Welcome to ISAserver.org


site to site VPN issue

All Forums >> [ISA 2006 Firewall] >> VPN >> site to site VPN issue Page: [1]
site to site VPN issue - 8.Nov.2007 5:56:45 AM   
isa2006_virgin
Posts: 1
Joined: 8.Nov.2007
Hi all,

Just established a new site to site VPN using L2TP over IPSec, using ISA Server 2006 Standard. Currently I have a main site and a remote site.

The main site has an AD domain

The remote site ISA is a standalone server (but is a domain member). There is nothing else on this network apart from a single client in the same local IP range as defined on the ISA's internal network range, e.g. 192.168.0.1 - 192.168.0.254.

The internal range on the main network is 10.x.x.x - 10.x.x.x

The two site's ISA servers can see each other. I can even run an RDC session to the remote site ISA box on the main network. However, I cannot access the client PC on the remote network and the client PC cannot see the main network either.

Interestingly, I can ping the client PC on the remote network from the main network ISA box using its IP address.

I've noticed the remote ISA box has an IP address within the main network's DNS, which is why I can access it. But the remote client does not.

Now I am probably missing something obvious here and wonder if anyone could shed any light on the problem?

Thanks all


< Message edited by isa2006_virgin -- 8.Nov.2007 6:00:50 AM >
Post #: 1
RE: site to site VPN issue - 26.Nov.2007 9:35:43 AM   
LitiaM
Posts: 10
Joined: 12.Jan.2007
Hi,

What DNS server is the client configured to use? Is it the one at the local site or one at the main office? Please check that and try again.

Bye for now

(in reply to isa2006_virgin)
Post #: 2
RE: site to site VPN issue - 14.Jan.2008 7:42:18 PM   
GeoTech
Posts: 26
Joined: 23.May2001
From: Richmond, VA USA
Hi.

I am having a similar, if not the same, problem. Either ISA server can see the other ISA server and the devices behind the remote ISA server, but clients behind the ISA server on either side cannot see the other side's server or the devices behind it.

I have a split DNS and resolution works in all directions from all servers and clients. I am using DHCP to assign VPN IP addresses and have read and followed Tom's two articles on Branch Office VPNs as well as the articles on carbonwind.net (not sure who the author is, but nice stuff).

When I used the logging query filter and monitored a session from one side to the other, I could see that the packet is allowed through the local ISA server and forwarded to the remote ISA server, where the query filter shows it as denied but does not list a rule that denied it.

So I turned on Diagnostic Logging and see the following errors when I attempt to ping:

Source does not match the packet
Destination does not match the packet

I have double checked network rules and access rules on both sides deleted rebuilt etc with no success.

In this example my “main” ISA server is my production ISA 2006 SE firewall (configured as 3-leg with DMZ) and the “Branch” server is a test server directly connected to the LAN side of my internet connection with a public IP address to simulate the remote office, also running ISA 2006 SE.

My question, did you find a resolution to your problem and if so what?

And/Or

Does anyone have an idea or a way to better troubleshoot this problem?

Thanks for the help, Ken

(in reply to LitiaM)
Post #: 3
RE: site to site VPN issue - 15.Jan.2008 3:52:46 AM   
justmee
Posts: 505
Joined: 14.May2007
Hi Ken,
Can you post the site-to-site summary from both ISAs ?(of course we are not interested in seeing your public IP addresses)
Regards!

(in reply to GeoTech)
Post #: 4
RE: site to site VPN issue - 15.Jan.2008 9:48:28 AM   
GeoTech
Posts: 26
Joined: 23.May2001
From: Richmond, VA USA
Hi Justmee,

Here are the Main site and the Branch site settings. You will see I have several internal network segments on the Main side: 172.28 is for data, 172.29 is for IP Phones, 172.31 is for network gear (routers, switches). The local subnet for the main site is 172.28.12.0/23. The local subnet for the remote site is 172.28.40.0/23.

Thanks, Ken

Main Site-to-Site Settings Summary

Remote Gateway Address: 66.xxx.xxx.7
VPN Network Authentication Protocols (outgoing):
   MS-CHAP v2
General VPN Settings Authentication Protocols (incoming):
   MS-CHAP v2
Outgoing Authentication Method: Pre-shared secret (#####)
Incoming Authentication Method: Certificate and pre-shared secret (#####)
Local User: BranchVPN
Remote Site User: FnR\BranchVPN
Site-to-Site Network IP Addresses: 172.28.40.0-172.28.41.255, 172.29.40.0-172.29.40.255, 172.31.254.240-172.31.254.255
Routable Local IP Addresses: 172.28.12.0-172.28.39.255, 172.28.255.255, 172.29.12.0-172.29.12.255, 172.29.14.0-172.29.14.255, 172.29.16.0-172.29.16.255, 172.29.18.0-172.29.18.255, 172.29.20.0-172.29.20.255, 172.29.22.0-172.29.22.255, 172.29.24.0-172.29.24.255, 172.29.26.0-172.29.26.255, 172.29.28.0-172.29.28.255, 172.29.30.0-172.29.30.255, 172.29.32.0-172.29.32.255, 172.29.34.0-172.29.34.255, 172.29.36.0-172.29.36.255, 172.29.38.0-172.29.38.255, 172.31.254.0-172.31.254.239

Required site-to-site settings for the other end of this tunnel:

General VPN Settings Authentication Protocols (one or more of the following):
   MS-CHAP v2
VPN Network Authentication Protocols (one or more of the following):
   MS-CHAP v2
Outgoing Authentication Method: Pre-shared secret (#####)
Incoming Authentication Method: Certificate and pre-shared secret (#####)
Remote Gateway Address:
   An IP address or a DNS resolvable name.
   If NLB is enabled, the VIP of the remote array should be used.
Local User: FnR\BucharestVPN
Remote Site User: BucharestVPN
Site-to-Site Network IP Addresses: 172.28.12.0-172.28.39.255, 172.28.255.255, 172.29.12.0-172.29.12.255, 172.29.14.0-172.29.14.255, 172.29.16.0-172.29.16.255, 172.29.18.0-172.29.18.255, 172.29.20.0-172.29.20.255, 172.29.22.0-172.29.22.255, 172.29.24.0-172.29.24.255, 172.29.26.0-172.29.26.255, 172.29.28.0-172.29.28.255, 172.29.30.0-172.29.30.255, 172.29.32.0-172.29.32.255, 172.29.34.0-172.29.34.255, 172.29.36.0-172.29.36.255, 172.29.38.0-172.29.38.255
Routable Local IP Addresses: 172.28.40.0-172.28.41.255, 172.29.40.0-172.29.40.255, 172.31.254.240-172.31.254.255

Branch Site-to-Site Settings Summary

Remote Gateway Address: 66.xxx.xxx.2
VPN Network Authentication Protocols (outgoing):
   MS-CHAP v2
General VPN Settings Authentication Protocols (incoming):
   MS-CHAP v2
Outgoing Authentication Method: Pre-shared secret (#####)
Incoming Authentication Method: Certificate and pre-shared secret (#####)
Local User: MainVPN
Remote Site User: FnR\MainVPN
Site-to-Site Network IP Addresses: 172.28.12.0-172.28.39.255, 172.29.12.0-172.29.39.255, 172.31.254.0-172.31.254.239
Routable Local IP Addresses: 172.28.40.0-172.28.41.255, 172.28.255.255, 172.29.40.0-172.29.40.255, 172.31.254.240-172.31.254.255

Required site-to-site settings for the other end of this tunnel:

General VPN Settings Authentication Protocols (one or more of the following):
   MS-CHAP v2
VPN Network Authentication Protocols (one or more of the following):
   MS-CHAP v2
Outgoing Authentication Method: Pre-shared secret (#####)
Incoming Authentication Method: Certificate and pre-shared secret (#####)
Remote Gateway Address:
   An IP address or a DNS resolvable name.
   If NLB is enabled, the VIP of the remote array should be used.
Local User: FnR\MainVPN
Remote Site User: MainVPN
Site-to-Site Network IP Addresses: 172.28.40.0-172.28.41.255, 172.28.255.255, 172.29.40.0-172.29.40.255, 172.31.254.240-172.31.254.255
Routable Local IP Addresses: 172.28.12.0-172.28.39.255, 172.29.12.0-172.29.39.255, 172.31.254.0-172.31.254.239

(in reply to justmee)
Post #: 5
RE: site to site VPN issue - 15.Jan.2008 10:03:22 AM   
justmee
Posts: 505
Joined: 14.May2007
Hi Ken,
At first glance (I'm on the run right now, I'll come back later if I spot something else) we can see that some settings do not match:
Main
Local User: BranchVPN
Remote Site User: FnR\BranchVPN
Required:
Local User: FnR\BucharestVPN
Remote Site User: BucharestVPN

And you have at the Branch:
Local User: MainVPN
Remote Site User: FnR\MainVPN

When the remote site name on the main ISA is say BranchVPN then a local user called BranchVPN must exist on Main ISA which will be used by the Branch ISA to connect to the Main ISA.
When the remote site name on the branch ISA is say MainVPN then a local user called MainVPN must exist on Branch ISA which will be used by the Main ISA to connect to the Branch ISA.
Please correct that.
J

(in reply to GeoTech)
Post #: 6
RE: site to site VPN issue - 15.Jan.2008 10:12:38 AM   
GeoTech
Posts: 26
Joined: 23.May2001
From: Richmond, VA USA
Oops, my mistake. I was trying to remove any "identity" from the username and remote site names. They do actually match. Ken

(in reply to justmee)
Post #: 7
RE: site to site VPN issue - 15.Jan.2008 3:29:26 PM   
justmee
Posts: 505
Joined: 14.May2007
So you are saying that the remote site names and local user account names are fine.
I was looking a little bit at those IP addresses and trying to understand your current scenario (many IP addresses).
If I understand correctly you have network-behind-a-network scenarios at both sides.
Did you create a network rule for the DMZ at the Main ISA, or do all those IP addresses belong to ISA's Internal Network?
It's not very clear to me how your net diagram looks.
The local subnet at Main ISA is 172.28.12.0/23, meaning that the IP address of ISA's internal NIC belongs to this subnet while the rest of the subnets are accessible through a router?
The local subnet for the Branch ISA is 172.28.40.0/23, again meaning that the IP address of ISA's internal NIC belongs to this subnet while the rest of the subnets are accessible through a router?
Also at the Branch ISA you've "summarized" the networks from the Main Office as 172.29.12.0-172.29.39.255, which is not correct since many of them do not exist at the Main Office.
Try to carefully enter the ranges, because your IP addressing scheme is already complicated (addresses almost overlap at the two offices).
I see that 172.28.255.255 is defined on both ISAs' Internal Network. Are you sure this broadcast IP address is needed?
I suppose you created only routing relationships between local networks and remote sites on both ISAs.
Actually, how have you created these network rules and access rules?
It might be an access rule problem or your "summarization" (not sure though).
Typically this is the basic stuff to be checked: network rules, network ranges, access rules, remote site names and local user; make sure that "Register this connection's addresses in DNS" is unchecked at both sides...
Something does not match according to the Diagnostic Logging (whatever that means, since Microsoft has not documented those errors); that's why I was pointing to the access rules or network rules.
J

< Message edited by justmee -- 15.Jan.2008 4:14:45 PM >

(in reply to GeoTech)
Post #: 8
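An added check, not part of the thread (example code written for this page, not ISA's own tooling): the mismatch justmee points out above can be found mechanically from the two settings summaries Ken posted. Each side's "Site-to-Site Network IP Addresses" must be exactly the other side's "Routable Local IP Addresses", and no address may be both local and remote on the same ISA. The range strings below are copied from post #5; the script expands them, diffs them, and reports the branch-side summarization (the odd 172.29.x.0/24 blocks that do not exist at the main office) and the 172.28.255.255 entry that appears only in each side's local list.

```python
import ipaddress

# Ranges copied from the two Site-to-Site Settings Summaries posted in this thread (post #5).
MAIN_LOCAL = (
    "172.28.12.0-172.28.39.255, 172.28.255.255, 172.29.12.0-172.29.12.255, "
    "172.29.14.0-172.29.14.255, 172.29.16.0-172.29.16.255, 172.29.18.0-172.29.18.255, "
    "172.29.20.0-172.29.20.255, 172.29.22.0-172.29.22.255, 172.29.24.0-172.29.24.255, "
    "172.29.26.0-172.29.26.255, 172.29.28.0-172.29.28.255, 172.29.30.0-172.29.30.255, "
    "172.29.32.0-172.29.32.255, 172.29.34.0-172.29.34.255, 172.29.36.0-172.29.36.255, "
    "172.29.38.0-172.29.38.255, 172.31.254.0-172.31.254.239"
)
MAIN_REMOTE = "172.28.40.0-172.28.41.255, 172.29.40.0-172.29.40.255, 172.31.254.240-172.31.254.255"
BRANCH_LOCAL = "172.28.40.0-172.28.41.255, 172.28.255.255, 172.29.40.0-172.29.40.255, 172.31.254.240-172.31.254.255"
BRANCH_REMOTE = "172.28.12.0-172.28.39.255, 172.29.12.0-172.29.39.255, 172.31.254.0-172.31.254.239"


def parse_ranges(text):
    """Turn an ISA-style 'a-b, c-d, e' address list into a set of integer IPv4 addresses.
    ISA accepts arbitrary start-end ranges (not only CIDR blocks), so sets are the
    simplest exact representation for comparing two lists."""
    addrs = set()
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        start = int(ipaddress.IPv4Address(lo.strip()))
        end = int(ipaddress.IPv4Address(hi.strip())) if hi else start
        if end < start:
            raise ValueError("reversed range: %s" % item)
        addrs.update(range(start, end + 1))
    return addrs


def to_ranges(addrs):
    """Collapse a set of integer addresses back into sorted 'a-b' strings (single hosts as 'a')."""
    runs = []
    for a in sorted(addrs):
        if runs and runs[-1][1] + 1 == a:
            runs[-1][1] = a
        else:
            runs.append([a, a])
    out = []
    for lo, hi in runs:
        lo_s, hi_s = str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(hi))
        out.append(lo_s if lo == hi else "%s-%s" % (lo_s, hi_s))
    return out


def compare_sites(main_local, main_remote, branch_local, branch_remote):
    """Each side's remote-site network must equal the other side's routable local
    addresses, and no side may list an address as both local and remote.
    Every value in the result should be an empty list for a consistent tunnel."""
    ml, mr = parse_ranges(main_local), parse_ranges(main_remote)
    bl, br = parse_ranges(branch_local), parse_ranges(branch_remote)
    return {
        "branch_remote_not_in_main_local": to_ranges(br - ml),
        "main_local_not_in_branch_remote": to_ranges(ml - br),
        "main_remote_not_in_branch_local": to_ranges(mr - bl),
        "branch_local_not_in_main_remote": to_ranges(bl - mr),
        "main_local_remote_overlap": to_ranges(ml & mr),
        "branch_local_remote_overlap": to_ranges(bl & br),
    }


if __name__ == "__main__":
    result = compare_sites(MAIN_LOCAL, MAIN_REMOTE, BRANCH_LOCAL, BRANCH_REMOTE)
    for name, ranges in result.items():
        print("%-34s %s" % (name, ", ".join(ranges) or "(none)"))
```

Running it prints one line per check; an empty result on all six means the two summaries describe the same tunnel. With the ranges as posted, the branch side's remote list contains fourteen 172.29.x.0/24 blocks the main office never defined, and 172.28.255.255 is present in each side's local list but in neither side's remote list, so the two ISAs disagree about what the tunnel carries.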
RE: site to site VPN issue - 15.Jan.2008 5:48:49 PM   
GeoTech
Posts: 26
Joined: 23.May2001
From: Richmond, VA USA
Below you will see a more detailed network diagram. We do have 13 networks behind the MAIN ISA server via an MPLS provider. If it does not show up in the post you can access it here: http://www.imageno.com/8r84td4clgjqpic.html

Below are answers to the questions you pose...

The Branch and Main names and user accounts all match. All of the addresses belong to the ISA server's internal NIC.
Main local ISA internal NIC belongs to 172.28.12.0 and all other subnets are accessible via a router.
Branch local ISA internal NIC belongs to 172.28.40.0 and all other subnets are accessible via a router.
I did summarize the networks on the branch side, I have reconfigured and entered as separate subnets. No change in behavior
172.28.255.255 is added because ISA issues a Configuration error in the event log if it is not in the Network description. I can remove it and test later tonight when I can take it down.
I allowed the Site-to-Site Wizard to create the network rules (following Tom's tutorial) and they are Route relationships.
I also created an Allow All access rule (for testing) between branch and internal and vice-versa on both sides (again per Tom's and Microsoft's tutorial)
I have unchecked the DNS registration for the connection on both sides
I will try removing the 172.28.255.255 broadcast on both sides later and post my test results.

My thought is: because the VPN adapter's assigned address (via DHCP) is considered local to the internal network and the VPN adapter is considered a separate network, would that not create a routing issue? I tried manually assigning addresses to the VPN on both sides and had the same results....

Thanks for your help and your time. Ken

(in reply to justmee)
Post #: 9
RE: site to site VPN issue - 16.Jan.2008 7:39:01 AM   
justmee
Posts: 505
Joined: 14.May2007
Hi Ken,
I see.
Regarding the IP addresses from the RRAS, this is normal behaviour. Actually it is an indication that things went fine.
For example the branch interface from RRAS on Main ISA should have an IP address from the remote Branch office; if you use DHCP on the Branch office it should have an IP address from the 172.28.40.0 subnet.
And vice-versa: the main interface from RRAS on Branch ISA should have an IP address from the remote Main office; if you use DHCP on the Main office it should have an IP address from the 172.28.12.0 subnet.
If you see this sort of thing, that would indicate that the IKE MM and IKE QM negotiations went fine (the Oakley.log for L2TP/IPsec site-to-site is different from IPsec tunnel mode site-to-site since L2TP/IPsec uses transport mode) and also that the L2TP tunnel is up and running.
In fact you should stay away from the RRAS console (exceptions like the DNS registration) because all of the config is done from the ISA GUI. Otherwise unexpected results might appear.
If ISA complains about 172.28.255.255 then you should leave it there.
I assume that ISA does not show an alert for network misconfigurations (has routes to the internal subnets).
After you have reconfigured the Branch ISA, did you restart the RRAS service?
Actually, how are you trying to bring up the tunnel?
You should always try (say, ping) from a computer behind ISA to a computer behind the remote ISA and not from ISA itself.
You cannot ping from a Client PC (from 172.28.12.0/23) to a Client PC (from 172.28.40.0/23)?
What confuses me a little bit is the fact that on both Offices you have a switch connecting:
- Main:
172.28.12.0/23 and 172.28.12.0/24
- Branch:
172.28.40.0/23 and 172.28.40.0/24
That does not sound correct to me.
What exact IP addresses do both ISAs have: from the /23 or from the /24?
If everything is configured correctly, I'm afraid that I'm not aware of any bugs or so that might prevent communications (I have a long list of successes with these types of connections with ISA).
Have you tried running ISA BPA ?
It can be useful.
Actually you can use Visio to get some sort of net diag:
http://www.isaserver.org/tutorials/ISA-Best-Practices-Analyzer-Visio.html
J


< Message edited by justmee -- 16.Jan.2008 7:40:47 AM >

(in reply to GeoTech)
Post #: 10
RE: site to site VPN issue - 19.Jan.2008 2:38:45 PM   
GeoTech
Posts: 26
Joined: 23.May2001
From: Richmond, VA USA
Hi Justmee,

You are correct that I have no configuration errors on the Alert panel from either ISA server and as I said I can talk (PING RDP TELNET) from either ISA Server to the other side's network clients. I just can't talk from a client on one side to a client on the other side. I have restarted the server and RRAS on both sides several times in testing and when I change settings. The tunnels come up automatically (due to regular network traffic) on both sides if I reboot either server.

I have run ISABPA and it shows no warnings aside from the normal stuff. I did run the BPAVisio tool and it came up with two warnings in the drawing.

BPA2Visio did not find direct network from this interface:RAS Server (Dial In) Interface
 
BPA2Visio did not find direct network from this interface:BranchVPN
 
Do I understand that as there is no IP route on that end of the tunnel? Could this problem be because I have added Persistent routes to my routing table??

I have included a link to the BPAVisio drawing.
http://www.imageno.com/ybbbmb9304fopic.html

Thanks again, Ken

< Message edited by GeoTech -- 19.Jan.2008 3:01:47 PM >

(in reply to justmee)
Post #: 11
RE: site to site VPN issue - 19.Jan.2008 3:59:56 PM   
justmee
Posts: 505
Joined: 14.May2007
Hi Ken,
I have run BPAVisio on my ISA, which has two L2TP/IPsec site-to-site connections (one of them is down right now since the remote ISA is offline).
It came up with the same warnings for the online site-to-site connection.
However in my case I do not have any connectivity problems.
I would say that we can safely ignore those warnings (I think it complains about the fact that these interfaces have /32 netmasks and are not "directly" connected to any network, just a guess though, stupid or not).
Just check the routing table with route print(or from RRAS) on both ISAs and see what routes do you have for the remote site.
They are dynamic routes since the IP address obtained for the BranchVPN interface may vary.
On Main ISA, this route is through the BranchVPN interface; this interface has an IP address from the remote site (as said in my previous post). And the gateway is the IP address of the remote Main interface (on the other side, the Main interface has obtained an IP address from the Main Office, and this IP address will be used as gateway). Also the IP address of the Main remote interface is reachable through the BranchVPN interface (this time the gateway is the IP address of the BranchVPN interface).
On Branch ISA, vice-versa.
Not sure how clear was this explanation, because I have problems reading it myself....
But with the routing table in front of you may become more clear....
Did you manually enter some routes to the remote site?
If so delete them.
J

(in reply to GeoTech)
Post #: 12
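As an added example (constructed for this page, not from the thread, from ISA or from Microsoft): justmee's advice above is to read the routing table with route print on each ISA and confirm that the routes for the remote site leave through the demand-dial interface rather than through a hand-entered persistent route. The script below parses a constructed route print dump for the Main ISA that follows the description in posts #10 and #12. The VPN interface address 172.28.40.201, the remote Main interface address 172.28.12.200, the internal NIC address 172.28.12.5, the LAN router 172.28.12.1 and the 203.0.113.x public addresses are all assumptions; the remote-site ranges are the ones from the Main summary, written in CIDR form.

```python
import ipaddress
import re

# Constructed 'route print' output for the Main ISA, modelled on justmee's description:
# the BranchVPN demand-dial interface holds an address handed out by the Branch side
# (172.28.40.201, assumed) and the Branch ISA's Main interface holds one from the Main
# side (172.28.12.200, assumed). Public addresses use the RFC 5737 documentation range.
# It also contains a hand-entered persistent route for 172.29.40.0/24 via the LAN router,
# the kind of leftover that sends branch-bound traffic away from the tunnel.
MAIN_ROUTE_PRINT = """
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0c 29 11 22 33 ...... Internal
0x3 ...00 0c 29 44 55 66 ...... External
0x10004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      203.0.113.1     203.0.113.2      20
      203.0.113.0    255.255.255.0      203.0.113.2     203.0.113.2      20
      172.28.12.0    255.255.254.0      172.28.12.5     172.28.12.5      20
      172.28.14.0    255.255.254.0      172.28.12.1     172.28.12.5       1
      172.28.40.0    255.255.254.0    172.28.12.200   172.28.40.201       1
    172.28.12.200  255.255.255.255    172.28.40.201   172.28.40.201      50
    172.28.40.201  255.255.255.255        127.0.0.1       127.0.0.1      50
      172.29.40.0    255.255.255.0      172.28.12.1     172.28.12.5       1
   172.31.254.240  255.255.255.240    172.28.12.200   172.28.40.201       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
Default Gateway:       203.0.113.1
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
      172.29.40.0    255.255.255.0      172.28.12.1       1
"""

# The Main ISA's "Site-to-Site Network IP Addresses" for the Branch, as CIDR blocks.
REMOTE_RANGES = ["172.28.40.0/23", "172.29.40.0/24", "172.31.254.240/28"]
VPN_INTERFACE_IP = "172.28.40.201"  # assumed address of the BranchVPN demand-dial interface

# dest mask gateway [interface] metric; the interface column is absent in Persistent Routes.
ROUTE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_route_print(text):
    """Split Windows 'route print' output into (active, persistent) route lists.
    Header, separator and 'Default Gateway' lines do not match ROUTE_RE and are skipped."""
    active, persistent, section = [], [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Active Routes"):
            section = active
            continue
        if s.startswith("Persistent Routes"):
            section = persistent
            continue
        m = ROUTE_RE.match(line)
        if section is None or not m:
            continue
        dest, mask, gateway, iface, metric = m.groups()
        try:
            net = ipaddress.IPv4Network((dest, mask), strict=False)
        except ValueError:
            continue  # not a route row
        section.append({"net": net, "gateway": gateway, "interface": iface, "metric": int(metric)})
    return active, persistent


def lookup(active, addr):
    """Longest-prefix match, lowest metric on ties, like the Windows forwarding lookup."""
    ip = ipaddress.IPv4Address(addr)
    matches = [r for r in active if ip in r["net"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"]))


def check_remote_reachability(route_print_text, remote_ranges, vpn_interface_ip):
    """For each remote-site range, report the winning route and whether it leaves through
    the VPN interface; flag persistent routes that cover remote-site address space."""
    active, persistent = parse_route_print(route_print_text)
    report = {"ranges": {}, "stale_persistent": []}
    for rng in remote_ranges:
        net = ipaddress.IPv4Network(rng)
        probe = net.network_address + (1 if net.num_addresses > 1 else 0)  # first host
        r = lookup(active, str(probe))
        report["ranges"][rng] = {
            "route": str(r["net"]) if r else None,
            "gateway": r["gateway"] if r else None,
            "via_vpn": bool(r and r["interface"] == vpn_interface_ip),
        }
        for p in persistent:
            hit = (str(p["net"]), p["gateway"])
            if (p["net"].subnet_of(net) or net.subnet_of(p["net"])) and hit not in report["stale_persistent"]:
                report["stale_persistent"].append(hit)
    return report


if __name__ == "__main__":
    rep = check_remote_reachability(MAIN_ROUTE_PRINT, REMOTE_RANGES, VPN_INTERFACE_IP)
    for rng, info in rep["ranges"].items():
        print("%-18s route %-18s gw %-15s via_vpn=%s" % (rng, info["route"], info["gateway"], info["via_vpn"]))
    for net, gw in rep["stale_persistent"]:
        print("persistent route %s -> %s covers remote-site space; delete it" % (net, gw))
```

For each remote range it prints the route that wins the longest-prefix lookup and whether the packet actually leaves on the VPN interface. In the constructed table 172.28.40.0/23 and 172.31.254.240/28 go out through BranchVPN with the remote Main interface as gateway, exactly as justmee describes, while 172.29.40.0/24 is captured by the persistent route towards the LAN router and never enters the tunnel. On a real box, paste the output of route print into MAIN_ROUTE_PRINT or read it from a file; a persistent route that the check flags is one to remove with route delete and then verify again after restarting RRAS.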