Welcome to ISAserver.org


Windows2003+ISA2004RC1 - Linux+Freeswan

Windows2003+ISA2004RC1 - Linux+Freeswan - 20.Apr.2004 9:01:00 PM   
mapis
I have this problem. Can you help me?
My ISA 2004 has a network that will be connected over an IPSec tunnel. On the other side is Linux with freeswan (I don't administer it). When I configure ISA, it creates a new network and a new Site-to-Site connection, and everything seems to be fine! I created a Route rule and a Firewall rule, but no packets go through my tunnel. When I start Network Monitor, I see only ESP packets to my ISA, but no packets from me to freeswan. I don't know where the problem is, because no problem is logged anywhere, and I totally don't know where I can start! :(
Any help?
Post #: 1
RE: Windows2003+ISA2004RC1 - Linux+Freeswan - 21.Apr.2004 6:06:00 AM   
ZD
Did you add an access rule that allows outbound from your network to the VPN network?

Also, if you open up the ISA real-time monitor log, do you see anything there that's denied?

(in reply to mapis)
Post #: 2
RE: Windows2003+ISA2004RC1 - Linux+Freeswan - 21.Apr.2004 9:12:00 AM   
mapis
My solution:

1) I created a Remote Site
- in the wizard I set IPSec Tunnel and specified the remote gateway, my external IP, the IP subnet of the remote network, and the preshared key
- the wizard also creates a site-to-site connector to Branch Office - status enabled

2) In Network Rules I set a route from Internal to Branch Office, and a route from Branch Office to Internal

3) In Firewall Policy I set Allow all protocols from Internal to Branch Office, and from Branch Office to Internal

When I try to ping from Internal to any Branch Office computer, I get no answer.
When I start Network Monitor, there are only ESP packets, and only from the Branch Office remote gateway to my ISA, but no ESP packets from ISA to the Branch Office remote gateway. Maybe something is blocking communication? But what?
Now I am trying to set advanced logging in the registry, for the Oakley log...
No error in Event Log.
No error in ISA errors.

Thanks for any help!

[ April 21, 2004, 09:14 AM: Message edited by: mapis ]

(in reply to mapis)
Post #: 3
RE: Windows2003+ISA2004RC1 - Linux+Freeswan - 21.Apr.2004 1:31:00 PM   
tshinder
Hi Mapis,

Did you mirror the IPSec policy on the branch office? Use the IPSec Monitor MMC snap-in and see what it says about your IPSec policy/connection.

HTH,
Tom

(in reply to mapis)
Post #: 4
RE: Windows2003+ISA2004RC1 - Linux+Freeswan - 27.Apr.2004 10:57:00 AM   
mapis
I was scanning with Network Monitor and now I know where the problem is. I think that it is a BUG [Frown]

Sometimes it creates the IPSec tunnel, but only for a moment; sometimes not [Frown]

When I scan the communication, it looks like this:
1) Phase I (main mode) - OK
2) Phase II (quick mode) - freeswan/openswan sends me ESP packets, but ISA is still sending ISAKMP Phase II packets.

I don't know where the problem is, because everything is encrypted. I started (via the registry) logging to the Oakley log, but no answer.

Yesterday, MS gave me a new build of ISA; I must try it. The Isaautorun.exe version is 4.0.2141.50, and the name is ISA 2004 Standard Edition RC1 Refresh.

Any help?

(in reply to mapis)
Post #: 5
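
The symptom described in posts 3 and 5 (ESP arriving from the peer while the local gateway keeps sending ISAKMP Phase II packets) can be confirmed from a capture even though the payloads are encrypted, because the fixed ISAKMP header is sent in cleartext. The following is an added example, not part of the original thread or of any ISA Server tooling; the addresses, message ID, and the `diagnose` and `make_header` helpers are constructed for illustration.

```python
import struct
from collections import Counter

# ISAKMP exchange types: RFC 2408 sec. 3.1, plus IKE Quick Mode (32) from RFC 2409.
EXCHANGE = {2: "main-mode", 4: "aggressive", 5: "informational", 32: "quick-mode"}
# Fields: initiator cookie, responder cookie, next payload, version, type, flags, msg id, length
HEADER = struct.Struct("!8s8sBBBBII")

def parse_isakmp_header(payload):
    """Decode the fixed 28-byte ISAKMP header; it is cleartext even when the body is encrypted."""
    if len(payload) < HEADER.size:
        raise ValueError("shorter than an ISAKMP header")
    _ic, _rc, _np, _ver, xchg, flags, msg_id, _len = HEADER.unpack_from(payload)
    return {"exchange": EXCHANGE.get(xchg, "type-%d" % xchg),
            "encrypted": bool(flags & 0x01), "msg_id": msg_id}

def diagnose(packets, local):
    """packets: (src, dst, kind, payload); kind is 'isakmp' (UDP 500) or 'esp' (IP protocol 50)."""
    esp, qm_sent = Counter(), Counter()
    for src, _dst, kind, payload in packets:
        direction = "out" if src == local else "in"
        if kind == "esp":
            esp[direction] += 1
        elif kind == "isakmp":
            hdr = parse_isakmp_header(payload)
            if hdr["exchange"] == "quick-mode" and direction == "out":
                qm_sent[hdr["msg_id"]] += 1
    # A Quick Mode initiator sends at most two messages per message ID (1st and 3rd);
    # more than that suggests retransmission because the exchange never completed locally.
    retransmitted = {m: n for m, n in qm_sent.items() if n > 2}
    stuck = esp["in"] > 0 and esp["out"] == 0 and bool(retransmitted)
    return {"esp_in": esp["in"], "esp_out": esp["out"],
            "qm_retransmitted": retransmitted, "local_stuck_in_quick_mode": stuck}

def make_header(xchg, msg_id, flags=0x01):
    """Build a constructed header for the sample below (cookies are dummy bytes)."""
    return HEADER.pack(b"I" * 8, b"R" * 8, 8, 0x10, xchg, flags, msg_id, HEADER.size)

# Constructed capture using documentation addresses, not values from the thread.
LOCAL, PEER = "192.0.2.1", "198.51.100.1"
SAMPLE = (
    [(LOCAL, PEER, "isakmp", make_header(2, 0, 0)), (PEER, LOCAL, "isakmp", make_header(2, 0, 0))]
    + [(LOCAL, PEER, "isakmp", make_header(32, 0xA1B2C3D4))] * 4
    + [(PEER, LOCAL, "isakmp", make_header(32, 0xA1B2C3D4))]
    + [(PEER, LOCAL, "esp", b"")] * 3
)

if __name__ == "__main__":
    print(diagnose(SAMPLE, LOCAL))
```

A `local_stuck_in_quick_mode` result of true means the peer has installed its Phase II SA and the local side has not, which points the investigation at the local gateway's Quick Mode processing (proposal, subnet definitions, Oakley log) rather than at firewall rules.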
RE: Windows2003+ISA2004RC1 - Linux+Freeswan - 27.Apr.2004 9:18:00 PM   
ClintD
If you post the Oakley log, I'll figure out where the problem is. I've used FreeS/WAN in both Smoothwall 2 and Astaro Security Linux 4 and they both work fine to ISA 2004.

(in reply to mapis)
Post #: 6
