Unable to connect to a external VPN

Unable to connect to a external VPN - 10.May2007 7:26:39 AM   
delaghetto

 

Posts: 29
Joined: 19.Feb.2007
Status: offline
Hi, we have the following configuration in our office.
 
A DSL router is connected to the internet and to our ISA 2006 server's external NIC. Our internal LAN computers are connected to the ISA server's internal NIC through a switch.
 
So, I connected a Win XP Pro computer directly to the DSL router, so that it's not filtered by the ISA Server, and had no problems connecting to the external VPN, after I followed the instructions in article http://support.microsoft.com/kb/885407/, setting the AssumeUDPEncapsulationContextOnSendRule key to value 2.
 
Now, the same Win XP Pro computer behind the ISA server is not able to connect: when I try to dial, it doesn't find the external VPN server and it times out. I think it must be something to configure in the ISA server. I've created a rule to allow all traffic from the internal LAN to external. Everything is working fine.. web browsing, mail, etc.., but I can't make it connect to this VPN. I also tried to add the external VPN server's IP as a new network, and set the relation from internal to this network to route mode instead of NAT mode, but nothing changes.
 
Please, can someone help me find out the solution to this?? Thanks..
Post #: 1
RE: Unable to connect to a external VPN - 10.May2007 11:34:47 AM   
elmajdal

 

Posts: 5061
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Hi,

1- set your client as SecureNAT

2- create a rule : allow > protocols > from internal > to external > all users
make sure that the condition is All Users

3- make sure to put anonymous rules ( all users ) before authenticated rules


HTH,
Tarek

_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to delaghetto)
Post #: 2
RE: Unable to connect to a external VPN - 10.May2007 12:31:56 PM   
delaghetto

 

Posts: 29
Joined: 19.Feb.2007
Status: offline
Hi.. thanks for your answer..

For testing purposes, at present the first rule in my ISA server is to allow all protocols for all users as you said.

I understand that setting a client as a SecureNAT client means that its default gateway must be the IP address of the ISA Server's internal NIC. All clients in my LAN have this gateway set by DHCP...

Is there anything else I have to do in order to set a client as a SecureNAT client??..

Any idea about what else can be blocking the VPN connection??

Thanks..


(in reply to elmajdal)
Post #: 3
RE: Unable to connect to a external VPN - 10.May2007 2:09:00 PM   
elmajdal

 

Posts: 5061
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
quote:

Is there anything else I have to do in order to set a client as a SecureNAT client??..

Nope. Just make sure that your Internal DNS Server can forward requests to your ISP DNS Server.

Read this :  http://www.elmajdal.net/ISAServer/Internal_DNS_Forwarding.aspx

Also, if you have the Firewall Client installed, disable it and try establishing a VPN connection


One last thing that came to my mind:
How many NICs do you have on ISA, and what's their configuration?

HTH,
Tarek

_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to delaghetto)
Post #: 4
RE: Unable to connect to a external VPN - 10.May2007 2:54:26 PM   
delaghetto

 

Posts: 29
Joined: 19.Feb.2007
Status: offline
Thanks again for helping..

I'll try the DNS forwarding solution you're giving me, but anyway, all web browsing is working fine behind the firewall, and for the VPN connection, there is no name resolution, I just type the remote VPN server's IP address

Can you be more clear about the firewall client??.. I'm using the same computer that I use when I connect without being filtered by the ISA server.. So I don't have any firewall client installed.. anyway.. if this firewall client only affects when I'm behind the ISA server, can you give more details on how to disable it??

The ISA server has 2 NICs.. the configuration is as follows..

The DSL router is connected to the Internet, and has IP address 192.168.10.1
I have a connection from the ISA server's external NIC to the DSL router, and its configuration is:
IP: 192.168.10.175
Mask: 255.255.255.0
Gateway: 192.168.10.1

Then I have the internal NIC of the ISA server with
IP: 172.16.0.1
Mask: 255.255.0.0
Gateway: No Gateway

The ISA server is also my DNS server, so Primary DNS on both NICs is 192.192.10.175

All computers in my LAN are with IP 172.16.X.X, and connected to the ISA server through an ethernet switch

Hope this gives a hint on what can be wrong... Thanks..

(in reply to elmajdal)
Post #: 5
RE: Unable to connect to a external VPN - 10.May2007 3:00:43 PM   
elmajdal

 

Posts: 5061
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
quote:

Can you be more clear about the firewall client??.. I'm using the same computer that I use when I connect without being filtered by the ISA server.. So I don't have any firewall client installed.. anyway.. if this firewall client only affects when I'm behind the ISA server, can you give more details on how to disable it??

If you didn't install the Firewall Client, how then can you disable it?

quote:

The ISA server is also my DNS server, so Primary DNS on both NICs is 192.192.10.175

The External NIC should not have any entry for the DNS, keep it empty !



_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to delaghetto)
Post #: 6
RE: Unable to connect to a external VPN - 11.May2007 4:36:55 AM   
delaghetto

 

Posts: 29
Joined: 19.Feb.2007
Status: offline
OK.. so no ideas about what's blocking the connection??

It's very strange that I have everything set up and I'm only able to connect to the external VPN when I'm not behind ISA...

What's happening here?? Is there some way to monitor this activity and see if something is getting blocked???

DNS doesn't solve anything.. I'm using the IP address of the VPN server directly..

I even went to the networks section, and disabled the compatibility for firewall client in the internal network....

I also got this reply in a newsgroup..
quote:

VPN depends on the GRE Protocol
The GRE Protocol is not "proxyable",...ISA only proxies TCP & UDP which is the
same as most any brand of proxy.
Therefore only SecureNAT (based on NAT) can establish their own independent VPN
Connection.

All SecureNAT Sessions are "anonymous" and letting an anonymous session run its
own independent VPN Connection to another LAN is a horrible security risk,...so
much so, that it should not even have to be mentioned.



Any opinion about that??.. Anyway I will take the risk, because it's important for us to connect to that VPN, so how do I enable this GRE protocol or whatever it is I need??

< Message edited by delaghetto -- 11.May2007 5:09:05 AM >

(in reply to elmajdal)
Post #: 7
RE: Unable to connect to a external VPN - 14.May2007 6:55:33 AM   
delaghetto

 

Posts: 29
Joined: 19.Feb.2007
Status: offline
Hmm.. so no more ideas left on this issue??

(in reply to delaghetto)
Post #: 8
RE: Unable to connect to a external VPN - 14.May2007 9:18:15 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Hi delaghetto,
first: make sure you have followed the steps Tarek recommended to you.
second: what are you using: PPTP or L2TP/IPsec (I assume L2TP/IPsec because you have enabled NAT-T)?
if you are using L2TP/IPsec you don't need GRE (IP protocol 47, not port 47). You just need to allow the following protocols on ISA: IKE client and IPSec NAT-T client.
you only need GRE if you are using PPTP, but you don't need to configure anything, just make sure the PPTP filter is bound, because the PPTP filter enables GRE.
what are ISA's logs saying?
is ISA allowing/blocking IKE?
also take a Wireshark trace on ISA's side to see what happens to the packets.
ISA has no problem allowing what you are trying to pass.
please read this:
http://www.isaserver.org/articles/IPSec_Passthrough.html

(in reply to delaghetto)
Post #: 9
RE: Unable to connect to a external VPN - 15.May2007 7:01:41 AM   
delaghetto

 

Posts: 29
Joined: 19.Feb.2007
Status: offline
Thanks for your answer..

The VPN connection is L2TP/IPsec.. I can see in the log that some IKE client connections have been made from the client's IP to the VPN server, allowed by the rule I created to enable all protocols..

Also with Wireshark, I can see packets going from client to VPN server, from VPN server to my ISA Server and from ISA server to client...

This is so strange, but I'm sure something is blocking my connection here, what drives me nuts is that everything is set up and yet I'm only able to connect when I'm not behind ISA..

(in reply to justmee)
Post #: 10
RE: Unable to connect to a external VPN - 15.May2007 8:03:06 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
quote:

I also tried to add the external VPN server's IP as a new network, and set the relation from internal to this network to route mode instead of NAT mode, but nothing changes.

I hope that this is not still in place!
There might be a problem with this double NAT from your setup.
Can you post the Wireshark trace somewhere?
If not, do you see the switch from UDP 500 to UDP port 4500, and also how far the IKE negotiation goes (phase I and phase II complete or not)?

(in reply to delaghetto)
Post #: 11
RE: Unable to connect to a external VPN - 15.May2007 11:52:45 AM   
delaghetto

 

Posts: 29
Joined: 19.Feb.2007
Status: offline
Hi..

Ok I uploaded Wireshark's information over here..

http://usuarios.lycos.es/sindhiniggas

One file has the info I got from my ISA server's external NIC and the other one from the external one. The shift to UDP 4500 is never made... The last packet is the one generated when I cancel the connection, as the initial negotiation never seems to end..

Hope this gives some info on what can be the cause... Thanks..

This is some information for easy reading:
Client's IP: 172.16.0.25
ISA Server Internal: 172.16.0.1 (Client's Gateway)
ISA External NIC: 192.192.10.175
DSL Router: 192.192.10.1
The VPN server is the 212.X.X.X address..

One thing I notice is that the packets from the VPN server go to the ISA's internal NIC.. shouldn't they be going to the Client's IP??.. On the DSL router, port 500 and 4500 UDP are redirected to ISA's Internal NIC, but shouldn't ISA be redirecting them to the Client??

< Message edited by delaghetto -- 15.May2007 12:11:08 PM >

(in reply to justmee)
Post #: 12
RE: Unable to connect to a external VPN - 15.May2007 3:08:07 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi delaghetto,

the culprit is the VPN box you are connecting to!

If you look at the trace on the Internal NIC, you only see the *first* IKE message (Responder Cookie is 0):
quote:

Frame 1 (354 bytes on wire, 354 bytes captured)
Ethernet II, Src: Intel_a4:a7:e2 (00:0e:35:a4:a7:e2), Dst: Intel_dd:b3:57 (00:04:23:dd:b3:57)
Internet Protocol, Src: 172.16.0.25 (172.16.0.25), Dst: 212.40.241.50 (212.40.241.50)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol
  Initiator cookie: 7300131CDD8FC829
  Responder cookie: 0000000000000000
  Next payload: Security Association (1)
  Version: 1.0
  Exchange type: Identity Protection (Main Mode) (2)
  Flags: 0x00
  Message ID: 0x00000000
  Length: 312
  Security Association payload
  Vendor ID payload
  Vendor ID payload
  Vendor ID payload
  Vendor ID payload

Also, look at the time stamps.

Now, look at the trace on the External NIC and you see a number of times the following sequence:
quote:

Frame 1 (354 bytes on wire, 354 bytes captured)
Ethernet II, Src: Intel_dd:b3:56 (00:04:23:dd:b3:56), Dst: Cisco-Li_8b:4d:93 (00:18:39:8b:4d:93)
Internet Protocol, Src: 192.192.10.175 (192.192.10.175), Dst: 212.40.241.50 (212.40.241.50)
User Datagram Protocol, Src Port: 18270 (18270), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol
  Initiator cookie: E4150D54AA78BE54
  Responder cookie: 0000000000000000
  Next payload: Security Association (1)
  Version: 1.0
  Exchange type: Identity Protection (Main Mode) (2)
  Flags: 0x00
  Message ID: 0x00000000
  Length: 312
  Security Association payload
  Vendor ID payload
  Vendor ID payload
  Vendor ID payload
  Vendor ID payload

Frame 2 (210 bytes on wire, 210 bytes captured)
Ethernet II, Src: Cisco-Li_8b:4d:93 (00:18:39:8b:4d:93), Dst: Intel_dd:b3:56 (00:04:23:dd:b3:56)
Internet Protocol, Src: 212.40.241.50 (212.40.241.50), Dst: 192.192.10.175 (192.192.10.175)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol
  Initiator cookie: E4150D54AA78BE54
  Responder cookie: 348B44A4D462DC8C
  Next payload: Security Association (1)
  Version: 1.0
  Exchange type: Identity Protection (Main Mode) (2)
  Flags: 0x00
  Message ID: 0x00000000
  Length: 168
  Security Association payload
  Vendor ID payload
  Vendor ID payload
  Vendor ID payload
  Vendor ID payload

The first frame is the *first* IKE message (Responder Cookie is 0) sent by the ISA Server. Pay particular attention to the UDP source port number.
Now look at frame two, the answer from the VPN box. What do you see as UDP destination port number? ISA isn't expecting traffic on that one and will drop that UDP packet!

Clearly the VPN box you are connecting to is not NAT-T aware (or not correctly configured).

HTH,
Stefaan

< Message edited by spouseele -- 15.May2007 3:11:47 PM >

(in reply to delaghetto)
Post #: 13
RE: Unable to connect to a external VPN - 16.May2007 8:05:47 AM   
delaghetto

 

Posts: 29
Joined: 19.Feb.2007
Status: offline
The strange thing is that if I connect the client directly to the DSL router, the VPN connection works perfectly.. I've uploaded the Wireshark information over here..

http://www.megaupload.com/?d=SQ8Y2FQV

Here you can see that when I'm not behind ISA, all the initial negotiation is properly done on port 500 and then switched to port 4500

Why is ISA switching to port 18270 anyway?? My customer won't change its configuration, as they say everyone is able to connect from a normal DSL line, and they attribute the problem to our ISA configuration; if I wasn't able to connect from my DSL router the story would be different... Can't I make my ISA server behave as the DSL router??

(in reply to spouseele)
Post #: 14
RE: Unable to connect to a external VPN - 16.May2007 9:18:22 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Hi delaghetto,
quote:

Why is ISA switching to port 18270 anyway?? My customer won't change its configuration, as they say everyone is able to connect from a normal DSL line, and they attribute the problem to our ISA configuration,

Your customer is joking, right?
In case he is not, he should read RFC 3947, where the explanation of this behaviour is:
quote:

The NAT may change the IKE UDP source port, and recipients MUST be
able to process IKE packets whose source port is different from 500.
The NAT does not have to change the source port if:

o only one IPsec host is behind the NAT, or

o for the first IPsec host, the NAT can keep the port 500, and the
NAT will only change the port number for later connections.

Recipients MUST reply back to the source address from the packet (see
[RFC3715], section 2.1, case d).

You would like to read one of my posts here.
It seems that the customer's VPN device only accepts connections from source UDP port 500, in which case it is not RFC compliant.
This means that the ball is in his court!
An interesting thing to see is what your DSL router is doing to the packet. Maybe the problem lies here. With what source port is traffic reaching the customer when ISA is on?

(in reply to delaghetto)
Post #: 15
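The failure Stefaan read out of the external-NIC trace (post #13) and the RFC 3947 rule justmee quotes (post #15) can be checked mechanically: the responder must answer to the UDP source port it actually received, and a NAT-T capable pair then floats to UDP 4500. The script below is an added example, not code from the thread or from any of the posters; it parses the fixed ISAKMP header (RFC 2408) from constructed datagrams that mirror the quoted frames (same addresses and cookies, dummy payload bytes) and reports, per initiator cookie, whether the peer replied to the right port. The `Datagram` type, the verdict strings and the second, compliant trace are assumptions made for the example.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

# ISAKMP fixed header (RFC 2408 section 3.1), 28 bytes: initiator cookie(8),
# responder cookie(8), next payload(1), version(1), exchange type(1),
# flags(1), message id(4), length(4).
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")
IKE_PORT = 500
NAT_T_PORT = 4500
MAIN_MODE = 2
ZERO_COOKIE = bytes(8)


@dataclass
class Datagram:
    """One UDP datagram as seen in a capture (a constructed stand-in for a pcap record)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


@dataclass
class IkeHeader:
    icookie: bytes
    rcookie: bytes
    exchange: int
    length: int


def build_isakmp(icookie: bytes, rcookie: bytes, body_len: int) -> bytes:
    """Build a main-mode ISAKMP message with a real header and dummy payload bytes."""
    total = ISAKMP_HEADER.size + body_len
    hdr = ISAKMP_HEADER.pack(icookie, rcookie, 1, 0x10, MAIN_MODE, 0, 0, total)
    return hdr + b"\x00" * body_len


def parse_isakmp(payload: bytes) -> IkeHeader:
    """Validate and decode the fixed ISAKMP header; raise on anything malformed."""
    if len(payload) < ISAKMP_HEADER.size:
        raise ValueError("datagram too short for an ISAKMP header")
    ic, rc, _next, version, exch, _flags, _msgid, length = ISAKMP_HEADER.unpack_from(payload)
    if version >> 4 != 1:
        raise ValueError(f"unexpected ISAKMP major version {version >> 4}")
    if length != len(payload):
        raise ValueError("ISAKMP length field does not match datagram size")
    return IkeHeader(ic, rc, exch, length)


def audit_exchange(datagrams: list[Datagram], our_ip: str) -> dict[str, str]:
    """Verdict per initiator cookie (hex) for IKE exchanges initiated from our_ip.

    'unanswered'          no reply from the peer at all
    'reply-to-wrong-port' peer answered, but not to the source port it received
                          (no NAT/firewall translation matches, so it is dropped)
    'ok'                  peer answered to the port it received (RFC 3947 behaviour)
    'ok-floated-to-4500'  as 'ok', and the initiator then moved to UDP 4500
    """
    sent: dict[bytes, Datagram] = {}
    verdicts: dict[bytes, str] = {}
    for dg in datagrams:
        payload = dg.payload
        if NAT_T_PORT in (dg.src_port, dg.dst_port):
            # RFC 3948: IKE on UDP 4500 is prefixed with a 4-byte zero non-ESP marker.
            if payload[:4] != b"\x00\x00\x00\x00":
                continue  # UDP-encapsulated ESP, not IKE
            payload = payload[4:]
        hdr = parse_isakmp(payload)
        if dg.src_ip == our_ip:
            if hdr.rcookie == ZERO_COOKIE and hdr.icookie not in sent:
                sent[hdr.icookie] = dg  # first message of a new exchange
                verdicts[hdr.icookie] = "unanswered"
            elif dg.dst_port == NAT_T_PORT and verdicts.get(hdr.icookie) == "ok":
                verdicts[hdr.icookie] = "ok-floated-to-4500"
        else:
            req = sent.get(hdr.icookie)
            if req is None or verdicts[hdr.icookie] != "unanswered":
                continue  # not ours, or already judged
            if dg.src_ip == req.dst_ip and dg.dst_port == req.src_port:
                verdicts[hdr.icookie] = "ok"
            else:
                verdicts[hdr.icookie] = "reply-to-wrong-port"
    return {ic.hex().upper(): v for ic, v in verdicts.items()}


# Constructed sample mirroring the external-NIC frames quoted above: ISA
# (192.192.10.175) sends from port 18270, the VPN box answers to port 500.
I_COOKIE = bytes.fromhex("E4150D54AA78BE54")
R_COOKIE = bytes.fromhex("348B44A4D462DC8C")
EXTERNAL_NIC_TRACE = [
    Datagram("192.192.10.175", 18270, "212.40.241.50", 500, build_isakmp(I_COOKIE, ZERO_COOKIE, 284)),
    Datagram("212.40.241.50", 500, "192.192.10.175", 500, build_isakmp(I_COOKIE, R_COOKIE, 140)),
]

# Constructed counter-example of a compliant peer: reply goes back to 18270 and
# the initiator then floats to 4500 (responder cookie is made up).
I2 = bytes.fromhex("7300131CDD8FC829")
R2 = bytes.fromhex("0123456789ABCDEF")
COMPLIANT_TRACE = [
    Datagram("192.192.10.175", 18270, "212.40.241.50", 500, build_isakmp(I2, ZERO_COOKIE, 284)),
    Datagram("212.40.241.50", 500, "192.192.10.175", 18270, build_isakmp(I2, R2, 140)),
    Datagram("192.192.10.175", 18270, "212.40.241.50", 4500, bytes(4) + build_isakmp(I2, R2, 100)),
]

if __name__ == "__main__":
    print("quoted trace:   ", audit_exchange(EXTERNAL_NIC_TRACE, "192.192.10.175"))
    print("compliant trace:", audit_exchange(COMPLIANT_TRACE, "192.192.10.175"))
```

Run against the quoted frames the verdict is `reply-to-wrong-port`, which is exactly the drop Stefaan describes; against the compliant trace it is `ok-floated-to-4500`. To use it on a real capture, feed it the UDP 500/4500 datagrams from the external NIC in order; a tool such as tshark can export them, but that extraction step is outside this example.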
RE: Unable to connect to a external VPN - 16.May2007 2:34:10 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi justmee,



Stefaan

(in reply to justmee)
Post #: 16
RE: Unable to connect to a external VPN - 18.May2007 8:18:54 AM   
delaghetto

 

Posts: 29
Joined: 19.Feb.2007
Status: offline
Hmm.. I don't have access to the customer's network, so I can't analyze that.. anyway they think they are too great and their VPN is perfect and not gonna change anything.. so.. whateva.. I can't do any more on my side, if all that can be done has been done..

Thank you all anyway for your help.. keep in touch..

(in reply to spouseele)
Post #: 17
RE: Unable to connect to a external VPN - 18.May2007 2:19:04 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi delaghetto,

are they Cisco admins? That would be typical...    

Stefaan


(in reply to delaghetto)
Post #: 18
RE: Unable to connect to a external VPN - 31.May2007 7:11:22 AM   
delaghetto

 

Posts: 29
Joined: 19.Feb.2007
Status: offline
Hi again..

I'm gonna reopen this post, as we need to solve this issue... The guys from the remote VPN have agreed to cooperate with us, so I told them I'll help them configure their server...

So what I see is that my ISA Server is changing the IKE packets to port 18270, but the remote VPN server is responding to port 500 (you can see the Wireshark trace I posted above..

http://www.megaupload.com/?d=SQ8Y2FQV

So.. why is the remote server not responding to port 18270, what is missing in their configuration and what do they have to do in the server, supposing they have Windows 2003 server...

(in reply to spouseele)
Post #: 19
RE: Unable to connect to a external VPN - 31.May2007 8:19:08 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Hi delaghetto,
first we need to know what the VPN gateway on the other end is.
Is it a strongSwan VPN server?
Also, does your DSL router have something called IPsec/VPN passthrough?
If so, disable it.
I can see that the remote VPN server responds with the VID for NAT-T based on the draft and also with the NAT-D payloads.
It would be interesting to see in which shape the first IKE packet reaches the remote VPN server (ports used as source and destination).

(in reply to delaghetto)
Post #: 20