Discussion about article on publishing VPN servers
Discussion about article on publishing VPN servers - 19.Sep.2004 10:38:00 PM
tshinder
Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the article on publishing VPN servers over at http://isaserver.org/articles/2004pubvpn.html
Answers to the questions:
1. What VPN protocols does the ISA firewall support for remote access connections? Answer: PPTP and L2TP/IPSec.
2. What VPN protocols does the ISA firewall support for site to site VPN connections? Answer: PPTP, L2TP/IPSec and IPSec tunnel mode.
3. What route relationship is required to publish non-NAT-T IPSec tunnel mode connections? Answer: A route relationship is required. You can set the route relationship by configuring a Network Rule.
4. What port number is used by IETF IPSec NAT-T? Answer: UDP port 4500.
5. Which is more secure? PPTP with complex passwords or IPSec tunnel mode with pre-shared keys? Answer: PPTP using complex passwords or user certificate authentication is more secure than IPSec tunnel mode using pre-shared keys.
6. Which protocols must you publish to allow connections to a back-end ISA firewall/VPN server when the route relationship between the external interface and the DMZ network on the front-end ISA firewall is set to NAT? Answer: For PPTP, you can use the PPTP Server Protocol Definition. For L2TP/IPSec, you can use the L2TP/IPSec NAT-T protocols -- this requires that you publish UDP 500 for IKE and UDP 4500 for the IPSec NAT-T protocol.
Thanks! Tom [ September 20, 2004, 03:15 AM: Message edited by: tshinder ]
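Answer 6 above says the NAT case needs UDP 500 for IKE and UDP 4500 for NAT-T. The classifier below, added here and not part of the article or of any post in this thread, decodes what actually travels on those two ports using the RFC 3948 framing (IKE behind a four-byte non-ESP marker, UDP-encapsulated ESP, one-byte keepalives), so a capture taken at the front-end firewall can show whether the negotiation is reaching the back-end; build_isakmp and the packets it produces are constructed samples, not real captures.

```python
"""Classify the UDP datagrams a front-end firewall sees when it publishes an
L2TP/IPsec server behind NAT: UDP 500 carries IKE, UDP 4500 carries IPsec
NAT-T (RFC 3948 framing). Added example, not the article's code; samples are constructed."""
import struct

# IKEv1 exchange types carried in the ISAKMP header (RFC 2408 / RFC 2409).
IKE_EXCHANGES = {2: "main mode", 4: "aggressive mode", 32: "quick mode"}
ISAKMP_HDR_LEN = 28  # two 8-byte cookies plus 12 bytes of fixed fields
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE on 4500 is prefixed with this

def parse_isakmp(data: bytes) -> dict:
    """Decode the fixed ISAKMP header; raise ValueError if it is malformed."""
    if len(data) < ISAKMP_HDR_LEN:
        raise ValueError("short ISAKMP header")
    _icookie, rcookie, _next, ver, xchg, _flags, _msgid, length = struct.unpack(
        "!8s8sBBBBII", data[:ISAKMP_HDR_LEN])
    if length != len(data):
        raise ValueError("ISAKMP length field does not match datagram size")
    return {
        "version": (ver >> 4, ver & 0x0F),
        "exchange": IKE_EXCHANGES.get(xchg, f"exchange type {xchg}"),
        # A zero responder cookie means the first message of a new SA setup.
        "responder_cookie_set": rcookie != b"\x00" * 8,
    }

def classify(dst_port: int, payload: bytes) -> str:
    """Describe what a UDP datagram sent to dst_port carries."""
    if dst_port == 500:
        return "IKE " + parse_isakmp(payload)["exchange"]
    if dst_port != 4500:
        return "not IKE/NAT-T"
    if payload == b"\xff":  # one-byte NAT keepalive, RFC 3948 section 4
        return "NAT-T keepalive"
    if len(payload) < 4:
        raise ValueError("NAT-T datagram too short")
    if payload[:4] == NON_ESP_MARKER:  # IKE multiplexed onto 4500
        return "NAT-T IKE " + parse_isakmp(payload[4:])["exchange"]
    spi = struct.unpack("!I", payload[:4])[0]  # otherwise UDP-encapsulated ESP
    return f"NAT-T ESP spi=0x{spi:08x}"

def build_isakmp(xchg: int, responder: bool = False) -> bytes:
    """Constructed header-only ISAKMP message used as sample input."""
    rcookie = b"\x11" * 8 if responder else b"\x00" * 8
    return struct.pack("!8s8sBBBBII", b"\xaa" * 8, rcookie,
                       0, 0x10, xchg, 0, 0, ISAKMP_HDR_LEN)
```

If a capture at the front-end shows only IKE on UDP 500 and nothing on UDP 4500, the 4500 publishing rule is the first thing to check.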
RE: Discussion about article on publishing VPN servers - 28.Oct.2004 1:57:00 PM
achkarab
Posts: 14
Joined: 28.Sep.2004
Status: offline
Hello Mr Tom, I need to have your help and your advice, if you permit.
I have a back-to-back topology to be implemented: Internet (leased line, digital modem) ---> 3Com SuperStack firewall ---> DMZ ---> ISA 2004. I would like to have a theory of how to make things work well for:
- where to make static routes, where to enable routing, where to publish?
- the VPN site-to-site (as I have multiple servers and specific ports to be opened)
- Internet (allowing access rule? packet filtering for the VPN connection)
- SMTP (internal Exchange; what to do for the ISA and for the 3Com firewall)
- what do you suggest to use as firewall client for servers and for workstations: SecureNAT, Web client...
Thank you.
RE: Discussion about article on publishing VPN servers - 27.Jan.2005 5:00:00 PM
bspengler
Posts: 1
Joined: 27.Jan.2005
From: Stockton, IL
Status: offline
My front firewall is a PIX 501 and my back firewall is an ISA Server 2004. Using parts of your article I was able to get a PPTP VPN client to connect just fine through the PIX to the back firewall -- works great.
Even though I have the PIX set up for IPsec passthrough (sysopt connection permit-ipsec), I cannot get L2TP to connect through to the ISA Server. I am using Windows XP with SP2 and the VPN client configured for L2TP and a preshared key that matches that of the ISA 2004 Server. I followed your article for this part of things. For L2TP, the Windows XP VPN client says "Connecting to IP: XXX.XXX.XXX.XXX", hangs for a while, and then errors out with one of two errors: either "Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer" or "Error 792: The L2TP connection attempt failed because security negotiation timed out."
Again, PPTP works great, but I am trying also to get L2TP to work.
Any help would be appreciated. (I have tried various PIX settings beyond sysopt connection permit-ipsec, also including fixup protocol esp-ike and isakmp nat-t, but nothing seems to matter.) I am not sure this is a PIX passthrough problem.
RE: Discussion about article on publishing VPN servers - 19.Apr.2005 12:04:00 PM
cs1364
Posts: 3
Joined: 23.Aug.2004
From: Denmark
Status: offline
I have the exact same problem... Any resolution?
Cheers
Christian
RE: Discussion about article on publishing VPN servers - 19.Apr.2005 12:29:00 PM
tshinder
Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
quote: Originally posted by Abdo Achkar: Hello Mr Tom, I need to have your help and your advice, if you permit.
I have a back-to-back topology to be implemented: Internet (leased line, digital modem) ---> 3Com SuperStack firewall ---> DMZ ---> ISA 2004. I would like to have a theory of how to make things work well for:
- where to make static routes, where to enable routing, where to publish?
- the VPN site-to-site (as I have multiple servers and specific ports to be opened)
- Internet (allowing access rule? packet filtering for the VPN connection)
- SMTP (internal Exchange; what to do for the ISA and for the 3Com firewall)
- what do you suggest to use as firewall client for servers and for workstations: SecureNAT, Web client...
Thank you.
Hi Abdo,
If you're not good with routing and configuring the 3COM, I would recommend that you forward everything from the Internet to the external interface of the ISA firewall. If the router has a "DMZ" feature, just configure it to use the ISA firewall's external interface as its "DMZ" host, so that everything is allowed inbound and outbound from the ISA firewall's external interface.
HTH, Tom
RE: Discussion about article on publishing VPN servers - 19.Apr.2005 12:31:00 PM
tshinder
Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
quote: Originally posted by lotstolearn: My front firewall is a PIX 501 and my back firewall is an ISA Server 2004. Using parts of your article I was able to get a PPTP VPN client to connect just fine through the PIX to the back firewall -- works great.
Even though I have the PIX set up for IPsec passthrough (sysopt connection permit-ipsec), I cannot get L2TP to connect through to the ISA Server. I am using Windows XP with SP2 and the VPN client configured for L2TP and a preshared key that matches that of the ISA 2004 Server. I followed your article for this part of things. For L2TP, the Windows XP VPN client says "Connecting to IP: XXX.XXX.XXX.XXX", hangs for a while, and then errors out with one of two errors: either "Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer" or "Error 792: The L2TP connection attempt failed because security negotiation timed out."
Again, PPTP works great, but I am trying also to get L2TP to work.
Any help would be appreciated. (I have tried various PIX settings beyond sysopt connection permit-ipsec, also including fixup protocol esp-ike and isakmp nat-t, but nothing seems to matter.) I am not sure this is a PIX passthrough problem.
Hi Lots,
Are you using the updated L2TP/IPSec VPN client, so that you can NAT between the Internet and the external interface of the ISA firewall?
Thanks! Tom
RE: Discussion about article on publishing VPN servers - 21.Jun.2005 8:02:00 PM
Guest
My problem is similar.
Two hosts:
- first: VPN Server (Windows 2003 SP1), L2TP/IPSec
- second: Windows 2003 SP1 with ISA 2004 SP1
ISA is publishing the VPN Server (UDP 500 & 4500).
When I try to connect I get error 678, "The remote computer did not respond." I read article KB885407, "The default behavior of IPsec NAT traversal (NAT-T) is changed in Windows XP Service Pack 2", and added the registry key with value 2, but I still have the same error.
When I look in the IP Security Monitor snap-in, everything looks fine.
My client is Windows XP SP2. I use a preshared key (a direct connection to the VPN server without ISA works fine).
Any ideas?
Regards, Marcin
RE: Discussion about article on publishing VPN servers - 24.Aug.2005 12:57:00 PM
jcotelo
Posts: 2
Joined: 13.Jul.2005
From: Montevideo, Uruguay
Status: offline
Hi,
This is my first time in these forums; please excuse me if I have done something wrong in making this post. I have a front-end Cisco PIX 520 with 3 interfaces and a back-end ISA 2004. I am planning the deployment, but now they have asked me to allow VPN connections. I have read your article, but I am not quite sure how to allow the VPN clients to pass through the PIX.
Any help would be great. Thanks Jorge
RE: Discussion about article on publishing VPN servers - 24.Aug.2005 7:18:00 PM
tshinder
Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jorge,
I'll let someone else jump in here to correct me, but I'm pretty sure the PIX doesn't have a PPTP NAT editor. However, if you're not using NAT, then you just need to allow IP protocol 47 (GRE) and the PPTP control channel, TCP 1723.
HTH, Tom
RE: Discussion about article on publishing VPN servers - 20.Dec.2005 1:00:45 PM
karmi
Posts: 32
Joined: 5.Nov.2004
Status: offline
Hello, I have two questions.
1. I have configured two ISA servers, front/back. When I connect to the back server directly on PPTP it works, but when I connect to it on the front ISA IP (from the Internet) I am unable to; it hangs on the "verifying password" screen. I defined protocol 47 (GRE), since I found it on the denied access list when I monitored the connection; now it appears as failed, and I still have the problem.
2. I am unable to connect directly to another ISA server from the Internet using L2TP, neither with a shared key nor using certificates. NOTE THAT: I was able to connect to it (L2TP with valid certificates) from an internal computer on the ISA internal IP address with no problems. When I disconnect the network from my computer and dial to my ISP to connect to the server from the Internet, it does not connect L2TP, and gives me "negotiations timed out". I tried from other computers outside as well with no luck. I checked the following:
- IP fragments are not blocked on the ISA
- Certificates OK in the Local Computer store (Server in Personal / CA in Root) on the server, (Client and CA) on the client
- IPSec is enabled on both server and client
- L2TP ports are created on RAS (and I was able to connect locally, as I said)
- Access Networks checked, both external and internal
But in the logging I get several "Denied connection" entries, as follows:
Client IP       | Destination     | Port                    | Result code         | Transport
ISA External IP | ISA External IP | different random ports ... | UNREACHABLE_ADDRESS | UDP
What could be the problem? Thanks