From PPTP to IPsec with Pre-Shared key
From PPTP to IPsec with Pre-Shared key - 31.Mar.2008 4:20:24 PM
greyhorsecorp
Posts: 15
Joined: 31.Mar.2008
Status: offline
I need to switch over from PPTP -> IPsec with Pre-Shared key. On both ends are ISA 2004 Std. with SP2. May I do it by just deleting Network entries on both ends and creating new ones that will have the same subnet entries, but with IPsec and different authentication methods? Is this going to have any impact on RRAS, and do I need to stop any service prior to making any change? I assume the Network Rule can be left alone as it is in "Route" relationship, and Firewall Rules could also remain intact, because after applying changes in Defined Networks, that should get inherited into the existing Firewall Policy Rule. After all, can I just disable the Remote site in the Remote Sites Tab under Virtual Private Networks, or do I have to delete that entry as well and create a new one? I don't know why MS didn't provide this as an option to change from PPTP to IPsec in an already running config, but the only option available is to switch over from PPTP to L2TP/IPsec, while at the same time, if you start creating from scratch, ISA allows you to create an IPsec tunnel. If anyone has ever done this and has a process for it, I would greatly appreciate it. A link to any info of that type would help me a lot.

Thank you, Z
RE: From PPTP to IPsec with Pre-Shared key - 1.Apr.2008 5:35:32 AM
justmee
Posts: 505
Joined: 14.May2007
Status: offline
Hi Grey,

Why not from PPTP to L2TP/IPsec, since both ends are ISA firewalls?

Regards, J
RE: From PPTP to IPsec with Pre-Shared key - 1.Apr.2008 12:38:54 PM
greyhorsecorp
Posts: 15
Joined: 31.Mar.2008
Status: offline
Hi justmee,

Well, because I have 3rd party routers in other sites and I want them all to have the same tunnel type. Other existing tunnels are already on IPsec, because of interoperability between different vendors we already have in production. After all, both ISAs are Std. version, so we would need to have Enterprise (correct me if I am wrong) to have automatic VPN Failover capability (currently not in place), and that is another limit I am facing. I found a document that explains switching over from PPTP -> L2TP/IPsec, but that is not an issue, even if it is with the Pre-Shared key, since ISA gives you that option in an already running configuration; but as I said before, this option doesn't exist if I want to go from PPTP -> IPsec on an ISA server that has already established PPTP with another site. I am pretty sure that the tunnel has to go down for some time (when I decide to do this), vs. PPTP -> L2TP/IPsec that can be done with almost no downtime.

Thanks again, Grey
RE: From PPTP to IPsec with Pre-Shared key - 1.Apr.2008 2:27:47 PM
justmee
Posts: 505
Joined: 14.May2007
Status: offline
Hi Grey,

Since the site-to-site connection is between two ISAs, interoperability is not a concern (unless you plan in the future to replace one of the ISA Servers with a VPN gateway from another vendor). You may like to read this: http://blogs.isaserver.org/shinder/2006/04/02/reason-456-for-using-l2tpipsec-over-ipsec-tunnel-mode/ And this (scroll below for Site-to-Site VPN performance guides): http://www.microsoft.com/technet/isa/2004/plan/bestpractices.mspx

If you still want to use IPsec Tunnel Mode after reading the above links, then you will have to do it correctly: delete the current VPN site-to-site connection (you can't delete it until you delete the network and firewall rules which use the remote site first) and use the wizard to create the new site-to-site connection.

Regards, J
RE: From PPTP to IPsec with Pre-Shared key - 1.Apr.2008 3:57:52 PM
greyhorsecorp
Posts: 15
Joined: 31.Mar.2008
Status: offline
Thanks justmee,

Exactly, I want to switch over to the 3rd party in front of both ISAs, and that's why I need IPsec. Otherwise I would use L2TP/IPsec, which is even more secure. What about RRAS, since it is tightly connected to ISA? Do I need to stop the service, or... When I delete networks (I am aware that ISA won't allow me to create an IPsec tunnel until I delete the rule and networks first), do I need to do anything with RRAS? Do I need to delete the local accounts on both ISAs that I was using for PPTP, or can I leave them there too? So many questions, but since I have no LAB, I want to play it safe.

Thanks, Grey
RE: From PPTP to IPsec with Pre-Shared key - 1.Apr.2008 4:51:41 PM
justmee
Posts: 505
Joined: 14.May2007
Status: offline
Hi Grey,

You do not need to do anything in the RRAS console. Just delete the site-to-site VPN connection and apply your config. If ISA asks you to restart the service, click OK (I do not recall exactly what happens with ISA 2004 when you click apply after you have deleted the old remote site; I have not touched ISA 2004 for quite a while, having used only ISA 2006 lately). If those accounts are not used anymore, then you should delete them.

Regards, J