IPSec tunnel ISA2k4 - Routefinder
IPSec tunnel ISA2k4 - Routefinder - 11.Feb.2004 11:32:00 AM
Linke Loe
Posts: 57
Joined: 1.Oct.2003
From: Utrecht, Netherlands
Status: offline
Hi all.
I have an ISA 2k4 at work and a Multitech Routefinder 660 at a branch office. I want to set up an IPsec VPN tunnel between them.
I create the remote network in both the machines and on the Routefinder I can see the VPN tunnel is established.
I create a packet filter on the routefinder to allow all traffic from the internal LAN to the remote LAN. On the ISA-box I tried several network and firewall rules allowing all traffic, but I can't send a ping to the other side.
Is there anyone who has this kind of configuration working, or can anyone tell me what rules I have to configure?
RE: IPSec tunnel ISA2k4 - Routefinder - 11.Feb.2004 1:16:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Linke,
On the ISA 2004 firewall, create a rule that allows everything from the remote network to the Internal network.
HTH, Tom
RE: IPSec tunnel ISA2k4 - Routefinder - 11.Feb.2004 2:18:00 PM
Linke Loe
Posts: 57
Joined: 1.Oct.2003
From: Utrecht, Netherlands
Status: offline
quote: Originally posted by tshinder: Hi Linke,
On the ISA 2004 firewall, create a rule that allows everything from the remote network to the Internal network.
HTH, Tom
Hmmmm, done that. Still no ping...
Is there anything I need to enable first? Right now, I only have a network rule with a routing relationship between the Internal Network and the remote network and a firewall rule allowing all outbound protocols from the remote network to the internal network.
RE: IPSec tunnel ISA2k4 - Routefinder - 11.Feb.2004 6:31:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Linke,
They should be inbound connections from the remote network to the internal network.
That's all you should need on the ISA side. Haven't seen your type of router, though.
HTH, Tom
RE: IPSec tunnel ISA2k4 - Routefinder - 11.Feb.2004 10:33:00 PM
Linke Loe
Posts: 57
Joined: 1.Oct.2003
From: Utrecht, Netherlands
Status: offline
quote: Originally posted by tshinder: Hi Linke,
They should be inbound connections from the remote network to the internal network.
That's all you should need on the ISA side. Haven't seen your type of router, though.
HTH, Tom
And how do I enable all inbound protocols? There is a standard definition "All Outbound Protocols" but nothing like "All Inbound Protocols"...
I don't know if the Routefinder is a much-seen router in the US, but I've seen it several times here in Europe. If you want more info: http://www.multitech.com/PRODUCTS/Families/RouteFinderVPN/
RE: IPSec tunnel ISA2k4 - Routefinder - 15.Feb.2004 11:23:00 PM
Linke Loe
Posts: 57
Joined: 1.Oct.2003
From: Utrecht, Netherlands
Status: offline
On the routefinder I configure a packet filter allowing all access through all ports, so it should work on the remote side.
But I think I'm going to test things out on a second ISA 2k4 machine this week. Let's see if that will work...
RE: IPSec tunnel ISA2k4 - Routefinder - 16.Feb.2004 12:23:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Linke,
Let us know how it works out for you.
Thanks! Tom
RE: IPSec tunnel ISA2k4 - Routefinder - 17.Feb.2004 4:41:00 PM
Linke Loe
Posts: 57
Joined: 1.Oct.2003
From: Utrecht, Netherlands
Status: offline
I sure will.
I'm setting up the second server as I speak and going to test things out later tonight.
RE: IPSec tunnel ISA2k4 - Routefinder - 17.Feb.2004 9:33:00 PM
Linke Loe
Posts: 57
Joined: 1.Oct.2003
From: Utrecht, Netherlands
Status: offline
It works!
I have set up a second ISA 2k4 server at my branch office, configured the remote networks on both machines, routing rules and full access rules and it works. I can browse for shares on the remote network. Only when I ping from any ISA server to any IP on the remote network, I get the reply "Negotiating IP Security". Ping from an internal host to the remote network works fine. Does anyone know how to solve this?
Now I only have to know why this damned routefinder won't work... [ February 17, 2004, 10:28 PM: Message edited by: Linke Loe ]
RE: IPSec tunnel ISA2k4 - Routefinder - 17.Feb.2004 11:13:00 PM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
You are most likely receiving this because of a Filter mismatch on the Route Finder.
When you create the Remote Network object and use IPsec Tunnel Mode, 4 filters are created (If Win2003, use the command line "netsh ipsec dynamic show qmfilters all" to see these filters)
ISA External IP -> Remote Subnet
ISA Private net -> Remote Subnet
ISA External IP <- Remote Subnet
ISA Private net <- Remote Subnet
When you PING from the network behind ISA, the filter "ISA Private Net -> Remote Subnet" gets invoked and works because you have a corresponding filter on the Route Finder. When you PING from ISA, you invoke the "ISA External IP -> Remote Subnet" filter which most likely is not on the Route Finder.
I'm not sure how Route Finder refers to filters (Cisco uses Access Lists, different vendors use other terminology), but you'll need to see what the "relationship" is between the RouteFinder and ISA's external IP address.
I ran into this problem while testing interoperability with my PIX and CheckPoint installs and after adding the corresponding filter/access list on the remote site, everything worked. [ February 17, 2004, 11:18 PM: Message edited by: ClintD ]
RE: IPSec tunnel ISA2k4 - Routefinder - 18.Feb.2004 4:40:00 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Clint,
Thanks! Great info.
Tom
RE: IPSec tunnel ISA2k4 - Routefinder - 18.Feb.2004 10:13:00 PM
Linke Loe
Posts: 57
Joined: 1.Oct.2003
From: Utrecht, Netherlands
Status: offline
Clint,
Thanks for your reply, I now understand what can go wrong, but I still didn't manage to get traffic going on the VPN tunnel between the ISA and the routefinder. I installed a second ISA server on the remote site and built a VPN between the two ISA servers. When I ping from one ISA server to the remote network I get this message, while pinging from behind the ISA server works fine.
Does your filter-story still apply to this scenario and if so, do you know how to resolve this issue?
RE: IPSec tunnel ISA2k4 - Routefinder - 19.Feb.2004 1:09:00 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Linke,
Did you use my guide for creating a site to site VPN with IPSec tunnel mode between two ISA 2004 firewalls?
Thanks! Tom
RE: IPSec tunnel ISA2k4 - Routefinder - 19.Feb.2004 1:49:00 AM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
It helps, but this ends up coming down to a filter mismatch.
What OS is ISA 2004 installed on?
If Win2003, go to a command prompt and run...
netsh ipsec dynamic show qmfilters all
Compare the filters that are shown here to make sure they match on both sides. Again, we're looking for
ISA1 -> Remote Subnet
Local Subnet -> Remote Subnet
ISA1 <- Remote Subnet
Local Subnet <- Remote Subnet
If Win2000, it's a little more difficult - let me know if this is the case and I'll try to find the IPSECPOL command line syntax to dump out the filters created.
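An added example, not code from this thread or from either vendor, that models the filter comparison ClintD describes in this post and in his earlier one: the four quick-mode filters ISA 2004 creates for a tunnel-mode remote network are checked against the peer's filters, and any flow with a filter on only one side is reported. Filters are written from the packet's point of view as (source, destination); all addresses are constructed sample values.

```python
"""Check a site-to-site IPsec filter set for one-sided selectors.

Models the four quick-mode filters ISA 2004 creates for a tunnel-mode
remote network (external IP and private net, each way, against the
remote subnet) and compares them with the peer's filters. Filters are
written from the packet's point of view: (source network, destination
network). All addresses below are constructed sample values.
"""
from ipaddress import ip_network


def net(addr):
    """Accept a host ('203.0.113.10') or a prefix ('10.1.0.0/24')."""
    return ip_network(addr, strict=False)


def isa_filters(external_ip, private_net, remote_subnet):
    """The four filters ISA builds for an IPsec tunnel-mode remote network."""
    filters = set()
    for local in (external_ip, private_net):
        filters.add((net(local), net(remote_subnet)))   # local -> remote
        filters.add((net(remote_subnet), net(local)))   # remote -> local
    return filters


def covers(flow, filters):
    """True if any filter's (src, dst) networks contain the flow's hosts."""
    src, dst = (net(a) for a in flow)
    return any(src.subnet_of(fs) and dst.subnet_of(fd) for fs, fd in filters)


def flow_negotiates(flow, local_filters, peer_filters):
    """A flow only completes quick mode if both ends hold a matching filter."""
    return covers(flow, local_filters) and covers(flow, peer_filters)


def missing_on_peer(local_filters, peer_filters):
    """Local filters the peer has no matching entry for, as printable pairs."""
    return sorted((str(s), str(d)) for s, d in local_filters
                  if not covers((str(s), str(d)), peer_filters))


if __name__ == "__main__":
    isa = isa_filters("203.0.113.10", "10.1.0.0/24", "10.2.0.0/24")
    # Peer only knows the LAN-to-LAN pair, not ISA's own external address.
    peer = {(net("10.1.0.0/24"), net("10.2.0.0/24")),
            (net("10.2.0.0/24"), net("10.1.0.0/24"))}
    print("LAN host ping:", flow_negotiates(("10.1.0.5", "10.2.0.5"), isa, peer))
    print("ISA itself ping:", flow_negotiates(("203.0.113.10", "10.2.0.5"), isa, peer))
    for src, dst in missing_on_peer(isa, peer):
        print("peer lacks filter:", src, "->", dst)
```

With the sample sets, a ping from a LAN host negotiates while a ping sourced from the ISA external address does not, and the two filters the peer lacks are exactly the "ISA External IP <-> Remote Subnet" pair.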
RE: IPSec tunnel ISA2k4 - Routefinder - 19.Feb.2004 9:49:00 PM
Linke Loe
Posts: 57
Joined: 1.Oct.2003
From: Utrecht, Netherlands
Status: offline
The problem is solved.
I didn't quite follow your article, Tom. I forgot to add the public IP addresses of the remote networks to the network definitions. When I added these addresses, I could ping from the ISA server. Do you have an explanation for this?
RE: IPSec tunnel ISA2k4 - Routefinder - 20.Feb.2004 12:10:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Linke,
You need to do that when using a NAT relationship, and when you enable Web Proxy connections.
HTH, Tom