I'm using Windows 2003 SP1 with ISA Server SP3. Our head office is Swiss. Switzerland and Sri Lanka have a VPN site. They are using the FortiGate hardware firewall. We created a remote VPN site and we want to connect to one license server there.
The Swiss base is our main site; they sent us a manual on how to create a VPN site. I configured it according to that. We are connecting to one port; it's port 5353.
After configuring the VPN site I tried to ping or telnet to port 5353, but it's not connected. I entered the remote site address range as 192.168.112.0-192.168.112.255. Then after I changed the IP range to 192.168.112.10-192.168.112.10, I could connect to port 5353.
We're using an IPsec preshared key. And after I ran the Microsoft ISA Server Best Practices Analyzer tool it's showing an error message. The error message is attached herewith.
Hi Chanaka, let's keep it on the forums because other people might come in and add their suggestions too. What's the problem? Did you check that Word doc from Microsoft's site? It's a step-by-step guide.

Typically such connections use the following settings:
IKE Phase I (using Main mode): 3DES, SHA-1, MODP Group 2 (1024 bits) for DH, SA lifetime of 28,800 seconds, Preshared Secret Authentication.
IKE Phase II (Quick Mode): 3DES, SHA-1, PFS & MODP Group 2 (1024 bits) for DH, SA lifetime of 3600 seconds, ESP tunnel mode.

But you are saying that people on the other end of the tunnel gave you some settings. Make sure you follow them and that they are compatible with ISA. About the Remote Site address range, it also should be the network they give you (the network behind their gateway). If it is 192.168.112.0/24 then put it there (also you could add the IP address of the external interface of that gateway). What you might access or not depends on what they have configured on their gateway.

Don't test from ISA itself. Do it from a client behind ISA. Did you create the appropriate access rules and network rule (with a route relationship) on ISA? You want to ping, but do they allow you to ping? If you ping from a client behind ISA, say with ping 192.168.112.10 -t, does the tunnel come up or not? What does IPsecMonitor show? Is the tunnel established? Is this address 192.168.112.10 the only one that you need to access, or in other words, are they allowing you to access other resources?

Additionally you might want to install Windows 2003 SP2 on ISA, but first check this: http://blogs.technet.com/isablog/archive/2007/03/27/isa-server-and-windows-server-2003-service-pack-2.aspx Also, do you allow them to access resources on your network? If so, can they access them?
< Message edited by justmee -- 30.May2007 10:04:21 AM >
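The reply above lists the IKE Phase I and Phase II parameters that both gateways must agree on. The script below is an added example (not code from this thread, from ISA Server or from FortiGate) that compares two proposal records and reports which parameters differ. The local proposal is built from the settings quoted above; the remote proposal is constructed and deliberately uses a different Phase II lifetime so the output shows what a mismatch looks like. The field names and the error/warning split are assumptions made for this script.

```python
"""Compare the IKE Phase I / Phase II proposals configured on the two ends
of a site-to-site IPsec tunnel and report where they disagree.

Added example, not code from the thread or from ISA Server/FortiGate. The
local proposal is built from the settings quoted in the thread; the remote
proposal is constructed and deliberately uses a different Phase II lifetime.
"""

# Parameters that must agree for each IKE phase (field names are assumptions).
PHASE1_KEYS = ("mode", "encryption", "integrity", "dh_group", "auth", "lifetime_s")
PHASE2_KEYS = ("encryption", "integrity", "pfs", "pfs_group", "esp_mode", "lifetime_s")

# A lifetime mismatch is usually tolerated by IKEv1 peers (the shorter value
# wins at negotiation time) but it makes one side rekey early, so it is
# reported as a warning rather than a hard error.
WARN_ONLY = {"lifetime_s"}

LOCAL = {  # settings quoted in the thread for the ISA side
    "phase1": {"mode": "Main", "encryption": "3DES", "integrity": "SHA-1",
               "dh_group": 2, "auth": "preshared", "lifetime_s": 28800},
    "phase2": {"encryption": "3DES", "integrity": "SHA1", "pfs": True,
               "pfs_group": 2, "esp_mode": "tunnel", "lifetime_s": 3600},
}

REMOTE = {  # constructed: same as LOCAL except a 1800 s Phase II lifetime
    "phase1": dict(LOCAL["phase1"]),
    "phase2": dict(LOCAL["phase2"], lifetime_s=1800),
}


def normalize(value):
    """Fold spelling variants such as 'SHA-1' / 'sha1' / 'Sha 1' together."""
    if isinstance(value, str):
        return value.lower().replace("-", "").replace(" ", "")
    return value


def compare_phase(local, remote, keys, label):
    """Return (errors, warnings) for one phase as lists of strings."""
    errors, warnings = [], []
    for key in keys:
        lv, rv = local.get(key), remote.get(key)
        if normalize(lv) != normalize(rv):
            msg = f"{label}.{key}: local={lv!r} remote={rv!r}"
            (warnings if key in WARN_ONLY else errors).append(msg)
    return errors, warnings


def compare_proposals(local, remote):
    """Compare both phases; an empty error list means the proposals can match."""
    e1, w1 = compare_phase(local["phase1"], remote["phase1"], PHASE1_KEYS, "phase1")
    e2, w2 = compare_phase(local["phase2"], remote["phase2"], PHASE2_KEYS, "phase2")
    return e1 + e2, w1 + w2


if __name__ == "__main__":
    errors, warnings = compare_proposals(LOCAL, REMOTE)
    for line in errors:
        print("ERROR  ", line)
    for line in warnings:
        print("WARNING", line)
    if not errors:
        print("proposals compatible" + (" (with warnings)" if warnings else ""))
```

PFS and the DH group are treated as hard errors because Quick Mode simply fails when one side requires PFS and the other does not; the lifetimes are only warnings because the peers will negotiate the shorter one, but the side with the longer value will see unexpected rekeys, which is the kind of symptom that is easy to mistake for a broken tunnel.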
Thanks for your help. I followed the Microsoft document. According to that I entered the IP address range as 192.168.112.0 to 255 and I entered their remote site gateway IP also, like this: 172.4.62.4 to 172.4.62.4. I entered both address ranges there. After that it doesn't show that error message which I showed you.
After that I tried to ping. I can ping, but when I tracert to it, it's not working.
The ping result is like this:

C:\Documents and Settings\abc>ping 192.168.112.10 -t

Pinging 192.168.112.10 with 32 bytes of data:

Request timed out.
Reply from 192.168.112.10: bytes=32 time=297ms TTL=127
Reply from 192.168.112.10: bytes=32 time=292ms TTL=127
Reply from 192.168.112.10: bytes=32 time=292ms TTL=127
Reply from 192.168.112.10: bytes=32 time=297ms TTL=127

Ping statistics for 192.168.112.10:
    Packets: Sent = 5, Received = 4, Lost = 1 (20% loss),
Approximate round trip times in milli-seconds:
    Minimum = 292ms, Maximum = 297ms, Average = 294ms
IPsec settings:
Phase I: 3DES, SHA1, Group 2 (1024 bit), 28800 seconds.
Phase II: 3DES, SHA1, generate a new key every 3600 seconds. Tick "Use Perfect Forward Secrecy (PFS)" (Group 2, 1024 bit).
ELK is my site, FTC is our remote site. That's all. After that I created a network rule like this:

Rule name     Source Network    Destination Network    N. Relationship
ELK to FTC    Internal          FTC                    Route

After that I created 2 firewall rules like this:

Name          Action    Protocol        From                  To                    Condition
ELK to FTC    Allow     All outbound    Internal/Local Host   FTC                   All users
FTC to ELK    Allow     All outbound    FTC                   Internal/Local Host   All users
I hope it's correct. Can you tell me if there are any mistakes? Please let me know.
Actually, please tell me what IPsecMonitor shows and how to do that.
Our remote site in Switzerland is using the FortiGate hardware firewall.
Hi Chanaka, all I wanted to see is if the tunnel goes up, which it does. You can monitor it using ISA's Monitoring panel: look at the Sessions tab. You should see there the "tunnel" which was established. You can ping and tracert, so traffic can pass between the two sites; things are looking good. About rules:
quote:
Name          Action    Protocol        From                  To                    Condition
ELK to FTC    Allow     All outbound    Internal/Local Host   FTC                   All users
FTC to ELK    Allow     All outbound    FTC                   Internal/Local Host   All users
I would not allow all the protocols to ISA (Local Host). That's a big security issue. Also I would not add Local Host to any of those 2 rules. If you want to access or do some testing from ISA itself, make sure you limit the protocol range and create separate rules for these. To get this (testing or whatever) working you must add the remote gateway's IP address to the network range of the remote site (which you did). This must be done also on the other end of the tunnel, where ISA's external interface IP address must be specified. After all these you should be able to ping from ISA, for example.
quote:
after i try to ping, i can ping but when i tracert to that it's not working.
As I can see it works and the remote address is a couple of hops away. Why are you saying it's not working? You would expect the number of hops to be lower? For IPSecMonitor, run mmc on ISA and add the snap-in with the same name. IPsecMonitor shows you the established Main Mode and Quick Mode phases, filters used, statistics. If everything goes fine you should see there the Security Associations established. Best regards!
< Message edited by justmee -- 31.May2007 4:45:37 AM >
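The advice above is to keep Local Host out of the two site rules and, if testing from the ISA box is needed, to give it a separate rule with a narrow protocol list. The script below is an added example (not from this thread or from ISA Server) that audits a list of access rules for exactly that pattern: an Allow rule that covers all protocols and includes the Local Host network. The rule records are constructed from the two rules posted in the thread plus a narrower replacement; the field layout, the severity labels and the "ISA test ping to FTC" rule name are assumptions made for this script.

```python
"""Audit ISA access rules for over-broad Allow rules that include the Local
Host network (the ISA machine itself).

Added example, not from the thread or from ISA Server. The rule records are
constructed from the two rules posted in the thread plus a narrower pair
that a tester could use instead; the field layout is an assumption.
"""
from dataclasses import dataclass

BROAD_PROTOCOL_SETS = {"all outbound", "all outbound traffic", "all protocols"}
LOCAL_HOST_NAMES = {"local host", "localhost", "l.host"}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "Allow" or "Deny"
    protocols: tuple            # protocol names or the name of a broad set
    sources: tuple              # network names
    destinations: tuple         # network names
    users: str = "All users"


def _networks(rule):
    """All source and destination network names of a rule, lower-cased."""
    return [n.strip().lower() for n in rule.sources + rule.destinations]


def audit(rules):
    """Return a list of (rule name, severity, message) findings."""
    findings = []
    for rule in rules:
        if rule.action.lower() != "allow":
            continue
        on_local_host = any(n in LOCAL_HOST_NAMES for n in _networks(rule))
        broad = any(p.strip().lower() in BROAD_PROTOCOL_SETS for p in rule.protocols)
        if on_local_host and broad:
            findings.append((rule.name, "HIGH",
                             "allows all protocols to or from Local Host; move Local Host "
                             "into a separate rule with a narrow protocol list"))
        elif on_local_host:
            findings.append((rule.name, "INFO",
                             "Local Host is in scope; keep this rule only for testing"))
    return findings


def high_findings(rules):
    """Only the findings that should block a rule set from going live."""
    return [f for f in audit(rules) if f[1] == "HIGH"]


# As posted in the thread (ELK = local site, FTC = remote site).
POSTED_RULES = (
    Rule("ELK to FTC", "Allow", ("All outbound",), ("Internal", "Local Host"), ("FTC",)),
    Rule("FTC to ELK", "Allow", ("All outbound",), ("FTC",), ("Internal", "Local Host")),
)

# Constructed alternative: site traffic without Local Host, plus one small
# rule for testing from the ISA box with PING only.
NARROWED_RULES = (
    Rule("ELK to FTC", "Allow", ("All outbound",), ("Internal",), ("FTC",)),
    Rule("FTC to ELK", "Allow", ("All outbound",), ("FTC",), ("Internal",)),
    Rule("ISA test ping to FTC", "Allow", ("PING",), ("Local Host",), ("FTC",)),
)


if __name__ == "__main__":
    for label, rules in (("posted", POSTED_RULES), ("narrowed", NARROWED_RULES)):
        print(label)
        for name, severity, message in audit(rules):
            print(f"  [{severity}] {name}: {message}")
```

Run against the posted pair the audit reports both rules as HIGH; against the narrowed set it reports no HIGH finding and only an INFO note on the test rule, which is the reminder to remove that rule once testing from the ISA box is finished.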
Ouch! I was going to propose another option but I have noticed that, since you have posted the regedit settings, you added that value using a hexadecimal value and not a decimal value, so you end up with 13824 and not with 3600. Fix this and test it again. If it is still not working you can try and disable IP spoofing on ISA: http://support.microsoft.com/kb/838114 You said that:
quote:
Rule name     Source Network    Destination Network    N. Relationship
ELK to FTC    Internal          FTC                    Route
Why are the logs showing: destination FTC_NAT? I hope there is no NAT relationship there and also that the remote site has the correct name.
< Message edited by justmee -- 31.May2007 10:08:09 AM >
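The point made two posts up is that typing the decimal number 3600 into regedit with the Hexadecimal base selected stores 0x3600, which is 13824. The script below is an added example (not from this thread or from Microsoft) that reads a REG_DWORD from `reg query` output, which prints DWORDs in hexadecimal, and classifies it against the Quick Mode lifetime it is meant to match. Both `reg query` samples are constructed, and the key path is a placeholder; take the real path from the KB article you are following.

```python
"""Check the SAIdleTime REG_DWORD as printed by `reg query` against the
Quick Mode SA lifetime it is supposed to match.

Added example, not from the thread or from Microsoft. The `reg query`
output is constructed; `reg query` prints REG_DWORD values in hexadecimal,
which is exactly how a decimal number typed into regedit's Hexadecimal
base ends up looking. The key path is a placeholder.
"""
import re

# Constructed: what `reg query <key> /v SAIdleTime` prints after "3600" was
# typed into the Edit DWORD dialog with the Hexadecimal base selected.
WRONG_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\<placeholder key path>
    SAIdleTime    REG_DWORD    0x3600
"""

# Constructed: the same value entered with the Decimal base selected.
RIGHT_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\<placeholder key path>
    SAIdleTime    REG_DWORD    0xe10
"""


def parse_reg_dword(output, value_name):
    """Extract one REG_DWORD from `reg query` text as an int (0x... or decimal)."""
    pattern = re.compile(
        r"^\s*" + re.escape(value_name) + r"\s+REG_DWORD\s+(0x[0-9a-fA-F]+|\d+)\s*$",
        re.MULTILINE,
    )
    match = pattern.search(output)
    if match is None:
        raise ValueError(f"{value_name} not found in reg query output")
    return int(match.group(1), 0)  # base 0 honours the 0x prefix


def entered_as_hex(intended_decimal):
    """Value stored when decimal digits are typed into a hexadecimal field."""
    return int(str(intended_decimal), 16)


def check_sa_idle_time(output, quick_mode_lifetime_s):
    """Classify the stored SAIdleTime relative to the Quick Mode lifetime."""
    stored = parse_reg_dword(output, "SAIdleTime")
    if stored == quick_mode_lifetime_s:
        return "ok", stored
    if stored == entered_as_hex(quick_mode_lifetime_s):
        return "entered-as-hex", stored
    return "mismatch", stored


if __name__ == "__main__":
    for label, sample in (("wrong", WRONG_SAMPLE), ("right", RIGHT_SAMPLE)):
        status, value = check_sa_idle_time(sample, 3600)
        print(f"{label}: SAIdleTime={value} ({status})")
```

The "entered-as-hex" case is the one worth recognising by name: the stored value is a perfectly plausible-looking number, so without decoding the 0x prefix the mistake is easy to miss when someone pastes `reg query` output into a forum post.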
Thanks for your mail. According to your instructions I modified the registry value 13824. After that I restarted the PC and disabled IP spoofing on ISA; then after that the PC is 100% busy.
After I disabled IP spoofing on ISA, I removed the current VPN tunnel and recreated the remote connection.
First: never, never invite some forum members to do so! Even if they are admins. If you do so for some persons, make sure they have written permission to do so.

The SAIdleTime is for your Quick Mode negotiations, which apparently are renegotiated every five minutes even if there is traffic, so some packets might be declared as spoofed by ISA. If you increase this value to match the Quick Mode SA lifetime you will postpone this negotiation for an hour.

Let's clear some things:
remote site: 192.168.112.0/24
server holding the application: 192.168.112.10
What are these: 62.2.152.4 and 172.4.62.4? From your screens I see that the remote tunnel IP address is 62.2.152.4 (this means the remote gateway; the VPN end-points are considered gateways, and site-to-site VPN is also called gateway-to-gateway). If so, the network holding the remote site should look like this: 192.168.112.0/24 and 62.2.152.4.
Internal net: 192.168.187.0/24?
ISA: 192.168.187.200
client: 192.168.187.220 (make this client only a SecureNAT client for this testing)

From your previous post the ping went fine and also tracert. Are you seeing in ISA's Monitoring/Sessions the VPN remote site? You should, according to your posts (ping works). After all, what's the exact problem? You cannot connect with your application?

The spoofed packets are UDP segments from NetBIOS destined to the Internal network from the Internal network. Normally these packets, addressed to a broadcast address, should be shown in the logs as destined to Local Host and denied by firewall policies. Do you have some rules allowing NetBIOS (or all protocols) from Internal to Internal? Looks like you're looping through ISA traffic destined to the Internal network. Please check your rules. After you have removed IP spoofing, did you reboot ISA? Apparently that 100% is obtained because of that looping. Is the browser service stopped on ISA (as it should be)? Do you get some errors in ISA's Alert log or in the Event Viewer?
The traffic for your application is allowed by ISA (only one time was it blocked as spoofed) and the connection is closed normally (with a FIN handshake). Do you have multiple default gateways on ISA? You should have only one, and that on the external interface. The DNS server must be configured on the Internal interface of ISA and point to the internal DNS server. Have you defined the correct protocol (TCP ports needed) for that application (camcad)? Please check your rules.
This is our remote site gateway IP: 62.2.152.4. This I don't know: 172.4.62.4?
Remote site should look like this: 192.168.112.0/24 and 62.2.152.4. YES, it's correct.
This is the Sri Lanka net: 192.168.187.0/24. It's our internal range.
Our ISA Server: one card is 192.168.187.200, the other card's IP is 203.143.16.***.
My client is 192.168.187.220; the client is a SecureNAT client. Ping is working, tracert is not working.
Are you seeing in ISA's Monitoring/Sessions the VPN remote site? How to check?
You cannot connect with your application? Yes, it says the license server is not available.
Do you have some rules allowing NetBIOS (or all protocols) from Internal to Internal? NO.
After you have removed IP spoofing did you reboot ISA? YES.
Do you get some errors in ISA's Alert log or in the Event Viewer? NO. BUT when I boot the PC it automatically restarts 2 times.
Do you have multiple default gateways on ISA? NO. You should have only one and that on the external interface.
The DNS server must be configured on the Internal interface of ISA and point to the internal DNS server. Yes.
Have you defined the correct protocol (TCP ports needed) for that application (camcad)? No, I opened all the outbound ports, that's all.
Can you please help me? Can I have your personal mail address?
quote:
and I entered their remote site gateway IP also, like this: 172.4.62.4 to 172.4.62.4. I entered both address ranges there.
quote:
BUT when I boot the pc it's automatically Restart 2 times.
Wow! Some problems there, hardware or software?
quote:
Are you seeing in ISA's Monitoring/Sessions the Vpn Remote site? How to check?
Just go to Monitoring on ISA. There you have the Sessions tab (there are many tabs there: alerts, logging, services...). You should see the session there. Also when you are on the VPN/Remote Sites panel, click on the remote site and then on the right panel you should see "monitor site sessions". Click on it. Try and disable SurfControl. My guess here is that there is a loop somewhere. SurfControl might have its part in these problems. If you are desperate you can contact Microsoft for support any time. Just pick up the phone. It looks like you are having some serious problems, especially when the server is rebooting itself a couple of times. Try to identify the cause of this problem too. I still don't see why you are saying that tracert is not working:
This is my mistake: 172.4.62.4. Before, I didn't show the correct gateway. Our remote gateway is 62.2.152.4.
The PC rebooted only 2 times after I changed the registry. But now it's OK; I didn't install any new software.
Now I know how to see the VPN session. It's showing nothing.
I stopped SurfControl; I still have the same problem. Do you have any more solutions? Do you have experience creating a VPN site with a FortiGate hardware firewall? Can I have the Microsoft support center phone number? Can you help to solve this problem?
Thanks, Chanaka.
< Message edited by auchanaka1980 -- 1.Jun.2007 7:11:23 AM >
quote:
Now I know how to see the VPN session. It's showing nothing.
So how exactly do you receive ping replies if there is no connection? What is IPSec Monitor on ISA showing when you look at the Main Mode and Quick Mode Security Associations after you issue that ping command and you get the replies? Can you take a Wireshark trace on ISA's external interface so we can see the IKE negotiations, or at least provide the oakley.log from ISA (it's located in WINDOWS\Debug)? We must know if the tunnel actually is established, but you give some confusing information. Do you have ISA installed on a DC, or are there other services/products running on your ISA? An interesting thing to see is a Wireshark trace from the client with which you connect to the remote server, in order to check the packets sent by it (if you post this trace, make sure that if the server requires authentication this is not sent in clear text or protected with a weak algorithm; if so, do not post it).
quote:
Can I have Microsoft support center phone number?
You've got to help yourself a little bit, mate! The place from where you bought ISA should have given you phone numbers and e-mail addresses from where you should get technical support (PSS). You can also check the Microsoft section of your country to find out e-mail addresses or phone numbers: http://www.microsoft.com/worldwide/default.aspx (search for regions to find your country if you don't see it in the main list). I do not have experience with FortiGate, but may I ask you what settings did you receive from the guys on the other end (IKE phase I and II settings)? As long as these settings are compatible with ISA there should not be any major problem with the tunnel mode. I still need a reason for those logs: Internal to Internal (a loop maybe). Something looks misconfigured there, maybe some access rules. In my opinion, since you can ping and run tracert, the tunnel is up and seems fine (unless it drops for some reason). The spoofing errors are not coming from traffic destined to the remote network; actually they are from traffic destined for the Internal network (for a broadcast address). This suggests to me a configuration error on ISA unrelated to the site-to-site connection, some bad access rules... To test the tunnel you can issue a ping -t for about a couple of minutes and see what's happening. Also maybe you can run a remote desktop connection to a computer located on the remote site. Now, since you have modified the idle time on ISA, you should make sure that it matches the one set on the FortiGate.
< Message edited by justmee -- 1.Jun.2007 12:41:44 PM >
I can give you the IPSec Monitor result. Can I have your private email address? There we have our information. The ISA server is a domain member machine only, not the DC.
Can you please tell me how you can help me configure my tunnel. If you can do that I can give the approval. Actually our other branch is using the Citrix Server; all their servers are with their ISP.
If you can check my server I can arrange third-party software for you and I can open the ports to my machine.
Yesterday I installed ISA Server 2006 with Windows 2003 SP1. I did not install the Windows patches. Still the result is the same. I think maybe it's my configuration problem. Can you give me support?
I'm waiting for your answer. If you can give me your phone number I can call you.
Hi Chanaka, strange ways of dealing with problems you've got there. About my contact information: currently, according to my country's laws, I can't provide you any support. For that I have to take care of some legal aspects. I do not have time to deal with those right now, and I also want to make sure that I have my back covered too. Just in case! So on these forums, as you can see, I'm only a simple person. Please note the security issues related to all these. If you still want to send me the Wireshark traces in private, it's up to you to do so. I did not request you to do so. Any problems which may arise from these actions are not my problem and I cannot be held responsible for them. If you do understand all the above you can send them to justmenonone@hotmail.com. By the way, I don't want to sound paranoid, but sometimes one never knows.