Welcome to ISAserver.org
Site2Site VPN Problems (IPSec ISA-ISA)
Site2Site VPN Problems (IPSec ISA-ISA) - 23.Apr.2004 4:55:00 PM
davehocking
Posts: 15
Joined: 19.Jan.2004
From: Rochdale, UK
Status: offline
Hi all, I posted in the ISA2004 general board earlier, so excuse the slight cross-post.
I say slight cross post because I discovered some more information by running the NETSH IPSEC DYNAMIC command, and SHOW QMFILTER ALL.
On one end of the tunnel (the same as my primary DC) I have four filters available. On the other end of the tunnel (the remote site that needs connectivity to the domain, I have a 2nd DC ready to roll) I get the following error:
ERR IPSec[06133] : Generic Quickmode Filters not available.
Now, this ISA server is part of the domain (was joined when local to DC1) but obviously is in a dis-joined state as it has no VPN tunnel. Do you think that its dis-joined domain state could be the cause of this error, or am I barking up the wrong tree?
Any thoughts?
RE: Site2Site VPN Problems (IPSec ISA-ISA) - 23.Apr.2004 5:54:00 PM
davehocking
Posts: 15
Joined: 19.Jan.2004
From: Rochdale, UK
Status: offline
The mystery deepens...
I removed the server from the domain, to see if my hunch was right, and the firewall services failed to come back up.
So, I reinstalled ISA2004, checked the services started, and began again.
Now it has transpired that the addition of a remote site, with an IPSec link, manages to make the firewall services fail on their next startup.
The services won't come back up until the remote site has been removed. Now here's the odd part, this is a fresh install of 2003, and the site to site link is nothing special. I'm just using the add new site wizard, defining a remote IP range, defining the endpoints, and finishing. I've not touched the IPSec settings in the slightest.
Anyone shed any light on this one?!
RE: Site2Site VPN Problems (IPSec ISA-ISA) - 25.Apr.2004 3:34:00 PM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Dave,
I sent you the site to site doc, so things should be working for you now.
Let us know!
Thanks! Tom
RE: Site2Site VPN Problems (IPSec ISA-ISA) - 29.Apr.2004 11:40:00 PM
davehocking
Posts: 15
Joined: 19.Jan.2004
From: Rochdale, UK
Status: offline
No joy yet I'm afraid..
After skimming the first few pages relating to the IPSec tunnel I decided to go for an L2TP/IPSec tunnel, utilizing my existing PKI.
This is where we start to hit some problems... The documentation is using screengrabs from what looks to be a newer build of ISA than the one I have (downloaded from the MSDN site in Jan). I notice the wording in the manual is more, errrr, production release than I have on my screen. For example, instead of "Send Original Host Header" which I see on my screen, there is a much longer "Send the original host header, not the one mentioned above" noted in the manual. The longer description tells me it's nearer a release build than I have currently. Anyway, on to the problem, one of the stages in the manual is relating to changing the system policy to allow ISA to visit a certificate revocation list site (CRL), but on opening the system policy, there is no such setting! The settings to the top and bottom of what I am after are there, but the CRL setting is not. (chapter 10, pg 10)
Try as I might to get the ISA server to visit the certsrv site on my CA, I still cannot get it to allow me access.
Tom, have you got the same build of ISA as I have?
Version: 4.0.1872.0
RE: Site2Site VPN Problems (IPSec ISA-ISA) - 2.May.2004 5:00:00 PM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Dave,
OK, try this: create an access rule from Local Host to Internal, all IP traffic. Go to the Web enrollment site and get the certificate.
HTH, Tom