Welcome to ISAserver.org


Site-to-Site VPN Routing.

Site-to-Site VPN Routing. - 12.Dec.2007 10:00:43 AM   
gawent

 

Posts: 1
Joined: 31.Jul.2007
Status: offline
Hi,
 
I have two sites, one with SBS 2000 and one with SBS 2003. I have configured two Sonicwall TZ180's at each site and configured an IPSec VPN tunnel between the two. The tunnel is visibly up and running and I can ping addresses from one site to the other with replies but only as far as the WAN NIC on the other and I believe an ISA routing issue is preventing this from happening.
 
This server has two NICs, one with LAN configured on a private IP range and a WAN NIC with its private IP address. This is in turn connected to a TZ180 with a corresponding private address, then a public address to the internet and to the other site.
 
Linearly then the scenario is as follows:
 
Site A Internal LAN has a 10.0.0.x range with an SBS server assigning addresses on the LAN via DHCP. LAN NIC address is 10.0.0.2.
 
WAN NIC on this server has an address of 192.168.1.2, this is also the address of the ISA installation.
 
TZ180 at this site has an internal address of 192.168.1.3 and the public address to an ADSL router on to the internet.
 
The other site has the same ADSL router to TZ180 straight into the LAN at Site B.
 
From Site A I can ping any of the addresses in Site B, from Site B I can only ping 192.68.1.3 and 192.168.1.2 but no further.
 
With the TZ180 at Site B I can find a path through to the LAN addresses (SBS Server for example) but not ping any devices and I think ISA is the reason for this?
 
If someone could assist me with configuring ISA to allow incoming traffic to allow site to site communication via the VPN I'd be very grateful?
 
 
Regards
 
Gawen.
Post #: 1
RE: Site-to-Site VPN Routing. - 15.Dec.2007 7:34:29 AM   
AHIT

 

Posts: 1561
Joined: 22.Jul.2002
From: Sydney, Australia
Status: offline
With the scenario you've described you've created a Site to Site VPN between the "private IP ranges in your 'public' network" but NOT within your internal private network.
eg:
LAN1 private IP -- SBS2000 -- ExternalPrivateIP1 -- TZ180-1 --  internet  -- TZ180-2 -- Externalprivate2 -- SBS2003 -- LAN2 private IP.
so whilst there's a connection between "externalprivate1" and "externalprivate2", LAN1 and LAN2 cannot see each other as they still have the ISA services between them. ie: 192.168.1.2 can see 192.168.1.3 but 10.0.0.2 cannot see LAN2/B's IP address range.

Suggest using site to site VPN on the ISA servers themselves and not via router-to-router VPN. You may need to enable GRE/port 47 forwarding on those routers/Sonicwalls thru to the respective ISAs. At present anything "outside" of ISA is seen as foreign to ISA and hence it cannot 'route' that traffic for LAN to LAN.

Hope that makes sense?
It's late Saturday night with red wine lubricating my mouth OK but making the mental synapses slide all over the place!!


_____________________________

http://www.ahit.com.au/isa
(Previous nick: Tolk)

(in reply to gawent)
Post #: 2
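
A small model of the asymmetry discussed in this thread, added here as an illustration and not posted by any participant. It assumes the tunnel protects only the networks the TZ180s see directly, that ISA NATs LAN clients to its WAN address on the way out, and it uses a constructed Site B range (192.168.50.0/24), since the thread never states one.

```python
import ipaddress as ip

# Addresses from the thread; SITE_B_LAN is a constructed placeholder.
SITE_A_LAN = ip.ip_network("10.0.0.0/24")      # behind ISA (LAN NIC 10.0.0.2)
SITE_A_EXT = ip.ip_network("192.168.1.0/24")   # ISA WAN NIC .2, TZ180 .3
SITE_B_LAN = ip.ip_network("192.168.50.0/24")  # assumed, not from the thread
ISA_WAN = ip.ip_address("192.168.1.2")

# Assumption: the tunnel's protected networks are the ones the TZ180s touch.
TUNNEL = (SITE_A_EXT, SITE_B_LAN)


def in_tunnel(src, dst):
    """True if src/dst match the tunnel's network pair in either direction."""
    a, b = TUNNEL
    return (src in a and dst in b) or (src in b and dst in a)


def isa_outbound(src):
    """Assumption: ISA NATs LAN clients to its WAN address when they leave."""
    return ISA_WAN if src in SITE_A_LAN else src


def reachable(src, dst):
    """Model one new connection from src to dst; returns (ok, reason)."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    wire_src = isa_outbound(src)
    if dst in SITE_A_LAN and src not in SITE_A_LAN:
        return False, "destination is behind ISA, outside the tunnel networks"
    if in_tunnel(wire_src, dst):
        note = f" (seen as {wire_src} after NAT)" if wire_src != src else ""
        return True, "matches tunnel networks" + note
    return False, "no tunnel network pair matches"


if __name__ == "__main__":
    flows = [("10.0.0.50", "192.168.50.10"),    # Site A client -> Site B host
             ("192.168.50.10", "192.168.1.2"),  # Site B host -> ISA WAN NIC
             ("192.168.50.10", "10.0.0.2")]     # Site B host -> SBS LAN NIC
    for s, d in flows:
        print(f"{s:>14} -> {d:<14} {reachable(s, d)}")
```

The third flow is the one that fails in the original question: nothing in the tunnel definition or on ISA maps a Site B source onto the 10.0.0.x network.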
RE: Site-to-Site VPN Routing. - 15.Dec.2007 9:03:40 AM   
Jason Jones

 

Posts: 2137
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: AHIT

It's late Saturday night with red wine lubricating my mouth OK but making the mental synapses slide all over the place!!





_____________________________

Jason Jones (MVP)

Silversands Limited http://www.silversands.co.uk
My Blog: http://blog.msfirewall.org.uk/

Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to AHIT)
Post #: 3
RE: Site-to-Site VPN Routing. - 17.Dec.2007 12:11:16 AM   
AHIT

 

Posts: 1561
Joined: 22.Jul.2002
From: Sydney, Australia
Status: offline
To err is human

_____________________________

http://www.ahit.com.au/isa
(Previous nick: Tolk)

(in reply to Jason Jones)
Post #: 4
