Configuring IPSec Tunnel Mode VPN Between ISA Server 2004 and SmoothWall Express 2.0

Firewall administrators attempting to implement Internet Protocol security (IPSec) in tunnel mode with Microsoft® Internet Security and Acceleration (ISA) Server 2000 were unsuccessful due to an incompatibility between the network address translation (NAT) driver of ISA Server and IPSec. (This same problem was also encountered when using NAT within Routing and Remote Access). This interrupted IPSec only in tunnel mode. Using Layer Two Tunneling Protocol (L2TP) was the suggested solution because L2TP uses a transport mode policy and does not encounter this problem.

With ISA Server 2004, the NAT interaction incompatibility has been removed, and IPSec tunnel mode is now possible. Note that in both Microsoft Windows Server™ 2003 and Windows® 2000 Server, there is still an incompatibility with Routing and Remote Access NAT.

For additional information about this scenario, refer to the following articles:

This guide avoids using the term "IPSec tunnel" to refer to the encapsulation between the two networks. Referring to an IPSec tunnel may cause confusion because the term is used when referring to any type of IPSec protection—either transport mode or tunnel mode. More properly, and to avoid confusion, this guide uses the term "IPSec tunnel mode policy" when referencing the configuration.

Configuring ISA Server 2004

Configuring the SmoothWall Express System

Reconciling the ISA Server and SmoothWall Express IPSec Tunnel Mode Policy

Testing

Network Captures of IPSec in Tunnel Mode

This section briefly describes how IPSec works in tunnel mode. For a diagram of the network topology, see Figure 4 later in this document.

In this example, traffic is transmitted from the client on the SmoothWall™ Internal network, traverses the IPSec tunnel mode policy, and is then received on the ISA Server network. When using Encapsulating Security Payload (ESP), traffic is typically encrypted using Data Encryption Standard (DES) or Triple DES (3DES) and authenticated with SHA1 or MD5. However, you can specify to use Null (no) Encryption so that the packets can be seen. An IPSec tunnel mode policy with Encryption is configured initially, and then Null Encryption is specified, so that the packet structure with ESP can be seen as it traverses the network.

Figure 1 shows a client, 172.25.3.10, pinging a server, 172.25.10.10, which is located across the IPSec tunnel mode policy. This is what the packet looks like before IPSec protection. The data in the right side of the bottom pane, abcdefghijklmnop..., is the payload that a Windows client uses for Internet Control Message Protocol (ICMP).

Figure 1   Capture taken from the network card on 172.25.3.10

Figure 2 shows the same ping when it is protected by IPSec in tunnel mode with ESP encrypted with 3DES. In this image, in Source Address and Destination Address, the original client source address and server destination address are replaced. The source is now the external address of the SmoothWall firewall, 192.168.55.1, and the destination is ISA Server, 192.168.55.100. The client source IP address, destination IP address, and the data, abcdefghijklmnop..., below the IP header are encrypted, so you cannot decipher the packet structure further.

Figure 2   Capture taken from the external interface of ISA Server (192.168.55.100)

Figure 3 shows the same ping when using ESP with null encryption and MD5 for authentication. The figure shows the IPSec IP header (highlighted with a solid black line) that was added, which contains the tunnel mode policy endpoints as the source and destination, the ESP header, the original IP header (highlighted in the black dash line), and the ICMP payload. Also, you can read the data in the bottom pane, abcdefghijklmnop..., even though it is within ESP.

Figure 3   Capture taken from the external interface of ISA Server (192.168.55.100)

Note

   Figure 3 is from Network Monitor, which is built in to Windows Server 2003. Network Monitor versions prior to this are unable to decipher ESP when using Null Encryption.
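To make the layering in Figure 3 concrete, the following added example (not from the original document) builds a constructed ESP tunnel mode packet with the NULL cipher and HMAC-MD5-96, then parses it layer by layer and verifies the integrity check value. The addresses match the scenario; the HMAC key, SPI and ping payload are constructed placeholders.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

ESP_PROTO, ICMP_PROTO, IPIP_NEXT_HEADER = 50, 1, 4
ICV_LEN = 12  # HMAC-MD5-96: the ESP integrity check value is the first 96 bits of the MAC


def ip_checksum(data):
    """One's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 128,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(buf):
    """Return (src, dst, protocol, payload) of an IPv4 packet, honouring IHL and total length."""
    ihl = (buf[0] & 0x0F) * 4
    total_len = struct.unpack("!H", buf[2:4])[0]
    src, dst = str(IPv4Address(buf[12:16])), str(IPv4Address(buf[16:20]))
    return src, dst, buf[9], buf[ihl:total_len]


def build_icmp_echo(payload, ident=1, seq=1):
    """ICMP echo request (type 8) carrying payload."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 8, 0, ip_checksum(hdr + payload), ident, seq) + payload


def esp_null_encapsulate(inner_packet, spi, seq, auth_key):
    """ESP with the NULL cipher and HMAC-MD5-96: SPI | seq | inner IP packet | pad | padlen | next | ICV."""
    pad_len = (-(len(inner_packet) + 2)) % 4       # pad so the trailer ends on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))         # RFC 4303 default padding bytes 1, 2, 3, ...
    trailer = bytes([pad_len, IPIP_NEXT_HEADER])   # next header 4 = IP-in-IP, i.e. tunnel mode
    body = struct.pack("!II", spi, seq) + inner_packet + padding + trailer
    icv = hmac.new(auth_key, body, hashlib.md5).digest()[:ICV_LEN]
    return body + icv


def parse_esp_null_packet(wire, auth_key):
    """Walk outer IP -> ESP -> inner IP -> ICMP, the layering visible in Figure 3."""
    o_src, o_dst, o_proto, esp = parse_ipv4(wire)
    if o_proto != ESP_PROTO:
        raise ValueError("outer packet is not ESP (protocol %d)" % o_proto)
    spi, seq = struct.unpack("!II", esp[:8])
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.md5).digest()[:ICV_LEN]
    auth_ok = hmac.compare_digest(icv, expected)   # constant-time ICV check
    pad_len, next_hdr = body[-2], body[-1]
    inner = body[8:len(body) - 2 - pad_len]        # drop SPI/seq in front and trailer behind
    result = {"outer": (o_src, o_dst), "spi": spi, "seq": seq,
              "auth_ok": auth_ok, "next_header": next_hdr}
    if next_hdr == IPIP_NEXT_HEADER:               # tunnel mode: a whole IP packet is inside
        i_src, i_dst, i_proto, i_payload = parse_ipv4(inner)
        result.update(inner=(i_src, i_dst), inner_proto=i_proto)
        if i_proto == ICMP_PROTO:
            result["icmp_type"] = i_payload[0]
            result["icmp_data"] = i_payload[8:]    # the abcdefghijklmnop... pattern
    return result


# Constructed sample matching the scenario: client 172.25.3.10 pings 172.25.10.10, and the
# SmoothWall system (192.168.55.1) tunnels it to ISA Server (192.168.55.100).
AUTH_KEY = b"constructed-key!"                     # placeholder HMAC key, not a real SA key
ECHO_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"    # the 32-byte payload a Windows ping sends
INNER = build_ipv4("172.25.3.10", "172.25.10.10", ICMP_PROTO, build_icmp_echo(ECHO_DATA))
WIRE = build_ipv4("192.168.55.1", "192.168.55.100", ESP_PROTO,
                  esp_null_encapsulate(INNER, spi=0x1000, seq=1, auth_key=AUTH_KEY))


def tampered_copy(wire):
    """Flip one byte inside the ICMP data to show that the ICV catches modification in transit."""
    b = bytearray(wire)
    b[-ICV_LEN - 8] ^= 0xFF
    return bytes(b)
```

Call parse_esp_null_packet(WIRE, AUTH_KEY) to see the outer endpoints, SPI, inner client/server addresses and the readable ICMP data; with tampered_copy(WIRE) or a wrong key the structure still parses but auth_ok becomes False.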

IPSec accomplishes this in two steps. The first step is called Main Mode and the second step is called Quick Mode. (There is another mode that replaces Main Mode called Aggressive Mode, but this is not included in any Windows operating system.) Comprehensive explanations of what Main Mode and Quick Mode accomplish are beyond the scope of this document, but are explained in detail in the Windows Server 2003 Resource Kit (https://go.microsoft.com/fwlink/?LinkId=32054).

Main Mode is responsible for authenticating both sides of the IPSec tunnel mode policy (either using certificates or a preshared key) and generating a Diffie-Hellman key used to secure the second portion (Quick Mode). There are additional parameters negotiated during Main Mode, but these two tasks are the primary functions.

Quick Mode is responsible for negotiating the specific protocols, and source and destination addresses that will be included in the IPSec tunnel mode policy. Additionally, Quick Mode negotiates how this traffic will be protected (using the encryption algorithms DES or 3DES and the authentication algorithms SHA1 or MD5). There are other settings negotiated, but these are the primary tasks.

Diagram

The scenario described in this document is shown in the following figure.

Figure 4   Network topology

Configuring ISA Server 2004

After the ISA Server installation is complete, perform the following steps on the ISA Server computer to set up the IPSec tunnel mode configuration:

  1. Create a remote site network that defines the IP subnet behind the SmoothWall Express system and IPSec settings for the IPSec tunnel mode configuration.
  2. Create a network rule that defines how the traffic is passed to the SmoothWall Express network (either using NAT or routing the traffic).
  3. Create a firewall policy access rule that defines which traffic is allowed to pass to the SmoothWall Express network.

Create a Remote Site Network

A remote site network defines the network behind the SmoothWall system, and also defines the IPSec settings for the tunnel mode configuration. The New Site-to-Site Network Wizard creates a policy of IPSec settings that are not visible in the IPSec Policy Management console. The Main Mode and Quick Mode settings are dynamically inserted into the IPSec driver by the wizard. To create a remote site network, perform the following steps.

  1. To start the wizard, select the Virtual Private Networks (VPN) node in the ISA Server console, and then select the Remote Sites tab. On the Tasks tab, click Add Remote Site Network.
  2. In this example, a network definition that will specify the range of IP addresses that are accessible behind the SmoothWall Express system through the IPSec tunnel mode configuration will be created. Enter the name SmoothwallNet, and then click Next.
  3. Select IP Security protocol (IPSec) tunnel mode, and then click Next.
  4. Enter the tunnel mode endpoint addresses. The SmoothWall Express system is the remote VPN gateway and ISA Server is the local VPN gateway. Then, click Next.
  5. Select the type of authentication you want to perform for Main Mode negotiations. For this example, select Use pre-shared key for authentication and enter 123456789 for initial testing. Then, click Next.
  6. Click Add to add the range of IP addresses that will be accessible through the tunnel mode configuration (the subnet that is behind the SmoothWall Express system).
  7. If you want traffic destined for the SmoothWall Express system’s external interface included, specify its address. In the following example, the subnet 172.25.3.0 is defined as behind the SmoothWall Express system. Click OK.
  8. Click Next.
  9. Click Finish to complete the wizard. After the wizard is finished, click Apply to make the configuration change active.

After the changes are applied, you can view the IPSec settings from ISA Server or by using a command-line utility. There are two methods to view the settings from ISA Server. To use the first method to view the IPSec settings, perform the following steps.

  1. On the Remote Sites tab, select the remote site network object you just created.
  2. On the Tasks tab, click View Remote Site IPSec Policy. The following dialog box appears.

Or, to use another method to view the IPSec settings, perform the following steps.

  1. On the Tasks tab, click Configure Remote Site.
  2. Select the Connection tab, and then click IPSec Settings.
    Phase I (Main Mode) settings appear.
  3. Click the Phase II tab. Phase II (Quick Mode) settings appear.

You can also use the command-line utility NETSH to view these Main Mode and Quick Mode policies and filters:

  • Main Mode Policy "c:\>netsh ipsec dynamic show mmpolicy all"
    IKE MM Policy Name         : ISA Server SmoothwallNet MM Policy
    IKE Soft SA Lifetime       : 28800 secs
     
    Encryption     Integrity        DH    Lifetime (Kb:secs)    QM Limit Per MM
    -------------------------------------------------------------------------------
    3DES           SHA1              2             0:28000              0
  • Main Mode Filters "c:\>netsh ipsec dynamic show mmfilter all"
    Main Mode Filters: Generic
    -------------------------------------------------------------------------------
    Filter name                    : IPSec{4ECE7FAD-F0A7-45FB-BAF7-4E193EB814F6}
    Connection Type            : ALL
    Source Address             : <My IP Address>   (255.255.255.255)
    Destination Address        : 192.168.55.100       (255.255.255.255)
    Authentication Methods     : Preshared key
    Security Methods           : 1  3DES/SHA1/DH2/28000/QMlimit=0
    -------------------------------------------------------------------------------
    Filter name                    : IPSec{163EABB5-9F2B-44ED-B80E-4D7C462E4846}
    Connection Type            : ALL
    Source Address            : <My IP Address>   (255.255.255.255)
    Destination Address        : 192.168.55.1      (255.255.255.255)
    Authentication Methods     :        Preshared key
    Security Methods           : 1         3DES/SHA1/DH2/28000/QMlimit=0
     
    2 Generic Filter(s)
  • Quick Mode Policy "c:\>netsh ipsec dynamic show qmpolicy all"
    QM Negotiation Policy Name : ISA Server SmoothwallNet QM Policy
     
    Security Methods           Lifetime (Kb:secs)       PFS DH Group
    -------------------------------------------------------------------------------
    ESP[3DES,SHA1]         0:3600            Medium (2)
  • Quick Mode Filters "c:\>netsh ipsec dynamic show qmfilter all"
    Quick Mode Filters(Tunnel): Generic
    -------------------------------------------------------------------------------
    Filter name                    : IPSec{F886828B-A23B-4659-9F29-0B6129A3C9F8}
    Connection Type            : ALL
    Source Address             : 172.25.10.0       (255.255.255.0  )
    Destination Address        : 172.25.3.0        (255.255.255.0  )
    Tunnel Source              : <Any IP Address>
    Tunnel Destination         : 192.168.55.1
    Protocol                       : ANY     Src Port: 0      Dest Port: 0
    Mirrored                       : no
    Quick Mode Policy          : ISA Server SmoothwallNet QM Policy
    Inbound Action             : Negotiate
    Outbound Action            : Negotiate
    -------------------------------------------------------------------------------
    Filter name                    : IPSec{DBC53B1F-5A48-47BF-9A2E-081793CE6555}
    Connection Type            : ALL
    Source Address             : 172.25.3.0        (255.255.255.0  )
    Destination Address        : 172.25.10.0       (255.255.255.0  )
    Tunnel Source              : <Any IP Address>
    Tunnel Destination         : 192.168.55.100
    Protocol                       : ANY     Src Port: 0      Dest Port: 0
    Mirrored                       : no
    Quick Mode Policy          : ISA Server SmoothwallNet QM Policy
    Inbound Action             : Negotiate
    Outbound Action            : Negotiate
    -------------------------------------------------------------------------------
    Filter name                    : IPSec{34C43528-2089-4CA8-B801-4D2A822F38C2}
    Connection Type            : ALL
    Source Address            : 192.168.55.100       (255.255.255.255)
    Destination Address       : 172.25.3.0        (255.255.255.0  )
    Tunnel Source              : <Any IP Address>
    Tunnel Destination         : 192.168.55.1
    Protocol                       : ANY     Src Port: 0      Dest Port: 0
    Mirrored                       : no
    Quick Mode Policy          : ISA Server SmoothwallNet QM Policy
    Inbound Action             : Negotiate
    Outbound Action            : Negotiate
    -------------------------------------------------------------------------------
    Filter name                    : IPSec{EA90C1F4-4CC2-44E4-BB88-D4B1E89B953C}
    Connection Type            : ALL
    Source Address             : 172.25.3.0        (255.255.255.0  )
    Destination Address       : 192.168.55.100       (255.255.255.255)
    Tunnel Source              : <Any IP Address>
    Tunnel Destination         : 192.168.55.100
    Protocol                       : ANY     Src Port: 0      Dest Port: 0
    Mirrored                       : no
    Quick Mode Policy          : ISA Server SmoothwallNet QM Policy
    Inbound Action             : Negotiate
    Outbound Action            : Negotiate
     
    4 Generic Filter(s)

You have now created a remote site network, and viewed the IPSec settings. Now that the remote site network has been defined, the next step is to define a relationship between the ISA Server Internal network and the SmoothWall Express remote network. In the next section, you will define whether you want the traffic to use NAT or be routed to the remote network.

Create a Network Rule

To create a network rule, perform the following steps.

  1. In the ISA Server console, select Configuration, select Networks, select the Network Rules tab, and then on the Tasks tab, click Create a New Network Rule.

  2. For this scenario, enter the name SmoothwallNet to ISANet - Route, and then click Next.

  3. On the Network Traffic Sources page, click Add

  4. Expand the Networks node.

  5. Select the Internal network, click Add, and then click Close.

  6. On the Network Traffic Sources page, click Next.

  7. On the Network Traffic Destinations page, repeat the same procedure as before, but select the network object SmoothwallNet.

  8. On the Network Traffic Destinations page, click Next.

  9. On the Network Relationship page, select Route, and then click Next.

    Note

       In this example, traffic is routed between the two networks. This is because the IP subnets are different. If your scenario has two IP subnets that overlap (both local and remote subnets are 192.168.0.x), you should consider either using NAT for the traffic or redefining one of the IP subnets so that there is no overlap.

  10. On the summary page, review the rule details and then click Finish.

  11. After the wizard is complete, click Apply to make the configuration changes effective.

You have now created a network rule. The next step is to create an access rule.

Create an Access Rule

Now that you have defined the remote site and the network rule, you need to define which traffic will pass through the IPSec tunnel mode configuration. You control this through the firewall policy by creating an access rule specifying the traffic you want to allow. To create an access rule, perform the following steps.

  1. In the ISA Server console, select Firewall Policy, right-click, select New, and then click Access Rule.
  2. Provide a name that describes accurately the source and destination networks, and the traffic allowed. For this scenario, enter the name SmoothwallNet to ISANet – Allow All, and then click Next.
  3. On the Rule Action page, select Allow, and then click Next.
  4. On the Protocols page, in This rule applies to, select All outbound protocols, and then click Next.
  5. Click Add.
  6. Expand Networks.
  7. Click Internal. You could optionally include Local Host if you want to allow ISA Server to send traffic to the remote network. Click Add, click Close, and then click Next.
  8. Click Add, and then click Networks.
  9. Click SmoothwallNet for the destination network. Click Add, click Close, and then click Next.
  10. Select which users to allow, and then click Next.
  11. Review the settings in the summary screen, and then click Finish to complete the wizard.
  12. After the wizard is complete, click Apply to make the configuration changes effective.

Note

   You must complete the same procedure to allow traffic from the SmoothwallNet subnet to the ISANet subnet. Network rules (which you created earlier in this document) are mirrored, but access rules are "one-way."

You have now created a remote site network, a network rule, and an access rule. Now that ISA Server is configured, you will configure the SmoothWall Express system.

Configuring the SmoothWall Express System

This guide assumes that your SmoothWall Express system has already been installed.

Command-line configuration of IPSec settings on the SmoothWall Express system can be used. In this guide, the Web interface is used to set up the initial policy. If you want information about how to configure different options, see https://www.smoothwall.org/. (SmoothWall uses the Open Source FreeS/WAN implementation of IPSec. For more information, see https://www.freeswan.org/.)

To configure the SmoothWall Express system, perform the following steps.

  1. Access the SmoothWall Express Web interface by accessing https://172.25.3.1:441. (This is using the default SSL port accepted during the SmoothWall Express installation). You will see the following screen.
  2. Click the about your smoothie tab. On this page, you can see that the VPN service is currently stopped.
  3. Now select the VPN tab. For your initial testing, in Global settings, Local VPN IP, leave the box blank. As the page mentions, if this box is blank, the Red interface is used.
  4. On the VPN tab, click the Connections navigation button. The concept of left and right is useful in visualizing the VPN setup. Either side can be left or right, as long as you are consistent when entering the respective subnet value. In this setup, the SmoothWall Express system will be on the left and ISA Server on the right.
  5. In Name, enter ISANet, in Left, enter 192.168.55.1, and in Left subnet, enter 172.25.3.0/24. In Right, enter 192.168.55.100 and in Right subnet, enter 172.25.10.0/24. In Secret and Again, type 123456789. Then click Add.
    The ISANet connection information will appear under Current connections.
  6. After this is completed, on the VPN tab, click the Control navigation button. You should see the connection just created under Manual control and status. Its status will be Closed. Click Restart.
    The ISANet connection should change to Open.
  7. Now, click the about your smoothie tab, and then select the Advanced navigation button. The VPN service should now be running.

You have now configured the SmoothWall Express system.

Reconciling the ISA Server and SmoothWall Express IPSec Tunnel Mode Policy

The next step is to reconcile the IPSec tunnel mode policy. This involves changing one setting on the ISA Server computer. To reconcile the IPSec tunnel mode policy, perform the following steps.

  1. Select the Virtual Private Networks (VPN) node in the ISA Server console, and then click the Remote Sites tab. Select SmoothwallNet, and then on the Tasks tab, click Configure Remote Site.
  2. Verify that Enable the VPN site-to-site connection is selected.
  3. Click the Connection tab, and then click IPSec Settings.
    The Phase I settings are displayed.
  4. Click the Phase II tab.
  5. Under Generate a new key every, change the seconds to 28800, to match the SmoothWall Express settings.

This setting is not visible in the SmoothWall Express Web interface. Examining the Oakley logs on the computer running Windows Server 2003 shows that the SmoothWall Express system sends a Session Key Lifetime setting that is different from the setting in the ISA Server wizard. The following is an explanation of an excerpt from the Oakley log, showing the Quick Mode failure.

  • Line 1 is the Incoming Quick Mode offer from the SmoothWall system with the Initiator and Responder cookies set in lines 3 and 4.
  • Line 12 is Proposal 0, which specifies the use of ESP. (Proposals can contain many different transforms that are combinations of encryption algorithms DES or 3DES, hashing algorithms MD5 or SHA1, Diffie-Hellman settings, and IP addresses pertinent to the IPSec tunnel mode policy.)
  • Lines 13 through 18 contain the settings for Transform 0 and have the following settings:
    • 3DES (line 13)
    • Perfect Forward Secrecy (PFS) is group 2, which is the Diffie-Hellman group (line 14)
    • Tunnel mode is specified (line 15)
    • Session key lifetime is 28800 seconds (lines 16 and 17)
    • MD5 (line 18)
  • Lines 19 through 24 contain settings for Transform 1, which has all the same settings except for the hashing algorithm that is specified as SHA1 (line 24).

The following is an excerpt from the Oakley log, showing the Quick Mode failure:

12-09: 22:36:20:818:fec Receive: (get) SA = 0x0137ec60 from 192.168.55.1.500
12-09: 22:36:20:818:fec ISAKMP Header: (V1.0), len = 316
12-09: 22:36:20:818:fec   I-COOKIE 5e20729eafbcf84d
12-09: 22:36:20:818:fec   R-COOKIE d02a42ac5868c79c
12-09: 22:36:20:818:fec   exchange: Oakley Quick Mode
12-09: 22:36:20:818:fec   flags: 1 ( encrypted )
12-09: 22:36:20:818:fec   next payload: HASH
12-09: 22:36:20:818:fec   message ID: d4629cf2
12-09: 22:36:20:858:fec Negotiated Proxy ID: Src 172.25.3.0.0 Dst 172.25.10.0.0
12-09: 22:36:20:858:fec Src id for subnet.  Mask 255.255.255.0
12-09: 22:36:20:858:fec Dst id for subnet.  Mask 255.255.255.0
12-09: 22:36:20:858:fec Checking Proposal 0: Proto= ESP(3), num trans=2 Next=0
12-09: 22:36:20:858:fec Checking Transform # 0: ID=Triple DES CBC(3)
12-09: 22:36:20:858:fec  group description for PFS is 2
12-09: 22:36:20:858:fec  tunnel mode is Tunnel Mode(1)
12-09: 22:36:20:858:fec  SA life type in seconds
12-09: 22:36:20:858:fec  SA life duration 28800
12-09: 22:36:20:858:fec  HMAC algorithm is MD5(1)
12-09: 22:36:20:858:fec Checking Transform # 1: ID=Triple DES CBC(3)
12-09: 22:36:20:858:fec  group description for PFS is 2
12-09: 22:36:20:858:fec  tunnel mode is Tunnel Mode(1)
12-09: 22:36:20:858:fec  SA life type in seconds
12-09: 22:36:20:858:fec  SA life duration 28800
12-09: 22:36:20:858:fec  HMAC algorithm is SHA(2)
12-09: 22:36:20:858:fec Finding Responder Policy for SRC=172.25.3.0.0000 DST=172.25.10.0.0000, SRCMask=255.255.255.0, DSTMask=255.255.255.0, Prot=0 InTunnelEndpt 6437a8c0 OutTunnelEndpt 137a8c0
12-09: 22:36:20:868:fec Failed to get TunnelPolicy 13015
12-09: 22:36:20:868:fec Responder failed to match filter(Phase II) 13015
12-09: 22:36:20:908:fec Data Protection Mode (Quick Mode)
12-09: 22:36:20:908:fec Source IP Address 172.25.10.0  Source IP Address Mask 255.255.255.0  Destination IP Address 172.25.3.0  Destination IP Address Mask 255.255.255.0  Protocol 0  Source Port 0  Destination Port 0  IKE Local Addr 192.168.55.100  IKE Peer Addr 192.168.55.1  IKE Source Port 500  IKE Destination Port 500  Peer Private Addr
12-09: 22:36:20:908:fec Preshared key ID.  Peer IP Address: 192.168.55.1
12-09: 22:36:20:908:fec Me
12-09: 22:36:20:908:fec No policy configured
12-09: 22:36:20:908:fec ISAKMP Header: (V1.0), len = 68
12-09: 22:36:20:908:fec   I-COOKIE 5e20729eafbcf84d
12-09: 22:36:20:918:fec   R-COOKIE d02a42ac5868c79c
12-09: 22:36:20:918:fec   exchange: ISAKMP Informational Exchange
12-09: 22:36:20:918:fec   flags: 1 ( encrypted )
12-09: 22:36:20:918:fec   next payload: HASH
12-09: 22:36:20:918:fec   message ID: ab623176
12-09: 22:36:20:918:fec Ports S:f401 D:f401

If you compare these settings to the Phase I and Phase II settings on the ISA Server IPSec policy, the session key for Phase II is the only mismatch that needs to change, as shown previously.
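The comparison just described can be automated. The following added example (not part of the original document) parses the Quick Mode transforms out of the Oakley log excerpt above, compares each transform against the ISA Server Quick Mode policy that netsh reported earlier (ESP[3DES,SHA1], lifetime 3600 seconds, PFS group 2), and reports the mismatches; the log lines and policy values are those shown in this document, while the dictionary key names are this example's own.

```python
import re

# Oakley log lines exactly as shown in the excerpt above (the incoming Quick Mode offer).
OAKLEY_EXCERPT = """\
12-09: 22:36:20:858:fec Checking Proposal 0: Proto= ESP(3), num trans=2 Next=0
12-09: 22:36:20:858:fec Checking Transform # 0: ID=Triple DES CBC(3)
12-09: 22:36:20:858:fec  group description for PFS is 2
12-09: 22:36:20:858:fec  tunnel mode is Tunnel Mode(1)
12-09: 22:36:20:858:fec  SA life type in seconds
12-09: 22:36:20:858:fec  SA life duration 28800
12-09: 22:36:20:858:fec  HMAC algorithm is MD5(1)
12-09: 22:36:20:858:fec Checking Transform # 1: ID=Triple DES CBC(3)
12-09: 22:36:20:858:fec  group description for PFS is 2
12-09: 22:36:20:858:fec  tunnel mode is Tunnel Mode(1)
12-09: 22:36:20:858:fec  SA life type in seconds
12-09: 22:36:20:858:fec  SA life duration 28800
12-09: 22:36:20:858:fec  HMAC algorithm is SHA(2)
12-09: 22:36:20:868:fec Failed to get TunnelPolicy 13015
12-09: 22:36:20:868:fec Responder failed to match filter(Phase II) 13015
"""

# Local Quick Mode policy as "netsh ipsec dynamic show qmpolicy all" reported it:
# ESP[3DES,SHA1], lifetime 0:3600, PFS DH group Medium (2). Key names are this example's own.
ISA_QM_POLICY = {"encryption": "3DES", "integrity": "SHA1", "pfs_group": 2,
                 "mode": "tunnel", "lifetime_secs": 3600}

# Map Oakley's transform names onto the names netsh uses.
ENC_NAMES = {"Triple DES CBC": "3DES", "DES CBC": "DES"}
HMAC_NAMES = {"MD5": "MD5", "SHA": "SHA1"}

STAMP = re.compile(r"^\d\d-\d\d: [\d:]+:[0-9a-f]+\s+(.*)$")  # "12-09: 22:36:20:858:fec ..."


def strip_stamp(line):
    """Drop the date/time/thread prefix that every Oakley log line carries."""
    m = STAMP.match(line)
    return m.group(1).strip() if m else line.strip()


def parse_transforms(text):
    """Collect each 'Checking Transform # N' block into a dict of its negotiated settings."""
    transforms, cur = [], None
    for raw in text.splitlines():
        line = strip_stamp(raw)
        m = re.match(r"Checking Transform # (\d+): ID=(.+?)\(\d+\)", line)
        if m:
            cur = {"index": int(m.group(1)), "encryption": ENC_NAMES.get(m.group(2), m.group(2))}
            transforms.append(cur)
            continue
        if cur is None:
            continue
        if m := re.match(r"group description for PFS is (\d+)", line):
            cur["pfs_group"] = int(m.group(1))
        elif m := re.match(r"tunnel mode is (\w+) Mode", line):
            cur["mode"] = m.group(1).lower()
        elif m := re.match(r"SA life type in (\w+)", line):
            cur["life_type"] = m.group(1)
        elif m := re.match(r"SA life duration (\d+)", line):
            cur["lifetime"] = int(m.group(1))
        elif m := re.match(r"HMAC algorithm is (\w+)\(\d+\)", line):
            cur["integrity"] = HMAC_NAMES.get(m.group(1), m.group(1))
    return transforms


def compare(transform, policy):
    """Return (setting, offered, local) for every setting the peer's transform disagrees on."""
    mismatches = [(k, transform.get(k), policy[k])
                  for k in ("encryption", "integrity", "pfs_group", "mode")
                  if transform.get(k) != policy[k]]
    if transform.get("life_type") == "seconds" and transform.get("lifetime") != policy["lifetime_secs"]:
        mismatches.append(("lifetime_secs", transform.get("lifetime"), policy["lifetime_secs"]))
    return mismatches


def quick_mode_failed(text):
    """True when the responder logged the Phase II filter-match failure."""
    return any("failed to match filter(Phase II)" in strip_stamp(l) for l in text.splitlines())


def diagnose(text, policy):
    """Map each offered transform index to its list of mismatches against the local policy."""
    return {t["index"]: compare(t, policy) for t in parse_transforms(text)}
```

diagnose(OAKLEY_EXCERPT, ISA_QM_POLICY) shows Transform 1 differing only in the session key lifetime (28800 offered, 3600 local), and the same call with lifetime_secs set to 28800 shows Transform 1 matching completely, which is the one change the procedure above makes.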

After you make this change, you can add the IPSec Monitor snap-in and view the settings. Perform the following steps.

  1. On the computer running Windows Server 2003, click Start, click Run, type mmc, and then click OK.
  2. On the File menu, click Add/Remove Snap-in, and add the IPSec Monitor snap-in.
  3. Expand Console Root to view the Main Mode and Quick Mode security associations. Under Main Mode, click Security Associations. You should see the following screen, which details the Main Mode (Phase I) security association.
  4. Under Quick Mode, click Security Associations. You should see the following screen, which details the Quick Mode (Phase II) security association.

Note

   Quick Mode (Phase II) actually has two security associations—Inbound and Outbound, but the IPSec Monitor only shows the Outbound security association. Clients from behind each system should be able to access the remote site through the IPSec tunnel mode policy. (If not, you will need to consider routing tables on the clients.)

Testing

The testing process uses different application layer and transport layer protocols to ensure that data is encrypted and decrypted correctly as it passes through the IPSec tunnel. The following data transfer tests can be used to determine the success of the IPSec tunnel connection:

  • FTP Transfer
    The FTP process uses an FTP GET of a single 100 megabyte (MB) file, renames the file, and then uses an FTP PUT to transfer the new file back to the FTP server. After the two transfers are completed, a comparison is performed, using Windiff.exe from the Windows 2000 Server Resource Kit, at the FTP server to ensure the two files are identical.
  • TFTP Transfer
    The TFTP copy process replicates the FTP tests, with the only difference being that a 20 MB file is transferred rather than the 100 MB file transferred using FTP. Because Windows Server 2003, Windows XP, and Windows 2000 Server do not include a TFTP server, a third-party TFTP server (SolarWinds TFTP Server https://www.solarwinds.com) is used as a TFTP server for the tests, and a Windows XP host using the command line utility TFTP.EXE is used as the client.
  • CIFS Transfer
    The CIFS copy process transfers a folder structure with three subfolders containing a total of 311 files approximately 50 MB in size between the two computers. The data is transferred from the source computer to the target computer using the Resource Kit utility ROBOCOPY.exe and by copying within Windows Explorer. The files are then copied from the target computer to the source computer into a different folder structure. The folders are then compared using Windiff.exe from the Windows 2000 Resource Kit to ensure that the data is not corrupted during transmission.
  • PING with specific sizes
    PING packets are sent from the target to the source computer using specific packet sizes to test packet fragmentation and reassembly through the IPSec tunnel. Specifically, packets sizes of: 2, 3, 4, 5, 6, 7, 8, 9, 10, 20, 40, 80, 160, 320, 640, 1280, 1460, 1461, 1462, 1463, 1464, 1465, 1466, 1467, 1468, 1469, 1470, 1471, 1472, 1473, 1474, 1475, 1476, 1477, 1478, 1479, 1480, 1500, 3000, 6000, 12000, 24000, 48000, and 65500 bytes.