Welcome to ISAserver.org


Where is the local secure group in ISA VPNs?

All Forums >> [ISA 2006 Firewall] >> VPN >> Where is the local secure group in ISA VPNs? Page: [1]
Where is the local secure group in ISA VPNs? - 27.Aug.2008 10:15:12 AM   
aswatogor

 

Posts: 14
Joined: 22.Nov.2002
From: toronto
Status: offline
This is kind of an open question (rant?).  Sorry if it has been previously dealt with in these forums, but I couldn't find it. 
 
ISA does many things well, but one glaring omission I find is that its VPN definitions do not include a definition of the local secure group. Every other VPN device I have used includes the addresses on each side of the tunnel to protect. ISA includes only the remote side.
 
I know I can control access through firewall access rules, but I end up with thousands (maybe 10's of thousands) of unwanted IPSec filters matching on every network my ISA knows about to every other one.  I am noticing now that any changes in my VPN rules can take 15-20 minutes to push through (I am on fairly new hardware that well exceeds the minimum recommended). 
 
Does anyone know if there is some benefit to this that I can't see and it was designed this way on purpose?  Or if there is a plan to address this in the next release or service pack?
 
This issue is one of the biggest headaches for this ISA proponent.
 
Thanks

< Message edited by aswatogor -- 27.Aug.2008 11:10:13 AM >
Post #: 1
RE: Where is the local secure group in ISA VPNs? - 27.Aug.2008 4:38:15 PM   
paulo.oliveira

 

Posts: 799
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline
Hi,

From what I understand, your problem is that you have too many networks and have to create the same access rules for these different networks.
If so, you can use/create the Network Sets option, grouping all the networks that have the same/similar access rules.

Regards,
Paulo Oliveira.

(in reply to aswatogor)
Post #: 2
RE: Where is the local secure group in ISA VPNs? - 27.Aug.2008 8:36:42 PM   
aswatogor

 

Posts: 14
Joined: 22.Nov.2002
From: toronto
Status: offline
Thanks for the response Paul,

It's not really a problem with the access rules or anything I see in ISA itself.  The problem is with all of the unnecessary Quick Mode filters ISA shells off to Netsh.

When I look in IPSec monitor there are thousands of IPsec filters for networks I never want to create tunnels for.  What's worse, I can now see that any time I make a VPN change, netsh grinds for 20 minutes while the filters disappear and then reappear, essentially bringing down the tunnels.  I have tunnels to only 20 or so remote sites.  What happens when that number approaches 50 or 100?




(in reply to paulo.oliveira)
Post #: 3
RE: Where is the local secure group in ISA VPNs? - 28.Aug.2008 9:50:25 AM   
pwindell

 

Posts: 782
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Where do you see this happen? How are you monitoring it?

_____________________________

Phillip Windell
www.wandtv.com

(in reply to aswatogor)
Post #: 4
RE: Where is the local secure group in ISA VPNs? - 28.Aug.2008 10:40:18 AM   
aswatogor

 

Posts: 14
Joined: 22.Nov.2002
From: toronto
Status: offline
 
Using the IP Security Monitor MMC snap-in I can see the various Main Mode IKE policies disappearing and reappearing over a course of 20 minutes or so.

In the list of Quick Mode Specific filters I see thousands of extraneous filters.  If I have 20 remote sites (call them Site A, B, C, etc.), I see IPSec filters matching each of those sites to each other: Site A to Site B, Site A to Site C, Site B to Site C and so on and so on.  I suspect this is the cause of the problem.  I just checked, and I have 19,878 Quick Mode Specific filters!  Again, all I really need to do is connect 1 local network to 20 or so remote sites.

I really didn't start the thread to harp or bash.  I do generally like working with ISA.  But, most VPN solutions have an entry for local secure group and remote secure group.  ISA only has an entry for remote secure group and seems instead to build filters for every other known network to the new remote group.  This seems like an awful lot of overhead.

My concern is how this is going to scale out.  I find myself having to be more and more apologetic using ISA with partners as I ask them to wait for the policies to push through.

So, I guess my original question is still: is there an advantage to this that I don’t see?  If not, does anyone know if Microsoft will address this in a new release?  I guess I can add, am I the only one that this happens to due to a misconfiguration of sorts?


(in reply to pwindell)
Post #: 5
RE: Where is the local secure group in ISA VPNs? - 28.Aug.2008 12:42:11 PM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Hi Aaron,
Yes, you are correct about the IPsec QM filters, and you are correct that you do not have an option to specify the local subnet.
This is a known issue.
It has been discussed around here, and you can find info about it on the web.

I suppose it's just the way it goes right now.
ISA will add automatically "for you" the QM filters, which represent the proxy-ids for IPsec tunnel mode, even between the subnets belonging to the remote sites.
It can be worse than that. For example, if I have one external adapter and I specify as the local endpoint address one address from that adapter, I will end up with filters for every IP address I have on that adapter.
If the internal network contains multiple subnets, and you summarize (or ISA might summarize for you), you'll have some filters for the big internal net, filters that will be adjusted on the fly depending on the proxy-IDs for which traffic is negotiated.

Not sure when this will be fixed, TMG beta 1 includes the same "stuff".
Maybe Microsoft is not interested a lot in the VPN site-to-site area.

You are a brave man, I did not configure more than three IPsec tunnel mode site-to-site connections with ISA.
Usually it will work for small to medium companies with no special requirements in that area.

I do not know about that time issue, because I didn't create so many IPsec tunnel mode site-to-site connections with ISA.

Personally, I do not recommend that my customers use ISA for IPsec tunnel mode site-to-site connections unless there is a simple scenario. What ISA has to offer in this area is too basic.
Microsoft spent more time on L2TP/IPsec site-to-site connections for some ambiguous reasons. Anyway few people use them.

I usually recommend that my customers use Juniper or Cisco gear for VPN site-to-site connections.
They have advanced features for site-to-site VPN connections, which currently are not found even on the dream list of Microsoft (some may hate me for saying that, guess who cares).

Regards,
J

(in reply to aswatogor)
Post #: 6
RE: Where is the local secure group in ISA VPNs? - 28.Aug.2008 2:24:46 PM   
aswatogor

 

Posts: 14
Joined: 22.Nov.2002
From: toronto
Status: offline
Thanks for the response justmee.

I didn't start noticing the time delay and the filter rebuilds until I passed a certain number of sites--somewhere around 10 or so.  I had liked the convenience of having the ISA create my tunnels, but it does not appear that it will be able to handle the number of tunnels I need.

I guess you are right, maybe MS never intended it to be an ASA replacement.  Maybe just more of a branch office connector.

Hopefully they will address this in a future version.

Thanks
 

(in reply to aswatogor)
Post #: 7
RE: Where is the local secure group in ISA VPNs? - 28.Aug.2008 2:48:57 PM   
pwindell

 

Posts: 782
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
quote: Justme
    Microsoft spent more time on L2TP/IPsec site-to-site connections for some ambiguous reasons.

It is not ambiguous.
They spent more time with L2TP because that is the protocol to use when the tunnel has ISA on both ends.  In "MS' World" everyone who uses ISA for a Site-to-Site VPN will be buying an ISA for each location and will run ISA at both ends of the tunnel.

They do state that IPsec is only there to cover ISA working with "other brands" of VPN Devices and that it is a less-efficient protocol with a higher overhead. It is not the "protocol of choice" for VPN when you want performance.  To get performance you would have an ISA at both ends and use L2TP.

So their interest is to see everyone use an ISA at every location rather than have ISA run with other brands of products.

_____________________________

Phillip Windell
www.wandtv.com

(in reply to aswatogor)
Post #: 8
RE: Where is the local secure group in ISA VPNs? - 28.Aug.2008 4:27:14 PM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
No kidding me...
Why don't you do the math and tell us what you find....

If you are lazy, I'll do it, very simplistic:
IPsec tunnel mode: packet encapsulated in ESP + new IP header (source and destination addresses are the VPN gateways' addresses)

L2TP/IPsec: packet inside PPP (PPP header), packet inside UDP (since we use IPsec, L2TP is implemented as a UDP-based IP protocol), thus L2TP header + UDP header + new IP header; after that, ESP transport mode is used to protect the L2TP tunnel.

L2TP/IPsec - IPsec tunnel mode =
PPP Header
L2TP Header
UDP Header

Compute these three numbers and you'll get the packet overhead...
Count the number of encapsulations and you'll get the system overhead...

That's why the others implement IPsec as a virtual interface, in order not to need tunnels over it to run, for example, dynamic routing protocols, 'cause the "standard" IPsec tunnel mode cannot handle multicast traffic.
The closest you get in terms of overhead to IPsec tunnel mode when using tunnels is with IPIP tunnels + IPsec ESP in transport mode.
Security problems ?
Not if you implement the IKE authentication with certificates the way it should be done.

You indeed do get compression only with L2TP/IPsec(proprietary compression) and not with IPsec tunnel mode, but that's true only for Microsoft's implementation of IPsec tunnel mode.

L2TP/IPsec is only zee choice when you use Microsoft gear at both ends, for some reasons that, I assume, just and only the Microsoft document you cited states.
If those reasons are solely due to the implementation design, I suppose there is nothing wrong in calling them ambiguous.

Yep, L2TP/IPsec can do something special for site-to-site VPN connections, but Microsoft does not do anything special with their implementation.

Sure they do, 1+1 makes two, and two means, guess what ?

(in reply to pwindell)
Post #: 9
RE: Where is the local secure group in ISA VPNs? - 29.Aug.2008 9:19:32 AM   
pwindell

 

Posts: 782
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
quote: No kidding me...

No kidding you.

quote: Why don't you do the math and tell us what you find....

Why don't I do the math?  Well, I don't do the math because I couldn't care less about it.  Plus, us uneducated guys have a hard time just putting 2 and 2 together. I have to have my girlfriend use the calculator on her cell phone for me.

quote: If you are lazy, I'll do it, very simplistic:

I'm just downright lazy. I wouldn't tie my shoes if I didn't need to to keep them on.  So you'll have to do it all,..and don't use any big words.

I don't care if you agree with it or not.  The ISA documentation says the same thing and so do Tom Shinder's books.  Go take it up with them.



_____________________________

Phillip Windell
www.wandtv.com

(in reply to justmee)
Post #: 10
RE: Where is the local secure group in ISA VPNs? - 29.Aug.2008 5:34:58 PM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Oh my, here we go again...

If you don't do the math and make the argument, the words have no value.

The VPN site-to-site connections, basic IPsec tunnel mode, versus the use of tunnels protected by IPsec is an old discussion.
Also the discussion of protecting those tunnels with ESP in transport or tunnel mode.
Fine engineers have debated various solutions over time; take a look here for an example if you want. It even made it into a nobody's RFC.
*Everybody* knows that is hard to beat L2TP/IPsec when it comes to the overhead introduced. This is a reason why some people don't use it even with remote access VPN.
People were unhappy for example using GRE over IPsec, which adds only 4 bytes of overhead, much less than L2TP/IPsec.

I'm pretty sure that it says nowhere in the Microsoft documents simply that IPsec tunnel mode "is a less-efficient protocol with a higher overhead".
Very likely, those documents only mention Microsoft's implementation of IPsec tunnel mode vs. Microsoft's L2TP/IPsec implementation.
And any feature comparison, advantages/disadvantages, is only in that area.
If you just take out of context and quote things, then you just say so.

"Microsoft's VPN site-to-site world" is just a small world, so very likely people need to interoperate with other vendors in that area.
With Microsoft's implementation of IPsec tunnel mode you can easily run into some two-cent limitations that a karate kid vendor can handle.
I do not see this world growing while these limitations are still there. I do not see this world growing by telling people that now they are in MS world, so they need to use L2TP/IPsec, 'cause IPsec tunnel mode is no good anyway, so just replace their boxes.
If a forward-thinking discussion, an open debate, is not used to acknowledge the limitations of the current implementations, and people just gather and wonder how beautiful L2TP/IPsec is, there will be no pressure on Microsoft to up their game in the VPN site-to-site area.
Personally I would like to see that world expanding, day after day, and I would like to recommend people to use ISA for site-to-site connections without the need to debate the math theory.

I've used and implemented traditional IPsec tunnel mode connections, L2TP/IPsec connections, GRE over IPsec, IPIP over IPsec, Cisco's DMVPN and SVTIs, Juniper's Dynamic VPNs or Check Point's DVPNs.
So I don't need to take or quote anybody. I can argue every bit of what I'm saying myself, including with packet captures (not just drawings) for every technology mentioned above, if I have to. I do care how they work, how they were engineered, what they do and what they don't do.

< Message edited by justmee -- 30.Aug.2008 4:23:52 PM >

(in reply to pwindell)
Post #: 11
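The header arithmetic argued about in posts #9 and #11, carried through as an added example (not code from the thread or from any of the products discussed). It works out the per-packet byte cost of each encapsulation mentioned, including the ESP padding the post above leaves out, which is why the "L2TP/IPsec minus tunnel mode = PPP + L2TP + UDP" difference only holds on average over packet sizes. The header sizes are standard ones; the PPP header (HDLC address/control plus protocol field), the AES-CBC/HMAC-SHA1-96 ESP parameters and the 1400-byte sample packet are assumptions of this example, not facts from the page.

```python
# Added example (not from the thread): per-packet byte overhead of the
# encapsulations discussed, with ESP padding worked out instead of ignored.
# Assumed parameters: PPP_HDR = HDLC address/control bytes + 2-byte protocol
# field; ESP with AES-CBC (16-byte block and IV) and HMAC-SHA1-96 (12-byte ICV).
IPV4_HDR = 20       # outer IPv4 header, no options
UDP_HDR = 8
L2TP_HDR = 6        # L2TPv2 data header: flags/version, tunnel ID, session ID (no optional fields)
PPP_HDR = 4         # assumed: address (0xFF), control (0x03), 2-byte protocol
GRE_HDR = 4         # basic GRE header without optional fields
ESP_HDR = 8         # SPI + sequence number
ESP_TRAILER = 2     # pad length + next header

# Headers that sit between the delivery IP header and the original packet, and are
# therefore protected by ESP. Plain ESP tunnel mode adds nothing. IPIP + ESP in
# transport mode adds nothing either: the "IPIP" inner header is the original
# packet's own IP header, so it costs exactly the same bytes as tunnel mode.
ENCAPS = {
    "ipsec_tunnel_mode": [],
    "ipip_ipsec": [],
    "gre_ipsec": [GRE_HDR],
    "l2tp_ipsec": [PPP_HDR, L2TP_HDR, UDP_HDR],
}


def esp_overhead(protected_len, block=16, iv_len=16, icv_len=12):
    """Bytes ESP wraps around `protected_len` bytes: header, IV, CBC padding, trailer, ICV."""
    pad = (-(protected_len + ESP_TRAILER)) % block   # pad so (payload + trailer) fills whole blocks
    return ESP_HDR + iv_len + pad + ESP_TRAILER + icv_len


def on_wire_size(encap, packet_len, **esp):
    """Total bytes on the wire for one original IP packet of `packet_len` bytes."""
    protected = sum(ENCAPS[encap]) + packet_len
    return IPV4_HDR + esp_overhead(protected, **esp) + protected


def extra_bytes(encap, packet_len, **esp):
    """Bytes this encapsulation costs beyond plain IPsec tunnel mode for one packet size."""
    return on_wire_size(encap, packet_len, **esp) - on_wire_size("ipsec_tunnel_mode", packet_len, **esp)


def average_extra_bytes(encap, start=1400, **esp):
    """Average over one full cipher-block cycle of packet sizes, which cancels the padding jitter."""
    block = esp.get("block", 16)
    return sum(extra_bytes(encap, n, **esp) for n in range(start, start + block)) / block


if __name__ == "__main__":
    # 1400 bytes is a constructed sample packet size, not a value from the thread.
    for name in ENCAPS:
        print(f"{name:18s} 1400-byte packet -> {on_wire_size(name, 1400)} bytes on the wire, "
              f"+{extra_bytes(name, 1400)} vs tunnel mode, average +{average_extra_bytes(name):.1f}")
```

For a single packet the padding can hide or exaggerate the difference (at 1400 bytes GRE over IPsec happens to cost nothing extra, and L2TP/IPsec costs 16 rather than 18), but averaged over a block-size cycle the extra cost is exactly the sum of the tunnel headers, 18 bytes for L2TP/IPsec and 4 for GRE, and zero for IPIP + ESP transport mode, which matches the claims in the two posts above.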
RE: Where is the local secure group in ISA VPNs? - 30.Aug.2008 4:40:32 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Hi Aaron,
I found this on Microsoft's web site; although it is not directly related to your situation, it is interesting:
quote:
    When you create a remote site network that uses the IPsec tunneling protocol, the Microsoft Firewall service modifies the IPsec filters on the computer, when restarting the Firewall service. This process can take up to several minutes, depending on the number of subnets included in the address ranges for the network. To minimize the effect, we recommend that you define IP address ranges that are aligned in subnet boundaries.

http://technet.microsoft.com/en-us/library/bb794723.aspx
Take care,
J

(in reply to justmee)
Post #: 12
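A capacity model for the filter explosion described in posts #5 and #6 and the subnet-alignment advice quoted in post #12, as an added example (not code from the thread, and not ISA's actual filter-generation logic). It assumes the behaviour the posters describe: one Quick Mode filter per direction for every (subnet, subnet) pair between every two networks the gateway knows about, compared with a gateway that only pairs the named local subnets with each remote site. The addresses, site counts and subnet counts are constructed sample values.

```python
# Added example (not from the thread, not ISA's own logic): a simplified model of
# how per-subnet Quick Mode filters multiply when a gateway builds them between
# every pair of networks it knows about, versus when the administrator can name
# the local subnets that actually belong to each tunnel.
import itertools
from ipaddress import ip_address, summarize_address_range


def range_to_subnets(first, last):
    """CIDR subnets an inclusive address range decomposes into; each one would need its own filters."""
    return list(summarize_address_range(ip_address(first), ip_address(last)))


def full_mesh_filters(networks):
    """Model of the behaviour described in the thread: for every pair of distinct
    networks, one filter per direction for each (subnet, subnet) combination."""
    total = 0
    for a, b in itertools.combinations(networks.values(), 2):
        total += 2 * len(a) * len(b)
    return total


def local_to_remote_filters(local, remotes):
    """Model of a 'local secure group': only local<->remote subnet pairs, per tunnel."""
    return sum(2 * len(local) * len(r) for r in remotes)


def scenario(remote_sites, subnets_per_site=1, local_subnets=1):
    """(full-mesh count, local<->remote count) for one local network plus N remote sites."""
    local = [f"local-{i}" for i in range(local_subnets)]
    remotes = [[f"site{s}-{i}" for i in range(subnets_per_site)] for s in range(remote_sites)]
    networks = {"Internal": local, **{f"Site{s}": r for s, r in enumerate(remotes)}}
    return full_mesh_filters(networks), local_to_remote_filters(local, remotes)


if __name__ == "__main__":
    # Constructed sample: a range that misses the subnet boundary by one address
    # on each end, versus the same address space defined as a whole /24.
    misaligned = range_to_subnets("10.0.0.1", "10.0.0.254")
    aligned = range_to_subnets("10.0.0.0", "10.0.0.255")
    print(len(misaligned), "subnets for 10.0.0.1-10.0.0.254;", len(aligned), "for 10.0.0.0-10.0.0.255")
    for n in (10, 20, 50, 100):
        mesh, hub = scenario(n)
        print(f"{n:3d} remote sites: mesh model {mesh:6d} filters, local<->remote model {hub:5d}")
```

Two things fall out of the model: the mesh count grows with the square of the number of networks while the local-to-remote count grows linearly, and an address range that is off by one address at each end decomposes into 14 subnets instead of 1, multiplying every filter count that involves it. That is the reason behind the subnet-alignment recommendation in the Microsoft note above.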
