Welcome to ISAserver.org
Site to Site VPN Linksys to ISA
Site to Site VPN Linksys to ISA - 16.Aug.2005 6:36:00 AM
jeroenHermans
Posts: 37
Joined: 4.Nov.2002
Status: offline
Hi,
I'm having a bit of a problem creating a site to site vpn. I'm using a Linksys BEFVP1 router with Firmware 1.41.1 on the remote site and ISA 2004 running on win2k3 on the main site.
This is what the config looks like on the Linksys router :
Linksys BEFVP1 (Firmware 1.41.1) VPN Settings
=============================================
Local Secure Group : IP Range IP:10.10.1.1~254
Remote Secure Group : IP Range IP:192.168.2.1~254
Remote Security Gateway : IP Addr. IP:123.123.123.123 (fake for posting purposes)
Encryption : 3DES
Authentication : SHA
Key Management : Auto. (IKE)
PFS : Enabled
Pre-shared Key : 123
Key Lifetime : 100000

Advanced settings
-----------------
Phase 1
Operation Mode : Main Mode
Proposal 1 : Encryption : 3DES : Authentication : SHA : Group : 1024-bit : Key Lifetime : 28800 seconds
Phase 2
Proposal : Encryption : 3DES : Authentication : SHA : PFS : ON : Group : 1024-bit : Key Lifetime : 100000 seconds

Other Options :
NetBios broadcast : off
Anti-Replay : off
Keep-Alive : off
If IKE Failed more than 5 times block this ip for 60 seconds : off

This is what the config looks like on the ISA box :
Local Tunnel Endpoint: 123.123.123.123 (fake for posting purposes)
Remote Tunnel Endpoint: 12.34.56.78 (fake for posting purposes)
To allow HTTP proxy or NAT traffic to the remote site, the remote site configuration must contain the local site tunnel end-point IP address.

IKE Phase I Parameters:
Mode: Main mode
Encryption: 3DES
Integrity: SHA1
Diffie-Hellman group: Group 2 (1024 bit)
Authentication method: Pre-shared secret (Psix8iv4)
Security Association lifetime: 28800 seconds

IKE Phase II Parameters:
Mode: ESP tunnel mode
Encryption: 3DES
Integrity: SHA1
Perfect Forward Secrecy: ON
Diffie-Hellman group: Group 2 (1024 bit)
Time rekeying: ON
Security Association lifetime: 100000 seconds
Kbyte rekeying: OFF
The log file of the Linksys shows this when it is trying to connect. Please note that I had to replace the smaller-than and greater-than signs by "LEFT" and "RIGHT" as the forum does not allow them:
00:00:37 IKE[2] Tx RIGHT MM_I1 : 123.123.123.123 SA
00:00:37 @in UDP from 123.123.123.123:500 to 12.34.56.78:500
00:00:37 IKE[2] Rx LEFT MM_R1 : 123.123.123.123 SA, VID, VID, VID
00:00:37 IKE[2] ISAKMP SA CKI=[4e85693 b7cec08f] CKR=[10bed5f0 9a9accc0]
00:00:37 IKE[2] ISAKMP SA 3DES / SHA / PreShared / MODP_1024 / 28800 sec (*28800 sec)
00:00:37 IKE[2] Tx RIGHT MM_I2 : 123.123.123.123 KE, NONCE
00:00:38 IKE[2] Rx LEFT MM_R2 : 123.123.123.123 KE, NONCE
00:00:38 IKE[2] Tx RIGHT MM_I3 : 123.123.123.123 ID, HASH
00:00:38 IKE[2] Rx LEFT MM_R3 : 123.123.123.123 ID, HASH
00:00:38 IKE[2] Tx RIGHT QM_I1 : 123.123.123.123 HASH, SA, NONCE, KE, ID, ID

The ISA log file shows this :
8/16/2005 12:09:56 PM 123.123.123.123 500 IKE Client Initiated Connection Allow VPN site-to-site traffic to ISA Server
8/16/2005 12:11:00 PM 123.123.123.123 500 IKE Client Closed Connection Allow VPN site-to-site traffic to ISA Server
Any Help please? On the isa side it looks as if it is connected briefly ( I can see the remote site in the sessions view), the linksys side keeps saying disconnected.
Thanks for the help,
Jeroen Hermans
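An added example, not part of the original post and not a tool from Linksys or Microsoft: a small Python parser for IKE log lines of the shape posted above. It records which Main Mode and Quick Mode messages each IKE session sent and received and names the furthest point the negotiation got to, which is the first thing to establish before touching the configuration. The sample log is constructed from the post, with the ">" and "<" arrows restored in place of the RIGHT/LEFT placeholders (the parser accepts both spellings). The verdict strings and the mapping from "last message seen" to "where to look" are the example's own, based on the standard IKEv1 message sequence.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, copied from the post above with the '>' / '<' arrows restored
# in place of the RIGHT / LEFT placeholders the forum software forced.
SAMPLE_LOG = """\
00:00:37 IKE[2] Tx > MM_I1 : 123.123.123.123 SA
00:00:37 @in UDP from 123.123.123.123:500 to 12.34.56.78:500
00:00:37 IKE[2] Rx < MM_R1 : 123.123.123.123 SA, VID, VID, VID
00:00:37 IKE[2] ISAKMP SA CKI=[4e85693 b7cec08f] CKR=[10bed5f0 9a9accc0]
00:00:37 IKE[2] ISAKMP SA 3DES / SHA / PreShared / MODP_1024 / 28800 sec (*28800 sec)
00:00:37 IKE[2] Tx > MM_I2 : 123.123.123.123 KE, NONCE
00:00:38 IKE[2] Rx < MM_R2 : 123.123.123.123 KE, NONCE
00:00:38 IKE[2] Tx > MM_I3 : 123.123.123.123 ID, HASH
00:00:38 IKE[2] Rx < MM_R3 : 123.123.123.123 ID, HASH
00:00:38 IKE[2] Tx > QM_I1 : 123.123.123.123 HASH, SA, NONCE, KE, ID, ID
"""

# One exchange message: "IKE[<session>] Tx|Rx >|< MM_I1 ... QM_R2 : ..."
# The alternation also accepts the RIGHT/LEFT spelling used in the post.
MSG_RE = re.compile(
    r"IKE\[(?P<sess>\d+)\]\s+(?P<dir>Tx|Rx)\s+(?:>|<|RIGHT|LEFT)\s+"
    r"(?P<msg>MM_[IR][123]|QM_[IR][123])"
)
# Accepted Phase 1 proposal: "ISAKMP SA 3DES / SHA / PreShared / MODP_1024 / 28800 sec"
SA_RE = re.compile(r"IKE\[(\d+)\]\s+ISAKMP SA\s+(\S+) / (\S+) / (\S+) / (\S+) / (\d+) sec")


@dataclass
class IkeTrace:
    """Messages seen for one IKE session, split by direction, plus the Phase 1 proposal."""
    sent: List[str] = field(default_factory=list)
    received: List[str] = field(default_factory=list)
    proposal: Optional[Dict[str, str]] = None


def parse_ike_log(text: str) -> Dict[int, IkeTrace]:
    """Group Tx/Rx exchange messages (and the accepted Phase 1 proposal) per IKE session."""
    traces: Dict[int, IkeTrace] = {}
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if m:
            trace = traces.setdefault(int(m["sess"]), IkeTrace())
            (trace.sent if m["dir"] == "Tx" else trace.received).append(m["msg"])
            continue
        s = SA_RE.search(line)
        if s:
            sess, enc, integ, auth, group, life = s.groups()
            traces.setdefault(int(sess), IkeTrace()).proposal = {
                "encryption": enc, "integrity": integ, "authentication": auth,
                "dh_group": group, "lifetime_sec": life,
            }
    return traces


def diagnose(trace: IkeTrace) -> str:
    """Name the furthest point the initiator reached; each verdict points at a different cause."""
    if "MM_R1" not in trace.received:
        return "no-response"        # peer never answered MM_I1: UDP/500 not reaching it, or no tunnel for our address
    if "MM_R3" not in trace.received:
        return "phase1-failed"      # proposal accepted, but identity / pre-shared key check did not complete
    if "QM_I1" not in trace.sent:
        return "phase1-only"        # ISAKMP SA is up, Quick Mode was never attempted
    if "QM_R1" not in trace.received:
        return "quick-mode-failed"  # Phase 1 done; Phase 2 proposal or traffic selectors rejected by the peer
    if "QM_I2" not in trace.sent:
        return "quick-mode-incomplete"
    return "tunnel-up"


if __name__ == "__main__":
    for sess, trace in parse_ike_log(SAMPLE_LOG).items():
        print(f"IKE[{sess}] {diagnose(trace)} proposal={trace.proposal}")
```

For the posted log the verdict is "quick-mode-failed": all six Main Mode messages completed (so the pre-shared key and Phase 1 proposal were accepted), QM_I1 was sent and nothing came back, which is exactly the "connected briefly on ISA, disconnected on the Linksys" symptom and points at Phase 2, that is, at the proposal or the network ranges.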
RE: Site to Site VPN Linksys to ISA - 16.Aug.2005 8:37:00 AM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
So you're getting to Quick Mode where the network definitions are negotiated...
I see this as a problem...
quote:
Local Secure Group : IP Range IP:10.10.1.1~254 Remote Secure Group : IP Range IP:192.168.2.1~254
On the ISA Server, compare this with the output of "c:\netsh ipsec dynamic show qmfilters all" and you'll see that they don't match.
ISA Server pushes filters into IPSec that contain the addresses of all the Network objects you have defined - most likely, the ISA host has filters for this...
10.10.10.0 / 255.255.255.0
192.168.2.0 / 255.255.255.0
When you defined the Internal network on the ISA Server, did you add the range 192.168.2.0 - 192.168.2.255? Likewise, when you defined the Remote Site for the Linksys tunnel, did you define it as 10.10.10.0 - 10.10.10.255?
Since the filters don't match exactly, Quick Mode will fail due to both parties not having matching filters. Redefine the Linksys IP Range for both and see if the behavior changes.
RE: Site to Site VPN Linksys to ISA - 16.Aug.2005 9:01:00 AM
jeroenHermans
Posts: 37
Joined: 4.Nov.2002
Status: offline
Thanks for the quick response.
When I run the command on the ISA box, I get a whole bunch of filters. When I check the IPsec policy summary, this is what I get :
Remote Network 'Genk' IP Subnets:
Subnet: 10.10.1.1/255.255.255.255
Subnet: 10.10.1.254/255.255.255.255
Subnet: 10.10.1.2/255.255.255.254
Subnet: 10.10.1.252/255.255.255.254
Subnet: 10.10.1.4/255.255.255.252
Subnet: 10.10.1.248/255.255.255.252
Subnet: 10.10.1.8/255.255.255.248
Subnet: 10.10.1.240/255.255.255.248
Subnet: 10.10.1.16/255.255.255.240
Subnet: 10.10.1.224/255.255.255.240
Subnet: 10.10.1.32/255.255.255.224
Subnet: 10.10.1.192/255.255.255.224
Subnet: 10.10.1.64/255.255.255.192
Subnet: 10.10.1.128/255.255.255.192
Subnet: 12.34.56.78/255.255.255.255

Local Network 'Internal' IP Subnets:
Subnet: 192.168.1.1/255.255.255.255
Subnet: 192.168.1.2/255.255.255.254
Subnet: 192.168.1.4/255.255.255.252
Subnet: 192.168.1.8/255.255.255.248
Subnet: 192.168.1.16/255.255.255.240
Subnet: 192.168.1.32/255.255.255.224
Subnet: 192.168.1.64/255.255.255.192
Subnet: 192.168.1.128/255.255.255.128
Subnet: 192.168.2.0/255.255.255.0
The internal network on the isa server has this range : 192.168.1.0 ~ 192.168.2.255
The internal network on the linksys is 10.10.1.0~10.10.1.255
I guess I need to change the remote secure group of the linksys? Problem here is that I can only add 1 range so that would be 192.168.1.0~255 and 192.168.1.0~192.168.2.255
Any ideas?
Thanks,
Jeroen
RE: Site to Site VPN Linksys to ISA - 16.Aug.2005 10:01:00 AM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Interesting - can you add individual entries for the subnets?
192.168.1.0-192.168.1.255 192.168.2.0-192.168.2.255
The filters should show up correctly then. In your list above, ISA has broken the 192.168.1.x subnet into individual filters - the only time I have seen this is when the admin has defined the subnet as 192.168.1.1-192.168.1.254. There might be other scenarios where ISA does this, but I haven't seen them.
You can see that 192.168.2.x is defined correctly as ISA has provided a single filter for that entire subnet - 192.168.2.0/255.255.255.0.
As an aside, what subnet mask are you using on the Internal network card of ISA? 16 or 24 bit?
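An added example in Python, not code from ISA Server, the Linksys firmware or either poster, covering the two points ClintD makes above: that ISA plumbs its Network-object address ranges into IPsec as quick-mode filters that must match the peer's selectors exactly, and that a range entered as x.x.x.1-x.x.x.254 gets broken into many small subnets. The example models ISA's range-to-filter conversion with `ipaddress.summarize_address_range` (an assumption, but it reproduces the filter lists posted above, 14 subnets for 10.10.1.1-10.10.1.254 and a single /24 for 192.168.2.0-192.168.2.255) and then checks each Linksys "IP Range" selector against the ISA filters on the opposite side. The two configurations at the bottom are constructed from the thread: the first post's settings, then the corrected .0-.255 ranges.

```python
import ipaddress
from typing import List, Optional, Tuple

Range = Tuple[str, str]          # inclusive first/last address, as typed in the ISA or Linksys UI
Net = ipaddress.IPv4Network


def isa_filters(ranges: List[Range]) -> List[Net]:
    """Model of how ISA Server plumbs a Network object's ranges into IPsec quick-mode filters.

    Assumption: each range becomes the fewest CIDR subnets that cover it exactly. This is
    what the 'netsh ipsec dynamic show qmfilters all' output in the thread shows
    (10.10.1.1-10.10.1.254 -> 14 subnets, 192.168.2.0-192.168.2.255 -> one /24).
    """
    nets: List[Net] = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return nets


def range_as_network(first: str, last: str) -> Optional[Net]:
    """The single subnet equal to an inclusive range, or None if no one subnet matches it exactly."""
    nets = isa_filters([(first, last)])
    return nets[0] if len(nets) == 1 else None


def check_selectors(isa_internal: List[Range], isa_remote_site: List[Range],
                    linksys_local: Range, linksys_remote: Range) -> List[Tuple[str, str]]:
    """Compare each Linksys 'IP Range' selector with the ISA filters on the opposite side.

    IKEv1 Quick Mode only succeeds when the responder holds a filter equal to the
    initiator's ID payloads, so the Linksys Local Secure Group must equal one ISA
    Remote Site filter and the Remote Secure Group must equal one ISA Internal filter.
    Returns (kind, detail) findings: 'split', 'missing' or 'uncovered'.
    """
    findings: List[Tuple[str, str]] = []
    pairs = (
        ("Linksys Local Secure Group vs ISA Remote Site", linksys_local, isa_remote_site),
        ("Linksys Remote Secure Group vs ISA Internal", linksys_remote, isa_internal),
    )
    for label, lk_range, isa_ranges in pairs:
        filters = isa_filters(isa_ranges)
        net = range_as_network(*lk_range)
        if net is None:
            findings.append(("split", f"{label}: {lk_range[0]}-{lk_range[1]} is not one subnet; "
                             f"ISA would plumb it as {len(isa_filters([lk_range]))} filters, none equal to it"))
            continue
        if net not in filters:
            findings.append(("missing", f"{label}: {net} is not among ISA filters "
                                        f"{[str(n) for n in filters]}"))
        for f in filters:
            if not f.subnet_of(net):   # traffic from this ISA subnet has no matching policy on the Linksys
                findings.append(("uncovered", f"{label}: ISA filter {f} is not covered by {net}"))
    return findings


# Constructed from the thread: the first post's ranges, then the corrected .0-.255 ranges.
ORIGINAL = dict(isa_internal=[("192.168.1.1", "192.168.1.254"), ("192.168.2.0", "192.168.2.255")],
                isa_remote_site=[("10.10.1.1", "10.10.1.254")],
                linksys_local=("10.10.1.1", "10.10.1.254"),
                linksys_remote=("192.168.2.1", "192.168.2.254"))
CORRECTED = dict(isa_internal=[("192.168.1.0", "192.168.2.255")],
                 isa_remote_site=[("10.10.1.0", "10.10.1.255")],
                 linksys_local=("10.10.1.0", "10.10.1.255"),
                 linksys_remote=("192.168.2.0", "192.168.2.255"))

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(name)
        for kind, detail in check_selectors(**cfg):
            print(f"  [{kind}] {detail}")
```

Run on the original settings both Linksys ranges are reported as "split", which is the Quick Mode mismatch ClintD describes. On the corrected settings the only finding is "uncovered": ISA still has a 192.168.1.0/24 filter that the single Linksys range 192.168.2.0-255 does not cover, so traffic from that subnet would need a second tunnel on the Linksys side (or a second Linksys selector), which is the remaining question in the thread.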
RE: Site to Site VPN Linksys to ISA - 16.Aug.2005 10:35:00 AM
jeroenHermans
Posts: 37
Joined: 4.Nov.2002
Status: offline
Hi,
Indeed I did enter the subnet as 192.168.1.1-192.168.1.254 I have removed all ip ranges from the internal network and added the NIC's again. I also removed the ip address of the remote gateway from the addresses tab of the remote site.
This is what I have listed now :
Remote Network 'Genk' IP Subnets:
Subnet: 10.10.1.1/255.255.255.255
Subnet: 10.10.1.2/255.255.255.254
Subnet: 10.10.1.4/255.255.255.252
Subnet: 10.10.1.8/255.255.255.248
Subnet: 10.10.1.16/255.255.255.240
Subnet: 10.10.1.32/255.255.255.224
Subnet: 10.10.1.64/255.255.255.192
Subnet: 10.10.1.128/255.255.255.128

Local Network 'Internal' IP Subnets:
Subnet: 192.168.1.0/255.255.255.0
Subnet: 192.168.2.0/255.255.255.0
I have 2 NICs on the ISA server that are members of the internal network. The first one is called private and is set up like this : 192.168.2.2 - 255.255.255.0. The second one is called ILO and is set up like this : 192.168.1.3 - 255.255.255.0
On the Linksys box I have changed the following : Local Secure Group : IP range : 10.10.1.1~255
For the remote secure group I have 5 options I can choose : IP address, subnet, IP range, host, any
If I choose IP range, I can only enter a network with a maximum of 255 clients, which is not enough.
If I choose subnet, I can enter an IP with a mask.
If I choose IP address, I can only enter 1 IP address.
If I choose Host, it says : "the same as Remote Security Gateway setting"
If I choose Any, it says : "the same as Remote Security Gateway setting"
What should I choose and what should I enter?
Thanks for helping
Jeroen
RE: Site to Site VPN Linksys to ISA - 16.Aug.2005 2:00:00 PM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
I'm not sure - you might try IP Range and have 2 separate tunnels for the subnets.
RE: Site to Site VPN Linksys to ISA - 16.Aug.2005 4:57:00 PM
jeroenHermans
Posts: 37
Joined: 4.Nov.2002
Status: offline
But then I would have to change something on the ISA side as well? I would need to have 2 internal networks, one for 192.168.1.0 and one for 192.168.2.0. Is that possible?
Thanks,
Jeroen
RE: Site to Site VPN Linksys to ISA - 16.Aug.2005 6:18:00 PM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Naw - you should be good to go with the config you already have. ISA already has the correct filters in IPSec (192.168.1.0-255 and 192.168.2.0-255).
One thing I forgot to add - in the Remote Site properties, verify that you have 10.10.1.0-255 - it looks like you have 10.10.1.1-254 based on the filters you posted below.
If I'm missing some subtlety that is obvious to you, don't be shy about knockin me upside the head so I'm on the same page with ya.
RE: Site to Site VPN Linksys to ISA - 17.Aug.2005 1:04:00 AM
jeroenHermans
Posts: 37
Joined: 4.Nov.2002
Status: offline
I think I indeed have 10.10.1.1-254 in the remote site properties. I will check it out tonight and let you know. Many thanks again.
Jeroen
RE: Site to Site VPN Linksys to ISA - 17.Aug.2005 5:19:00 PM
jeroenHermans
Posts: 37
Joined: 4.Nov.2002
Status: offline
I checked and I do have 10.10.1.1~10.10.1.255 It's still not working... Isn't there any extensive logging that might have captured the actual error why it is not working?
Thanks,
Jeroen
RE: Site to Site VPN Linksys to ISA - 17.Aug.2005 10:54:00 PM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
You'll have to get out the big guns and enable Oakley logging on the ISA Server.
Go into the registry and under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Oakley, change the entry for EnableLogging to 1 and reboot the ISA Server (you can stop the IPSec Services service, but you'll have to restart the Firewall Service as well to get the IPSec filters re-plumbed into IPSec - it's not worth the hassle).
Once it restarts, try to communicate between the subnets (use a client behind ISA - don't test from ISA itself) and once this fails, post the contents of the C:\Windows\Debug\Oakley.log file and I'll help sort it out.
Feel free to change the public IP address references if you need to.
RE: Site to Site VPN Linksys to ISA - 18.Aug.2005 1:14:00 AM
jeroenHermans
Posts: 37
Joined: 4.Nov.2002
Status: offline
Thanks,
I'll give that a go and post the results.
J.
RE: Site to Site VPN Linksys to ISA - 18.Aug.2005 3:24:00 PM
jeroenHermans
Posts: 37
Joined: 4.Nov.2002
Status: offline
Hi,
I don't have that entry in the registry, all I have is Default and NLBSFlags. Do I need to create it manually perhaps? Is it a DWORD value?
Thanks,
Jeroen
RE: Site to Site VPN Linksys to ISA - 18.Aug.2005 3:42:00 PM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Yeah - sorry about that. EnableLogging \ REG_DWORD \ 1