways available on the machine. Set the connection scheme to "Use specific connections in rotation" and add the two internet connections to the list of connections. This will make the service rotate outgoing connections around both the internet gateways.

when having multiple ISPs, how Wingate define if one of the Internet connections becomes non-operational?

WinGate regularly pings the gateways to determine if each gateway is alive or not. WinGate actually pings one step past the gateway so that it can also test if the gateway has an internet connection or not. Should a ping test suddenly fail, WinGate will detect this and adjust it's behavior accordingly by no longer using that gateway until it is tested to be alive again. This detection of dead gateways must be enabled manually from GateKeeper -> System -> Extended Networking -> General -> Enable 'Monitor for dead gateways'.

in case of above mentioned VPN, Cisco ip will also be NATed by Wingate, and I can not understand, how Wingate will do it, if it has two Internet connections (=> 2 public ips)? Each time (i.e. for each VPN session) use only one public ip or what?

WinGate will use the public IP that the VPN clients connected to. So if the client connected to the first internet connection, that VPN session will remain on the first internet connection. If the client connected to the second internet connection, the VPN session would remain on the second internet connection. So WinGate has no control over which internet connection is used for VPN sessions. This is entirely up to which IP the clients connect to.

[Alen]

Thank you for your reply, Logan.

ISAKMP is done over TCP/UDP, so you can forward this through WinGate's firewall from Extended Networking.Protocol 50 (ESP) on the other hand is automatically handled by WinGate's extended networking driver, so does not need to be forwarded at all.

So, ESP will be allowed even if firewall settings are Block by default (Internet 2 LAN)?!
Another question: is Wingate making NAT-T? I am asking, because ISA KMP initially uses UDP 500, but NAT-T removes its port to UDP 4500.

Some WinGate services have a Gateways configuration section which lets you specify how the service will utilize internet gateways available on the machine. Set the connection scheme to "Use specific connections in rotation" and add the two internet connections to the list of connections. This will make the service rotate outgoing connections around both the internet gateways.

Clear.
But I cann't see gateway settings for NAT and SMTP proxy services!? Only for web, ftp and pop. As NAT is important, I'll think about subsidiary "border" Cisco.

To be clear: I am choosing between 2 main variants:
LAN - Core Cisco - Wingate - 2 ISPs vs
LAN - Core Cisco - Wingate - Border Cisco - 2 ISPs.

In light of your info only the second variant allows me to simultaneously use 2 lines for all services (including NAT). The only thing is I'll be using double NAT (on Wingate and then on the Border Cisco), but I hope it will not create problems for me?! Especially for SSL connections.

Besides, in this variant I can create also a separate connection between the Core Cisco and Border Cisco for the VPN. I'll think about it...

WinGate actually pings one step past the gateway so that it can also test if the gateway has an internet connection or not.

How is it possible? How Wingate can know who is there - after its gateway?

WinGate will use the public IP that the VPN clients connected to. So if the client connected to the first internet connection, that VPN session will remain on the first internet connection. If the client connected to the second internet connection, the VPN session would remain on the second internet connection. So WinGate has no control over which internet connection is used for VPN sessions. This is entirely up to which IP the clients connect to.

There is no clients as you mean, the VPN is created only one, between two Ciscos, and two local networks are connected at whole by these routers. So there is only one VPN.
Anyway, as I understand, the VPN will use only one ISP line - the one "whoes turn was" at the moment of VPN initiation (if Gateways rotation is used). And this is the second reason, why I should use additional Border Router - in that case I'll be able to create a separate connection between the Core Cisco and Border Cisco and then make VPN not on the Core Cisco but on the Border one and this will allow to create 2 VPN channels and use them simultaneosly!

Well, I think I am inclining to use subsidiary Border Router to be able to use 2 ISP lines simultaneously for all Wingate Internet services and 2 simultaneosuly working VPN channels between head and branch LANs.

[Alen]

Report:
Issue 1 - VPN (ESP + ISAKMP) between Cisco routers through Wingate: I realized VPN between Ciscos directly, bypassing Wingate. Simpler is better.

Issue 2 - Simultaneous use of 2 ISPs: I used additional border Cisco for it, installed after Wingate, which pings one reliable Internet area server per each ISP line to check Internet availability via that ISP.
Because I wanted Wingate to control all my Internet users, including NAT users, I had to make double NAT (on Wingate, then on Cisco). 2 weeks in production - all is ok.


Still have unanswered academic questions:
1. As I understand, ESP is allowed automatically by Wingate even if firewall settings (Internet 2 LAN) are Block by default?!

2. Is Wingate making NAT-T? (The question was important, because ISA KMP initially uses UDP 500, but NAT-T "removes" its port to UDP 4500. So which one has to be forwarded on Wingate?).

3. Wingate 6.x can not use 2 ISP connections (simultaneously or even as autobackup) for NAT and SMTP proxy services. Is this correct?

4. You wrote: "WinGate actually pings one step past the gateway so that it can also test if the gateway has an internet connection or not".
Can you explain in details what do you mean, and how Wingate know which one is "one step past"? Tracerouting wingate.com? ;-)
I also want you to pay attention on the fact ISP may have 2 or more "next hops" inside his network before going out...

[adrien]

Report:
Issue 1 - VPN (ESP + ISAKMP) between Cisco routers through Wingate: I realized VPN between Ciscos directly, bypassing Wingate. Simpler is better.

Agree.

