• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

L2TP / IPSEC site-site debugging

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 Firewall] >> VPN >> L2TP / IPSEC site-site debugging Page: [1]
Login
Message << Older Topic   Newer Topic >>
L2TP / IPSEC site-site debugging - 2.Apr.2007 10:42:04 AM   
pdgnews

 

Posts: 1
Joined: 2.Apr.2007
Status: offline
Hi,

I'm trying to configure a site to site L2TP/IPSEC VPN between two ISA servers, each of which is on a private LAN behind an edge firewall (Cisco PIX). The edge firewall at each site has a static NAT configured which allows traffic on the following ports through to the ISA servers:

500, 4500 and 1701 (all UDP)

I've followed the tutorial here:

http://www.isaserver.org/tutorials/Creating-VPN-ISA-Server-2006-Firewalls-Main-Branch-Office-Part1html.html

I'm using a pre-shared key.

What happens is that I see traffic on the above ports between the two ISA servers (Ethereal info shown below)

ISAKMP   Identity Protection (Main Mode)
ISAKMP   Quick Mode
ISAKMP   Informational

I see lots of this going back and forth until eventually I see:

UDPENC (which contains a NAT keepalive packet)

i.e.

2235 46.889558   80.xxx.yyy.zzz        172.16.2.56           ISAKMP   Informational
  2236 46.891994   80.xxx.yyy.zzz        172.16.2.56           ISAKMP   Informational
  2237 46.895450   80.xxx.yyy.zzz        172.16.2.56           ISAKMP   Informational
  2244 51.380088   80.xxx.yyy.zzz        172.16.2.56           UDPENC
  2245 51.485696   172.16.2.56           80.xxx.yyy.zzz        UDPENC

Where 80.xxx.yyy.zzz is the remote ISA server and 172.16.2.56 is the local ISA server.

In the security event log, I see:

IKE security association established.
Mode:
Data Protection Mode (Quick Mode)

Peer Identity:
Preshared key ID.
Peer IP Address: 80.xxx.yyy.zzz

Filter:
Source IP Address 172.16.2.56
Source IP Address Mask 255.255.255.255
Destination IP Address 80.xxx.yyy.zzz
Destination IP Address Mask 255.255.255.255
Protocol 17
Source Port 1701
Destination Port 1701
IKE Local Addr 172.16.2.56
IKE Peer Addr 80.xxx.yyy.zzz
IKE Source Port 4500
IKE Destination Port 4500
Peer Private Addr 10.0.0.225

Parameters:
ESP Algorithm Triple DES CBC
HMAC Algorithm MD5
AH Algorithm None
Encapsulation Transport Mode with UDP encapsulation

InboundSpi 1023349694 (0x3cff13be)
OutBoundSpi 745487645 (0x2c6f3d1d)
Lifetime (sec) 3600
Lifetime (kb) 250000
QM delta time (sec) 0
Total delta time (sec) 0

But in the system event log, I get an EventID 20111:

Event ID 20111:
A Demand Dial connection to the remote interface pdhome on port VPN3-101 was successfully initiated but failed to complete successfully because of the  following error: The remote computer did not respond. For further assistance, click More Info or search Help and Support Center for this error number.

So the question is, how should I go about debugging an L2TP/IPSEC VPN further? (currently, I'm using ethereal to monitor packets), but why didn't the remote computer respond? Do I need extra access rules (currently I've allowed all outgoing on each side).  Are there any tools which will give me further info into what's happening (e.g. a detailed log)? What should I see with successful connection in the ISA logs?

Any suggestions / tips would be much appreciated.

Regards,
              Paul
Post #: 1
RE: L2TP / IPSEC site-site debugging - 5.Apr.2007 8:44:09 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Paul,

This brings up an interesting question that I've wondered about for some time. I've never had a chance to check this configuration, because I always put my ISA Firewalls on the edge, and put the old hardware boxes on eBay

However, I wonder if NAT-T is broken in this scenario. As you might know, the WinXP SP2 and Vista teams broke NAT-T on their clients so that you need to go into the Registry to get NAT-T working when both sides are behind a NAT device.

What I wonder is if in the site to site VPN model, did the Windows Server team create the same SNAFU and break NAT-T when both sides are behind a NAT.

I can neither confirm nor deny, since I've never tested this scenario and never had to put it in production.

You might try putting the ISA Firewall on the edge -- they were designed for that configuration.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to pdgnews)
Post #: 2

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 Firewall] >> VPN >> L2TP / IPSEC site-site debugging Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts