Use IPSec tunnel as its default gateway?

Use IPSec tunnel as its default gateway? - 28.Nov.2004 5:41:00 PM
wbplomp

How can I configure a remote site connected to ISA Server to use the IPSec tunnel as its default gateway? (0.0.0.0)

When I configure a VPN device on a remote site to use the IPSec tunnel as its default gateway, it is unable to complete Phase II.
There seems to be a QM (Quick Mode) Policy, or actually a filter, created by ISA Server which allows only traffic defined on one of the ISA Server interfaces.

Some routers, like Cisco, allow you to configure a setting like "Allow this remote site to use this tunnel as its default gateway."
The network I'm working with is very large, and when a subnet changes I don't want to reconfigure more than 60 remote sites.
First of all, the use of 10.0.0.0/8, 192.168.0.0/16 and 172.16.0.0/12 is very difficult because of subnet overlapping.
Second of all, for security reasons I want to consolidate all remote sites; all traffic must flow through the main office.

Can someone p.l.e.a.s.e help me, because I can't find a solution for this problem anywhere and Microsoft does not respond to my e-mails.

Kind regards,

Boudewijn

[ November 28, 2004, 05:47 PM: Message edited by: Boudewijn Plomp ]
Post #: 1
RE: Use IPSec tunnel as its default gateway? - 6.Dec.2004 9:29:00 PM
wbplomp

Is there nobody who can answer this question?

(in reply to wbplomp)
Post #: 2
RE: Use IPSec tunnel as its default gateway? - 7.Dec.2004 3:05:00 AM
jamesprice3

I don't think the problem is the gateway setting; I think the problem may be the quick mode, aka Phase II, negotiation. Once you've configured your site-to-site connection (ISA doesn't allow you to modify it initially), you can edit your connection settings to match whatever you are connecting to on the other end (Cisco, Sonicwall, Watchdog ...).

If that doesn't help, let me know and I'll be happy to work with you on it. I'm learning my way through this myself and have suffered under the extreme lack of documentation other than this site.

(in reply to wbplomp)
Post #: 3
RE: Use IPSec tunnel as its default gateway? - 7.Dec.2004 8:54:00 AM
wbplomp

Hi James,

That's right. That's what I mentioned as well. Indeed it is a problem with the negotiation in Phase II. The routes are the policies themselves. The only thing is, how can you edit them? I'm unable to edit them using the IPSec Management Console. They seem to be hidden.

(in reply to wbplomp)
Post #: 4
RE: Use IPSec tunnel as its default gateway? - 12.Dec.2004 11:42:00 PM
jamesprice3

Well, I'll assume you have the Ciscos configured the way you want them and you just need to tweak the IPSec settings in ISA. If that's the case it's pretty straightforward. Open the ISA management console, then expand the ISA server node --> Virtual Private Network and go to the Remote Sites tab. Select your remote site network, right-click and choose IPSec Policy Summary, and you will see the IPSec configuration details ISA is using to bring up this tunnel. To edit these settings to match your Cisco, right-click and choose Properties, click on the Connections tab and click on the button at the bottom that says IPSec Settings. There you will be able to set the specific settings for this IPSec policy.
You bring up an interesting point, though, that this policy doesn't appear in the IP Security Policies MMC, though interestingly enough if you open the IP Security Monitor MMC you can see the SAs you have configured in ISA...

James

(in reply to wbplomp)
Post #: 5
RE: Use IPSec tunnel as its default gateway? - 13.Dec.2004 2:34:00 AM
ClintD

There are 2 contexts for IPSec policies - Static and Dynamic. Static policies are configured through the IPSec Policy Management console and persist across a reboot. Dynamic policies are flushed upon stopping the "IPSec Services" service or a reboot and are configured through the command line utility NETSH in Win2003 (netsh ipsec dynamic). If you look in the Program Files\Microsoft ISA Server\VPN directory, there is a file that you can open with Notepad to see the NETSH commands that were "pushed" into IPSec. Don't edit this file directly, as it is only a snapshot of the commands that were most recently sent - changing this file won't affect what will get pushed next time.

With this in mind, I don't think there is a need to change the policy settings, other than the addresses that are listed in the "Remote Site" network. Right now, since you're failing in Quick Mode, most likely the Filter List on the Windows side doesn't match the crypto ACL on the Cisco side.

With the configuration you want, most likely you'll need to add all IP addresses, with the exception of your Internal network, into the Remote Site properties - in essence, this is telling Windows that "all IP addresses", other than the Internal, are "interesting traffic" and will need to be encapsulated within IPSec and tunneled to the Remote Site tunnel endpoint.

Just to be clear on the concept, you can't tell Windows or ISA to use the Remote Site endpoint as the "default gateway" literally, as that server is not on ISA's external segment (i.e. you can't specify a default gateway that isn't directly accessible). What this setting really means is that you want all traffic to be encapsulated within IPSec and sent to the Remote Site to be routed further.

[ December 13, 2004, 02:38 AM: Message edited by: ClintD ]

(in reply to wbplomp)
Post #: 6
RE: Use IPSec tunnel as its default gateway? - 14.Dec.2004 10:36:00 PM
wbplomp

Hi,

First of all, thanks for your response.
Still, this doesn't give a solution for the problem, though you guys are very close.
The fact is I don't want to change the default gateway settings for sites on ISA Server.
I want ISA Server to accept IPSec encapsulation for 0.0.0.0 from the remote site.
(e.g. for a remote site; LOCAL RANGE: 10.155.1.0/24 REMOTE RANGE: 0.0.0.0)

Only the Quick Mode Policy doesn't include such a filter, so it refuses to connect.
The only way to get this running is by adding a lot of remote ranges.
And unfortunately that doesn't include the public ranges.

Do you guys know a way to change or add a QM Policy filter?

By the way, this problem exists on ALL VPN routers on remote sites, not only Cisco.
I'm in contact with Microsoft now; I hope they can help me with it.

Kind regards,

Boudewijn

[ December 14, 2004, 10:41 PM: Message edited by: Boudewijn Plomp ]

(in reply to wbplomp)
Post #: 7
RE: Use IPSec tunnel as its default gateway? - 15.Dec.2004 2:47:00 AM
ClintD

I didn't say that you had to change the default gateway setting of ISA. I said that you would need to include all IP addresses in the Remote Site properties that you have configured on ISA.

To change the Quick Mode filters, you need to change the addresses that are listed in the Remote Site - this is how ISA knows how to build its Filter List for the Remote Site - it's a direct correlation. You could add your own using NETSH IPSEC DYNAMIC... but these would be lost as ISA periodically refreshes its configuration with IPSec, so you'd have to constantly update the list.

(in reply to wbplomp)
Post #: 8
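ClintD's point in posts #6 and #8 is that the Quick Mode filter list is derived one-to-one from the address ranges entered on the Remote Site network, so "everything except the Internal network" has to be spelled out as explicit ranges rather than as a single 0.0.0.0 entry. The following is an added example, not code from this thread or from ISA Server, that computes those ranges with Python's `ipaddress` module; the internal networks passed to it are constructed sample values, and the start-end output format is an assumption about how you would type them into the Remote Site properties.

```python
import ipaddress


def remote_site_ranges(excluded_cidrs):
    """Return the (start, end) IPv4 address ranges that cover 0.0.0.0/0 minus
    every network in excluded_cidrs, merged into as few ranges as possible.

    excluded_cidrs: list of CIDR strings (the hub's Internal network(s)),
    which must NOT be tunneled to the remote site. Constructed sample input;
    nothing here is read from ISA or Windows.
    """
    remaining = [ipaddress.IPv4Network("0.0.0.0/0")]
    for cidr in excluded_cidrs:
        # strict=False tolerates host bits, e.g. "10.155.1.5/24" -> 10.155.1.0/24
        ex = ipaddress.IPv4Network(cidr, strict=False)
        next_remaining = []
        for net in remaining:
            if ex.subnet_of(net):
                # Carve the excluded block out; address_exclude yields the
                # CIDR pieces of net that do not overlap ex (nothing if equal).
                next_remaining.extend(net.address_exclude(ex))
            elif net.subnet_of(ex):
                continue  # net lies entirely inside the exclusion: drop it
            else:
                next_remaining.append(net)  # CIDR blocks nest or are disjoint
        remaining = next_remaining

    # Merge adjacent CIDR pieces into contiguous start-end ranges, the form
    # an address-range list (rather than a prefix list) would be entered in.
    ranges = []
    for net in sorted(remaining):
        start = int(net.network_address)
        end = int(net.broadcast_address)
        if ranges and ranges[-1][1] + 1 == start:
            ranges[-1] = (ranges[-1][0], end)
        else:
            ranges.append((start, end))
    return [
        (str(ipaddress.IPv4Address(s)), str(ipaddress.IPv4Address(e)))
        for s, e in ranges
    ]


if __name__ == "__main__":
    # Constructed example: hub Internal network is 10.0.0.0/8 plus a DMZ.
    for start, end in remote_site_ranges(["10.0.0.0/8", "192.168.0.0/16"]):
        print(f"{start} - {end}")
```

Each printed range is one entry for the Remote Site network; because the list is built from the Internal definition, regenerating it when a hub subnet changes is a matter of rerunning the script, not re-touching 60 routers.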