Site to Site VPN - 16.Nov.2007 2:15:41 AM
jmcfadyen (Posts: 8, Joined: 21.Mar.2005, From: Sydney)

Hi all, I am having issues with connecting an IPSEC L2TP VPN in ISA 2006 site to site. I have been monitoring both firewalls and can see the traffic hits the ISA external interfaces and is then published to the internal addresses. Both the 500 IKE ports and the 4500 ports are open and allowing traffic flow.

After enabling auditing I can see that I am getting a number of event logs ID 541, 542, 543; according to Stephan P's troubleshooting guide these are good results. Reading these logs it looks as though the tunnel is established (both main mode and quick mode): it appears to be setting up encryption levels, and all IP addresses are recorded at both ends correctly (internal and external). It then starts a session on 1701 UDP which from a monitor point of view doesn't exist (one assumes this is because it is within the IPSEC tunnel). After this happens a number of times in the logs the dial up connections seem to time out. (PS: I am testing with dial connections as it seemed to be more reliable from a test perspective.)

I have double checked all preshared keys, which are the same at each end. I wonder whether this is actually a networking issue as opposed to an IPSEC issue. Any pointers on how to track this issue down would be appreciated.
RE: Site to Site VPN - 16.Nov.2007 11:58:55 AM
justmee (Posts: 505, Joined: 14.May2007)

Hi jmcfadyen,

First, is there any NAT device between the firewalls? Because I see port 4500 mentioned there. Are both firewalls ISA devices?

From what you are saying the IKE MM and QM phases appear to be fine. The first packet after the QM exchanges, in a normal situation, will be a packet starting the L2TP tunnel. However you cannot see it because it's encapsulated inside IPsec ESP.

I'm not sure what you are saying with those dial up connections. If you use the RRAS console, within Network Interfaces, you should see your demand-dial interfaces named after your remote site. If you right-click it, there might be an Unreachability Reason.

What about the user accounts used for your site-to-site connection? Are they matching the name of your remote sites, and are dial-in permissions set to allow? Example:

ISA1:
Site name: ISA2
User name used for connecting to ISA 2: ISA1
User account with dial-in permissions: ISA2

ISA2:
Site name: ISA1
User name used for connecting to ISA 1: ISA2
User account with dial-in permissions: ISA1

If user authentication fails you will not be able to use the "tunnel".

Regards!
RE: Site to Site VPN - 19.Nov.2007 2:58:45 AM
jmcfadyen (Posts: 8, Joined: 21.Mar.2005, From: Sydney)

OK, I created dial up entries as they seem to give better feedback in relation to error codes etc. This way I could dial on demand and also receive the actual error codes received by the dial up session. Either way, with the dial up entry and/or the demand dial, the session fails.

In relation to your earlier questions, both ISA boxes are behind NAT'd routers, hence the 4500 UDP ports. (Forwarding seems to be working from the routers to the firewalls.)

Looking at the event logs the tunnel seems to be created and it's getting as far as selecting an encryption mode (maybe even completing this). I have about 50 events of ID 541, 542, 543, which are in line with Stephan Poulesses troubleshooting guide.

Now correct me if I am wrong here, but my understanding was the tunnel was supposed to be between the two internal network addresses. All the event logs appear to be terminating at the external ISA interface addresses. (Not sure if my understanding is correct here.)

The dial up error code is 678, which says the remote end is not responding.

Thanks for your assistance so far!
RE: Site to Site VPN - 19.Nov.2007 3:02:04 AM
jmcfadyen (Posts: 8, Joined: 21.Mar.2005, From: Sydney)

One other thing: the accounts used do match the VPN network names (as local accounts).
RE: Site to Site VPN - 19.Nov.2007 4:19:47 AM
justmee (Posts: 505, Joined: 14.May2007)

I'm not sure I'm following you with those "dial-up entries" and the "publishing stuff". When you are using the VPN site-to-site wizard on ISA, a demand-dial interface with the name of the remote site will be created automatically by ISA within RRAS. The demand-dial term might be confusing, since the tunnel is persistent. The tunnel will be up once traffic for it exists and will stay so.

You must use the wizard on ISA, not touch the RRAS console, and not publish anything. The RRAS console must be touched because you might need to prevent the demand-dial interface from registering itself with DDNS. This is what you should do.

The IKE negotiations are between the External IP addresses on both ISAs. The demand-dial interfaces will obtain internal IP addresses (if you are using DHCP for your VPN clients). You might like to read this (the reg hack part): http://forums.isaserver.org/fb.aspx?m=2002054552
RE: Site to Site VPN - 19.Nov.2007 6:36:13 PM
jmcfadyen (Posts: 8, Joined: 21.Mar.2005, From: Sydney)

What I meant by the dial up was: instead of a site to site connection, I set up one ISA server, then removed all config on the second server and created a non-ISA dial up networking L2TP connection. The result is the same as using ISA to ISA connections. It seems the tunnel is there but the DHCP addresses are not being assigned. I am using a DHCP relay at one end (the main branch).
RE: Site to Site VPN - 21.Nov.2007 8:05:59 AM
justmee (Posts: 505, Joined: 14.May2007)

I do not see what you get doing so. Maybe more confusion. If you want to test the "path", just enable the VPN server on one of the ISAs and then connect with a VPN client. Actually you can do that both ways. Since your VPN servers are behind NAT devices, do not forget the reg hack for XP SP2 or Vista clients. Doing so you can see if the path "cooperates" and if your clients receive a valid IP address. ISA will grab some IP addresses from your DHCP server (if you are using DHCP for IP addresses for VPN clients), so make sure ISA can reach the DHCP server. Check on it if any IP addresses were leased. If everything is OK simply run the wizards and set up the site-to-site connection.
RE: Site to Site VPN - 21.Nov.2007 8:55:48 PM
jmcfadyen (Posts: 8, Joined: 21.Mar.2005, From: Sydney)

OK, here's what I have done. Using two fresh ISA boxes built up as ISA - Router - Router - ISA, setup of the VPN worked like a charm. I removed the same boxes that successfully established a connection and put them behind internet based NAT routers. As soon as I did this all VPN failed to connect. I do see IKE and NAT-T traversal at both ISA servers, so the routers are forwarding the appropriate ports. My ISA servers are not using published addresses on the external interfaces. In the oakley log I see a number of items showing src 62.x.x.x dst 10.7.1.1 (which is my ISA ext behind NAT address). Should I be using public addresses here? I feel like I should be.
RE: Site to Site VPN - 22.Nov.2007 3:13:05 AM
justmee (Posts: 505, Joined: 14.May2007)

ISA will use its own IP address. From here the tunnel starts. The other "end" of the tunnel is the public IP address of your NAT device from a "see" point of view. Of course the tunnel is terminated behind the NAT device on the other ISA. Have you tried the reg hack that I mentioned?
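The thread ends on the "reg hack" for ISA hosts and XP SP2 / Vista clients behind NAT without naming it. The following is an added check script, not code from the thread or from ISA Server; it assumes that the reg hack in question is the AssumeUDPEncapsulationContextOnSendRule value from Microsoft KB 885407 (XP SP2 / Server 2003) and KB 926179 (Vista / Server 2008), which governs whether Windows IPsec will use NAT-T towards a peer that is itself behind NAT.

```powershell
# Added example, not from the thread. Assumption: the "reg hack" justmee refers to is the
# AssumeUDPEncapsulationContextOnSendRule DWORD (KB 885407 for XP SP2 / Server 2003,
# KB 926179 for Vista / Server 2008). With the value absent or 0, Windows IPsec will not set up
# a NAT-T security association to a peer that is itself behind NAT. That matches the symptom
# above: IKE main and quick mode complete (events 541/542) but L2TP inside ESP gets no reply (678).
#   0 = default, refuse NAT-T to a server behind NAT
#   1 = allow NAT-T when the server is behind NAT
#   2 = allow NAT-T when both ends are behind NAT (the ISA - NAT - NAT - ISA layout in the thread)
$name    = 'AssumeUDPEncapsulationContextOnSendRule'
$desired = 2
$apply   = $false   # default only reports; set to $true in an elevated shell to write the value

$paths = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\IPSec',       # XP SP2 / Server 2003 (ISA 2006 hosts)
    'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'  # Vista / Server 2008 and later
)

foreach ($p in $paths) {
    if (-not (Test-Path $p)) { continue }   # key does not exist on this OS generation, skip it
    $current = (Get-ItemProperty -Path $p -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $current) {
        Write-Output "$p : $name not set (behaves as 0, NAT-T to a peer behind NAT is refused)"
    } else {
        Write-Output "$p : $name = $current"
    }
    if ($current -ne $desired -and $apply) {
        Set-ItemProperty -Path $p -Name $name -Value $desired -Type DWord
        Write-Output "  set $name to $desired; restart the IPsec service or reboot for it to take effect"
    }
}
```

Run it on both ISA hosts and on any XP/Vista client used for the path test justmee suggests; a value of 1 is only enough when the peer behind NAT is the responder, which is not the layout this thread describes.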