Issue 2 - Simultaneous use of 2 ISPs: I used additional border Cisco for it, installed after Wingate, which pings one reliable Internet area server per each ISP line to check Internet availability via that ISP.
Because I wanted Wingate to control all my Internet users, including NAT users, I had to make double NAT (on Wingate, then on Cisco). 2 weeks in production - all is ok.


Still have unanswered academic questions:
1. As I understand, ESP is allowed automatically by Wingate even if firewall settings (Internet 2 LAN) are Block by default?!

I just looked through the code. I can't see anywhere where ESP packets are subjected to any checks. However, an incoming ESP packet won't be able to be forwarded unless it is part of an existing ESP "connection", since we don't create hash (connection) entries in the driver for unknown inbound traffic - except where there are redirection entries in port security, which only occurs for TCP / UDP.

2. Is Wingate making NAT-T? (The question was important, because ISA KMP initially uses UDP 500, but NAT-T "removes" its port to UDP 4500. So which one has to be forwarded on Wingate?).

WinGate doesn't do any special processing I don't think for this. If the port moves, it will just be another UDP NAT connection. So it should go through.

3. nate 6.x can not use 2 ISP connections (simultaneously or even as autobackup) for NAT and SMTP proxy services. Is this correct?

For NAT, WinGate sorts the route table and puts entries with the lowest metric first, then uses the first one. So even if you have 2 default routes with the same metric, WinGate will always use the one that is first in its route table. So, you are correct, for NAT it will only use 1 connection.

4. You wrote: "WinGate actually pings one step past the gateway so that it can also test if the gateway has an internet connection or not".
Can you explain in details what do you mean, and how Wingate know which one is "one step past"? Tracerouting wingate.com? ;-)
I also want you to pay attention on the fact ISP may have 2 or more "next hops" inside his network before going out...

WinGate sends a packet with a TTL of 3, so it's like tracert. It expects to get an ICMP error packet back saying the TTL expired. the packet is actually an ICMP echo request packet destined for 192.5.6.30 which is a.gtld-servers.net, a root DNS server.

[Alen]

I just looked through the code. I can't see anywhere where ESP packets are subjected to any checks. However, an incoming ESP packet won't be able to be forwarded unless it is part of an existing ESP "connection", since we don't create hash (connection) entries in the driver for unknown inbound traffic - except where there are redirection entries in port security, which only occurs for TCP / UDP.

So, it was impossible to do what I wanted through Wingate!? (Because VPN connection should become up by request of both sides, not only Wingate behind one)
I am glad I did not try that variant and spent time.

the packet is actually an ICMP echo request packet destined for 192.5.6.30 which is a.gtld-servers.net, a root DNS server.

I made almost the same in Cisco, just choose other servers. I thought I invented a bicycle;-) (I thought a lot to whom ping to count I have\have not Internet connection, when understand: it should be a service - global and critical for the whole Internet).
P.S. IMHO, TTL=3 is too small. ISP could freely have more than 3-6 hops inside his network.
I'll tell you more: quite often one of the global ISPs (which provides connection for our ISPs) have no connection to Internet. Tracert shows we have ~ 15-20 hops before quiting the country...

[adrien]

I just looked through the code. I can't see anywhere where ESP packets are subjected to any checks. However, an incoming ESP packet won't be able to be forwarded unless it is part of an existing ESP "connection", since we don't create hash (connection) entries in the driver for unknown inbound traffic - except where there are redirection entries in port security, which only occurs for TCP / UDP.

So, it was impossible to do what I wanted through Wingate!? (Because VPN connection should become up by request of both sides, not only Wingate behind one)
I am glad I did not try that variant and spent time.

I'm not certain about that until testing, since I would expect the server behind on WinGate would send an ESP packet, and that would create a hash entry thereby allowing return packets from the other end back into the network.

the packet is actually an ICMP echo request packet destined for 192.5.6.30 which is a.gtld-servers.net, a root DNS server.

I made almost the same in Cisco, just choose other servers. I thought I invented a bicycle;-) (I thought a lot to whom ping to count I have\have not Internet connection, when understand: it should be a service - global and critical for the whole Internet).
P.S. IMHO, TTL=3 is too small. ISP could freely have more than 3-6 hops inside his network.
I'll tell you more: quite often one of the global ISPs (which provides connection for our ISPs) have no connection to Internet. Tracert shows we have ~ 15-20 hops before quiting the country...

hmmm, perhaps a configurable option for TTL would be useful.

In fact in the driver code we implemented checking using several methods, ARP (only checks if next hop is responding to ARP), ICMP echo (expecting echo reply), and ICMP echo expecting TTL timeout (tracert). We also considered UDP or even TCP tracert, but these could cause issues for intermediaries.

[Alen]

hmmm, perhaps a configurable option for TTL would be useful.

I think yes.
May be even allow users to change the server against which checking is made (but hide it in advanced settings)?
You decide...

In fact in the driver code we implemented checking using several methods, ARP (only checks if next hop is responding to ARP), ICMP echo (expecting echo reply), and ICMP echo expecting TTL timeout (tracert). We also considered UDP or even TCP tracert, but these could cause issues for intermediaries.

The problem with several checking methods is: what to do, when one part of tests pass, while another - don't? ...


For this topic I think I got all answers I needed. Thank you very much.

[adrien]

actually sorry I wasn't clear... we only use one of those methods. I mentioned it because I mentioned extending it to allow user-defined TTL, could then also allow user-defined method.

So there's no problem of what if one method works and another fails, since we only try one.

Regards

Adrien