Welcome to ISAserver.org


VPN over intranet

VPN over intranet - 6.Feb.2004 9:52:00 AM   
Turan

 

Posts: 13
Joined: 25.Mar.2002
Status: offline
Hi all,

Our company has 25 sites connected by various wan connections excluding internet. One of our site has internet connection, and due some security reasons all these sites connected with vpn connection, also all sites connect to internet over one site. For now we use Astaro Linux FW on all sites.

I'd like to use ISA 2004 and made a test platform. Here is my test platform diagram:

[test platform diagram image not preserved]

I'd like to be identifying access policies between two sites, connect two sites via vpn, and also make available internet for "Site B" over "Site A".

I have "External", "internal", "local host" predefined network definitions on "Site A", identified correctly, and clients can connect to internet over "Site A".

To establish vpn over two sites and make a full connection over two sites without any restrictions, I did the following on "Site A"

1. Define a network connection as "vpn b" defined as "VPN Site-to-Site Network", select "IPSec Tunnel Mode", as remote VPN gateway 10.1.2.5, and as Local VPN Gateway 10.1.1.5. Enter a shared key, and specify network address range as 172.16.2.0-172.16.2.255.

2. Define a network rule as "Site B Connection" defined as source "internal", destination "vpn b" and define network relationship as "route"

3. Define a Firewall policy as "Full access to site B" (for now, it will not be full finally), "internal" as source, "vpn b" as destination, without any restrictions.

4. Make same configurations on "Site A" using the same vpn shared key.

5. And try to connect from "site a" to "site b"; I couldn't ping, or anything like that.

Let me say that there's no static routing or identified w2k3 routing&remote access rule on any isa server. Also there's no definition for wan network, 10.X.X.X.

From clients, when I try to ping, I get the message "request timed out"; from the ISA server, "negotiating IP security", but never a successful ping reply "[Frown]"

What should be the problem? Am I missing something?

Thanks in advance..

[ February 06, 2004, 09:58 AM: Message edited by: Turan ]
Post #: 1
RE: VPN over intranet - 6.Feb.2004 1:53:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Turan,

If you're getting a negotiation of IPSec policy and then a failure, it's possible that the policies don't match. I can't say for sure, but I'd start there. The rest looks OK to me.

HTH,
Tom

(in reply to Turan)
Post #: 2
RE: VPN over intranet - 6.Feb.2004 2:38:00 PM   
Turan

 

Posts: 13
Joined: 25.Mar.2002
Status: offline
Hi tshinder,

IPSec policies match exactly. Shared keys are the same, and the source and destination addresses are opposite on each site. What else should I check?

Also, with PPTP or L2TP, how should I connect such a network? Could you also please help on this.

Now I changed the policies a little bit. For "Site A" I added a network set as "All Sites" including the "internal" and "vpn a" networks, and I created a policy as "Full Site Access" for source "All Sites" and destination "All Sites" with full access. I did the same for "Site B", but there's no change in behavior.

Also, I'm always getting the negotiation message from "ping -t"; it does not change to an error.

[ February 06, 2004, 02:45 PM: Message edited by: Turan ]

(in reply to Turan)
Post #: 3
RE: VPN over intranet - 6.Feb.2004 3:38:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Turan,

It sounds like you are doing things correctly. I would suggest that you next try setting up two ISA 2004 firewalls in the lab and try the same setup. If this works in the lab, then we know there is a problem with the configuration of the third-party device on the other end. If it doesn't work, then we can troubleshoot the issue with your ISA configuration.

I always use VMware for my lab testing. Works great and doesn't require me to use office space for a physical lab network.

HTH,
Tom

(in reply to Turan)
Post #: 4
RE: VPN over intranet - 6.Feb.2004 4:09:00 PM   
Turan

 

Posts: 13
Joined: 25.Mar.2002
Status: offline
quote:
Originally posted by tshinder:

I always use VMware for my lab testing. Works great and doesn't require me to use office space for a physical lab network.

Hi Tom,

This is not a real-life implementation. As I mentioned before, we have over 25 sites with dozens of routers, bridges, and various types of connections. I'm doing this test on a VMware ESX server, created virtual networks on it, and before installing the ISA servers I tested whether all connections were designed and working correctly.

I will try to uninstall and reinstall the whole ISA platform again. If I can reach a solution, I'll inform you.

Best regards..

(in reply to Turan)
Post #: 5
RE: VPN over intranet - 7.Feb.2004 6:29:00 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Turan,

Thanks! I'll be very interested in your results.

Tom

(in reply to Turan)
Post #: 6
RE: VPN over intranet - 7.Feb.2004 1:22:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hey guys,

I'm seeing the same thing. The IPSec tunnel is established, but nothing routes through the tunnel.

I hope we can find out what's going on here.

Thanks!
Tom

(in reply to Turan)
Post #: 7
RE: VPN over intranet - 7.Feb.2004 2:31:00 PM   
mviljac

 

Posts: 3
Joined: 7.Feb.2004
Status: offline
>3. Define a Firewall policy as "Full access to site B" (for now, it will not be full finally), "internal" as source, "vpn b" as destination, without any restrictions

Define Firewall policy "Full access from B to A", "vpn b" as source and "internal" as destination.

My configuration: IPSec tunnel between ISA2004 and Windows 2003 (http://support.microsoft.com/default.aspx?scid=kb;en-us;816514)

Mario

(in reply to Turan)
Post #: 8
RE: VPN over intranet - 7.Feb.2004 6:37:00 PM   
Turan

 

Posts: 13
Joined: 25.Mar.2002
Status: offline
quote:
Originally posted by Mario V.:
>3. Define a Firewall policy as "Full access to site B" (for now, it will not be full finally), "internal" as source, "vpn b" as destination, without any restrictions

Define Firewall policy "Full access from B to A", "vpn b" as source and "internal" as destination.

My configuration: IPSec tunnel between ISA2004 and Windows 2003 (http://support.microsoft.com/default.aspx?scid=kb;en-us;816514)

Mario

I did both, but I couldn't solve the problem. Then I created a network group as "local networks", added "internal" and "vpn b" into it, and I defined a rule with source "local networks" and destination "local networks"; this way I granted two-way access, but this didn't work out either.

As I said before, I installed both ISA servers from scratch, even the OS, but I couldn't resolve the problem yet. In my first installation my ISA server was a domain member; in the documents I found this:
quote:
Typically, the ISA Server computer is not a member of a domain; in this case, a local IPSec policy can be used. However, if ISA Server is a member of a domain that has IPSec policy applied to all its members, the local IPSec policies are overwritten by the domain IPSec policies. To avoid policy collisions, create an organizational unit (OU) in the Active Directory directory service. Make the ISA Server computer a member of that OU. In this way, the local IPSec policy (on the ISA Server computer) won't overwrite the domain policies.
So I didn't make the ISA servers domain members in my second installation; despite this, the result didn't change.

I'd like to know if anyone has accomplished such a VPN configuration, even over the internet, or if anyone has documentation on how to set up a VPN network. The included documentation does not have enough information.

I also want to ask Mario whether all these tasks should be done for two ISA 2004 servers on W2K3. Is there any additional Windows configuration needed to set up the VPN network? In the help files it's not mentioned much; it is also written that if such a configuration is made, ISA policies won't work correctly in some situations.

Best regards,

Turan

[ February 07, 2004, 06:52 PM: Message edited by: Turan ]

(in reply to Turan)
Post #: 9
RE: VPN over intranet - 8.Feb.2004 3:25:00 PM   
mviljac

 

Posts: 3
Joined: 7.Feb.2004
Status: offline
Hi,

Do you have entries like this in Security log:
(on site A)

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 541
Date: 7.2.2004
Time: 14:19:29
User: NT AUTHORITY\NETWORK SERVICE
Computer: ISA2004
Description:
IKE security association established.
Mode:
Key Exchange Mode (Main Mode)

Peer Identity:
Preshared key ID.
Peer IP Address: 10.1.2.5

Filter:
Source IP Address 10.1.1.5
Source IP Address Mask 255.255.255.255
Destination IP Address 10.1.2.5
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 10.1.1.5
IKE Peer Addr 10.1.2.5
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr

Parameters:
ESP Algorithm Triple DES CBC
HMAC Algorithm SHA
Lifetime (sec) 28800
MM delta time (sec) 1

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 541
Date: 7.2.2004
Time: 14:19:29
User: NT AUTHORITY\NETWORK SERVICE
Computer: ISA2004
Description:
IKE security association established.
Mode:
Data Protection Mode (Quick Mode)

Peer Identity:
Preshared key ID.
Peer IP Address: 10.1.2.5

Filter:
Source IP Address 172.16.1.0
Source IP Address Mask 255.255.255.0
Destination IP Address 172.16.2.0
Destination IP Address Mask 255.255.255.0
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 10.1.1.5
IKE Peer Addr 10.1.2.5
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr

Parameters:
ESP Algorithm Triple DES CBC
HMAC Algorithm SHA
AH Algorithm None
Encapsulation Tunnel Mode
InboundSpi 3732219283 (0xde752593)
OutBoundSpi 2581574899 (0x99dfb4f3)
Lifetime (sec) 3600
Lifetime (kb) 100000
QM delta time (sec) 0
Total delta time (sec) 1

My working configuration is :

Site A: Windows 2003 Standard (member of AD domain), ISA 2004 beta 2, IPsec wizard (IPsec tunnel with preshared key), routing between Internal and IPSec network , firewall rules "full access from A to B", and "full access from B to A"

Site B: Windows 2003 enterprise (not member of AD domain), RRAS, IPsec tunnel (Microsoft Knowledge Base Article - 816514)

Mario

(in reply to Turan)
Post #: 10
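As an added example (not part of any post in this thread), the Python script below parses Security log records in the Event ID 541 format Mario quotes and checks for the two things a working tunnel must show: a Main Mode SA between the two gateways and a Tunnel Mode Quick Mode SA whose filter is the two internal subnets. The sample log is constructed from the fields shown above; the gateway and subnet addresses are the ones from this thread.

```python
import ipaddress
import re

# Constructed sample modelled on the Event 541 records quoted above (not the original text).
SAMPLE_LOG = """Event ID: 541
Key Exchange Mode (Main Mode)
Source IP Address 10.1.1.5
Source IP Address Mask 255.255.255.255
Destination IP Address 10.1.2.5
Destination IP Address Mask 255.255.255.255

Event ID: 541
Data Protection Mode (Quick Mode)
Source IP Address 172.16.1.0
Source IP Address Mask 255.255.255.0
Destination IP Address 172.16.2.0
Destination IP Address Mask 255.255.255.0
Encapsulation Tunnel Mode
"""

def _field(block, name):
    m = re.search(rf"^{name} (\S+)$", block, re.M)  # '$' keeps 'X Mask ...' from matching 'X'
    return m.group(1) if m else None

def parse_events(text):
    """One dict per Event 541 record: IKE mode, filter as networks, encapsulation."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        if "Event ID: 541" not in block:
            continue
        mode = re.search(r"\((Main Mode|Quick Mode)\)", block)
        nets = {k: ipaddress.ip_network(f"{_field(block, n)}/{_field(block, n + ' Mask')}")  # addr/mask form
                for k, n in (("src", "Source IP Address"), ("dst", "Destination IP Address"))}
        events.append({"mode": mode.group(1) if mode else None,
                       "tunnel": "Encapsulation Tunnel Mode" in block, **nets})
    return events

def tunnel_problems(events, local_gw, remote_gw, local_net, remote_net):
    """Missing pieces of a working tunnel; empty means IKE is fine and a failing ping is routing/rules."""
    problems = []
    pairs = {(e["mode"], e["src"], e["dst"]): e["tunnel"] for e in events}
    gw = tuple(map(ipaddress.ip_network, (local_gw, remote_gw)))
    if ("Main Mode", *gw) not in pairs:
        problems.append(f"no Main Mode SA between {local_gw} and {remote_gw}")
    nets = tuple(map(ipaddress.ip_network, (local_net, remote_net)))
    if ("Quick Mode", *nets) not in pairs:
        problems.append(f"no Quick Mode SA for {local_net} -> {remote_net}")
    elif not pairs[("Quick Mode", *nets)]:
        problems.append("Quick Mode SA is not in Tunnel Mode")
    return problems
```

An empty result with traffic still failing is the situation Tom describes two posts later: the SAs are up, so the fault lies in routing or access rules rather than in IPSec negotiation.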
RE: VPN over intranet - 8.Feb.2004 5:22:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mario,

In my configuration I have ISA2004 on both sides. I see the same thing in the Security log, so it appears that the IPSec tunnel is established. In addition, I see in the ISA2004 real time logging that the connection is established when I ping and telnet to the opposite side. I also see that the IKE connection is established. It appears that the routing is not working properly from what I can tell.

Mario, have you tried it with ISA2004 on networks A and B?

Thanks!
Tom

[ February 08, 2004, 05:29 PM: Message edited by: tshinder ]

(in reply to Turan)
Post #: 11
RE: VPN over intranet - 9.Feb.2004 12:53:00 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hey guys,

I've also noticed that L2TP/IPSec connections don't work either using a preshared key. I'm suspecting something wrong with maybe the firewall System Policy, but not sure. Will continue investigating.

Thanks!
Tom

(in reply to Turan)
Post #: 12
RE: VPN over intranet - 9.Feb.2004 2:33:00 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hey guys,

I got L2TP/IPSec working. I forgot to set the answering gateway to use the pre-shared key in the RRAS console [Big Grin]

HTH,
Tom

(in reply to Turan)
Post #: 13
RE: VPN over intranet - 10.Feb.2004 11:38:00 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hey guys,

I got it to work today. Not sure what I did differently, but it works fine between two ISA2004 machines. Using this network:



I created the remote networks, created a rule on the remote network that allowed all traffic from remote to local, and at the local network from remote to Internet. Worked great, and the Main and Quick Mode SAs show up like they're supposed to.

HTH,
Tom

(in reply to Turan)
Post #: 14
RE: VPN over intranet - 11.Feb.2004 7:27:00 AM   
Turan

 

Posts: 13
Joined: 25.Mar.2002
Status: offline
Hi Tom,

If this is a test platform and not so confidential can you send me a backup of two isa server configurations as xml? I'd like to check what's different in my platform.

Best regards,

Turan

[ February 11, 2004, 07:33 AM: Message edited by: Turan ]

(in reply to Turan)
Post #: 15
RE: VPN over intranet - 11.Feb.2004 10:20:00 AM   
Addario

 

Posts: 3
Joined: 6.Feb.2004
From: CH
Status: offline
Hi Mr. tshinder

Now i need your help, you wrote

"I got L2TP/IPSec working. I forgot to set the answering gateway to use the pre-shared key in the RRAS console"

What have you exactly changed?

When I ping the destination network I receive this answer:

"Destination host unreachable"
This message is very fast, four times!

Tanx Addario

[ February 11, 2004, 11:17 AM: Message edited by: Addario C ]

(in reply to Turan)
Post #: 16
RE: VPN over intranet - 11.Feb.2004 11:11:00 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Turan:
Hi Tom,

If this is a test platform and not so confidential can you send me a backup of two isa server configurations as xml? I'd like to check what's different in my platform.

Best regards,

Turan

Hi Turan,

No problem. I'll need to recreate the VMs, but the entire configuration is open. I'll put it back together today and post a link to download the backup files for the local and remote VPNs. I'm going to do this with all ISA2004 articles in the future: post either a backup file for the config, or at least the firewall rules.

Thanks!
Tom

(in reply to Turan)
Post #: 17
RE: VPN over intranet - 11.Feb.2004 11:12:00 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Addario C:
Hi Mr. tshinder

Now i need your help, you wrote

"I got L2TP/IPSec working. I forgot to set the answering gateway to use the pre-shared key in the RRAS console"

What have you exactly changed?

When I ping the destination network I receive this answer:

"Destination host unreachable"
This message is very fast, four times!

Tanx Addario

Hi Addario,

You can open the RRAS console and right click the server name in the left pane and click Properties.

In the Security tab you can configure the IPSec key for L2TP/IPSec VPN connections.

HTH,
Tom

(in reply to Turan)
Post #: 18
RE: VPN over intranet - 11.Feb.2004 11:28:00 AM   
Addario

 

Posts: 3
Joined: 6.Feb.2004
From: CH
Status: offline
Hi tshinder

Thanx for your fast answer, but I can't change this value! I made these configurations:

web page

web page

thanx a lot!

(in reply to Turan)
Post #: 19
RE: VPN over intranet - 11.Feb.2004 12:07:00 PM   
Turan

 

Posts: 13
Joined: 25.Mar.2002
Status: offline
Hi Tom,

Thanks for your answer. I'm looking forward to getting the links to the backup files.

Thanks in advance [Smile]

(in reply to Turan)
Post #: 20