ISAserver.org Forums >> [ISA Server 2004 Firewall] >> VPN >> Remote VPN Site
Remote VPN Site - 29.May2007 10:52:38 PM
auchanaka1980 (Posts: 108, Joined: 16.Jan.2007)

Dear All,

I'm using Windows 2003 SP1 with ISA Server SP3. Our head office is in Switzerland. Switzerland and Sri Lanka have a VPN site. They are using a FortiGate hardware firewall. We created a remote VPN site and we want to connect to one license server there.

The Swiss base is our main site; they sent us a manual on how to create a VPN site. I configured it according to that. We are connecting to one port, port 5353.

After configuring the VPN site I tried to ping or telnet to port 5353, but it's not connected.
I entered the remote site address range as 192.168.112.0-192.168.112.255. Then, after I changed the IP range to 192.168.112.10-192.168.112.10, I can connect to port 5353.

We're using an IPsec pre-shared key. And after I ran the Microsoft ISA Server Best Practices Analyzer tool it's showing an error message. Herewith attached the error message.

I'm waiting for your help.
Regards,
Chanaka

Post #: 1
RE: Remote VPN Site - 30.May2007 3:33:03 AM
justmee (Posts: 505, Joined: 14.May2007)

Hi Chanaka,
The error you see there is because, when you defined the addresses included in the remote site network, you did not enter the IP address of the remote tunnel endpoint (the remote VPN gateway IP address from the wizard).
Please read the following article:
http://www.isaserver.org/tutorials/2004ipsectunnelmode.html
Also make sure you check the IPsec Tunnel Mode section on Microsoft's site:
http://www.microsoft.com/technet/isa/2004/technologies/vpn.mspx
especially this one:
http://www.microsoft.com/technet/isa/2004/plan/sitetositeipsec.mspx
Best regards!

(in reply to auchanaka1980)
Post #: 2
RE: Remote VPN Site - 30.May2007 6:43:24 AM
auchanaka1980 (Posts: 108, Joined: 16.Jan.2007)

Thanks for your reply. Still I'm not clear.

Is it possible to come online via Skype or MSN? You can help me.

My Skype id = auchanaka.
MSN = namal_077@hotmail.com

Please help me.

Regards,
Chanaka.

(in reply to justmee)
Post #: 3
RE: Remote VPN Site - 30.May2007 9:57:51 AM
justmee (Posts: 505, Joined: 14.May2007)

Hi Chanaka,
Let's keep it on the forums because other people might come in and add their suggestions too.
What's the problem?
Did you check that Word doc from Microsoft's site?
It's a step-by-step guide.
Typically such connections use the following settings:
IKE Phase I (Main Mode)
3DES
SHA-1
MODP Group 2 (1024 bits) for DH
SA lifetime of 28,800 seconds
Preshared Secret Authentication
IKE Phase II (Quick Mode)
3DES
SHA-1
PFS and MODP Group 2 (1024 bits) for DH
SA lifetime of 3,600 seconds
ESP tunnel mode
But you are saying that the people on the other end of the tunnel gave you some settings.
Make sure you follow them and that they are compatible with ISA.
About the remote site address range: it also should be the network they give you (the network behind their gateway). If it is 192.168.112.0/24 then put it there (also you could add the IP address of the external interface of that gateway).
What you might access or not depends on what they have configured on their gateway.
Don't test from ISA itself. Do it from a client behind ISA.
Did you create the appropriate access rules and network rule (with a route relationship) on ISA?
You want to ping, but do they allow you to ping?
If you ping from a client behind ISA, say with ping 192.168.112.10 -t, does the tunnel come up or not?
What does IPsec Monitor show?
Is the tunnel established?
Is this address 192.168.112.10 the only one that you need to access, or in other words, are they allowing you to access other resources?
Additionally you might want to install Windows 2003 SP2 on ISA, but first check this:
http://blogs.technet.com/isablog/archive/2007/03/27/isa-server-and-windows-server-2003-service-pack-2.aspx
Also, do you allow them to access resources on your network? If so, can they access them?

< Message edited by justmee -- 30.May2007 10:04:21 AM >

(in reply to auchanaka1980)
Post #: 4
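The two things the reply above says must line up before a tunnel mode site-to-site VPN comes up are the IKE Phase I/II proposals on both gateways and the ISA remote-site network definition (the LAN behind the peer plus the peer gateway address itself). The script below is an added example, not code from the thread, ISA or FortiGate: it compares two sides' proposals and checks the remote-site ranges, accepting ISA's "a-b" range notation. The ISA-side values are the ones posted in the thread; the FortiGate-side values are constructed, with PFS deliberately switched off and a shorter Phase II lifetime so that the checker has something to report.

```python
"""Added example (not from the thread, ISA or FortiGate): compare the IKE
Phase I/II proposals configured on both tunnel endpoints and check the
ISA remote-site network definition."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, summarize_address_range
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Phase1:
    encryption: str   # "3DES", "AES-128", ...
    integrity: str    # "SHA1", "MD5", ...
    dh_group: int     # MODP group; 2 = 1024 bit
    lifetime_s: int   # SA lifetime in seconds
    auth: str         # "PSK" or "CERT"
    mode: str = "main"


@dataclass(frozen=True)
class Phase2:
    encryption: str
    integrity: str
    lifetime_s: int
    pfs_group: Optional[int]   # None means PFS disabled
    protocol: str = "ESP"
    mode: str = "tunnel"


def _norm(value: str) -> str:
    # "SHA-1", "sha1" and "SHA_1" all name the same algorithm.
    return value.upper().replace("-", "").replace("_", "")


def compare_proposals(local1: Phase1, remote1: Phase1,
                      local2: Phase2, remote2: Phase2) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings). Errors stop Phase I/II from completing;
    warnings are differences the peers usually negotiate down (lifetimes)."""
    errors, warnings = [], []
    for attr in ("encryption", "integrity", "auth", "mode"):
        if _norm(getattr(local1, attr)) != _norm(getattr(remote1, attr)):
            errors.append(f"Phase 1 {attr}: {getattr(local1, attr)} vs {getattr(remote1, attr)}")
    if local1.dh_group != remote1.dh_group:
        errors.append(f"Phase 1 DH group: {local1.dh_group} vs {remote1.dh_group}")
    if local1.lifetime_s != remote1.lifetime_s:
        warnings.append(f"Phase 1 lifetime: {local1.lifetime_s}s vs {remote1.lifetime_s}s")
    for attr in ("encryption", "integrity", "protocol", "mode"):
        if _norm(getattr(local2, attr)) != _norm(getattr(remote2, attr)):
            errors.append(f"Phase 2 {attr}: {getattr(local2, attr)} vs {getattr(remote2, attr)}")
    if local2.pfs_group != remote2.pfs_group:
        errors.append(f"Phase 2 PFS: {local2.pfs_group or 'off'} vs {remote2.pfs_group or 'off'}")
    if local2.lifetime_s != remote2.lifetime_s:
        warnings.append(f"Phase 2 lifetime: {local2.lifetime_s}s vs {remote2.lifetime_s}s")
    return errors, warnings


def _to_networks(ranges: List[str]):
    """Accept ISA style 'a-b' address ranges as well as CIDR prefixes."""
    nets = []
    for item in ranges:
        if "-" in item:
            lo, hi = (ip_address(p.strip()) for p in item.split("-", 1))
            nets.extend(summarize_address_range(lo, hi))
        else:
            nets.append(ip_network(item, strict=False))
    return nets


def check_remote_site(remote_ranges: List[str], remote_gateway: str,
                      internal_ranges: List[str]) -> List[str]:
    """The remote site network must cover the LAN behind the peer AND the
    peer gateway address itself, and must not overlap the Internal network."""
    problems = []
    remote = _to_networks(remote_ranges)
    internal = _to_networks(internal_ranges)
    gw = ip_address(remote_gateway)
    if not any(gw in n for n in remote):
        problems.append(f"remote gateway {gw} is not in the remote site address ranges")
    for r in remote:
        for i in internal:
            if r.overlaps(i):
                problems.append(f"remote range {r} overlaps Internal range {i}")
    return problems


# ISA side as posted in the thread; FortiGate side constructed for this example
# with PFS disabled and a shorter Phase II lifetime.
ISA_P1 = Phase1("3DES", "SHA1", 2, 28800, "PSK")
ISA_P2 = Phase2("3DES", "SHA1", 3600, pfs_group=2)
FGT_P1 = Phase1("3des", "sha-1", 2, 28800, "psk")
FGT_P2 = Phase2("3des", "sha-1", 1800, pfs_group=None)

if __name__ == "__main__":
    print(compare_proposals(ISA_P1, FGT_P1, ISA_P2, FGT_P2))
    print(check_remote_site(["192.168.112.0-192.168.112.255"], "62.2.152.4",
                            ["192.168.187.0/24"]))
```

Lifetime differences are reported as warnings rather than errors because IKEv1 peers commonly settle on the shorter value; every other mismatch is fatal for the phase in which it occurs, and the FortiGate side will not tell ISA why it rejected the proposal, so checking on paper first saves a lot of log reading.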
RE: Remote VPN Site - 31.May2007 1:02:14 AM
auchanaka1980 (Posts: 108, Joined: 16.Jan.2007)

Thanks for your help. I followed the Microsoft document. According to that I entered the IP address range 192.168.112.0 to 255, and I entered their remote site gateway IP also, like this: 172.4.62.4 to 172.4.62.4. I entered both address ranges there. After that it no longer shows the error message which I showed to you.

After that I tried to ping. I can ping, but when I tracert to it it's not working.

The ping result is like this:
C:\Documents and Settings\abc>ping 192.168.112.10 -t
Pinging 192.168.112.10 with 32 bytes of data:
Request timed out.
Reply from 192.168.112.10: bytes=32 time=297ms TTL=127
Reply from 192.168.112.10: bytes=32 time=292ms TTL=127
Reply from 192.168.112.10: bytes=32 time=292ms TTL=127
Reply from 192.168.112.10: bytes=32 time=297ms TTL=127

Ping statistics for 192.168.112.10:
   Packets: Sent = 5, Received = 4, Lost = 1 (20% loss),
Approximate round trip times in milli-seconds:
   Minimum = 292ms, Maximum = 297ms, Average = 294ms

Tracert result:

C:\Documents and Settings\abc>tracert 192.168.112.10
Tracing route to 192.168.112.10 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  isa_server.abc.com [192.168.187.200]
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22   311 ms   317 ms   313 ms  192.168.112.10

Trace complete.

I'll give you my configuration.

IPsec settings:

Phase I
3DES
SHA1
Group 2 (1024 bit)
28800 seconds

Phase II
3DES
SHA1
Generate a new key every 3600 seconds (tick mark selected)
Use Perfect Forward Secrecy (PFS) selected (Group 2, 1024 bit)

ELK is my site; FTC is our remote site.
That's all I know. After that I created a network rule like this:

Rule name     Source Network    Destination Network    N. Relationship
ELK to FTC    Internal          FTC                    Route

After that I created 2 firewall rules like this:

Name          Action    Protocol        From                  To                    Condition
ELK to FTC    Allow     All outbound    Internal/Local Host   FTC                   All users
FTC to ELK    Allow     All outbound    FTC                   Internal/Local Host   All users

I hope it's correct. Can you tell me if there is any mistake? Please let me know.

Please tell me what IPsec Monitor shows and how to do that.

Our remote site in Switzerland is using a FortiGate hardware firewall.

I'm waiting for your answer.

Regards,
Chanaka.

(in reply to justmee)
Post #: 5
RE: Remote VPN Site - 31.May2007 4:42:45 AM
justmee (Posts: 505, Joined: 14.May2007)

Hi Chanaka,
All I wanted to see is whether the tunnel goes up, which it does.
You can monitor it using ISA's Monitoring panel: look at the Sessions tab. You should see there the "tunnel" which was established.
If you can ping and tracert, then traffic can pass between the two sites, so things are looking good.
About rules:
quote:

Name          Action    Protocol        From                  To                    Condition
ELK to FTC    Allow     All outbound    Internal/Local Host   FTC                   All users
FTC to ELK    Allow     All outbound    FTC                   Internal/Local Host   All users

I would not allow all protocols to ISA (Local Host). That's a big security issue.
Also, I would not add Local Host to either of those 2 rules. If you want to access or do some testing from ISA itself, make sure you limit the protocol range and create separate rules for these.
To get this (testing or whatever) working you must add the remote gateway's IP address to the network range of the remote site (which you did). This must be done also on the other end of the tunnel, where ISA's external interface IP address must be specified. After all these you should be able to ping from ISA, for example.
quote:

After that I tried to ping. I can ping, but when I tracert to it it's not working.

As I can see, it works and the remote address is a couple of hops away. Why are you saying it's not working?
Would you expect the number of hops to be lower?
For IPsec Monitor, run mmc on ISA and add the snap-in with the same name.
IPsec Monitor shows you established Main Mode and Quick Mode phases, filters used, and statistics.
If everything goes fine you should see there the Security Associations established.
Best regards!

< Message edited by justmee -- 31.May2007 4:45:37 AM >

(in reply to auchanaka1980)
Post #: 6
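The reply above makes a least-privilege point that is easy to check mechanically: an "All outbound" rule that includes Local Host gives every protocol to the firewall itself, and a site-to-site network must sit behind a Route (not NAT) network rule. The script below is an added example, not ISA code: it audits a rule set modelled on the two rules posted in the thread, and builds the narrow replacement the reply recommends (clients get only the licence-server protocol, ISA itself gets PING in a separate test-only rule). The protocol name "License server TCP 5353" is an assumed custom protocol definition, not one ISA ships with.

```python
"""Added example (not ISA code): audit ISA 2004 access and network rules the
way the reply above does, then build a least-privilege replacement."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

LOCAL_HOST = "Local Host"
ALL_OUTBOUND = "All Outbound Traffic"


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str                   # "Allow" or "Deny"
    protocols: FrozenSet[str]     # {ALL_OUTBOUND} or named protocols
    sources: FrozenSet[str]       # ISA network names
    destinations: FrozenSet[str]
    users: str = "All Users"


@dataclass(frozen=True)
class NetworkRule:
    name: str
    sources: FrozenSet[str]
    destinations: FrozenSet[str]
    relationship: str             # "Route" or "NAT"


def audit(access_rules: List[AccessRule], network_rules: List[NetworkRule],
          site_networks: FrozenSet[str]) -> List[Tuple[str, str, str]]:
    """Return (severity, rule name, reason) tuples for every problem found."""
    findings = []
    for r in access_rules:
        if r.action != "Allow":
            continue
        touches_local_host = LOCAL_HOST in r.sources or LOCAL_HOST in r.destinations
        everything = ALL_OUTBOUND in r.protocols
        # Local Host listed next to other networks in the same rule.
        mixed = ((LOCAL_HOST in r.sources and len(r.sources) > 1)
                 or (LOCAL_HOST in r.destinations and len(r.destinations) > 1))
        if touches_local_host and everything:
            findings.append(("HIGH", r.name,
                             "all protocols allowed to/from Local Host (the ISA box itself)"))
        elif mixed:
            findings.append(("MEDIUM", r.name,
                             "Local Host mixed into a client rule; keep ISA's own traffic in a separate, narrow rule"))
        if r.sources & r.destinations:
            findings.append(("MEDIUM", r.name,
                             "source and destination overlap; traffic can loop through ISA and be logged as spoofed"))
    for n in network_rules:
        if (n.sources | n.destinations) & site_networks and n.relationship != "Route":
            findings.append(("HIGH", n.name,
                             f"{n.relationship} relationship on a site-to-site network; tunnel mode needs Route"))
    return findings


def least_privilege_rules(site: str, app_protocol: str) -> List[AccessRule]:
    """Replacement for the two 'All outbound' rules: clients reach only the
    licence-server protocol, ISA itself gets PING for tunnel testing."""
    return [
        AccessRule("ELK to FTC (clients)", "Allow", frozenset({app_protocol}),
                   frozenset({"Internal"}), frozenset({site})),
        AccessRule("ISA to FTC (test only)", "Allow", frozenset({"PING"}),
                   frozenset({LOCAL_HOST}), frozenset({site})),
    ]


# The rules as posted in the thread, transcribed into this structure.
POSTED_RULES = [
    AccessRule("ELK to FTC", "Allow", frozenset({ALL_OUTBOUND}),
               frozenset({"Internal", LOCAL_HOST}), frozenset({"FTC"})),
    AccessRule("FTC to ELK", "Allow", frozenset({ALL_OUTBOUND}),
               frozenset({"FTC"}), frozenset({"Internal", LOCAL_HOST})),
]
POSTED_NETWORK_RULES = [
    NetworkRule("ELK to FTC", frozenset({"Internal"}), frozenset({"FTC"}), "Route"),
]

if __name__ == "__main__":
    for finding in audit(POSTED_RULES, POSTED_NETWORK_RULES, frozenset({"FTC"})):
        print(*finding, sep=" | ")
    for rule in least_privilege_rules("FTC", "License server TCP 5353"):
        print(rule)
```

The inbound rule ("FTC to ELK") deserves the same scrutiny as the outbound one: with all protocols allowed from the remote site to Internal and Local Host, a compromised host in the Swiss office has unrestricted reach into the Sri Lanka LAN and the firewall itself, which is not what a one-port licence check needs.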
RE: Remote VPN Site - 31.May2007 4:50:13 AM
auchanaka1980 (Posts: 108, Joined: 16.Jan.2007)

Thanks for your reply. Is it possible to come to my PC via remote? If you like I can give you third-party software that you have to install on your PC.

Can you help to solve this problem?

Please reply to me.

Thanks,
Chanaka.

(in reply to justmee)
Post #: 7
RE: Remote VPN Site - 31.May2007 5:43:09 AM
auchanaka1980 (Posts: 108, Joined: 16.Jan.2007)

Please check the attached link.

When I run my software the result looks like this.

We want to connect to port 5353; it's our license server.
http://www.geocities.com/cnamal2008/result.JPG

http://www.geocities.com/cnamal2008/result2.JPG

< Message edited by auchanaka1980 -- 31.May2007 7:01:28 AM >

(in reply to auchanaka1980)
Post #: 8
RE: Remote VPN Site - 31.May2007 7:05:42 AM
justmee (Posts: 505, Joined: 14.May2007)

Check this:
http://support.microsoft.com/kb/917025

(in reply to auchanaka1980)
Post #: 9
RE: Remote VPN Site - 31.May2007 7:33:05 AM
auchanaka1980 (Posts: 108, Joined: 16.Jan.2007)

I modified the registry and restarted the computer.

Please check that. After I ran my program it still has the same error.

Please check the result.

http://www.geocities.com/cnamal2008/regedit.JPG

Result afterwards:
http://www.geocities.com/cnamal2008/result3.JPG

I need your help to solve this problem.

Thanks,
Chanaka.

(in reply to justmee)
Post #: 10
RE: Remote VPN Site - 31.May2007 8:35:16 AM
justmee (Posts: 505, Joined: 14.May2007)

Ouch!
I was going to propose another option, but since you have posted the regedit settings I have noticed that you added that value as a hexadecimal value and not a decimal value, so you end up with 13824 and not with 3600.
Fix this and test it again.
If it is still not working you can try to disable IP Spoofing on ISA:
http://support.microsoft.com/kb/838114
You said that:
quote:

Rule name     Source Network    Destination Network    N. Relationship
ELK to FTC    Internal          FTC                    Route

Why are the logs showing destination FTC_NAT?
I hope there is no NAT relationship there, and also that the remote site has the correct name.

< Message edited by justmee -- 31.May2007 10:08:09 AM >

(in reply to auchanaka1980)
Post #: 11
RE: Remote VPN Site - 31.May2007 11:34:59 PM
auchanaka1980 (Posts: 108, Joined: 16.Jan.2007)

Thanks for your mail. According to your instructions I modified the registry value 13824. After that I restarted the PC and disabled IP Spoofing on ISA; after that the PC is 100% busy.

After I disabled IP Spoofing on ISA I removed the current VPN tunnel and recreated the remote connection.

FTC_ELK VPN is the remote VPN name.

Please check the results.
http://www.geocities.com/cnamal2008/result4.JPG

http://www.geocities.com/cnamal2008/vpn.JPG

http://www.geocities.com/cnamal2008/Nrule.JPG

http://www.geocities.com/cnamal2008/Networks.JPG

http://www.geocities.com/cnamal2008/rules.JPG

Can you please reply to me? If you can, please come via remote to my PC.

I'm waiting for your answer.

Thanks,
Chanaka.

(in reply to justmee)
Post #: 12
RE: Remote VPN Site - 1.Jun.2007 4:20:31 AM
justmee (Posts: 505, Joined: 14.May2007)

Hi Chanaka,
quote:

If you can, please come via remote to my PC.

First: never, never invite forum members to do so! Even if they are admins. If you do so for some persons, make sure they have written permission to do so.
The SAIdleTime is for your Quick Mode negotiations, which apparently are renegotiated every five minutes even if there is traffic, so some packets might be declared as spoofed by ISA. If you increase this value to match the Quick Mode SA lifetime you will postpone this negotiation for an hour.
Let's clear some things up:
Remote site: 192.168.112.0/24; server holding the application: 192.168.112.10.
What are these: 62.2.152.4 and 172.4.62.4?
From your screens I see that the remote tunnel IP address is 62.2.152.4 (this means the remote gateway; the VPN endpoints are considered gateways and site-to-site VPN is also called gateway-to-gateway).
If so, the network holding the remote site should look like this: 192.168.112.0/24 and 62.2.152.4.
Internal net: 192.168.187.0/24? ISA: 192.168.187.200; client: 192.168.187.220 (make this client a SecureNAT client only for this testing).
From your previous post the ping went fine and also tracert.
Are you seeing the VPN remote site in ISA's Monitoring/Sessions?
You should, according to your posts (ping works).
After all, what's the exact problem?
You cannot connect with your application?
The spoofed packets are UDP datagrams from NetBIOS destined to the Internal network from the Internal network. Normally these packets, addressed to a broadcast address, should be shown in the logs as destined to Local Host and denied by firewall policies.
Do you have some rules allowing NetBIOS (or all protocols) from Internal to Internal?
It looks like you're looping traffic destined to the Internal network through ISA.
Please check your rules.
After you have removed IP Spoofing, did you reboot ISA?
Apparently that 100% is obtained because of that looping.
Is the Browser service stopped on ISA (as it should be)?
Do you get some errors in ISA's Alert log or in the Event Viewer?
The traffic for your application is allowed by ISA (only one time was it blocked as spoofed) and the connection is closed normally (with a FIN handshake).
Do you have multiple default gateways on ISA?
You should have only one, and that on the external interface. The DNS server must be configured on the Internal interface of ISA and point to the internal DNS server.
Have you defined the correct protocol (TCP ports needed) for that application (CAMCAD)?
Please check your rules.

(in reply to auchanaka1980)
Post #: 13
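The registry slip discussed in the last few posts (3600 typed while regedit's base was set to Hexadecimal, stored as 0x3600 = 13824) is worth catching before the reboot rather than after. The script below is an added example, not from the thread or the KB article: it decodes the DWORD values in a .reg export, flags a value that equals the intended number read as hex digits, and compares SAIdleTime with the Quick Mode SA lifetime as the reply above recommends. The sample export is constructed, and the key path in it is an assumption made for the sample; take the real path and value name from KB 917025.

```python
"""Added example (not from KB 917025 or the thread): decode DWORD values
from a .reg export, catch the hex/decimal field trap, and compare
SAIdleTime with the Quick Mode SA lifetime."""
import re
from typing import Dict, List, Tuple

# Constructed .reg export reproducing the mistake from the thread: 3600 was
# typed while regedit's base was set to hexadecimal, so it was stored as 0x3600.
# The key path is an assumption for this sample; take the real one from KB 917025.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters]
"SAIdleTime"=dword:00003600
"""

_KEY = re.compile(r"^\[(.+)\]$")
_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')


def parse_reg_dwords(text: str) -> Dict[Tuple[str, str], int]:
    """Map (key path, value name) -> integer for every DWORD in a .reg export.
    .reg files always write dword values in hex, whatever regedit displayed."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY.match(line)
        if m:
            key = m.group(1)
            continue
        m = _DWORD.match(line)
        if m and key is not None:
            values[(key, m.group(1))] = int(m.group(2), 16)
    return values


def hex_field_trap(stored: int, intended: int) -> bool:
    """True when the decimal digits of `intended` were typed into a hex field."""
    return stored == int(str(intended), 16)


def reg_line(name: str, seconds: int) -> str:
    """Correct .reg syntax for the value: eight hex digits, zero padded."""
    return f'"{name}"=dword:{seconds:08x}'


def check_sa_idle_time(values: Dict[Tuple[str, str], int],
                       qm_lifetime_s: int) -> List[str]:
    """Report an SAIdleTime that was mistyped or that does not match the
    Quick Mode SA lifetime configured on both peers."""
    findings = []
    for (_key, name), stored in values.items():
        if name != "SAIdleTime":
            continue
        if hex_field_trap(stored, qm_lifetime_s):
            findings.append(f"{name}={stored}: looks like {qm_lifetime_s} typed as hex "
                            f"(0x{qm_lifetime_s} = {stored}); fix with {reg_line(name, qm_lifetime_s)}")
        elif stored != qm_lifetime_s:
            findings.append(f"{name}={stored}s does not match the Quick Mode SA lifetime "
                            f"{qm_lifetime_s}s configured on both peers")
    if not any(name == "SAIdleTime" for _, name in values):
        findings.append("SAIdleTime not set; the default idle time (five minutes per the "
                        "thread) will trigger Quick Mode renegotiation")
    return findings


if __name__ == "__main__":
    for finding in check_sa_idle_time(parse_reg_dwords(SAMPLE_REG), 3600):
        print(finding)
```

Exporting the key with regedit (or `reg export`) and running it through this check is also a cheap way to record what was actually changed on the firewall, which matters when, as in this thread, the box starts rebooting on its own after a registry edit.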
RE: Remote VPN Site - 1.Jun.2007 4:41:53 AM
auchanaka1980 (Posts: 108, Joined: 16.Jan.2007)

This is our remote site gateway IP: 62.2.152.4
This I don't know: 172.4.62.4?
Remote site should look like this: 192.168.112.0/24 and 62.2.152.4. YES. It's correct.
This is the Sri Lanka net: 192.168.187.0/24; it's our internal range.
Our ISA Server's one card is 192.168.187.200; the other card's IP is 203.143.16.***
My client is 192.168.187.220; the client is a SecureNAT client.
Ping is working; tracert is not working.
Are you seeing the VPN remote site in ISA's Monitoring/Sessions? How to check?
You cannot connect with your application? Yes, it says the license server is not available.
Do you have some rules allowing NetBIOS (or all protocols) from Internal to Internal? NO
After you have removed IP Spoofing, did you reboot ISA? YES
Do you get some errors in ISA's Alert log or in the Event Viewer? NO
BUT when I boot the PC it automatically restarts 2 times.
Do you have multiple default gateways on ISA? NO
You should have only one, and that on the external interface. The DNS server must be configured on the Internal interface of ISA and point to the internal DNS server. Yes.
Have you defined the correct protocol (TCP ports needed) for that application (CAMCAD)? No, I opened all the outbound ports, that's all.

Can you please help me? Can I have your personal mail address?

Thanks,
Chanaka

(in reply to justmee)
Post #: 14
RE: Remote VPN Site - 1.Jun.2007 5:35:11 AM
justmee (Posts: 505, Joined: 14.May2007)

quote:

This I don't know: 172.4.62.4?

Didn't you write this:
quote:

and I entered their remote site gateway IP also, like this: 172.4.62.4 to 172.4.62.4. I entered both address ranges there.

quote:

BUT when I boot the PC it automatically restarts 2 times.

Wow!
Some problems there, hardware or software?
quote:

Are you seeing the VPN remote site in ISA's Monitoring/Sessions? How to check?

Just go to Monitoring on ISA. There you have the Sessions tab (there are many tabs there: Alerts, Logging, Services...).
You should see the session there.
Also, when you are on the VPN/Remote Sites panel, click on the remote site and then in the right panel you should see "Monitor site sessions". Click on it.
Try to disable SurfControl. My guess here is that there is a loop somewhere. SurfControl might play its part in these problems.
If you are desperate you can contact Microsoft for support at any time.
Just pick up the phone.
It looks like you are having some serious problems, especially when the server is rebooting itself a couple of times. Try to identify the cause of this problem too.
I still don't see why you are saying that tracert is not working:
quote:

C:\Documents and Settings\abc>tracert 192.168.112.10
Tracing route to 192.168.112.10 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  isa_server.abc.com [192.168.187.200]
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22   311 ms   317 ms   313 ms  192.168.112.10

Trace complete.

The remote server 192.168.112.10 is reached. It's 21 hops away.

< Message edited by justmee -- 1.Jun.2007 5:36:51 AM >

(in reply to auchanaka1980)
Post #: 15
RE: Remote VPN Site - 1.Jun.2007 7:09:21 AM
auchanaka1980 (Posts: 108, Joined: 16.Jan.2007)

Thanks for your support.

This is my mistake: 172.4.62.4. Before, I didn't show the correct gateway. Our remote gateway is 62.2.152.4.

The PC rebooted only 2 times, after I changed the registry. But now it's OK; I didn't install any new software.

Now I know how to see the VPN session. Nothing is showing.

I stopped SurfControl; still I have the same problem. Do you have any more solutions? Do you have experience creating a VPN site with a FortiGate hardware firewall?
Can I have the Microsoft support center phone number? Can you help to solve this problem?

Thanks,
Chanaka.

< Message edited by auchanaka1980 -- 1.Jun.2007 7:11:23 AM >

(in reply to justmee)
Post #: 16
RE: Remote VPN Site - 1.Jun.2007 9:08:04 AM
justmee (Posts: 505, Joined: 14.May2007)

quote:

Now I know how to see the VPN session. Nothing is showing.

So how exactly do you receive ping replies if there is no connection?
What does IPsec Monitor on ISA show when you look at the Main Mode and Quick Mode Security Associations after you issue that ping command and get the replies?
Can you take a Wireshark trace on ISA's external interface so we can see the IKE negotiations, or at least provide the oakley.log from ISA (it is located in WINDOWS\Debug)?
We must know whether the tunnel is actually established, but you give some confusing information.
Do you have ISA installed on a DC, or are there other services/products running on your ISA?
An interesting thing to see would be a Wireshark trace from the client with which you connect to the remote server, in order to check the packets sent by it. Make sure, if you post this trace, that if the server requires authentication it is not sent in clear text or protected with a weak algorithm; if so, do not post it.
quote:

Can I have the Microsoft support center phone number?

You've got to help yourself a little bit, mate!
The place where you bought ISA should have given you phone numbers and e-mail addresses for technical support (PSS).
You can also check the Microsoft section for your country to find e-mail addresses or phone numbers:
http://www.microsoft.com/worldwide/default.aspx
(search the regions to find your country if you don't see it in the main list)
I do not have experience with FortiGate, but may I ask what settings you received from the guys at the other end (IKE Phase I and II settings)?
As long as these settings are compatible with ISA there should not be any major problem with tunnel mode.
I still need a reason for those logs: Internal to Internal (a loop maybe). Something looks misconfigured there, maybe some access rules.
In my opinion, since you can ping and run tracert, the tunnel is up and seems fine (unless it drops for some reason). The spoofing errors are not coming from traffic destined to the remote network; actually they are from traffic destined for the Internal network (for a broadcast address). This suggests to me a configuration error on ISA unrelated to the site-to-site connection, some bad access rules...
To test the tunnel you can issue a ping -t for a couple of minutes and see what's happening. Also, maybe you can run a Remote Desktop connection to a computer located on the remote site.
Now, since you have modified the idle time on ISA, you should make sure that it matches the one set on the FortiGate.

< Message edited by justmee -- 1.Jun.2007 12:41:44 PM >

(in reply to auchanaka1980)
Post #: 17
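The reply above asks for a Wireshark trace of the external interface or the oakley.log because the one fact still missing from this thread is whether Main Mode and Quick Mode actually complete. The script below is an added example, not from the thread or any ISA tooling: it parses the fixed 28-byte ISAKMP (IKEv1) header from UDP/500 payloads and classifies a conversation as Phase I complete (six Main Mode messages, the last two encrypted, responder cookie set) and Phase II complete (three encrypted Quick Mode messages under one non-zero message ID). The packets are constructed with a valid header and an opaque zero body; on a real capture you would feed the UDP payload bytes to the same parser (for UDP/4500 NAT-T packets, strip the 4-byte non-ESP marker first).

```python
"""Added example (not from the thread): parse ISAKMP (IKEv1) headers from
UDP/500 payloads and decide whether Main Mode and Quick Mode completed."""
import struct
from dataclasses import dataclass
from typing import Dict, List

HEADER_LEN = 28
EXCHANGE = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}
FLAG_ENCRYPTED = 0x01


@dataclass(frozen=True)
class IsakmpHeader:
    init_spi: bytes
    resp_spi: bytes
    next_payload: int
    version: int
    exchange: int
    flags: int
    message_id: int
    length: int

    @property
    def encrypted(self) -> bool:
        return bool(self.flags & FLAG_ENCRYPTED)


def parse_header(payload: bytes) -> IsakmpHeader:
    """RFC 2408 header: 8+8 byte cookies, next payload, version, exchange type,
    flags, 4 byte message ID, 4 byte total length, all network byte order."""
    if len(payload) < HEADER_LEN:
        raise ValueError("short ISAKMP packet")
    hdr = IsakmpHeader(*struct.unpack("!8s8sBBBBII", payload[:HEADER_LEN]))
    if hdr.version >> 4 != 1:
        raise ValueError(f"not IKEv1 (major version {hdr.version >> 4})")
    if hdr.length != len(payload):
        raise ValueError("length field does not match payload")
    return hdr


def negotiation_state(payloads: List[bytes]) -> Dict[str, object]:
    """Summarise one IKE conversation. Main Mode is six messages with the last
    two encrypted; Quick Mode is three encrypted messages sharing a non-zero
    message ID."""
    mm, qm, info = [], {}, 0
    for p in payloads:
        h = parse_header(p)
        if h.exchange == 2:
            mm.append(h)
        elif h.exchange == 32:
            qm.setdefault(h.message_id, []).append(h)
        elif h.exchange == 5:
            info += 1
    phase1 = (len(mm) >= 6 and mm[-1].resp_spi != bytes(8)
              and all(h.encrypted for h in mm[4:6]))
    phase2_ids = [mid for mid, hs in qm.items()
                  if mid != 0 and len(hs) >= 3 and all(h.encrypted for h in hs)]
    return {"main_mode_msgs": len(mm), "phase1_complete": phase1,
            "phase2_complete": bool(phase2_ids), "quick_mode_sas": len(phase2_ids),
            "informational_msgs": info}


def build(init_spi: bytes, resp_spi: bytes, exchange: int, flags: int,
          message_id: int, body_len: int = 32) -> bytes:
    """Constructed test packet: valid header, opaque (zero) body."""
    total = HEADER_LEN + body_len
    return struct.pack("!8s8sBBBBII", init_spi, resp_spi, 1, 0x10,
                       exchange, flags, message_id, total) + bytes(body_len)


I, R, NONE = b"\x11" * 8, b"\x22" * 8, bytes(8)
# Full negotiation: MM1 (responder cookie still zero) .. MM6, then QM1..QM3.
FULL = ([build(I, NONE, 2, 0, 0)] + [build(I, R, 2, 0, 0)] * 3
        + [build(I, R, 2, FLAG_ENCRYPTED, 0)] * 2
        + [build(I, R, 32, FLAG_ENCRYPTED, 0x5A5A)] * 3)
# Peer answered MM1, then sent an Informational and went silent: the usual
# shape of a proposal or pre-shared key mismatch.
STALLED = FULL[:2] + [build(I, R, 5, 0, 0x77)]

if __name__ == "__main__":
    print(negotiation_state(FULL))
    print(negotiation_state(STALLED))
```

A run over the real trace answers the question the reply poses: if `phase1_complete` is false the problem is proposal or pre-shared key related and the FortiGate side's IKE log is the next stop; if both phases complete and the ping replies are explained, the remaining failure (the licence application on TCP 5353) is an access-rule or protocol-definition problem on ISA, not the tunnel.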
RE: Remote VPN Site - 1.Jun.2007 11:55:39 PM
auchanaka1980 (Posts: 108, Joined: 16.Jan.2007)

I can give you the IPsec Monitor result. Can I have your private email address? There we have our information.
The ISA server is a domain member machine only, not the DC.

Can you please tell me how you can help me to configure my tunnel? If you can do that I can get approval. Actually our other branch is using a Citrix server; all their servers are with their ISP.

If you can check my server I can arrange third-party software for you and I can open the ports to my machine.

Yesterday I installed ISA Server 2006 with Windows 2003 SP1, without installing the Windows patches. Still the result is the same. I think maybe it's my configuration problem. Can you give me support?

I'm waiting for your answer. If you can give me your phone number I can call you.

Best Regards,
Chanaka.

(in reply to justmee)
Post #: 18
RE: Remote VPN Site - 4.Jun.2007 12:38:58 AM
auchanaka1980 (Posts: 108, Joined: 16.Jan.2007)

Hi,

I ran the Wireshark tool. How can I send the result to you to check?

Please reply.

Regards,
Chanaka.

(in reply to auchanaka1980)
Post #: 19
RE: Remote VPN Site - 4.Jun.2007 4:49:47 AM
justmee (Posts: 505, Joined: 14.May2007)

Hi Chanaka,
Strange ways of dealing with problems you've got there.
About my contact information: currently, according to my country's laws, I can't provide you any support. For that I would have to take care of some legal aspects. I do not have time to deal with those right now, and I also have to make sure I have my back covered. Just in case!
So on these forums, as you can see, I'm only a simple person. Please note the security issues related to all this. If you still want to send me the Wireshark traces in private, it's up to you to do so. I did not request you to do so.
Any problems which may arise from these actions are not my problem and I cannot be held responsible for them.
If you understand all the above you can send them to justmenonone@hotmail.com
By the way, I don't want to sound paranoid, but one never knows.

(in reply to auchanaka1980)
Post #: 20