Welcome to ISAserver.org
"Creating a Site to Site" document - Problems
"Creating a Site to Site" document - Problems - 20.Aug.2006 9:02:40 PM
briano@ounsted.ca
Posts: 12
Joined: 15.Jul.2006
Status: offline
Hello,

After reading part 1 and part 2 of "Creating a Site to Site VPN......" I really wanted to try and see if it was as incredibly easy as it seemed. Well, it is not, at least for me. I followed the excellent instructions verbatim but with not-so-excellent results.

I used fresh copies of ISA 2006 and Server 2003 on dedicated computers that are joined to operating domains. One of the server/ISA combos is a VMware GSX virtual install. All with dedicated public IPs.

I guess what I found most frustrating is the lack of information from the logging. So far the only result I have had is 2 lines of the log pertaining to the VPN event at one end, and nothing at the other end. I have tried to initiate connections from both ends.

Ping initiated 192.168.0.16 - branch end 24.83.96.122
Log shows at the branch end everything was "Denied - Default rule"
At the office end - shows pings from the outside interface - all Denied
------------------------------------------
Ping initiated 192.168.1.2 - office end 209.53.100.230
Log shows at the office end:
IKE Client Initiate ... (System) Allow VPN Site-to-site connection local Host External
L2TP Client Initiate ... (System) Allow VPN Site-to-site connection local Host External
Branch end:
24.83.96.124 Microsoft CIFS (TCP) Denied Default rule
192.168.1.2 Kerberos-Sec (UDP) Closed (System) Allow kerberos authentication from ISA Server ....
24.83.96.124 RPC (All Interfaces) Denied Default rule
192.168.1.2 RPC (All Interfaces) Closed (System) Allow RPC from ISA server to trusted servers
--------------------------------------------------------

I really don't know what might be pertinent here, but there does not seem to be very much information. From what little information I have from the logs it would seem the branch end is the problem. I don't see a tunnel ever built. I have been over and over the configuration and can find nothing seemingly wrong. I have logged into other computers using the VPN login credentials and that works OK.

What I need is some leads or a troubleshooting guide. In any event I sure need help.

Thanks,
Brian O
RE: "Creating a Site to Site" document - Prob... - 21.Aug.2006 5:23:32 PM
tshinder
Posts: 47644
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Brian,

1. Never troubleshoot at or to the ISA firewall; the site to site VPN connects the networks, not the firewalls.
2. Ping from a host behind one of the ISA firewalls to a host behind the other ISA firewall.
3. Make sure the pre-shared key is correct.
4. Make sure you have created the demand-dial interface user accounts, named them properly, and enabled both of them for dial-up permissions.
5. Make sure, in your testing ONLY, that the external interfaces of each ISA firewall are on the same network ID.
6. When getting into more advanced testing, make sure the external interfaces of each ISA firewall are on a different network ID and that you have a router in between them that knows how to route the requests.

HTH,
Tom

_____________________________
Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting
http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
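Tom's item 4 can be checked from the directory rather than by eye. The script below is an added example for this thread, not code from the post or from ISA Server; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the two interface names are placeholders for your own demand-dial interface names. It relies on the RRAS rule that the user name a calling router authenticates with must equal the demand-dial interface name on the answering router, so each account is looked up under that interface name and its enabled state and dial-in permission (the msNPAllowDialin attribute) are reported.

```powershell
# Example check for Tom's item 4 (added here; not from the thread or from ISA Server).
# Assumes: ActiveDirectory module available; interface names below are placeholders.
param(
    [string[]]$DemandDialInterfaceNames = @('OfficeToBranch', 'BranchToOffice')  # placeholders
)
Import-Module ActiveDirectory

function Test-DemandDialAccount {
    param([string]$InterfaceName)
    # The calling router's user name must match the answering router's demand-dial
    # interface name, so the account is expected to exist under that exact name.
    try {
        $u = Get-ADUser -Identity $InterfaceName -Properties msNPAllowDialin, Enabled -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Account = $InterfaceName; Exists = $false; Enabled = $null; DialIn = 'n/a'; Ok = $false }
    }
    # msNPAllowDialin: $true = "Allow access", $false = "Deny access",
    # not set = "Control access through Remote Access Policy".
    if ($u.msNPAllowDialin -eq $true)      { $dialIn = 'Allow' }
    elseif ($u.msNPAllowDialin -eq $false) { $dialIn = 'Deny' }
    else                                   { $dialIn = 'Policy' }
    [pscustomobject]@{
        Account = $InterfaceName
        Exists  = $true
        Enabled = $u.Enabled
        DialIn  = $dialIn
        # Ok only when the account is enabled and explicitly allowed to dial in;
        # 'Policy' means a remote access policy decides, so review it by hand.
        Ok      = ($u.Enabled -eq $true -and $dialIn -eq 'Allow')
    }
}

$results = foreach ($name in $DemandDialInterfaceNames) { Test-DemandDialAccount -InterfaceName $name }
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'At least one demand-dial account is missing, disabled, or not allowed to dial in.'
}
```

Run it on a domain-joined machine in each site's domain (or once if both ISA firewalls use the same domain); an account reported as Exists = False usually means the name does not match the remote side's demand-dial interface.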
RE: "Creating a Site to Site" document - Prob... - 21.Aug.2006 8:34:23 PM
briano@ounsted.ca
Posts: 12
Joined: 15.Jul.2006
Status: offline
> 1. Never troubleshoot at or to the ISA firewall, the site to site VPN connects the networks, not the firewalls

At the moment my troubleshooting is limited to the ISA logging information. Also, since no tunnel has been built there is nothing in the session log.

> 2. Ping from a host behind one of the ISA firewalls to a host behind the other ISA firewall

My pinging is limited to host 192.168.1.40 to host 192.168.0.16, and at the other end host 192.168.0.8 to host 192.168.1.2.

> 3. Make sure the pre-shared key is correct

I have checked it several times, and if you look at the site-to-site summary you can see exactly what the key is.

> 4. Make sure you have created the demand-dial interface user accounts, named them properly, and enabled both of them for dial-up permissions

This has been done at the domain controller, and also on the computers 2K3/ISA is installed on; dial-in access at the Active Directory level. The dial-up users and password were checked by logging manually into a local computer.

> 5. Make sure, in your testing ONLY, that the external interfaces of each ISA firewall is on the same network ID

Don't quite understand what is meant by this statement. Both outside interfaces are on public internet IPs.

> 6. When getting into more advanced testing, make sure the external interfaces of each ISA firewall is a on a different network ID and that you have a router in between them that knows how to route the requests

Also don't quite understand. Routers on the internet are beyond my control.

I have never had problems with client VPN access, but site-to-site is a different story. For some reason, very problematic. I never did get my PIX-ISA site-to-site working. I simply gave up.

Again, I appreciate your help.
Brian O.