Welcome to ISAserver.org

VPN problem
VPN problem - 7.Jul.2005 4:52:00 PM
JFBV2000 (Posts: 40, Joined: 7.Jul.2005, From: Virginia -USA)
Hi all,
I want to start all over again and see if someone can help me with this issue. I have ISA 2004 Enterprise on Win2k3, first-time installation.
The setup for VPN was created using chapter 4 of this documentation:
http://download.microsoft.com/download/3/7/b/37b0cbc4-e578-4082-a779-de4fbe876f06/isa2004se_vpnkit-rev%201%2004.doc#Chapter4
Based on several posts, Phil suggested creating a Network Rule from VPN Clients to the Internal Network using a Route relationship.
I also created a firewall rule for All Users to open All Outbound Traffic from VPN Clients to the Internal Network.
On the VPN client I have to change the workgroup name to match the domain name of the internal network.
The VPN client is using Windows XP Pro and I can connect to the ISA VPN server, but I can't ping or connect to any box on the internal network.
Someone told me that it's a problem with the VPN server firewall, but I thought ISA is the firewall "[Smile]" ... thinking about that, I turned off the firewall on the XP Pro VPN client.
I've been trying this for a couple of days without any luck.
Does anyone have any ideas on how to solve this issue?
Tks in advance
JFB
Post #: 1
RE: VPN problem - 7.Jul.2005 5:33:00 PM
ClintD (Posts: 1848, Joined: 26.Jan.2001, From: Keller, TX)
What is the client behind when it connects? A NAT device? If so, what subnet ID is behind that NAT device?

What addresses do you hand out to VPN Clients?

Do these 2 subnets overlap?

(in reply to JFBV2000)
Post #: 2
RE: VPN problem - 8.Jul.2005 9:31:00 AM
JFBV2000 (Posts: 40, Joined: 7.Jul.2005, From: Virginia -USA)
I'm using the PPTP protocol to connect the client. The clients are getting IPs automatically from DHCP; when I connect, the client shows this:
IP : 192.168.1.15
subnet : 255.255.255.255
gateway : 192.168.1.15
DNS : 192.168.1.65 (right DNS)
In another newsgroup Phil said that this is correct even if the gateway has the same number as the IP; he said this is the way it works.
A regular internal PC uses a different subnet, 255.255.255.0.
Tks.

(in reply to JFBV2000)
Post #: 3
RE: VPN problem - 12.Jul.2005 2:49:00 PM
JFBV2000 (Posts: 40, Joined: 7.Jul.2005, From: Virginia -USA)
I have had this problem for a week.
Does anyone have an idea on how to reset the VPN and start again from scratch?
Tks
JFB

(in reply to JFBV2000)
Post #: 4
RE: VPN problem - 12.Jul.2005 4:04:00 PM
ClintD (Posts: 1848, Joined: 26.Jan.2001, From: Keller, TX)
The client is behind a NAT device, right? It isn't by chance using 192.168.1.x for that subnet as well, is it?

If so, then this is a classic problem - both the local and VPN subnet are the same and Windows chooses the lower metric interface to send the traffic - in other words, it sends it out the NIC instead of the VPN adapter. You'll need to change one of the subnets to use a different subnet ID - preferably ISA's subnet as you'll run into this problem a lot since a lot of home office routers use the same 192.168.1 subnet ID.

[ July 12, 2005, 04:05 PM: Message edited by: ClintD ]

(in reply to JFBV2000)
Post #: 5
RE: VPN problem - 14.Jul.2005 9:20:00 AM
Rulezz (Posts: 1, Joined: 14.Jul.2005)
I'm having the same issue with my network. But we have a lot of subnet IDs that are considered the internal network of the ISA server. I really don't understand the last post. About the subnets... if the VPN client is getting the IP from the local network, why is it not possible to ping those hosts?? What changes do I have to make in the ISA server? I'm really confused about how this works. I have been following the steps of different tutorials and it seems that it is an easy process, but it is not.

Example:
I have a lot of branch offices that connect to the internet through one main office. The main office has the ISA server configured with an internal interface of 10.0.0.0/8 to cover all the subnets of my branch offices. Now if I have an external VPN client, it connects successfully and receives the IP address from the local DHCP server (the DHCP server is in the same subnet as the internal ISA server adapter). Now if I try to ping one host, even if it is in the local network, it is impossible. It seems that the VPN client does not have knowledge of the local network due to an ISA server issue. How can I resolve this?

(in reply to JFBV2000)
Post #: 6
RE: VPN problem - 22.Jul.2005 10:56:00 AM
JFBV2000 (Posts: 40, Joined: 7.Jul.2005, From: Virginia -USA)
Well, I'm still dealing with this problem.
I don't think the subnets are the problem, because now I made a connection from home with the same subnet. I think the problem is the domain name. I'll explain why: in my office I joined my laptop to my domain; at the end of the day I take my laptop home and try the connection, and it works: I can ping and connect to any PC or server in the office, but I can't use the internet or Outlook Express (I think this is a separate issue). But if I try to connect my PC from home, which is not part of the domain but only in a workgroup, it won't work.
In ISA -- VPN properties, under user mapping, it is enabled and I put in the domain name so any VPN client can use it, but no luck.
How can I fix this error?
How can I open internet for VPN clients?
Tks in advance
Johnny

(in reply to JFBV2000)
Post #: 7
RE: VPN problem - 22.Jul.2005 11:00:00 AM
JFBV2000 (Posts: 40, Joined: 7.Jul.2005, From: Virginia -USA)
Sorry, in my last post I said that I can't connect the PC from home using "workgroup"; that is not true, I can connect but I can't see or ping any box.
Tks
Johnny

(in reply to JFBV2000)
Post #: 8
RE: VPN problem - 26.Jul.2005 4:34:00 PM
JFBV2000 (Posts: 40, Joined: 7.Jul.2005, From: Virginia -USA)
Rulezz...! Did you fix the problem?
Looks like nobody can help us [Smile]
Rgds
Johnny

(in reply to JFBV2000)
Post #: 9
RE: VPN problem - 26.Jul.2005 4:51:00 PM
ClintD (Posts: 1848, Joined: 26.Jan.2001, From: Keller, TX)
What I meant in my post above is: if the client is behind a NAT device that uses 192.168.1.x for the private side, and ISA uses 192.168.1.x for its Internal network, then you should expect problems.

This is because the client, prior to connecting, has a subnet-specific route for 192.168.1.x through its network adapter. Now, once the client connects with a PPTP/L2TP VPN, it still thinks 192.168.1.x is accessible through the NIC. If the client tries to initiate traffic to the Internal network of ISA, since it has a more specific route for 192.168.1.x through its NIC, the traffic will not go through the VPN adapter - it will go through the NIC. You can override this behavior by removing the checkbox for "Use Default Gateway on remote network", but this is a security risk.

Before testing the following, ensure ISA Server has been configured with the following.

1. Network Rule - VPN Clients Routes to Internal (this is the default)
2. Firewall Policy Access Rule - Allows PING from VPN Clients to Internal network for All Users. Don't use "Authenticated Users" just yet.

Now once the client connects the VPN, retrieve the IP address the client received for the VPN connection. Once you have it, go into the ISA console and under Monitoring\Logging, add an entry for "Client IP" "Equals" "%VPNClientIPAddress%" and start the query.

Then, go to the client and try to PING a DC/File Server/etc... and see what the ISA log shows for the request.

Does it hit the Default Rule?
Does it show a Rule at all for the traffic?
If it doesn't, go into the View menu and select Add/Remove Columns. Find the entry for "Result Code" and add it to the right. Once it is added in, what is the result code for the PING request?

Assuming that you have an access rule in place to allow PING, the Workgroup name has no bearing on connectivity to the Internal network - yes, it affects the view shown in My Network Places, but doesn't affect PING, Remote Desktop, FTP, etc...

I'm not trying to be a jerk, but you guys are posting "symptom" based descriptions of the problem - once you get the hang of the Logging, you can provide specific technical reasons for the failures and we can help a lot more with the failure. The more details the better - "client receives IP address XXXX for its VPN connection. This traffic is seen by the ISA Server and is being denied by rule yyy even though I have an Access Policy rule in place named zzz which allows the traffic". Something along those lines...

[ July 26, 2005, 04:56 PM: Message edited by: ClintD ]

(in reply to JFBV2000)
Post #: 10
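ClintD's route explanation above, worked through as an added example that is not part of the thread: a small model of the client's routing table after a PPTP connection, using the actual Windows selection rule (longest matching prefix first, then lowest metric). The client address 192.168.1.15, the two routing tables and the 10.0.0.0/24 renumbering are constructed for the example, and it assumes "Use Default Gateway on remote network" stays checked.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str   # "NIC" = home LAN adapter, "VPN" = PPTP adapter
    metric: int


def egress_interface(routes, dst):
    """Return the interface Windows would pick for dst: the matching route
    with the longest prefix wins, and ties go to the lowest metric."""
    dst = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if dst in r.prefix]
    if not matches:
        return "unreachable"
    best = min(matches, key=lambda r: (-r.prefix.prefixlen, r.metric))
    return best.interface


def pools_overlap(local_lan, vpn_pool):
    """True when the NAT router's LAN and ISA's VPN address pool collide."""
    return ipaddress.IPv4Network(local_lan).overlaps(ipaddress.IPv4Network(vpn_pool))


def make_client_routes(local_lan):
    """Constructed client routing table: the LAN route via the NIC, a /32 for
    the PPTP adapter's own address (subnet 255.255.255.255, as in the thread)
    and two default routes, the VPN one with the lower metric."""
    return [
        Route(ipaddress.IPv4Network("0.0.0.0/0"), "NIC", 20),
        Route(ipaddress.IPv4Network(local_lan), "NIC", 20),
        Route(ipaddress.IPv4Network("192.168.1.15/32"), "VPN", 1),
        Route(ipaddress.IPv4Network("0.0.0.0/0"), "VPN", 1),
    ]


# Case 1: the home router and ISA's Internal network both use 192.168.1.0/24.
OVERLAP_ROUTES = make_client_routes("192.168.1.0/24")
# Case 2: the home LAN renumbered to 10.0.0.0/24 so the two no longer collide.
FIXED_ROUTES = make_client_routes("10.0.0.0/24")

if __name__ == "__main__":
    dns_server = "192.168.1.65"   # the internal DNS server named in the thread
    for name, routes in (("overlapping", OVERLAP_ROUTES), ("renumbered", FIXED_ROUTES)):
        print(f"{name}: ping {dns_server} leaves via {egress_interface(routes, dns_server)}")
    print("pools overlap:", pools_overlap("192.168.1.0/24", "192.168.1.0/24"))
```

In the overlapping case the more specific 192.168.1.0/24 route wins and the ping never reaches the tunnel, which is exactly why the ISA log shows nothing for it; once the LAN is renumbered only the default routes match and the lower VPN metric sends it through the tunnel.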
RE: VPN problem - 26.Jul.2005 11:01:00 PM
JFBV2000 (Posts: 40, Joined: 7.Jul.2005, From: Virginia -USA)
Tks for your reply. I'm new to ISA and I really need help... sorry if we don't post the right info.
I just tried what you said from home. Now I changed my private IP at home to 10.0.0.1 and still have the same problem. My laptop that is part of the domain connects and can ping any box inside the internal network, but not the internet. The box from my home "workgroup" can connect but can't ping any box. When I check the logs in ISA I get this:
Original Client IP Client Agent Authenticated Client Service Referring Server Transport HTTP Method MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Network Interface Raw IP Header Raw Payload GMT Log Time Source Port Processing Time Bytes Sent Bytes Received Cache Information Error Information Log Time Client IP Destination IP Destination Port Protocol Action Rule Result Code HTTP Status Code Client Username Source Network Destination Network URL Server Name Log Record Type Destination Host Name Filter Information
192.168.1.5 - UDP - - Yes 7/27/2005 3:04:30 AM 3008 0 0 0 0x0 0x0 7/26/2005 11:04:30 PM 192.168.1.5 192.168.1.65 53 DNS Initiated Connection VPN Client to internal 0x0 VPN Clients Internal - MYISA Firewall -
192.168.1.5 - UDP - - Yes 7/27/2005 3:05:32 AM 3008 62000 60 116 0x0 0x0 7/26/2005 11:05:32 PM 192.168.1.5 192.168.1.65 53 DNS Closed Connection VPN Client to internal 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN VPN Clients Internal - MYISA Firewall -
As you see I can see the rule...
What is the problem?
Tks for you help
Johnny

(in reply to JFBV2000)
Post #: 11
RE: VPN problem - 26.Jul.2005 11:12:00 PM
JFBV2000 (Posts: 40, Joined: 7.Jul.2005, From: Virginia -USA)
Also, I just found out that I can ping the box by internal IP number but not by box name:
192.168.1.5 - ICMP - - No 7/27/2005 3:21:17 AM 8 16 0 0 0x0 0x0 7/26/2005 11:21:17 PM 192.168.1.5 192.168.1.117 0 Ping Initiated Connection VPN Client to internal 0x0 administrator VPN Clients Internal - MYISA Firewall -

(in reply to JFBV2000)
Post #: 12
RE: VPN problem - 27.Jul.2005 8:35:00 AM
ClintD (Posts: 1848, Joined: 26.Jan.2001, From: Keller, TX)
OK cool - so name resolution is the only thing hanging us up. What DNS Server do you get configured for the VPN? Did you configure the DHCP Relay Agent as per Tom's article so you get the DNS suffix for the domain?

Enabling DHCP Relay for ISA Firewall VPN Clients

(in reply to JFBV2000)
Post #: 13
RE: VPN problem - 28.Jul.2005 3:35:00 PM
JFBV2000 (Posts: 40, Joined: 7.Jul.2005, From: Virginia -USA)
Ok, I set up the rules and the DHCP as in the article.
The second part of the article, "Install and configure the DHCP Relay Agent routing protocol in the RRAS console", is it done on the ISA box or on the DHCP box?
I did it on ISA and still have the same problem.
My DNS is configured on the DHCP box also. I have a domain controller with integrated DNS, and I use this number in the ISA configuration.
Tks
Johnny

(in reply to JFBV2000)
Post #: 14
RE: VPN problem - 28.Jul.2005 3:52:00 PM
ClintD (Posts: 1848, Joined: 26.Jan.2001, From: Keller, TX)
You're good to go - you configure the DHCP Relay on ISA.

OK - so what happens if you ping the server name by simple host name? How about fully qualified name? Does it report unknown host for both?

If you run IPCONFIG /ALL on the client, do you get a DNS Suffix for the VPN connection? It should be a "Connection Specific Suffix"

Is DNS Allowed from VPN Clients? (or are you "shotgunning" the rule and allowing everything until you get some headway? [Razz] )

[ July 28, 2005, 03:53 PM: Message edited by: ClintD ]

(in reply to JFBV2000)
Post #: 15
RE: VPN problem - 28.Jul.2005 10:20:00 PM
JFBV2000 (Posts: 40, Joined: 7.Jul.2005, From: Virginia -USA)
Tks for your reply,
I'm not getting a DNS suffix, and I can only ping a box by IP address, like 192.168.1.100.
I have two rules in ISA: one allowing VPN clients all outbound traffic to Internal and one allowing DNS, HTTP, HTTPS and FTP to External; after those are the two DHCP rules that I created yesterday as in Tom's article.
Do I need to setup anything else?
Tks again
Johnny

(in reply to JFBV2000)
Post #: 16
RE: VPN problem - 28.Jul.2005 10:25:00 PM
JFBV2000 (Posts: 40, Joined: 7.Jul.2005, From: Virginia -USA)
Another thing that I just saw: after I rebooted the server I found two alerts on ISA.
1.VPN Connection Failure:The VPN connection attempt by user myDomain\administrator from VPN client IP address XX.X.XX.245 could not be established.
The failure is due to error: 0xc0040021
2.Configuration Error:ISA Server detected routes through adapter Internal Connection that do not correlate with the network element to which this adapter belongs. For best practice, the address range of an array-level network element should match the address ranges routable through its network adapters as defined in the routing table. Otherwise valid packets may be dropped as spoofed. (This alert may occur momentarily when you create a remote site network or configure Network Load Balancing. You may safely ignore this message if it does not reoccur.)
The following ranges are in the network's IP address range but are missing from the routing table: 192.168.1.5-192.168.1.5;.

The routing table for network adapter Internal includes IP address ranges that are not defined in the array network VPN Clients to which it is bound. As a result, when packets go in/out via this network adapter and they are from/sent to the IP address ranges listed below they will be considered spoofed and will be dropped. To resolve this issue, add the missing IP address ranges to the array network.
The following IP address ranges will be dropped as spoofed:
Internal:192.168.1.5-192.168.1.5;

Any Comments about this?
I really appreciate all you help
Rgds
Johnny

(in reply to JFBV2000)
Post #: 17
RE: VPN problem - 28.Jul.2005 10:29:00 PM
JFBV2000 (Posts: 40, Joined: 7.Jul.2005, From: Virginia -USA)
Now another alert shows:
IP Spoofing:ISA Server detected a spoof attack from Internet Protocol (IP) address 10.0.0.100. A spoof attack occurs when an IP address that is not reachable via the interface on which the packet was received. If logging for dropped packets is set, you can view details in the firewall log.

(in reply to JFBV2000)
Post #: 18
RE: VPN problem - 28.Jul.2005 10:37:00 PM
ClintD (Posts: 1848, Joined: 26.Jan.2001, From: Keller, TX)
Clear something(s) up for me, OK?

Is the client behind a NAT device? If so, what IP address does it have assigned?

What address range are you assigning to the VPN Clients?

What is the address range listed in the properties of the Internal network object?

(in reply to JFBV2000)
Post #: 19
RE: VPN problem - 29.Jul.2005 9:24:00 AM
JFBV2000 (Posts: 40, Joined: 7.Jul.2005, From: Virginia -USA)
Ok,
Yes, the client is behind a NAT with an IP range of 10.0.0.100/255.
The VPN clients' IP range on ISA is obtained from the DHCP server: 192.168.1.0/100.
Internal Network address: 192.168.1.0/255.
Tks

(in reply to JFBV2000)
Post #: 20