2 Win 2k3 Server w/ISA 2004 S2S VPN using NAT-T

2 Win 2k3 Server w/ISA 2004 S2S VPN using NAT-T - 5.May2006 6:58:00 AM   
wanpeterc
Posts: 5
Joined: 4.May2006
Status: offline
Hi All,

I have the following network setup.........

                     (A) Win2k3 w/ISA 2004 (Site 1) No NAT-T, Pure Public IP
                              /                \
                             /                  \
                            /                    \
   (B) Win2k3 w/ISA 2004                      (C) Win2k3 w/ISA 2004
            |                                          |
      Linksys router                             Linksys router
            |                                          |
        Internet                                   Internet

Now (A)'s external adapter has a pure public IP address.
(B) and (C) are using S2S VPN back to (A) individually.

What I want to do is complete the triangle connecting (B) to (C) using S2S L2TP/IPsec.
Dilemma: both are behind NATs.
Configured the routers to allow UDP 500 & 4500 back to their servers.

Does anyone have any ideas on how to connect 2 W2k3 servers w/ISA 2004 behind a NAT device?

Any info will be helpful!
Post #: 1
RE: 2 Win 2k3 Server w/ISA 2004 S2S VPN using NAT-T - 7.May2006 8:59:30 PM   
tshinder

Posts: 47663
Joined: 10.Jan.2001
From: Texas
Status: online
Hi Wan,

That should work. However, I don't know if Win2003 SP1 broke NAT-T like WinXP SP2. I'd have to do some research on this.

What errors do you see when the NAT-T connections fail? Does PPTP work (for testing only)?

Is frag protection disabled?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to wanpeterc)
Post #: 2
RE: 2 Win 2k3 Server w/ISA 2004 S2S VPN using NAT-T - 8.May2006 5:04:01 AM   
wanpeterc

Posts: 5
Joined: 4.May2006
Status: offline
Hi Tom,

Thanks for the reply....

Ok, here's what I found.
After correcting a typo I made with the network name and login account, I was successful at getting the S2S connection via PPTP. On the Linksys I forwarded port 1723 to the server and had no problems.

I reverted back to L2TP and forwarded ports 500 and 4500 to the server (did this on BOTH Linksys boxes). And I got nothing.

On the server that makes the connection, I found something in the System event log. It says that it made the connection to the destination server; however, it did not respond. Upon closer inspection of the Security log, I noticed that IKE made a successful association in main mode and quick mode with the other server, then immediately it closes the quick mode SA and logs an error against the main mode association with the reason "New Policies invalidated SAs formed with old policy".

Upon checking the destination server, I see in the ISA monitor that a connection was made on port 500 (IKE) and 4500 (NAT-T). But nothing else occurs. It then closes port 500 and that's it.

So to recap,
I got chatter, but they can't seem to close the deal on it.
But it works ok in PPTP mode, which I could always resort to, but I'd rather have the better security level.

Any other thoughts?

BTW: I am able to connect to either of the 2 servers from Win XP clients with the UDP reg change. So I think the certificates are good.

Thanks
Peter

< Message edited by wanpeterc -- 8.May2006 6:00:11 PM >


_____________________________

Just my 0.02$ Canadian
Peter Wan

(in reply to tshinder)
Post #: 3
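Added example, not part of the thread: the "UDP reg change" Peter applied to the XP clients is the AssumeUDPEncapsulationContextOnSendRule value under the IPSec service key, and Windows Server 2003 SP1 ships the same NAT-T default as XP SP2 (no IPsec NAT-T to a peer that is itself behind NAT). This PowerShell reads and, where needed, sets that value on the ISA/RRAS host for the case where both site-to-site endpoints sit behind NAT; the key and value names are the documented ones, the threshold logic is mine.

```powershell
# Added example (not from the thread). Checks and sets the IPsec NAT-T
# behaviour on a Windows Server 2003 SP1 / XP SP2 host.
#
# AssumeUDPEncapsulationContextOnSendRule (REG_DWORD) meanings:
#   0 = never build NAT-T SAs with a peer behind NAT (SP1 default, or absent)
#   1 = allow NAT-T when the responder is behind NAT
#   2 = allow NAT-T when both initiator and responder are behind NAT
#
# Run elevated. The IPSEC Services (PolicyAgent) must be restarted, or the
# host rebooted, before the new value is honoured.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSec'
$ValueName = 'AssumeUDPEncapsulationContextOnSendRule'

function Get-NatTSendRule {
    # A missing value behaves like 0, so report it that way.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$ValueName
}

function Set-NatTSendRule {
    param([ValidateSet(0, 1, 2)][int]$Rule)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Rule -Type DWord
}

$before = Get-NatTSendRule
Write-Host "Current $ValueName = $before"

# In the thread's B <-> C case both ISA firewalls are behind Linksys NAT
# routers, so anything lower than 2 leaves IKE unable to complete NAT-T.
if ($before -lt 2) {
    Set-NatTSendRule -Rule 2
    Write-Host "Set $ValueName = 2. Restart IPSEC Services: net stop policyagent && net start policyagent"
} else {
    Write-Host "No change needed."
}
```

Apply it on both NATed endpoints; the server with the public address (A) does not need it for peers that connect to it.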
RE: 2 Win 2k3 Server w/ISA 2004 S2S VPN using NAT-T - 21.May2006 9:05:36 PM   
tshinder

Posts: 47663
Joined: 10.Jan.2001
From: Texas
Status: online
Hi Peter,

You might try this: configure the routers to allow all traffic to the ISA firewalls, sort of like a DMZ mode, so that all traffic to and from the ISA firewalls is allowed.

HTH,
Tom


(in reply to wanpeterc)
Post #: 4
RE: 2 Win 2k3 Server w/ISA 2004 S2S VPN using NAT-T - 22.May2006 2:31:14 AM   
wanpeterc

Posts: 5
Joined: 4.May2006
Status: offline
Hi Tom,

An interesting concept...

And since the external adapter is NATed, the Linksys should be able to bear the brunt of the external forces prying on that IP address....
I shall experiment...

Thanks for the tip..
Appreciated as always...


(in reply to tshinder)
Post #: 5