
Welcome to ISAserver.org


RE: Client VPN using IPSec not working

RE: Client VPN using IPSec not working - 12.Jan.2007 8:29:48 AM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Sunny,

according to the posted log excerpt at least some IKE traffic is reaching the ISA server.

Again test first from a client directly connected to the ISA external subnet and use a preshared key. Also, take a Wireshark/Ethereal/Netmon trace on the ISA external interface or on the client and post the download link here. I wonder how far the IKE negotiation goes.

HTH,
Stefaan


(in reply to Guest)
Post #: 21
RE: Client VPN using IPSec not working - 14.Jan.2007 8:44:49 PM   
Sunny.C

 

Posts: 801
Joined: 5.Apr.2005
From: sydney
Status: offline
Ok guys,

I have directly connected a laptop to the ISA external NIC via crossover cable and still I get no success.
PPTP works fine but when I change it over to use L2TP it fails.

(in reply to spouseele)
Post #: 22
RE: Client VPN using IPSec not working - 15.Jan.2007 3:03:56 AM   
Guest
All right,
What are the logs saying?
What about trying with a second laptop?

(in reply to Sunny.C)
  Post #: 23
RE: Client VPN using IPSec not working - 15.Jan.2007 4:44:55 AM   
Sunny.C

 

Posts: 801
Joined: 5.Apr.2005
From: sydney
Status: offline
OK, I take it that I would need to install Wireshark on the ISA server to see the logs, correct?

Yes, I have tried a second notebook.

(in reply to Guest)
Post #: 24
RE: Client VPN using IPSec not working - 15.Jan.2007 5:01:24 AM   
Guest
For the beginning it would be nice if we could see a screenshot of the ISA logs, when packets are reaching its external interface, and what is actually happening there.
A more detailed look with Wireshark would be good, but maybe we can get it from those logs alone.
Yes, you have to install Wireshark on ISA and monitor its external interface.

(in reply to Sunny.C)
  Post #: 25
RE: Client VPN using IPSec not working - 15.Jan.2007 1:54:34 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Sunny,

any trace yet?

Thanks,
Stefaan

(in reply to Guest)
Post #: 26
RE: Client VPN using IPSec not working - 15.Jan.2007 6:14:42 PM   
Sunny.C

 

Posts: 801
Joined: 5.Apr.2005
From: sydney
Status: offline
Sorry for delay.
http://www.users.on.net/~soner/external nic.pcap
http://www.users.on.net/~soner/external nic.txt

This is logged when the client (192.168.10.22) is connected directly to the external NIC (192.168.10.20).

Thanks for helping out guys, this is driving me mad.

< Message edited by Sunny.C -- 15.Jan.2007 6:19:02 PM >

(in reply to spouseele)
Post #: 27
RE: Client VPN using IPSec not working - 16.Jan.2007 3:17:54 AM   
Guest
Hi Sunny,
the links are not working for me.
quote:

Not Found The requested URL /~soner/external was not found on this server.

Apache Server at www.users.on.net Port 80

maybe like this:
http://www.users.on.net/~soner/external nic.pcap
http://www.users.on.net/~soner/external%20nic.txt

< Message edited by adrian_dimcev -- 16.Jan.2007 4:19:36 AM >

(in reply to Sunny.C)
  Post #: 28
RE: Client VPN using IPSec not working - 16.Jan.2007 5:02:06 AM   
Guest
Interesting.
What rules do you have in place?
It should not do UDP encapsulation of the IPSec packets but it does.
It has no NAT device to traverse but it seems it is trying to do so.
The hash values contained in the NAT-D payloads are not matching, so it assumes that there is a NAT device along the way.
quote:


From 192.168.10.22 -> 192.168.10.20
Hash of address and port:DE20CF222A5058661845E0091889C40FD93EDD35
Hash of address and port:471B75285A816145C6DDE3F2BA265209F94C7085
From 192.168.10.20 -> 192.168.10.22
Hash of address and port:471B75285A816145C6DDE3F2BA265209F94C7085
Hash of address and port:8D3F1EC237A4D588FD2338127C7DF553FD63917B

And then it switches to NAT-T.
Put the screenshot from the ISA logs here too.

< Message edited by adrian_dimcev -- 16.Jan.2007 5:39:05 AM >

(in reply to Guest)
  Post #: 29
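
Added example, not part of the original thread: a Python sketch of the NAT-D comparison discussed in the post above, following RFC 3947 (HASH(CKY-I | CKY-R | IP | Port)) with SHA-1, which matches the 20-byte values quoted. The cookies and the 203.0.113.5 address are constructed sample values, so the output does not reproduce the hashes from the trace.

```python
import hashlib
import ipaddress
import struct

def natd_hash(cky_i, cky_r, ip, port):
    """RFC 3947 NAT-D value: HASH(CKY-I | CKY-R | IP | Port), SHA-1 here."""
    addr = ipaddress.ip_address(ip).packed           # 4 octets for IPv4
    return hashlib.sha1(cky_i + cky_r + addr + struct.pack("!H", port)).digest()

def detect_nat(cky_i, cky_r, natd_payloads, local, observed_src):
    """Evaluate a peer's NAT-D payloads on the receiving side.

    natd_payloads[0] is the peer's hash of the destination (us);
    the remaining entries are the peer's hash(es) of its own source.
    local / observed_src are (ip, port) tuples as this host sees them.
    """
    dest_hash, src_hashes = natd_payloads[0], natd_payloads[1:]
    local_nat = natd_hash(cky_i, cky_r, *local) != dest_hash
    remote_nat = natd_hash(cky_i, cky_r, *observed_src) not in src_hashes
    return {"local_behind_nat": local_nat,
            "remote_behind_nat": remote_nat,
            "use_nat_t": local_nat or remote_nat}

# Constructed sample values (the IKE cookies are not available from the thread).
CKY_I = bytes.fromhex("1122334455667788")
CKY_R = bytes.fromhex("99aabbccddeeff00")
CLIENT = ("192.168.10.22", 500)
SERVER = ("192.168.10.20", 500)
OTHER = ("203.0.113.5", 500)   # constructed address standing in for "not .20"

def client_payloads():
    """NAT-D payloads the client sends: destination first, then its source."""
    return [natd_hash(CKY_I, CKY_R, *SERVER), natd_hash(CKY_I, CKY_R, *CLIENT)]

def direct_case():
    # The endpoint terminating IKE really is 192.168.10.20: hashes match.
    return detect_nat(CKY_I, CKY_R, client_payloads(), SERVER, CLIENT)

def translated_case():
    # The endpoint terminating IKE sees a different local address: mismatch.
    return detect_nat(CKY_I, CKY_R, client_payloads(), OTHER, CLIENT)

if __name__ == "__main__":
    print("direct:    ", direct_case())
    print("translated:", translated_case())
```

A mismatch on the first NAT-D payload means the receiving endpoint's own address is not the one the sender targeted, which is enough for both sides to switch to UDP encapsulation.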
RE: Client VPN using IPSec not working - 16.Jan.2007 5:39:19 AM   
Sunny.C

 

Posts: 801
Joined: 5.Apr.2005
From: sydney
Status: offline
OK, so what would be the fix for this, or what can I try next?
What do you think, spouseele?

(in reply to Guest)
Post #: 30
RE: Client VPN using IPSec not working - 16.Jan.2007 6:33:50 AM   
Guest
I want to see your logs from ISA in order to check what policy rule is used by ISA.
As I said it should not use UDP encapsulation.
If it is doing so I suspect ISA is trying to pass the traffic based on your rules.

(in reply to Sunny.C)
  Post #: 31
RE: Client VPN using IPSec not working - 16.Jan.2007 6:45:17 AM   
Sunny.C

 

Posts: 801
Joined: 5.Apr.2005
From: sydney
Status: offline
You mean actually ISA logs right?
I already posted the logs on page 1.

Thanks.

< Message edited by Sunny.C -- 16.Jan.2007 6:46:56 AM >

(in reply to Guest)
Post #: 32
RE: Client VPN using IPSec not working - 16.Jan.2007 7:16:52 AM   
Guest
Mate, you are killing me.
What logs?
Those ones?
http://forums.isaserver.org/m_2002035746/mpage_1/tm.htm#2002036073
Those ones are with a remote client and with the wrong rules in place!
Do you still have those rules?
Delete them all!!!
You don't have to have any rules in place except ISA's System Policy rule #13 enabled,
and a rule to allow access from VPN clients to the internal network.
It is important to see the logs from ISA from the session with that client 192.168.10.22 in order to see that the rules used by ISA are from that System Policy rule #13, and only the IKE client (not Server or IKE NAT-T client...) should be used as protocol. You don't need NAT-T as it happens when you are connecting.
The idea is to have a complete picture of your setup before jumping to conclusions.
As someone has said around here before, you've got to help us help you.

< Message edited by adrian_dimcev -- 16.Jan.2007 7:26:33 AM >

(in reply to Sunny.C)
  Post #: 33
RE: Client VPN using IPSec not working - 16.Jan.2007 7:21:11 AM   
Sunny.C

 

Posts: 801
Joined: 5.Apr.2005
From: sydney
Status: offline
Ok will repost logs tomorrow.

(in reply to Guest)
Post #: 34
RE: Client VPN using IPSec not working - 16.Jan.2007 7:26:16 AM   
Guest
You see: from those logs the destination IP address should be 192.168.10.20, not your ISA's internal IP address (10...). But this is happening because of your rules:
ISA is trying to pass the traffic to the internal IP address like in a VPN passthrough connection.
The connection should end at ISA's external IP address.
You've actually published an internal VPN server with the IP address of 10....

< Message edited by adrian_dimcev -- 16.Jan.2007 8:16:37 AM >

(in reply to Sunny.C)
  Post #: 35
RE: Client VPN using IPSec not working - 16.Jan.2007 3:24:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Sunny,

it looks like you have published a VPN server instead of using ISA as a VPN server. In other words, I have to agree with Adrian!

BTW --- if the VPN server sits behind a NAT device, check out http://support.microsoft.com/kb/885407/.

HTH,
Stefaan

(in reply to Guest)
Post #: 36
RE: Client VPN using IPSec not working - 16.Jan.2007 5:07:48 PM   
Sunny.C

 

Posts: 801
Joined: 5.Apr.2005
From: sydney
Status: offline
Ah ha!
I thought to use IPSec it needs to be published?
As soon as I deleted all VPN rules besides open all for VPN clients, BINGO, it worked, so you guys were correct on my foolish publishing mistake.
After reading a few VPN docs it led me to think that I would need VPN publishing rules, but I guess this would apply if the ISA is not a part of a domain??
When do the rules need to be used? (not in my case)

(in reply to spouseele)
Post #: 37
RE: Client VPN using IPSec not working - 17.Jan.2007 3:01:12 AM   
Guest
Hi Sunny,
Nice!
No, you don't need a VPN publishing rule if ISA is not part of a domain. The only difference will be that you will use a RADIUS server for authenticating users instead of a Windows users group.
The need for publishing rules is when your VPN server is behind your firewall.
As Stefaan said, in your case ISA is the VPN server so you don't need to publish it.
For example, I'm writing this post connected through VPN L2TP/IPSec with certificates to a back-end ISA 2004 Firewall which is a domain member. In front of it I have an ISA 2006 which is not a domain member, and a pfsense firewall with two WANs with outgoing load balancing and failover, from which one WAN goes through another firewall, a m0n0wall.
Through this m0n0wall I am connected all the way to the back-end ISA 2004, which serves as my VPN server and implicitly as my VPN end-point.
All of these firewalls are performing NAT.
The publishing rules were used on ISA 2006 to publish ISA 2004 as a VPN server:
Publish VPN over L2TP/IPSec with NAT-T (two rules: IKE Server and IPSec NAT-T Server).
Publish VPN over PPTP (one rule: PPTP Server).
The only problem was that I cannot add GRE IP Protocol 47 to m0n0wall's NAT rules, so PPTP will go through pfsense.
This is where you are using the publishing rules: to do a VPN passthrough on ISA to a VPN server located behind it.
Good to hear it is working now for you!

(in reply to Sunny.C)
  Post #: 38
RE: Client VPN using IPSec not working - 17.Jan.2007 7:19:02 AM   
Sunny.C

 

Posts: 801
Joined: 5.Apr.2005
From: sydney
Status: offline
ahhh understood.
Thanks for all your help on my problem guys.

(in reply to Guest)
Post #: 39
RE: Client VPN using IPSec not working - 17.Jan.2007 2:21:12 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Sunny,

good to hear you have it working and thanks for the follow up!

Stefaan

(in reply to Sunny.C)
Post #: 40
