Site2Site -> unable to connect to the remote office?
Site2Site -> unable to connect to the remote office? - 17.Jun.2007 9:03:06 AM
Thanquol
Posts: 15
Joined: 28.Feb.2007
Status: offline
Hi, I hope you can help us! I hope my English is good enough to explain the problem! We have the following situation: 2 ISA Servers with an L2TP VPN Site2Site connection with a pre-shared key (no certs..). The MST-ISA Server initiates the Site2Site connection and gets a valid IP address (192.168.1.14x). I've created a rule on both ISA servers: allow all traffic from local to remote and from remote to local office (just for testing). On the MST-ISA I can ping all computers @ local office, connect via RDP etc.. it's working perfectly! But all the other remote-office PCs cannot ping or connect otherwise to the local office servers! Of course the MST-ISA is the default gateway for all other PCs.

If I take a look at the Diakonie-ISA Monitoring while trying to open an RDP session:

From: MST-ISA (192.168.1.140) To: XXX (192.168.1.1) Protocol: RDP Allowed

but:

From: MST-PC1 (192.168.8.32) To: XXX (192.168.1.1) Protocol: RDP Denied by default rule

The MST-ISA with the 192.168.1.xx IP is allowed to pass, the other PCs with 192.168.8.xxx aren't allowed to pass! :( Even though a network rule exists (allowing all traffic from 192.168.8.xxx to Internal at the Diakonie-ISA server) :( What's wrong here? I'm searching for hours now.. and I can't see any mistake :( Thanks for your advice! Greetings from Germany, Florian
RE: Site2Site -> unable to connect to the remote off... - 18.Jun.2007 12:32:11 PM
Thanquol
Posts: 15
Joined: 28.Feb.2007
Status: offline
Hi, access rules exist on both ISA Servers allowing the complete traffic from and to the remote office, and network rules exist on both servers, configured as Route. Do I have to install a RIP protocol or something like this? Thanks!
RE: Site2Site -> unable to connect to the remote off... - 28.Jun.2007 6:07:35 PM
Thanquol
Posts: 15
Joined: 28.Feb.2007
Status: offline
Hi, of course the ISA Server is the default gateway! When I'm trying to ping the remote office, I always get a "FWX_E_UNREACHABLE_ADDRESS". I found some similar problems with Google but no solution! :( Thanks
RE: Site2Site -> unable to connect to the remote off... - 30.Jun.2007 4:39:43 AM
Thanquol
Posts: 15
Joined: 28.Feb.2007
Status: offline
Yes, a Route was created on both ISAs. We called Microsoft last week, but they have no idea what's wrong :/ Florian
RE: Site2Site -> unable to connect to the remote off... - 30.Jun.2007 8:12:11 PM
Thanquol
Posts: 15
Joined: 28.Feb.2007
Status: offline
Hi, no, only SP1 and all patches except SP2 are installed!
RE: Site2Site -> unable to connect to the remote off... - 2.Jul.2007 4:57:13 AM
justmee
Posts: 505
Joined: 14.May2007
Status: offline
Hi Florian, can you put the site-to-site summary from both ISAs here? A quick look there will give us a good start on what's configured on your ISAs. Also, if you run ISA BPA, do you see something (I know the word "something" is relative, but maybe BPA will come up with some info)? Best regards!
< Message edited by justmee -- 2.Jul.2007 9:40:22 AM >
RE: Site2Site -> unable to connect to the remote off... - 4.Jul.2007 1:05:32 PM
Thanquol
Posts: 15
Joined: 28.Feb.2007
Status: offline
Hi, the case has now been escalated to Level 3 ;) Support Level 2 wasn't able to help us! Here is the summary from ISA2 (it's the German version):

Remotegatewayadresse: 80.152.133.4
VPN-Netzwerkauthentifizierungsprotokolle (ausgehend): MS-CHAP v2
Authentifizierungsprotokolle für allgemeine VPN-Einstellungen (eingehend): MS-CHAP v2
Lokaler Benutzer: Netz1
Remotestandortbenutzer: MST-Server
IP-Adressen des Standort-zu-Standort-Netzwerks: 10.0.0.10, 192.168.1.0-192.168.1.255
Routingfähige lokale IP-Adressen: 10.0.0.10, 192.168.1.0-192.168.1.255, 192.168.8.0-192.168.8.255

Because the PPTP connection is initialised by ISA2, there is no Remote Network configured at ISA1. ISA BPA doesn't show any errors! Thanks, Florian
RE: Site2Site -> unable to connect to the remote off... - 5.Jul.2007 4:15:54 AM
justmee
Posts: 505
Joined: 14.May2007
Status: offline
Hi Florian, I asked you for this information just to clarify some things. ISA2 means MST-ISA, which initiates the site-to-site connection, thus acting as the Calling Gateway. ISA1 is at the local office and in your case is behaving as the Answering Gateway.

Now, what's wrong on this site-to-site summary from ISA2 is: Routingfähige lokale IP-Adressen: 10.0.0.10, 192.168.1.0-192.168.1.255, 192.168.8.0-192.168.8.255. Exactly 192.168.1.0-192.168.1.255 must not be there. German is not one of the languages I understand very well, but "Routingfähige lokale IP-Adressen" means Routable Local IP Addresses. If so, 192.168.1.0-192.168.1.255 is not local to ISA2. These routable local IP addresses are given to ISA by the network rule (route) you have defined between the Internal Network of ISA2 (192.168.8.0-192.168.8.255) and the remote site network 192.168.1.0-192.168.1.255. Only 192.168.8.0-192.168.8.255 should be there. What I cannot get from your picture is where 10.0.0.10 sits.

"Because the PPTP connection is initialised by ISA2, there is no Remote Network configured at ISA1." Wow! No! Now it's a PPTP connection? A typo maybe? Or, according to this site-to-site summary, is this correct, because for IPSec I can't see the authentication method? For ISA1 to be able to initialize a connection (thus acting as the Calling Gateway) it must have a user account specified (a user account which must match the name of the demand-dial interface created on the remote site). The Remote Network must be configured on ISA1 so that ISA1 knows how to forward packets and replies to the remote network 192.168.8.0-192.168.8.255. This Remote Network on ISA1 must be defined as 192.168.8.0-192.168.8.255. On ISA1 a network rule as route must also be defined between the Internal Network (192.168.1.0-192.168.1.255) and the remote site 192.168.8.0-192.168.8.255. Also, on both ISA1 and ISA2, access rules must exist between Internal and Remote and Remote and Internal (depending on what traffic you are passing).

For troubleshooting you might allow all protocols in both ways. And do not test from ISA2 (actually, do not initialize the connection from here). Do the test from a client behind ISA2 in order to see that the "tunnel" is coming up and the security policies for this traffic are applied correctly. And another question: are ISA1 and/or ISA2 behind NAT devices?
< Message edited by justmee -- 5.Jul.2007 6:50:31 AM >
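The rule justmee applies above (the calling gateway's "Routingfähige lokale IP-Adressen" must contain only its own internal ranges, never the remote site's ranges) can be checked mechanically. The script below is an added example and not part of this thread or of ISA Server; it parses the summary text as Florian posted it (German labels kept verbatim, the address values are the ones quoted in the thread) and reports which routable local ranges overlap the site-to-site network, plus the corrected local list. The `POSTED_SUMMARY` string and all function names are constructed for this example.

```python
"""Consistency check for an ISA Server site-to-site network summary.

Added example (not from the thread, not ISA Server's own tooling): reads the
summary as pasted in the forum and applies the rule that the calling gateway's
routable local addresses must not contain the remote site's addresses.
"""
import ipaddress
import re

# Field labels exactly as they appear in the German summary quoted in the thread
LABEL_REMOTE = "IP-Adressen des Standort-zu-Standort-Netzwerks:"
LABEL_LOCAL = "Routingfähige lokale IP-Adressen:"

# Constructed from the values Florian posted (ISA2 = MST-ISA, the calling gateway)
POSTED_SUMMARY = """
Remotegatewayadresse: 80.152.133.4
Lokaler Benutzer: Netz1
Remotestandortbenutzer: MST-Server
IP-Adressen des Standort-zu-Standort-Netzwerks: 10.0.0.10, 192.168.1.0-192.168.1.255
Routingfähige lokale IP-Adressen: 10.0.0.10, 192.168.1.0-192.168.1.255, 192.168.8.0-192.168.8.255
"""

# A single address or a first-last range, as ISA prints them
RANGE_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)(?:-(\d+\.\d+\.\d+\.\d+))?")


def parse_ranges(text):
    """Turn '10.0.0.10, 192.168.1.0-192.168.1.255' into (first, last) address tuples."""
    ranges = []
    for m in RANGE_RE.finditer(text):
        first = ipaddress.IPv4Address(m.group(1))
        last = ipaddress.IPv4Address(m.group(2) or m.group(1))
        ranges.append((first, last))
    return ranges


def parse_summary(summary):
    """Extract the two address lists we care about, keyed by their label."""
    fields = {LABEL_REMOTE: [], LABEL_LOCAL: []}
    for line in summary.splitlines():
        line = line.strip()
        for label in fields:
            if line.startswith(label):
                fields[label] = parse_ranges(line[len(label):])
    return fields


def overlaps(a, b):
    """True when two inclusive (first, last) ranges share at least one address."""
    return a[0] <= b[1] and b[0] <= a[1]


def fmt(r):
    return f"{r[0]}-{r[1]}"


def misplaced_local_ranges(summary):
    """Routable local ranges that also belong to the remote site: these must not be local."""
    f = parse_summary(summary)
    return [fmt(loc) for loc in f[LABEL_LOCAL]
            if any(overlaps(loc, rem) for rem in f[LABEL_REMOTE])]


def corrected_local_ranges(summary):
    """The local list with the remote site's ranges removed."""
    f = parse_summary(summary)
    return [fmt(loc) for loc in f[LABEL_LOCAL]
            if not any(overlaps(loc, rem) for rem in f[LABEL_REMOTE])]


if __name__ == "__main__":
    for r in misplaced_local_ranges(POSTED_SUMMARY):
        print(f"local range {r} overlaps the remote site network; remove it")
    print("routable local addresses should be:", ", ".join(corrected_local_ranges(POSTED_SUMMARY)))
```

Run against the posted summary it flags both 192.168.1.0-192.168.1.255 (the remote office) and 10.0.0.10 (which appears in both lists, the address justmee says he cannot place), and leaves only 192.168.8.0-192.168.8.255 as the calling gateway's local range, which is the correction justmee describes.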
RE: Site2Site -> unable to connect to the remote off... - 18.Jul.2007 11:29:08 AM
Thanquol
Posts: 15
Joined: 28.Feb.2007
Status: offline
Hi, thanks for your help, but it didn't work :( Now we have configured an IPsec tunnel... and it worked after 30 minutes!.. But now I have another little problem: I can't get an IPsec connection if both IPs are in the same subnet. Does this work:

ISA1: 10.0.1.1 <-LAN-Cable-> ISA2: 10.0.1.10

ISA1 tells me it has no valid route to ISA2; ISA2 does the same. Or do I have to install a little router and add fixed routes?

ISA1: 10.0.1.1 <-ROUTER-> ISA2: 10.0.2.1

thanks
RE: Site2Site -> unable to connect to the remote off... - 18.Jul.2007 3:53:59 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
You need to configure a default gateway on both ISA Firewalls' external interfaces. Without a default gateway, IPsec tunnel mode won't work. HTH, Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Site2Site -> unable to connect to the remote off... - 18.Jul.2007 6:50:05 PM
Thanquol
Posts: 15
Joined: 28.Feb.2007
Status: offline
Hi, does the ISA Server accept a permanent route over another gateway (not our default one)? thanks
RE: Site2Site -> unable to connect to the remote off... - 19.Jul.2007 10:29:38 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Sure, but you need a default gateway configured on the ISA Firewall's external interface in order to get IPsec tunnel mode to work. Tom
RE: Site2Site -> unable to connect to the remote off... - 12.Aug.2007 5:47:51 PM
Thanquol
Posts: 15
Joined: 28.Feb.2007
Status: offline
Hi, just for information: we weren't able to get an IPsec tunnel to work with a fixed route :( But it's no problem, we've chosen another configuration (every user makes a PPTP connection himself, that works). Thanks for your help! Florian