itmanager -> IPSec VPN and IP Spoofing / routing problem (26.May2008 5:36:53 PM)
Hi all,

I am implementing an IPSec tunnel with partners who run a Cisco at their end. We can establish both phases of the tunnel and my counterpart can trace a path back to a target host at my end. But something is preventing me from tracing a path to the partner end. When I attempt a ping or tracert I can see (in IPSec Mon) the Phase II connection become established, but nothing gets returned. Clearly a routing problem, but where/how? Can anyone point out where the problem should lie?

Cheers
Kevin

Some details:

In ISA Monitoring (logging) I can see that the ping packet is being dropped:

Log type: Firewall service
Status: A packet was dropped because ISA Server determined that the source IP address is spoofed.
Rule: -
Source: Internal (10.201.1.42:8)
Destination: B2B VPN (172.17.97.1:0)
Protocol: Ping
User: -
Additional information
Number of bytes sent: 0
Number of bytes received: 0
Processing time: 0ms
Original Client IP: 10.201.1.42
Client agent: -

I have actually turned IP spoofing detection off (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fweng\Parameters\DisableSpoofDetection=1).

Configuration (actual addresses changed but still relative to each other):

ISA 2004 SP2, 4 interfaces:
External 110.155.245.146 (but also with multiple IPs on the external interface)
DMZ1 172.16.1.0 /24
DMZ2 210.100.100.240 /28
DMZ3 10.201.1.0 /24
The VPN encryption network 172.17.96.0 /20

ISA Networks: There is a network object creating the VPN IPsec tunnel, which is working.
ISA Network Rules: There is a network rule that routes between the VPN network and the DMZ3 network.
ISA Firewall Policy: There are 2 rules (In and Out) allowing traffic between the VPN network and the DMZ3 network (currently All Outbound traffic until the issue is resolved).
The local Tunnel Endpoint is 110.155.249.187

Active Routes:
Destination        Netmask            Gateway            Interface          Metric
0.0.0.0            0.0.0.0            110.155.245.145    110.155.245.146    20
10.201.1.0         255.255.255.0      10.201.1.1         10.201.1.1         10
10.201.1.1         255.255.255.255    127.0.0.1          127.0.0.1          10
10.201.1.111       255.255.255.255    127.0.0.1          127.0.0.1          50
10.201.20.0        255.255.255.0      10.201.1.100       10.201.1.1         1
10.201.30.0        255.255.255.0      10.201.1.100       10.201.1.1         1
10.201.40.0        255.255.255.0      10.201.1.100       10.201.1.1         1
10.255.255.255     255.255.255.255    10.201.1.1         10.201.1.1         10
127.0.0.0          255.0.0.0          127.0.0.1          127.0.0.1          1
172.16.1.0         255.255.255.0      172.16.1.1         172.16.1.1         10
172.16.1.1         255.255.255.255    127.0.0.1          127.0.0.1          10
172.16.255.255     255.255.255.255    172.16.1.1         172.16.1.1         10
110.155.245.0      255.255.255.0      110.155.245.146    110.155.245.146    20
110.155.245.146    255.255.255.255    127.0.0.1          127.0.0.1          20
110.155.245.255    255.255.255.255    110.155.245.146    110.155.245.146    20
110.155.249.176    255.255.255.240    110.155.249.189    110.155.245.146    20
110.155.249.187    255.255.255.255    127.0.0.1          127.0.0.1          20
110.155.249.188    255.255.255.255    127.0.0.1          127.0.0.1          20
110.155.249.189    255.255.255.255    127.0.0.1          127.0.0.1          20
110.155.249.190    255.255.255.255    127.0.0.1          127.0.0.1          20
110.155.249.255    255.255.255.255    110.155.245.146    110.155.245.146    20
110.155.251.240    255.255.255.240    110.155.251.241    110.155.251.241    30
110.155.251.241    255.255.255.255    127.0.0.1          127.0.0.1          30
110.155.251.255    255.255.255.255    110.155.251.241    110.155.251.241    30
224.0.0.0          240.0.0.0          10.201.1.1         10.201.1.1         10
224.0.0.0          240.0.0.0          172.16.1.1         172.16.1.1         10
224.0.0.0          240.0.0.0          110.155.245.146    110.155.245.146    20
224.0.0.0          240.0.0.0          110.155.251.241    110.155.251.241    30
255.255.255.255    255.255.255.255    10.201.1.1         10.201.1.1         1
255.255.255.255    255.255.255.255    172.16.1.1         172.16.1.1         1
255.255.255.255    255.255.255.255    110.155.245.146    110.155.245.146    1
255.255.255.255    255.255.255.255    110.155.251.241    110.155.251.241    1
Default Gateway:   110.155.245.145
===========================================================================
Persistent Routes:
Network Address    Netmask            Gateway Address    Metric
10.201.40.0        255.255.255.0      10.201.1.100       1
10.201.20.0        255.255.255.0      10.201.1.100       1
10.201.30.0        255.255.255.0      10.201.1.100       1
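As an added example (not part of the original post), the route table and network definitions from the post transcribed into a small Python lookup: it applies longest-prefix matching to show which interface a packet for the B2B VPN address 172.17.97.1 would leave by, and reports which ISA network object each endpoint falls into. The address ranges of the ISA network objects are assumed from the post's description, not read from an ISA configuration.

```python
# Added example (not from the original post): longest-prefix route lookup and
# ISA-network membership check against the addresses posted above.
import ipaddress

# Active routes transcribed from the post; host /32, loopback, multicast and
# broadcast entries omitted: (destination, netmask, gateway, interface, metric)
ROUTES = [
    ("0.0.0.0", "0.0.0.0", "110.155.245.145", "110.155.245.146", 20),
    ("10.201.1.0", "255.255.255.0", "10.201.1.1", "10.201.1.1", 10),
    ("10.201.20.0", "255.255.255.0", "10.201.1.100", "10.201.1.1", 1),
    ("10.201.30.0", "255.255.255.0", "10.201.1.100", "10.201.1.1", 1),
    ("10.201.40.0", "255.255.255.0", "10.201.1.100", "10.201.1.1", 1),
    ("172.16.1.0", "255.255.255.0", "172.16.1.1", "172.16.1.1", 10),
    ("110.155.245.0", "255.255.255.0", "110.155.245.146", "110.155.245.146", 20),
    ("110.155.249.176", "255.255.255.240", "110.155.249.189", "110.155.245.146", 20),
    ("110.155.251.240", "255.255.255.240", "110.155.251.241", "110.155.251.241", 30),
]

# ISA network objects as the post describes them (address ranges are assumed
# from the post's text, not read from an ISA configuration).
ISA_NETWORKS = {"DMZ1": "172.16.1.0/24", "DMZ3": "10.201.1.0/24", "B2B VPN": "172.17.96.0/20"}

def lookup(dst):
    """Longest-prefix match, ties broken by lowest metric: (prefix, gateway, interface) or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for dest, mask, gw, ifc, metric in ROUTES:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if ip in net:
            rank = (net.prefixlen, -metric)   # longer prefix wins, then lower metric
            if best is None or rank > best[0]:
                best = (rank, str(net), gw, ifc)
    return best[1:] if best else None

def network_of(addr):
    """Name of the ISA network whose range contains addr, or None if no object claims it."""
    ip = ipaddress.ip_address(addr)
    for name, cidr in ISA_NETWORKS.items():
        if ip in ipaddress.ip_network(cidr):
            return name
    return None

def trace(src, dst):
    """Classify one flow: ISA network of each endpoint plus the route
    (prefix, gateway, interface) the destination resolves to."""
    return (network_of(src), network_of(dst), lookup(dst))

print(trace("10.201.1.42", "172.17.97.1"))  # the dropped ping from the post
```

With the posted table the VPN destination matches only the default route, so it resolves to the external interface 110.155.245.146; the DMZ2 range 210.100.100.240/28 is not among the assumed network objects and returns None.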