A customer of ours is setting up an ISA cluster in a private network address range and we have to build a VPN connection with them. There is no way to avoid NAT-T, and this is where we run into a problem:
In the IKE request there is a field ENCAPSULATION_MODE that should carry the value 3 for NAT-T if you go by the book (RFC 3947).
However, Ciscos and, it seems, Microsoft ISA still send the historical value of 61443, which is accepted by OpenBSD (tolerant, good). But there is no way to make OpenBSD send a request with ENCAPSULATION_MODE = 61443, and the "standard" value 3 is rejected by Microsoft ISA.
Does anybody know a solution to this?
It'd be nice to hear of a patch for MS ISA allowing it to accept the "3"...
Update: "The other side" has MS ISA 2006 Enterprise. "Our side" has OpenBSD 4.5.
The solution was to configure the VPN connection on the OpenBSD side totally manually (isakmpd.conf instead of ipsec.conf) and use ENCAPSULATION_MODE=UDP_ENCAP_TUNNEL_DRAFT in a custom quick-mode transform definition.
Hooray for configurability!
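The manual isakmpd.conf approach from the update, written out as an added example that is not the poster's actual file: the peer address 203.0.113.10, the two subnets, the pre-shared key and the 3DES/HMAC_SHA/MODP_1024 algorithm choices are assumed placeholders to be replaced with the customer's values, and the layout follows isakmpd.conf(5). The ENCAPSULATION_MODE line in the last transform section is what makes isakmpd propose the draft value (61443) instead of the RFC 3947 value 3.

```ini
# Added example, not the original poster's file. Addresses, networks, PSK and
# algorithm choices are placeholders; the ENCAPSULATION_MODE line is the point.
[Phase 1]
203.0.113.10=           peer-isa

[Phase 2]
Connections=            IPsec-to-isa

[peer-isa]
Phase=                  1
Address=                203.0.113.10
Configuration=          Default-main-mode
Authentication=         CHANGE-ME-PRESHARED-KEY

[IPsec-to-isa]
Phase=                  2
ISAKMP-peer=            peer-isa
Configuration=          QM-natt-draft
Local-ID=               Net-local
Remote-ID=              Net-isa

[Net-local]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.1.0
Netmask=                255.255.255.0

[Net-isa]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.0.0.0
Netmask=                255.255.255.0

# Custom quick-mode configuration instead of the built-in Default-quick-mode
[QM-natt-draft]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-natt-draft-SUITE

[QM-natt-draft-SUITE]
Protocols=              QM-natt-draft-ESP

[QM-natt-draft-ESP]
PROTOCOL_ID=            IPSEC_ESP
Transforms=             QM-natt-draft-XF

[QM-natt-draft-XF]
TRANSFORM_ID=           3DES
AUTHENTICATION_ALGORITHM= HMAC_SHA
GROUP_DESCRIPTION=      MODP_1024
# Draft value 61443, which ISA accepts; UDP_ENCAP_TUNNEL would propose 3
ENCAPSULATION_MODE=     UDP_ENCAP_TUNNEL_DRAFT
```

Only the custom quick-mode section and its transform differ from the man page's standard layout; Default-main-mode is isakmpd's built-in phase 1 configuration, and the phase 1 proposal must still match what the ISA side accepts.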