Welcome to ISAserver.org
Site to Site IPSec

Site to Site IPSec - 19.Feb.2004 12:48:00 AM   
noheroes (Posts: 6, Joined: 12.Sep.2002)
Hi.

I need to connect to a Cisco VPN concentrator using IPSec IKE.

This is the configuration that we use:

Local Tunnel Endpoint: 64.76.XXX.XXX
Remote Tunnel Endpoint: 200.48.XXX.20

To allow HTTP proxy or NAT traffic to the local site,
the remote site configuration must contain the local
site tunnel end-point IP address.

IKE Phase I Parameters:
Mode: Main mode
Encryption: 3DES
Integrity: SHA1
Diffie-Hellman group: Group 2 (1024 bit)
Authentication method: Pre-shared secret (TM1XXXXXX)
Security Association lifetime: 28800 seconds

IKE Phase II Parameters:
Mode: ESP tunnel mode
Encryption: 3DES
Integrity: SHA1
Perfect Forward Secrecy: OFF
Diffie-Hellman group: Group 2 (1024 bit)
Time rekeying: ON
Security Association lifetime: 100000 seconds
Kbyte rekeying: OFF

Remote Network 'Remote VPN' IP Subnets:
Subnet: 200.48.xxx.xxx/255.255.255.255

Local Network 'Internal' IP Subnets:

This is the same as on the Cisco concentrator.

But when I try to telnet to the IP address of the remote side, I can't establish a connection.

I'm trying to telnet to port 80 of the VPN concentrator and I get an answer, but the administrator of the remote side tells me that I'm not using the tunnel.

What's wrong? How can I establish a session with that VPN concentrator? How can I prove that I'm connecting?

Thanks.
Post #: 1
RE: Site to Site IPSec - 19.Feb.2004 1:01:00 AM   
tshinder (Posts: 47490, Joined: 10.Jan.2001, From: Texas)
Hi Ruben,

It looks like you have the remote network addresses incorrectly configured. You need to include the Internal network addresses behind the remote site's VPN gateway *and* the address of the external interface of the remote VPN server.

HTH,
Tom

(in reply to noheroes)
Post #: 2
RE: Site to Site IPSec - 20.Feb.2004 1:25:00 AM   
noheroes (Posts: 6, Joined: 12.Sep.2002)
Hi Tom.

In this case the internal network address is one machine in the same TCP/IP class as the VPN concentrator.

200.48.xxx.xxx

thanks.

Ruben

(in reply to noheroes)
Post #: 3
RE: Site to Site IPSec - 20.Feb.2004 12:08:00 PM   
tshinder (Posts: 47490, Joined: 10.Jan.2001, From: Texas)
Hi Ruben,

The remote VPN server should have an internal and external interface, so the remote network would contain the internal interface network ID, as well as the external interface IP address of the remote VPN server.

HTH,
Tom

(in reply to noheroes)
Post #: 4
RE: Site to Site IPSec - 21.Feb.2004 12:02:00 AM   
noheroes (Posts: 6, Joined: 12.Sep.2002)
Hello Tom.

Thanks, the connection is working now. I added the IP address of the external interface of the remote VPN, and in the logging I can see that the connection is established correctly.

But when I try to connect to a remote machine defined in the configuration, I get a connection denied...

I defined a firewall policy to connect from the internal network to the remote VPN using TCP outbound port 9030, which is always open on the remote side of the VPN.

Did I forget any more configuration?

thanks

Ruben

(in reply to noheroes)
Post #: 5
RE: Site to Site IPSec - 21.Feb.2004 2:04:00 AM   
tshinder (Posts: 47490, Joined: 10.Jan.2001, From: Texas)
Hi Ruben,

That is interesting. Why are you using TCP 9030?

Thanks!
Tom

(in reply to noheroes)
Post #: 6
RE: Site to Site IPSec - 22.Feb.2004 1:58:00 AM   
noheroes (Posts: 6, Joined: 12.Sep.2002)
Hi Tom.

This port is used by an SMS server of a telco in my country.

best regards

Ruben

(in reply to noheroes)
Post #: 7
RE: Site to Site IPSec - 22.Feb.2004 7:49:00 PM   
tshinder (Posts: 47490, Joined: 10.Jan.2001, From: Texas)
Hi Ruben,

Is the problem that the VPN clients network cannot access the SMS server?

Thanks!
Tom

(in reply to noheroes)
Post #: 8
RE: Site to Site IPSec - 23.Feb.2004 7:25:00 PM   
noheroes (Posts: 6, Joined: 12.Sep.2002)
Hi Tom.

In this case, it can only connect in site-to-site form; this is a security requirement of the telco.

The problem now is exactly this: from a computer in my internal network I can't telnet to the remote VPN port 9030, and in the monitoring panel of ISA 2004 I can see that it receives a connection denied.

Is this a wrong configuration in ISA?

Thanks

Ruben

PS: Sorry, but my English isn't good.

(in reply to noheroes)
Post #: 9
RE: Site to Site IPSec - 24.Feb.2004 12:24:00 AM   
tshinder (Posts: 47490, Joined: 10.Jan.2001, From: Texas)
Hi Ruben,

Is the machine you want to connect to on port 9030 within the VPN tunnel, or it is somewhere on the Internet?

Thanks!
Tom

(in reply to noheroes)
Post #: 10
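As an added example, not code from this thread or from ISA Server: a small Python model of the point Tom makes in posts #2 and #4 (the remote site network must contain the internal addresses behind the remote gateway and the remote gateway's external IP), which also answers his last question of whether a given destination falls inside the tunnel or out on the Internet. All addresses are constructed RFC 5737 documentation values standing in for the thread's masked 200.48.xxx.xxx ones.

```python
import ipaddress
from typing import Iterable, List

def isa_range(subnet: str, mask: str) -> ipaddress.IPv4Network:
    """Turn an ISA-style 'Subnet: a.b.c.d/255.x.y.z' entry into a network."""
    return ipaddress.IPv4Network(f"{subnet}/{mask}", strict=False)

class RemoteSiteNetwork:
    """The address ranges ISA associates with a remote site (VPN) network."""
    def __init__(self, name: str, ranges: Iterable[ipaddress.IPv4Network]):
        self.name = name
        self.ranges = list(ranges)

    def contains(self, ip: str) -> bool:
        addr = ipaddress.IPv4Address(ip)
        return any(addr in net for net in self.ranges)

    def covers(self, subnet: ipaddress.IPv4Network) -> bool:
        return any(subnet.subnet_of(net) for net in self.ranges)

def tunnel_decision(remote: RemoteSiteNetwork, dst: str) -> str:
    """'tunnel' if dst is in the remote site network, else 'internet'."""
    return "tunnel" if remote.contains(dst) else "internet"

def missing_entries(remote: RemoteSiteNetwork, gateway_ip: str,
                    internal: ipaddress.IPv4Network) -> List[str]:
    """What Tom's advice requires that this remote site network lacks."""
    missing = []
    if not remote.contains(gateway_ip):
        missing.append(f"external IP of remote VPN gateway {gateway_ip}")
    if not remote.covers(internal):
        missing.append(f"internal network behind remote gateway {internal}")
    return missing

# Constructed sample values (RFC 5737 documentation addresses), standing in
# for the thread's masked 200.48.xxx.xxx addresses.
REMOTE_GATEWAY = "203.0.113.20"                      # concentrator's external IP
REMOTE_INTERNAL = isa_range("203.0.113.55", "255.255.255.255")  # the one SMS host

# Post #1: only the single /32 host was listed under 'Remote VPN'.
BEFORE = RemoteSiteNetwork("Remote VPN", [REMOTE_INTERNAL])
# Post #5: the gateway's external IP added, which made the tunnel come up.
AFTER = RemoteSiteNetwork("Remote VPN", [REMOTE_INTERNAL,
                                        isa_range(REMOTE_GATEWAY, "255.255.255.255")])

if __name__ == "__main__":
    for net in (BEFORE, AFTER):
        print(net.name, "missing:", missing_entries(net, REMOTE_GATEWAY, REMOTE_INTERNAL))
        print("  ", REMOTE_GATEWAY, "->", tunnel_decision(net, REMOTE_GATEWAY))
```

A destination that reports "internet" here is handled by ISA's External network and its rules, not by the site-to-site tunnel, which is the distinction Tom's last question is getting at.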