
Welcome to ISAserver.org


IPSec Site-to-Site ISA 06 to Cisco 851


All Forums >> [ISA 2006 Firewall] >> VPN >> IPSec Site-to-Site ISA 06 to Cisco 851 Page: [1]
IPSec Site-to-Site ISA 06 to Cisco 851 - 6.Jul.2007 1:15:59 PM   
p057080n
Posts: 26
Joined: 7.Jun.2007
Status: offline
I am trying to connect my ISA 2006 server to a remote site which has a Cisco 851 VPN router with endpoint capabilities.
I've spent a few days on it and I can't seem to get the two connected.

Each device is connected to their own verizon DSL modem.

From inner to outer to inner:

Headquarters Lan subnet: 159.112.50.X
ISA internal: 159.112.50.28
ISA External: 160.113.51.57
DSL modem internal: 160.113.51.1
DSL modem External: 71.98.252.***
INTERNET
DSL Modem External: 71.98.255.***
DSL modem internal: 57.57.57.1
Cisco 851 Router Ext: 57.57.57.2
Cisco Internal: 10.10.10.1
Remote Site Subnet: 10.10.10.X

On the Cisco side I have it set with all the same algorithms and all of those settings EXACTLY how the ISA has theirs set up. No problems there.

Now I have to connect to a remote peer; that'd be the ISA: 71.98.252.***
My internal IPSec endpoint is 57.57.57.2, correct?
I'd be connecting to the remote LAN (HQ), which should be 160.113.51.57, right? Or is it 159.112.50.28? I generally go with the former.

On the ISA side I put in these addresses in my "IP address ranges included in this network:"
Start Add.    End Add.
10.10.10.1 -- 10.10.10.100
57.57.57.1 -- 57.57.57.5
71.98.255.*** -- 71.98.255.***

And in the connection tab I have in the remote tunnel endpoint:
71.98.255.*** (remote site)

Local vpn gateway Ip address
tunnel endpoint:
160.113.51.57

As far as I can tell I have it set up fine... But for some reason they won't connect. I can't seem to figure out from the ISA side how to tell if it's connected, but on the Cisco side I can see the tunnel is just "down".


I can ping both sides fine, no issues there, and getting out to the net is a piece of cake. I tried to make sure as much as possible that the modems aren't blocking any ports needed by IPSec.... As far as I can tell I only need port 500 open both ways, correct? I also have them set port forwarding to the appropriate receiving IP addresses.


The only other thing I can think of, besides the modems STILL blocking the protocols/ports, is that ISA is for some reason blocking the IPsec protocols. I know I've been having problems with getting Outlook Express to get out to receive or send even after doing everything in my power to open up POP3 and SMTP.... I'm wondering if it's doing the same thing.


Any help will be infinitely appreciated, thanks.

Post #: 1
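The endpoint question in the post above (which address is "the peer", which one is "my endpoint", and what the modems have to pass) can be worked through with a small planner. The script below is an added example, not from the original post: it copies the post's two-site layout (the last octet the poster masked with *** is replaced by the placeholder 0), treats a gateway whose WAN interface does not hold the public address as sitting behind NAT, and applies the NAT-T rule from RFC 3947/3948 (IKE over UDP 500, UDP-encapsulated ESP over UDP 4500 when NAT is in the path, raw ESP only when it is not), which both Windows Server 2003 IPsec and IOS are assumed to support. The `Site` class, `plan_tunnel` and the overlap check are this example's own names.

```python
"""Tunnel-endpoint and modem-forwarding planner for a two-site IPsec layout:
a VPN gateway (ISA 2006 or a Cisco 851) behind a DSL modem that NATs on
each side.  Added example, not the poster's configuration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Site:
    name: str
    lan: str               # protected subnet behind the VPN gateway
    gateway_outside: str   # address configured on the gateway's WAN-facing interface
    modem_public: str      # address the other site actually sees on the Internet


# Constructed from the post's layout; masked octets replaced by the placeholder 0.
HQ = Site("HQ (ISA 2006)", "159.112.50.0/24", "160.113.51.57", "71.98.252.0")
BRANCH = Site("Remote site (Cisco 851)", "10.10.10.0/24", "57.57.57.2", "71.98.255.0")

# Traffic the modems must pass to the gateway behind them.
IKE = ("udp", 500)        # ISAKMP / IKE main and quick mode
NAT_T = ("udp", 4500)     # UDP-encapsulated ESP once NAT is detected (RFC 3948)
ESP = ("ip-proto", 50)    # raw ESP, only usable when no NAT sits in the path


def behind_nat(site: Site) -> bool:
    """True when the gateway does not itself hold the public address."""
    return site.gateway_outside != site.modem_public


def lans_overlap(a: Site, b: Site) -> bool:
    """Overlapping protected subnets cannot be routed through one tunnel."""
    return ipaddress.ip_network(a.lan).overlaps(ipaddress.ip_network(b.lan))


def plan_tunnel(local: Site, remote: Site) -> dict:
    """Describe the tunnel from `local`'s point of view."""
    nat_in_path = behind_nat(local) or behind_nat(remote)
    forwards: List[Tuple[str, int]] = [IKE, NAT_T if nat_in_path else ESP]
    return {
        # The gateway uses its own interface address as the local endpoint ...
        "local_tunnel_endpoint": local.gateway_outside,
        # ... and peers with the address the other side presents to the Internet.
        "remote_peer": remote.modem_public,
        "remote_protected_network": remote.lan,
        "nat_traversal_required": nat_in_path,
        # What the local modem must forward, and to which inside address.
        "modem_forwards": forwards,
        "forward_target": local.gateway_outside,
        "lan_overlap": lans_overlap(local, remote),
    }


if __name__ == "__main__":
    for local, remote in ((HQ, BRANCH), (BRANCH, HQ)):
        print(f"--- {local.name} ---")
        for key, value in plan_tunnel(local, remote).items():
            print(f"{key:26} {value}")
```

Run from either side, the plan says the peer address to configure is the other site's public modem address, the local endpoint is the gateway's own WAN interface, and because both gateways are behind NAT the modems need UDP 4500 forwarded in addition to UDP 500; forwarding only port 500 lets main mode start but leaves nothing for the ESP traffic to travel in.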
RE: IPSec Site-to-Site ISA 06 to Cisco 851 - 10.Jul.2007 8:07:40 AM   
p057080n
Posts: 26
Joined: 7.Jun.2007
Status: offline
OK, I've finally got it working after tweaking the modem, router, and ISA settings.

I am in the process of doing a write-up and will post ASAP to help others that were stuck in my situation.

(in reply to p057080n)
Post #: 2
RE: IPSec Site-to-Site ISA 06 to Cisco 851 - 6.Sep.2007 11:01:10 AM   
dila125
Posts: 20
Joined: 24.Sep.2004
Status: offline
Did you ever manage to do a write-up?

I've just posted a new thread about a similar problem and would really like to hear how you got your setup working.

Thanks

(in reply to p057080n)
Post #: 3
RE: IPSec Site-to-Site ISA 06 to Cisco 851 - 7.Sep.2007 10:33:10 AM   
p057080n
Posts: 26
Joined: 7.Jun.2007
Status: offline
quote:

ORIGINAL: dila125

Did you ever manage to do a write-up?

I've just posted a new thread about a similar problem and would really like to hear how you got your setup working.

Thanks


Yes! I actually have it working 100% at the current moment. I've sent a response to the email you've sent. I need to modify the document I've written up and then add the changes I made two days ago to get this working. I'll post it up as a PDF file.




*Edit* for clarification: I did have it somewhat working before, though it had some sort of strange problem where it would seem to go down periodically (depending on the kill times I set, it would go down anywhere from every 8 minutes to every forty minutes). This was deemed unacceptable and I've been spending all this time attempting to figure out how to keep it from doing that, down to at LEAST 2-3 times a day. As of today, the VPN connection has been solid for one full day without a single drop of the connection, and I believe that it is now 100% functional and I am finished. (I will also make note in my write-up of why this problem occurred and how I got around it.)
I am debating whether or not to make a shorter write-up so you can just get the general information rather than all of the extended, extremely detailed walkthrough for the specific setup I have made so far... I'll probably end up attaching it to the end of the document.

< Message edited by p057080n -- 7.Sep.2007 11:25:45 AM >

(in reply to dila125)
Post #: 4
RE: IPSec Site-to-Site ISA 06 to Cisco 851 - 14.Sep.2007 10:17:02 AM   
p057080n
Posts: 26
Joined: 7.Jun.2007
Status: offline
I apologize for taking so long to post this.

Excuse my rather lousy writing style and any errors and/or false statements I might have made in the document; I tried to write to the best of my knowledge and abilities.

If you have any questions regarding the document or the setup, please PM me on these boards; I will make an attempt to respond promptly with assistance.


If you enjoyed the document or it helped you in any way, please let me know and give me feedback. The document is always being added to and changed; I like constructive criticism.

EDIT: Never mind, I hosted it on a server, just going to hide the address to prevent spamming.

I do not know how long TinyURL will leave the link up but here it goes!

http://tinyurl.com/2j7n29

It will send you straight to the PDF file.


< Message edited by p057080n -- 14.Sep.2007 10:26:39 AM >

(in reply to p057080n)
Post #: 5
RE: IPSec Site-to-Site ISA 06 to Cisco 851 - 14.Sep.2007 1:18:26 PM   
justmee
Posts: 505
Joined: 14.May2007
Status: offline
Hi Dan,
Who taught you to modify the IKE parameters?
They are all wrong, or do they actually fit your security needs?
Keep in mind that with 3DES and DH 1024 you have 80 bits of security.
By setting the Main Mode “authenticate and generate new key every” to 86400 seconds (24 hours) and then changing Quick Mode to 5 minutes you consume the entropy of the Diffie-Hellman shared secret.
And you also disabled PFS for session keys, meaning that the keys for IPsec ESP will be derived from the keying material obtained in Main Mode.
Bad, bad, bad, bad, bad...
But once again, if you are a cryptographer (or consulted one) then it might be OK for you.
I recommend you to read the RFCs and check the NIST site for guidelines.
You might like to read Stefaan's article below (if you have Windows 2003 SP1):
http://blogs.isaserver.org/pouseele/2006/09/08/a-new-ipsec-quick-mode-security-association-is-negotiated-every-5-minutes-when-you-use-an-ipsec-tunnel-mode-connection-on-a-windows-2003-sp1-based-server/
And the support page from Microsoft's site:
http://support.microsoft.com/default.aspx?scid=kb;en-us;917025
Best regards!

(in reply to p057080n)
Post #: 6
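The three objections in the reply above (cipher/DH pairing that yields only 80 bits, a day-long main-mode SA feeding five-minute quick-mode rekeys, and PFS switched off) can be turned into a proposal review that flags each one. The script below is an added example, not from the thread or from either vendor: the strength figures are the NIST SP 800-57 Part 1 security-strength equivalents, while the 112-bit floor and the cap on quick-mode rekeys per main-mode SA are assumed review thresholds, and `Proposal`, `review` and the two sample proposals are this example's own names.

```python
"""Review an IKE/IPsec tunnel proposal for weak strength, PFS disabled and
quick-mode rekeys that all hang off one long-lived main-mode secret.
Added example; thresholds below are assumptions, strengths are NIST SP 800-57.
"""
from dataclasses import dataclass
from typing import List

# NIST SP 800-57 Part 1: bits of security per symmetric algorithm.
CIPHER_STRENGTH = {"des": 56, "3des": 112, "aes128": 128, "aes192": 192, "aes256": 256}
# Finite-field Diffie-Hellman: modulus size in bits -> bits of security.
DH_STRENGTH = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}

MIN_STRENGTH = 112                # assumed policy floor
MAX_QM_PER_MM_WITHOUT_PFS = 24    # assumed: more rekeys than this off one DH secret is flagged


@dataclass
class Proposal:
    cipher: str
    dh_modulus_bits: int
    main_mode_lifetime_s: int     # IKE phase 1 SA lifetime
    quick_mode_lifetime_s: int    # IPsec phase 2 SA lifetime
    pfs: bool                     # fresh DH exchange for every quick mode


# The thread's settings as the reply describes them: 3DES, DH 1024, MM 24 h, QM 5 min, no PFS.
THREAD_PROPOSAL = Proposal("3des", 1024, 86400, 300, pfs=False)
# A constructed stronger configuration for comparison.
HARDENED_PROPOSAL = Proposal("aes128", 2048, 28800, 3600, pfs=True)


def dh_strength(modulus_bits: int) -> int:
    """Largest tabulated strength whose modulus does not exceed the given size; 0 below 1024."""
    fitting = [s for m, s in DH_STRENGTH.items() if m <= modulus_bits]
    return max(fitting, default=0)


def security_strength(p: Proposal) -> int:
    """A proposal is only as strong as its weakest component."""
    return min(CIPHER_STRENGTH[p.cipher], dh_strength(p.dh_modulus_bits))


def review(p: Proposal) -> List[str]:
    """Return one finding per weakness; an empty list means the proposal passes."""
    findings: List[str] = []
    strength = security_strength(p)
    if strength < MIN_STRENGTH:
        findings.append(
            f"{p.cipher} with DH-{p.dh_modulus_bits} gives {strength} bits of security "
            f"(policy floor {MIN_STRENGTH})"
        )
    if not p.pfs:
        findings.append(
            "PFS disabled: ESP keys derive from main-mode keying material, so one "
            "compromised main-mode secret exposes every quick-mode SA it produced"
        )
    rekeys = p.main_mode_lifetime_s // p.quick_mode_lifetime_s
    if not p.pfs and rekeys > MAX_QM_PER_MM_WITHOUT_PFS:
        findings.append(
            f"{rekeys} quick-mode rekeys per main-mode SA are all keyed from one DH "
            "exchange; shorten the main-mode lifetime or enable PFS"
        )
    return findings


if __name__ == "__main__":
    for label, proposal in (("thread", THREAD_PROPOSAL), ("hardened", HARDENED_PROPOSAL)):
        print(f"{label}: {security_strength(proposal)} bits")
        for finding in review(proposal) or ["no findings"]:
            print("  -", finding)
```

The thread's proposal comes back with three findings and 80 bits of effective strength (the DH group, not 3DES, is the limiting factor), while the hardened one passes; the rekey count makes the "consuming the entropy of the shared secret" point concrete, since 86400 / 300 is 288 quick-mode SAs derived from a single Diffie-Hellman exchange when PFS is off.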
RE: IPSec Site-to-Site ISA 06 to Cisco 851 - 14.Sep.2007 3:55:28 PM   
p057080n
Posts: 26
Joined: 7.Jun.2007
Status: offline
quote:

ORIGINAL: justmee

Hi Dan,
Who taught you to modify the IKE parameters?
They are all wrong, or do they actually fit your security needs?

No one taught me how to "modify" IKE parameters, this is what I used for the reasons I needed. The only knowledge I have is the very limited understanding of IPsec, IKE, and the whole VPN aspect of networking gathered from sites strewn across the internet...
quote:

ORIGINAL: justmee
Keep in mind that with 3DES and DH 1024 you have 80 bits of security.
By setting the Main Mode “authenticate and generate new key every” to 86400 seconds (24 hours) and then changing Quick Mode to 5 minutes you consume the entropy of the Diffie-Hellman shared secret.
I had to set the QM to 5 minutes due to the strange bug with SP1 that screwed everything up, I explained it in the article. If I had the possibility of upgrading to SP2, I would have.
quote:

ORIGINAL: justmee
And you also disabled PFS for session keys, meaning that the keys for IPsec ESP will be derived from the keying material obtained in Main Mode.
Bad, bad, bad, bad, bad...
But once again, if you are a cryptographer (or consulted one) then it might be OK for you.
Trust me, the data we have going back and forth isn't company trade secrets or sensitive account information, I didn't need to complicate my life further. In reality, I forgot to set up PFS, and I decided to just not use it.
quote:

ORIGINAL: justmee
I recommend you to read the RFCs and check the NIST site for guidelines.
You might like to read Stefaan's article below (if you have Windows 2003 SP1):
http://blogs.isaserver.org/pouseele/2006/09/08/a-new-ipsec-quick-mode-security-association-is-negotiated-every-5-minutes-when-you-use-an-ipsec-tunnel-mode-connection-on-a-windows-2003-sp1-based-server/
And the support page from Microsoft's site:
http://support.microsoft.com/default.aspx?scid=kb;en-us;917025
Best regards!

I've actually read as many documents on this site and Microsoft's site as I could, and Googled to heck just to find information that could have helped with this rather painful project.
I read Pouseele's document, and I give all credit to him for finding that out (or at least finally publishing it somewhere). I just could not upgrade to SP2 and the registry edit didn't do the fix for me, so instead I worked with it rather than against it.


In our next setup, I might consider implementing those changes though. For now, the system is still in its first baby steps as a fully functional network; I might give it those enhancements once I'm sure it'll stay up properly, which might be somewhat soon.

Thanks for the comments.

< Message edited by p057080n -- 14.Sep.2007 3:57:56 PM >

(in reply to justmee)
Post #: 7
RE: IPSec Site-to-Site ISA 06 to Cisco 851 - 15.Sep.2007 5:13:30 AM   
justmee
Posts: 505
Joined: 14.May2007
Status: offline
It's your decision after all.
If it is good for you.
But if someone finds the doc you have published it is good to be informed about the low security of your setup. Just in case he/she will follow your doc.

(in reply to p057080n)
Post #: 8
RE: IPSec Site-to-Site ISA 06 to Cisco 851 - 15.Sep.2007 9:41:56 AM   
p057080n
Posts: 26
Joined: 7.Jun.2007
Status: offline
quote:

ORIGINAL: justmee

It's your decision after all.
If it is good for you.
But if someone finds the doc you have published it is good to be informed about the low security of your setup. Just in case he/she will follow your doc.


Yep, you're right. I'll edit it when I get back to work on Monday, or hopefully people read this thread before downloading. Security wasn't the biggest thing on the plate; I was mainly looking for quick functionality. Like I said, sometime soon I'll consider adding PFS, changing the time rate on the Phase 1 key, upgrading the shared key to something much more complicated, and maybe changing a few other things.


Thanks!

(in reply to justmee)
Post #: 9
RE: IPSec Site-to-Site ISA 06 to Cisco 851 - 20.Feb.2008 6:03:56 AM   
OrderOfLlama
Posts: 1
Joined: 20.Feb.2008
Status: offline
Hi there,

the link seems to be dead... Is there any way for me to still get hold of this document?

I've got ISA 2004 to an 857 and I'm going mad here...

Any help much appreciated...

Cheers

(in reply to p057080n)
Post #: 10
