L2TP in back to back ISA

All Forums >> [ISA Server 2000 Firewall] >> VPN >> L2TP in back to back ISA
L2TP in back to back ISA - 12.Oct.2004 12:11:00 PM   
yasser_abbass

 

Posts: 25
Joined: 17.Jul.2002
Status: offline
Hi all,

I'm trying to establish a VPN in back to back configuration.
I'm using ISA 2000 windows 2000, IAS internal server.

It's working fine but I want to ask a couple of questions here.
1) Can I publish the internal ISA VPN server instead of creating 2 tunnels?
2) How can I authenticate the users at the external firewall? Do I need to install another IAS on the internal ISA so the external one can authenticate through it, since it won't work on the DMZ?

Thanks a lot

yasser
Post #: 1
RE: L2TP in back to back ISA - 12.Oct.2004 7:57:00 PM   
spouseele

 

Posts: 12826
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi yasser,

check out http://www.isaserver.org/articles/isa2000vpndeploymentkit.html .

HTH,
Stefaan

(in reply to yasser_abbass)
Post #: 2
RE: L2TP in back to back ISA - 13.Oct.2004 1:01:00 PM   
yasser_abbass

 

Posts: 25
Joined: 17.Jul.2002
Status: offline
Thanks for answering.

I've gone through all of the documents before but I didn't find a quick answer for my questions.

Can anybody help please?

Thanks

(in reply to yasser_abbass)
Post #: 3
RE: L2TP in back to back ISA - 13.Oct.2004 9:12:00 PM   
spouseele

 

Posts: 12826
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi yasser,

check out http://www.isaserver.org/img/upl/vpnkitbeta2/b2bnat-t.htm .

Keep in mind that when you terminate the VPN on the outer ISA server, the VPN clients will only have access to the DMZ and the services published on the external interface of the inner ISA server. However, if you terminate the VPN on the inner ISA server the VPN clients will have full access to the internal network behind the inner ISA server and the DMZ hosts.

HTH,
Stefaan

(in reply to yasser_abbass)
Post #: 4
RE: L2TP in back to back ISA - 14.Oct.2004 4:10:00 PM   
yasser_abbass

 

Posts: 25
Joined: 17.Jul.2002
Status: offline
Hi spouseele

Thanks a lot for your help.
Well, I did read and follow the instructions on the link but had another issue, Error 791.
So I started Network Monitor on both the external and internal ISA.
Both are receiving the request and some traffic is there.
I also upgraded to KB818043 but no luck.
The oakley.log states "No policy configured".
So I created a new connection directly to the internal server and set up the client to have an IP on the DMZ. It worked.

But when connecting through the external one it does not.
What a puzzle, huh?

And this has raised another issue: it seems that if I have multiple IPs bound to the client interface the VPN connection just picks one of these IPs to make the connection, which is a big problem.

For example the internal interface is bound to these IPs:
192.168.1.100 internal
192.168.2.100 DMZ
194.x.x.x External

What is happening at the moment is when I connect to the internal ISA it goes from 194.x.x.x.

Any help?

Thanks a lot for your help

yasser

(in reply to yasser_abbass)
Post #: 5
RE: L2TP in back to back ISA - 14.Oct.2004 9:48:00 PM   
spouseele

 

Posts: 12826
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi yasser,

quote:
for example the internal interface is bound to these IPs
192.168.1.100 internal
192.168.2.100 DMZ
194.x.x.x External

The internal interface from which device? [Confused]

HTH,
Stefaan

(in reply to yasser_abbass)
Post #: 6
RE: L2TP in back to back ISA - 16.Oct.2004 9:56:00 AM   
yasser_abbass

 

Posts: 25
Joined: 17.Jul.2002
Status: offline
Sorry for that.

I mean if the client is bound to multiple IPs, when the VPN client starts it just selects one of these IPs.

As for error 791, nothing works with regards to it.

Any help?

Thanks

(in reply to yasser_abbass)
Post #: 7
RE: L2TP in back to back ISA - 17.Oct.2004 2:11:00 PM   
spouseele

 

Posts: 12826
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi yasser,

Why make things so complicated by assigning multiple IPs from different network IDs to the VPN client? Play it by the book and it will work as it should! [Razz]

In a B2B ISA DMZ scenario the outer ISA server is doing NAT. Therefore you will have to use L2TP/IPSec with NAT-T. That means that:

1) the inner ISA server *must* run on Win2003 because NAT-T is only supported on that OS or higher.

2) you'll have to disable the IPSec service on the outer ISA server because otherwise the IPSec will be handled by the outer ISA server. Note that the outer ISA server may run on Win2000.

3) you'll have to server publish the IKE and NAT-T protocols from the external interface of the inner ISA server on to the external interface of the outer ISA server.

4) it might be necessary to disable IP Fragment filtering on the inner and outer ISA server in the IP Packet Filter Properties.

5) if the VPN client runs on WinXP-SP2 then check out http://www.lanarchitect.net/Articles/FixSP2VPN/ for the required registry fix.

HTH,
Stefaan

(in reply to yasser_abbass)
Post #: 8
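Step 3 above publishes two UDP flows (IKE on 500 and NAT-T on 4500) from the outer ISA server to the inner one. The following is an added Python example, not code from the thread or from ISA Server, that tells those flows apart the way a packet filter or a log review would have to; the datagrams it builds are constructed samples, not captures.

```python
import struct

# Constructed example: classify the UDP datagrams an outer NAT firewall must
# pass for L2TP/IPsec with NAT-T. Nothing here is captured from a real session.
IKE_PORT = 500      # plain ISAKMP/IKE
NAT_T_PORT = 4500   # NAT-T: IKE behind a 4-byte non-ESP marker, or UDP-encapsulated ESP

# ISAKMP header: init SPI, resp SPI, next payload, version, exchange type,
# flags, message id, total length (28 bytes)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def build_isakmp(init_spi, resp_spi, exch_type, body=b""):
    """Build a minimal IKEv1 datagram (next payload 1 = SA, version 1.0)."""
    length = ISAKMP_HDR.size + len(body)
    return ISAKMP_HDR.pack(init_spi, resp_spi, 1, 0x10, exch_type, 0, 0, length) + body


def build_udp_esp(spi, seq, body=b""):
    """Build a UDP-encapsulated ESP datagram; a non-zero SPI distinguishes it from IKE."""
    return struct.pack("!II", spi, seq) + body


def _ike(kind, data):
    if len(data) < ISAKMP_HDR.size:
        return ("malformed", None)
    init_spi, resp_spi, _np, ver, exch, _fl, _mid, length = ISAKMP_HDR.unpack(data[:ISAKMP_HDR.size])
    if length != len(data) or init_spi == bytes(8):
        return ("malformed", None)
    # IKEv1 exchange types: 2 = main mode, 4 = aggressive, 32 = quick mode
    phase = "phase1" if exch in (2, 4) else "phase2" if exch == 32 else "other"
    return (kind, {"version": ver >> 4, "phase": phase, "responder_known": resp_spi != bytes(8)})


def classify(dst_port, payload):
    """Return (kind, detail) for a UDP datagram seen on the outer firewall."""
    if dst_port == IKE_PORT:
        return _ike("ike", payload)
    if dst_port == NAT_T_PORT:
        if payload.startswith(NON_ESP_MARKER):
            return _ike("nat-t-ike", payload[len(NON_ESP_MARKER):])
        if len(payload) >= 8:
            spi, seq = struct.unpack("!II", payload[:8])
            if spi != 0:
                return ("udp-encap-esp", {"spi": spi, "seq": seq})
        return ("malformed", None)
    # Raw ESP (IP protocol 50) has no ports, so a NAT device cannot map it per
    # client; only the two UDP flows above belong to the NAT-T rule set.
    return ("unknown", None)
```

The same classifier run over a client's traffic to the outer interface shows directly whether the IPsec exchange is reaching the inner server as NAT-T (port 4500) or is being answered by the outer server's own IPsec service, which is what step 2 disables.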
RE: L2TP in back to back ISA - 18.Oct.2004 9:28:00 AM   
yasser_abbass

 

Posts: 25
Joined: 17.Jul.2002
Status: offline
Hi Stefaan

Thanks a lot for your help. Well, actually I've done all of that except for the Windows 2003 part;
I was working on Windows 2000.
This explains why it didn't work.

Thanks a lot

best regards

yasser

(in reply to yasser_abbass)
Post #: 9
RE: L2TP in back to back ISA - 18.Oct.2004 8:04:00 PM   
spouseele

 

Posts: 12826
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi yasser,

good to hear I could help! [Smile]

Thanks,
Stefaan

(in reply to yasser_abbass)
Post #: 10