Welcome to ISAserver.org


Unwanted Automatic IPSec filter creation

Unwanted Automatic IPSec filter creation - 17.Jan.2007 2:47:56 PM   
aswatogor

 

Does anyone know of reference material on how ISA 2006 generates its IPSec filters? I currently have Site to Site VPNs to about 10 sites. When I look at the Quick Mode filters, I see that I have IPSec filters for traffic to and from remote sites--filters that do not include any of my local subnets.

For example:

If my local subnet is 10.1.1.0/24 and I have VPNs to Site A (remote network = 10.5.5.0/24) and Site B (remote network = 10.6.6.0/24), I can see in my filter list filters for Source = 10.5.5.0/255.255.255.0, Destination = 10.6.6.0/255.255.255.0 and Destination Tunnel endpoint = the remote peer address for the tunnel. These filters are mirrored, so the reverse filters are present too.

Obviously, this creates a lot of unnecessary filters. Every time I make changes to ISA configuration, it takes longer and longer for the changes to apply. I can see the netsh process running hard for 10-15 minutes. I am afraid this won't scale very well as I add more and more sites.

Has anyone else seen this? Am I doing something wrong or is this just how ISA 2006 works?

Does anyone know of any reference material?
TIA
Post #: 1
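An added example, not part of the original post and not ISA's own logic: a small audit that takes Quick Mode filters in the source/destination/tunnel-endpoint form described above and separates those that touch a local subnet from the remote-to-remote ones, plus a count of how each set grows with the number of sites. The peer addresses and sample filters are constructed, and one filter per ordered remote pair is an assumption.

```python
import ipaddress

def net(text):
    """Parse 'addr/prefix' or 'addr/dotted-mask', the notation used in the post."""
    return ipaddress.ip_network(text.strip(), strict=True)

def audit(filters, local_subnets):
    """Split (source, destination, tunnel_endpoint) filters into two lists:
    expected = source or destination overlaps a local subnet,
    transit  = neither end is local (remote-to-remote)."""
    local_nets = [net(s) for s in local_subnets]
    expected, transit = [], []
    for f in filters:
        src, dst = net(f[0]), net(f[1])
        is_local = any(src.overlaps(l) or dst.overlaps(l) for l in local_nets)
        (expected if is_local else transit).append(f)
    return expected, transit

def filter_counts(n_local, n_remote):
    """Mirrored filter counts for local<->remote only, and for that set plus
    one filter per ordered remote pair (assumption, see lead-in)."""
    local_remote = 2 * n_local * n_remote
    remote_remote = n_remote * (n_remote - 1)
    return local_remote, local_remote + remote_remote

# Constructed sample: subnets from the post, peer addresses are placeholders.
SAMPLE = [
    ("10.1.1.0/255.255.255.0", "10.5.5.0/255.255.255.0", "192.0.2.5"),
    ("10.5.5.0/255.255.255.0", "10.1.1.0/255.255.255.0", "192.0.2.5"),
    ("10.5.5.0/255.255.255.0", "10.6.6.0/255.255.255.0", "192.0.2.6"),
    ("10.6.6.0/255.255.255.0", "10.5.5.0/255.255.255.0", "192.0.2.5"),
]

if __name__ == "__main__":
    expected, transit = audit(SAMPLE, ["10.1.1.0/24"])
    for src, dst, peer in transit:
        print(f"no local subnet: {src} -> {dst} via {peer}")
    print("1 local subnet, 10 remote networks:", filter_counts(1, 10))
```

Under that assumption the remote-to-remote set grows with the square of the number of remote networks, while the local-to-remote set grows linearly.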
RE: Unwanted Automatic IPSec filter creation - 22.Jan.2007 11:06:27 AM   
tshinder

 

Is there an ISA Firewall on both sides of the site to site VPN connection?

Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to aswatogor)
Post #: 2
RE: Unwanted Automatic IPSec filter creation - 23.Jan.2007 11:22:53 AM   
aswatogor

 

No. We have tunnels to many different sites, but as far as I know no one on the other side is using ISA. We create IPSec tunnels using preshared keys. I think people on the other side generally use Cisco products, but not exclusively.

(in reply to tshinder)
Post #: 3
