Joining Networks over the Internet with a Gateway to Gateway VPN:ISA to RRAS
Joining Networks over the Internet with a Gateway to Ga... - 20.Mar.2003 3:59:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the article Joining Networks over the Internet with a Gateway to Gateway VPN:
ISA Server to Windows 2000 RRAS - Part 1
at http://www.isaserver.org/pages/article.asp?id=1067

Thanks!
Tom

[ March 20, 2003, 06:50 PM: Message edited by: tshinder ]
Post #: 1
RE: Joining Networks over the Internet with a Gateway t... - 21.Mar.2003 3:55:00 PM   
jjm108

 

Posts: 2
Joined: 19.Mar.2003
From: Chicago,IL
Status: offline
I used your article to setup a gateway to a remote network. When I am connected to the remote network I can ping to internal addresses on the remote network from the local ISA server but not from any clients. Do you know what could be wrong.

Thanks for the article, it was very informative.

(in reply to tshinder)
Post #: 2
RE: Joining Networks over the Internet with a Gateway t... - 21.Mar.2003 6:11:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi JJ,

The second part of the article will be out on Monday. But make sure you have configured the clients as SecureNAT clients and that you have put all the internal networks into the LAT. Remember the remote network is an internal network.

HTH,
Tom

(in reply to tshinder)
Post #: 3
RE: Joining Networks over the Internet with a Gateway t... - 24.Mar.2003 9:10:00 PM   
Groenbech

 

Posts: 29
Joined: 1.Feb.2002
Status: offline
I have tried with both Secure NAT clients and Firewall clients. None of them seem to work.
I've read 2nd part of the setup.
The strange thing is that I followed the 1st part in a test environment and it worked just fine... I just can't figure out why it doesn't in 'real life'.

(in reply to tshinder)
Post #: 4
RE: Joining Networks over the Internet with a Gateway t... - 25.Mar.2003 3:50:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Groenbech,

Could be a simple configuration error or your ISP might not allow VPN connections.

HTH,
Tom

(in reply to tshinder)
Post #: 5
RE: Joining Networks over the Internet with a Gateway t... - 25.Mar.2003 4:47:00 PM   
AlexS

 

Posts: 155
Joined: 4.Feb.2002
Status: offline
Just finished reading the second part. Good articles!

But some things in this article are not explained very clear.

1. User name "bogus" for the interface on the REMOTEVPN server. I can't believe it is working. I was under the impression that this user name is always used to authenticate against calling router (both VPN routers authenticate against each other!).

2. Second, I don't understand why we need two interfaces (one for each site). I am doing the other way: I create DoD interface on remote server only, set "persistent" option and configure static route to central office network in RRAS. On the local server the procedure is different: I create a user with the same name used when configuring the calling interface, and configure static route to remote office network in _user properties_ (Dial-in properties).

3. It is not necessary to create a static address pool on RRAS servers. If you have DHCP, you can easily use it; however, I always configure VPN interfaces with static addresses - it is a little better since you can easily predict which interface in the central office network "represents" the remote network.

4. Your articles do not cover some important questions: encryption, using L2TP in LAN-to-LAN VPN, intranet name resolution. Note I already succeeded in these things, except L2TP: making certificate-based authentication and an encrypted IPSec tunnel between LANs is a rather complex scenario, and I decided to stay with PPTP as it is much simpler but still secure enough.

I have 15 VPN LAN-to-LAN connections coming from remote offices; they are all configured as I explained and work without problems.

Alex

(in reply to tshinder)
Post #: 6
RE: Joining Networks over the Internet with a Gateway t... - 25.Mar.2003 5:49:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Alex,

Answers:

1. The reason you can use the username bogus is that the REMOTE site NEVER dials up! Since the remote site never dials up, it doesn't need credentials, so you can use the bogus user name. It does work! It always works.

2. Never tried it that way! Sounds like it might work. The key is to configure a single side to dial up. HOWEVER, without the demand dial interfaces on each side, how does the passive router know which interface to use to route back?

3. I prefer configuring a static address pool, but as the article states, you can use DHCP if you like. I don't like [Smile] However, check the front page of the site to see how I describe how to use DHCP servers with your VPN servers. The VPN Server interfaces should have static addresses, but it's not required on the external interface, since you can use a FQDN.

4. You're welcome to write an article on your way of doing it [Smile] I've done other articles on configuring VPN gateways using L2TP/IPSec. Check them out over at www.isaserver.org/shinder It's actually a two part article.

HTH,
Tom

(in reply to tshinder)
Post #: 7
RE: Joining Networks over the Internet with a Gateway t... - 25.Mar.2003 5:52:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Alex,

"2. Second, I don't understand why we need two interfaces (one for each site). I am doing the other way: I create DoD interface on remote server only, set "persistent" option and configure static route to central office network in RRAS. On the local server the procedure is different: I create a user with the same name used when configuring the calling interface, and configure static route to remote office network in _user properties_ (Dial-in properties)."

When you configure a static route on the passive VPN gateway, which interface does it use? That's why you need to configure the demand-dial interface on the passive VPN gateway so that it can be used for the static route.

Thanks!
Tom

(in reply to tshinder)
Post #: 8
RE: Joining Networks over the Internet with a Gateway t... - 25.Mar.2003 6:29:00 PM   
AlexS

 

Posts: 155
Joined: 4.Feb.2002
Status: offline
Hi Tom, answers:

You configure static route in the user properties. Open user properties (AD Users if it's a domain user or Computer Management if it's local user of the VPN server), go to Dial-in tab and check out Static Routes button... Here you can configure those routes back to remote network.

Which interface it uses? - It uses RRAS "logical" interface used for incoming connections, and gateway to remote network is set to DoD interface address assigned to remote interface.

I told you, 15 remote offices are connected this way, and LAN-to-LAN routing works without problems.

One more thing, about "bogus" user. Your screenshot of the REMOTEVPN server shows LOCALVPN interface status as "connected".

http://www.tacteam.net/isaserverorg/g2gisa2rrasp2/Image1266.gif

I was under the impression that it must authenticate against remote server in order to connect. I don't understand how it works in your case (bogus user); I believe you that it DOES work, but... Please tell me one thing: if you check security log on the LOCALVPN server (assuming that security audit options are turned ON, right? security is our job, that's why we are gazing on this beautiful site), does it contain "authentication failure" events about that bogus user?

Alex

PS: if your AD domain is in "compatibility" mode, Static Routes button in user properties is disabled. It's enabled only in native Win2000 AD domains, as well as in local users database on member/standalone servers.

(in reply to tshinder)
Post #: 9
RE: Joining Networks over the Internet with a Gateway t... - 25.Mar.2003 7:40:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Alex,

But what interface do you indicate when you create the route? On the passive (call recipient) VPN gateway, you configure the demand dial interface and then configure the static route to the remote network using the demand dial interface. If you don't configure the demand dial interface, what interface do you configure the route to use? It's very explicit in my method, but not clear what interface you use when you do not create the demand dial interface to route through.

*However*, perhaps you don't need to explicitly inform the passive gateway what interface to use? Perhaps it bases this decision on the IP address assigned to the demand dial interface on the passive machine. However, that wouldn't be a good way to go if the remote network isn't summarized well, or a stub network were in use, or any number of other reasons.

This figure:
http://www.tacteam.net/isaserverorg/g2gisa2rrasp2/Image1266.gif

Shows the RRAS console at the passive (call recipient) gateway. Remember that the passive gateway NEVER DIALS! So, it doesn't need credentials and NEVER PRESENTS CREDENTIALS. If you look in the security log, you'll see no reference to the Bogus account because the PASSIVE GATEWAY NEVER DIALS and therefore NEVER PRESENTS LOG ON CREDENTIALS. Make sense?

The static routes in the user account don't have an interface entry, but that's not really an important issue at this point, since that entry doesn't determine the interface used.

Thanks!
Tom

(in reply to tshinder)
Post #: 10
RE: Joining Networks over the Internet with a Gateway t... - 25.Mar.2003 8:30:00 PM   
AlexS

 

Posts: 155
Joined: 4.Feb.2002
Status: offline
Hi Tom,

you were absolutely right in your assumption: you do not need to indicate the interface when a static route is configured in user properties. It's a job of W2K to determine it. And it actually uses the "Internal" RRAS interface.

You may ask me, where I got my scenario? Simple, in RRAS help file... Check out branch office connection scenario: Dial-on-Demand interface is created only in the branch office, while static routes are assigned as follows:

1. Route to central office network: in the RRAS console on the branch office VPN gateway, and
2. Route back to branch office network: in the user properties on the central office VPN gateway (or domain, if branch office uses domain account to dial central office).

You are saying that DoD interface on the remote site never DIALS. OK, but please tell me:

1. what makes the interface change its state to "connected", without connecting it?

2. How your scenario differs from symmetric LAN-to-LAN VPN connection (like the one you can configure with ISA wizard)? I can see only two things:
a. Static Route has check box "use this route to initiate..." disabled on the remote VPN gateway.
b. you configure that bogus user.
Did I miss any other important differences? If not, then you are saying that (a) makes (b) possible...

The other thing to consider: what happens if you right click your DoD interface on the remote server and say "Connect"? It should try to authenticate against central office with "bogus" credentials, right? And what will happen then? (it will fail!)

OK, you may say "never try to connect from remote server, wait for LOCALVPN server to dial and it will connect". Hmm, this is something non-logical.

Alex [Cool]

(in reply to tshinder)
Post #: 11
RE: Joining Networks over the Internet with a Gateway t... - 25.Mar.2003 9:49:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Alex,

Good questions!

1. That's a good question. I believe that once the LOCALVPN successfully authenticates with the REMOTEVPN, both the LOCALVPN and REMOTEVPN gateway interfaces are activated. I can assure you that the REMOTEVPN does *not* ever dial and that it does *not* present credentials to the LOCALVPN (the LOCALVPN is the only gateway to dial up).

2. The difference is that only one side dials up and in this scenario, only one side has ISA Server installed. That is exactly what I was trying to explain in this article. If ISA Server were installed on both sides, then we could use the Local and Remote VPN Wizards. This prevents a race condition which causes so many of the problems we see on this board where the link fails and never comes back up.

2a. That is correct. We remove the checkmark from that checkbox because THE REMOTE GATEWAY NEVER DIALS, just only answers calls from the LOCALVPN gateway.

2b. You don't have to use a bogus user, you can use a real one, but it doesn't matter. SINCE THE REMOTE GATEWAY NEVER DIALS AND NEVER PRESENTS CREDENTIALS.

Check out:

http://www.microsoft.com/isaserver/techinfo/deployment/2000/avanadevpn.asp

and see if that makes more sense [Big Grin]

HTH,
Tom

(in reply to tshinder)
Post #: 12
RE: Joining Networks over the Internet with a Gateway t... - 26.Mar.2003 10:26:00 AM   
AlexS

 

Posts: 155
Joined: 4.Feb.2002
Status: offline
Hi Tom,

first of all: thank you very much; your articles and this discussion helped me to throw away my false impression that the answering side authenticates against the calling side. This false impression came deep into my mind a long time ago, when Windows was NT4, and the latest SP was 3, and I was busy with VPNning interstate offices. Microsoft was saying in their RRAS whitepaper that routers authenticate against each other; I thought they were doing it simultaneously, but now I realised it was a mistake. When one side "dials", it authenticates against the second one, and that's all - both interfaces are connected; and vice versa: if the second side initiates the connection, it authenticates against the first one, again making both interfaces connected.

OK, thanks again.

But let's go back to your scenario, part 2. When creating DoD interface on the REMOTEVPN server, you are saying:

>>I HIGHLY RECOMMEND that you use the same name for the interface as the name of the computer you're connecting to. In this case, the Local VPN gateway is named LOCALVPN. So we'll use that name in this example.

That's not true.

In reality, you should name it with the _username_ (not computer name) used in the credentials for the REMOTEVPN interface on the LOCALVPN server! Remember, I asked you "what makes the LOCALVPN interface change its state to Connected"? This is the black magic of W2K RRAS: it connects the "answering" interface if its name is the same as the credentials sent by the calling side.

Your example worked because usernames and computernames were the same!

Let me repeat that process step-by-step, to avoid misunderstanding:

1. Calling router on LOCALVPN server initiates connection, and sends credentials to REMOTEVPN server as follows:
username: LOCALVPN
domain: REMOTEVPN domain or machine name
password: password of that LOCALVPN user

2. Answering RRAS on REMOTEVPN server authenticates the user and searches the interface list. If it finds that an interface name (LOCALVPN) is equal to the user name (received in credentials), it understands that it is a DoD connection, and connects that corresponding interface - LOCALVPN. This is the black magic of RRAS.

3. If the user name in the credentials does not correspond to any interface name, then RRAS considers the connection a normal RAS connection, and does not do anything to local interfaces.

Well, I hope I explained it clear...

_____________________________________

Now let's go back to "my" scenario. I am going to show you how to adapt your scenario (part 2) to it. Here you go:

Step 1: go to REMOTEVPN server console, open RRAS and delete static route to localvpn network.

Step 2: delete LOCALVPN interface as well.

Step 3: Start Computer Management, go to the user list, open properties for the LOCALVPN user. Go to the Dial-in tab, check the "Apply Static Routes" option and press the Static Routes button. Add the static route you deleted in step 1.

That's it. No changes are necessary on LOCALVPN server, all these steps should be done on REMOTEVPN server only.

After that, your VPN will work the same as before. But things seem to be more logical: for example, there are no useless "Connect" interface menu that should not be touched on the REMOTEVPN. And no strange bogus users - they are eliminated in my scenario!

I hope you'll find it interesting.

Alex [Cool]

(in reply to tshinder)
Post #: 13
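The matching rule AlexS lays out in steps 1-3 above, together with the two places a return route can live (the article's demand-dial interface on REMOTEVPN versus the user's Dial-in static routes), as a small Python model. This is an added example, not code from the article or from Microsoft; the user names, the password and the 10.0.1.0/24 network are constructed, and the model only reproduces the behaviour the thread describes.

```python
"""Model of the Windows 2000 RRAS answering-router behaviour described in the
thread (added example, not the article's or Microsoft's code; all names,
passwords and networks are constructed)."""
from dataclasses import dataclass, field

@dataclass
class DialInUser:
    name: str
    password: str
    static_routes: list = field(default_factory=list)  # Dial-in tab routes

@dataclass
class DemandDialInterface:
    name: str
    static_routes: list = field(default_factory=list)  # RRAS console routes
    connected: bool = False

@dataclass
class AnsweringRouter:
    """The passive gateway (REMOTEVPN in the article)."""
    users: dict
    interfaces: dict
    routing_table: list = field(default_factory=list)

    def accept_call(self, username, password):
        """Return 'rejected', 'dod' or 'ras' for an incoming call. After
        authentication, a demand-dial interface named like the caller's user
        name makes it a router-to-router call (interface connected, its routes
        installed); otherwise it is a plain RAS client and only the user's
        dial-in routes apply."""
        user = self.users.get(username)
        if user is None or user.password != password:
            return "rejected"
        iface = self.interfaces.get(username)
        if iface is not None:
            iface.connected = True
            self.routing_table.extend(iface.static_routes)
            return "dod"
        self.routing_table.extend(user.static_routes)
        return "ras"

LOCAL_NET = "10.0.1.0/24"  # constructed: network behind LOCALVPN

def article_scenario(caller_user="LOCALVPN"):
    """Part 2 of the article: interface on REMOTEVPN named after the caller.
    Pass a different user name to see why the name, not the host, matters."""
    router = AnsweringRouter(
        users={caller_user: DialInUser(caller_user, "s3cret")},
        interfaces={"LOCALVPN": DemandDialInterface("LOCALVPN", [LOCAL_NET])},
    )
    result = router.accept_call(caller_user, "s3cret")
    return result, router.interfaces["LOCALVPN"].connected, router.routing_table

def alex_scenario():
    """AlexS's variant: no interface on REMOTEVPN; the route lives in the
    user's dial-in properties, so no 'bogus' account is needed."""
    router = AnsweringRouter(
        users={"LOCALVPN": DialInUser("LOCALVPN", "s3cret", [LOCAL_NET])},
        interfaces={},
    )
    return router.accept_call("LOCALVPN", "s3cret"), router.routing_table
```

With a caller whose user name does not match any interface, article_scenario leaves the LOCALVPN interface down and installs no route, which is the failure AlexS predicts for a renamed user.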
RE: Joining Networks over the Internet with a Gateway t... - 26.Mar.2003 10:47:00 AM   
AlexS

 

Posts: 155
Joined: 4.Feb.2002
Status: offline
Hi Tom,

thanks for the MS link (that Avanade_final.doc).

Note it says the same thing I wrote you before: interface names should correspond to user names, not computer names...

Document covers many other things, like OSPF; unfortunately, I do not have much real experience with it yet - all scenarios that I have implemented were "hub and spoke", and routing schemes were simple: default routes in remote offices, and automatically constructed complex routing table in central offices (hubs).

However, life will bring us more complex tasks, and someday I'll do that OSPF things.

Alex

(in reply to tshinder)
Post #: 14
RE: Joining Networks over the Internet with a Gateway t... - 26.Mar.2003 4:32:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Alex,

Yes, and the interface names are based on the computer names. That's what I said in the article! [Big Grin]

You can use RIP too. It generates more traffic, but it's a lot easier than using OSPF in most circumstances. I'll be doing an article based on my experiences with RIP and OSPF with VPN Mesh networks in the future.

Thanks!
Tom

[ March 26, 2003, 04:33 PM: Message edited by: tshinder ]

(in reply to tshinder)
Post #: 15
RE: Joining Networks over the Internet with a Gateway t... - 26.Mar.2003 6:00:00 PM   
palindroem

 

Posts: 40
Joined: 14.Aug.2002
From: N. Fla
Status: offline
Hey'a Tom, I tried the part 1 of your article. I rebooted my isa server, now I can't get the Firewall service to restart. I keep getting an error 14017 about my internal ip isn't in the LAT. But it is, as a range, 10.104.0.0 - 10.108.255.255. My internal interface is 10.108.0.54.
I've turned RRAS off, to no avail. Any suggestions?

It's really too bad, this is exactly what I'm needing to do (other than the suggestion that NetBIOS won't initiate the connection, remote BDC to local PDC)

thanks
(sorry bout the original posting, I got lost)

(in reply to tshinder)
Post #: 16
RE: Joining Networks over the Internet with a Gateway t... - 26.Mar.2003 6:02:00 PM   
palindroem

 

Posts: 40
Joined: 14.Aug.2002
From: N. Fla
Status: offline
Oh, I am also getting an IP spoofing error about the remote server. It isn't set up as a VPN gateway yet.

(in reply to tshinder)
Post #: 17
RE: Joining Networks over the Internet with a Gateway t... - 26.Mar.2003 7:07:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by palindroem:
Hey'a Tom, I tried the part 1 of your article. I rebooted my isa server, now I can't get the Firewall service to restart. I keep getting an error 14017 about my internal ip isn't in the LAT. But it is, as a range, 10.104.0.0 - 10.108.255.255. My internal interface is 10.108.0.54.
I've turned RRAS off, to no avail. Any suggestions?

It's really too bad, this is exactly what I'm needing to do (other than the suggestion that NetBIOS won't initiate the connection, remote BDC to local PDC)

thanks
(sorry bout the original posting, I got lost)

Hi Droem,

Check out www.isatools.org I believe Jim has a fix for the intra-array address problem there.

HTH,
Tom

(in reply to tshinder)
Post #: 18
RE: Joining Networks over the Internet with a Gateway t... - 26.Mar.2003 7:09:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by palindroem:
Oh, I am also getting an IP spoofing error about the remote server. It isn't set up as a VPN gateway yet.

Hi Droem,

Might be time for you to draw up a network diagram and make sure everything is in place to support your VPN gateways. I'd be willing to look at it when you get it done.

Thanks!
Tom

(in reply to tshinder)
Post #: 19
RE: Joining Networks over the Internet with a Gateway t... - 26.Mar.2003 7:12:00 PM   
AlexS

 

Posts: 155
Joined: 4.Feb.2002
Status: offline
quote:
Originally posted by tshinder:
Hi Alex,

Yes, and the interface names are based on the computer names. That's what I said in the article! [Big Grin]


Hi Tom,

Looks like you misunderstood me; I'll say it again: interface names _should be_ based on user names. This is what I told you, and what the MS article (Avanade vpn) is saying.

Your scenario worked because your usernames are the same as computernames. However, if you change user name, your scenario will likely fail.

Alex

(in reply to tshinder)
Post #: 20
