I have deployed a site-to-site IPSEC VPN using ISA Server 2004 and a D-Link DIR-330.
All appears to be working well. I can ping devices on either side, from either side. I can also print to remote printers and log into machines using RDP. However, I've noticed a few strange things:
1. In the ISA Server Dashboard, there is no mention that a site-to-site VPN exists. On the DIR-330 it shows that there is an active tunnel on the VPN Status page. This leads me to believe that there is still something not quite right?
2. I cannot ping any device on the remote network from the ISA console itself. I get the 'Negotiating IP Security' message. Tom's article on troubleshooting IPSEC VPNs didn't really explain what to do if it is an ISA to 3rd Party solution like mine.
3. I also cannot access the remote router's web admin page from any machine on my local network? Nor can I access a remote printer's web admin page?
4. Last and most important, we use Subversion for source code management and the remote users need to be able to access the repository (which is behind the ISA Server) from the remote site. However, they cannot. The weird thing is, I see a connection request when I have logging turned on, but no denial, and they just time out?
1) You'll have to use the IPSec Security Monitor MMC snap-in to see the "pure" IPsec tunnels. Admittedly, it's not very clear about this - I wish it was integrated into the ISA console.
2) The article (I authored it) just basically means if you try to PING from ISA itself, the remote endpoint (the D-Link DIR-330) has to have ISA's external address in the IPSec tunnel parameters. ISA automatically builds a filter stating ISA External IP to Remote Subnet but most likely the D-Link doesn't have a matching filter.
3) Does the router have any filters on what subnet is allowed to access it?
4) You might take a netstat from the Subversion box and see if you see the incoming connection (maybe take a network sniff). Does the Subversion box point to ISA for its default gateway?
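Points 2 and 4 of the reply both come down to "does the other side have an entry that matches this traffic": an IPsec selector on the D-Link that covers ISA's external address, and a route on the Subversion box that sends replies for the remote subnet back to ISA. The script below is an added example, not code from this thread or from ISA Server; it models both checks with Python's `ipaddress` module. All addresses, the selector lists and the routing tables are constructed for illustration and are assumptions about a typical setup, not values from the posts.

```python
# Added example, not part of the thread: two reachability checks that mirror
# points 2 and 4 of the reply. Every address below is constructed
# (RFC 1918 / RFC 5737 ranges); substitute the real ones.
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, NamedTuple, Optional


class Selector(NamedTuple):
    """One IPsec traffic selector (SPD filter): local range <-> remote range."""
    local: IPv4Network
    remote: IPv4Network


def peer_covers(sel: Selector, peer: List[Selector]) -> bool:
    """True if the peer holds a selector that, seen from its side, covers ours:
    our local range must sit inside the peer's remote range and vice versa."""
    return any(sel.local.subnet_of(p.remote) and sel.remote.subnet_of(p.local)
               for p in peer)


def unmatched_selectors(ours: List[Selector], peer: List[Selector]) -> List[Selector]:
    """Selectors we would negotiate that the peer has no matching filter for.
    Traffic hitting one of these never finishes phase 2, which is what the
    'Negotiating IP Security' message from ISA itself looks like."""
    return [s for s in ours if not peer_covers(s, peer)]


class Route(NamedTuple):
    destination: IPv4Network
    gateway: IPv4Address


def next_hop(routes: List[Route], dst: str) -> Optional[IPv4Address]:
    """Longest-prefix match: the same forwarding decision the host makes."""
    addr = ip_address(dst)
    matches = [r for r in routes if addr in r.destination]
    if not matches:
        return None
    return max(matches, key=lambda r: r.destination.prefixlen).gateway


def wrong_gateway(routes: List[Route], probe_host: str,
                  isa_internal: str) -> Optional[IPv4Address]:
    """Gateway the host would really use for a remote-site address, if it is
    not ISA. A SYN can still arrive through the tunnel (so ISA logs the
    connection) while the SYN-ACK leaves via the other gateway and the
    remote client simply times out, with no deny entry anywhere."""
    hop = next_hop(routes, probe_host)
    return None if hop == ip_address(isa_internal) else hop


# --- constructed topology -------------------------------------------------
LAN = ip_network("192.168.1.0/24")            # behind ISA (assumed)
REMOTE = ip_network("192.168.2.0/24")         # behind the DIR-330 (assumed)
ISA_EXTERNAL = ip_network("203.0.113.10/32")  # ISA's public address (assumed)
ISA_INTERNAL = "192.168.1.1"
OLD_ROUTER = "192.168.1.254"                  # a different gateway on the LAN

# ISA adds an "external IP <-> remote subnet" filter on its own; a third-party
# box configured with just the subnet pair has nothing that matches it.
ISA_SELECTORS = [Selector(LAN, REMOTE), Selector(ISA_EXTERNAL, REMOTE)]
DLINK_SELECTORS = [Selector(REMOTE, LAN)]

SVN_ROUTES_BEFORE = [
    Route(ip_network("0.0.0.0/0"), ip_address(OLD_ROUTER)),   # default: not ISA
    Route(LAN, ip_address("192.168.1.20")),                    # on-link
]
# Either fix: point the default gateway at ISA, or add a static route for the
# remote subnet via ISA. The static route is shown here.
SVN_ROUTES_AFTER = SVN_ROUTES_BEFORE + [Route(REMOTE, ip_address(ISA_INTERNAL))]


if __name__ == "__main__":
    for s in unmatched_selectors(ISA_SELECTORS, DLINK_SELECTORS):
        print(f"D-Link has no filter covering {s.local} <-> {s.remote}; "
              "pings from the ISA console will stall in phase 2")
    print("svn box before fix, reply gateway:",
          wrong_gateway(SVN_ROUTES_BEFORE, "192.168.2.20", ISA_INTERNAL))
    print("svn box after fix, reply gateway: ",
          wrong_gateway(SVN_ROUTES_AFTER, "192.168.2.20", ISA_INTERNAL))
```

Run it as-is to see the two findings: the ISA-external-to-remote-subnet selector has no counterpart on the D-Link side, and the Subversion box routes remote-site addresses through the old router until a route via ISA is added. Replacing the constructed tables with the real SPD entries and the output of `route print` on the Subversion box turns it into a quick check for the same two conditions.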
Found the problem with the Subversion box. Had it pointed at a different gateway. Everything seems to be working now. Next step: deploy some sort of DNS solution at the remote site -- wish there was some easy solution to use alternate DNS servers when resolving hosts that fall within the VPN.