Welcome to ISAserver.org

Site-to-site vpn using ipsec psk

All Forums >> [ISA Server 2000 Firewall] >> VPN >> Site-to-site vpn using ipsec psk Page: [1]
Site-to-site vpn using ipsec psk - 4.Sep.2009 9:51:16 AM   
MIA
Posts: 17
Joined: 19.Oct.2007
Site-to-Site VPN using IPSEC PSK
I'm having some difficulty creating a site-to-site VPN using IPsec PSK and I'm hoping someone can spare me the time to see what I'm missing. Apologies for the long post, but there is a lot of detail! The scenario is:
We have a requirement to set up a site-to-site VPN with a 3rd party. The purpose of this is that we need to transmit data to them, and their preferred method is to use an app they have developed for the data transmission. Unfortunately this is not encrypted, so we have been asked to set up a VPN to connect the networks and to use IPsec PSK. Authentication should be MD5 with encryption of 3DES.
For segregation, as I do not want the VPN to get to our internal network, my plan is to install an RRAS in a DMZ served by external and internal Win2003/ISA2000 servers. The RRAS box will also run the data transmission app. So, the network should look like:
Ext Win2k3/ISA2k <-----> RRAS <-----> Int Win2k3/ISA2k <-----> Internal network

The 3rd party has a Cisco PIX, I believe (don't know yet what version). Unfortunately I don't have one available, so I have set up a Win2003/ISA2000 dual-homed server as my test box.

I have been using the VPN deployment kit by Tom and also Stefaan's article on allowing IPsec passthrough. I have configured the servers as:
External ISA:
• Ran VPN client wizard to create 4 packet filters
• Created protocol definitions for UDP 500 and 4500 as receive/send (inbound)
• Published the internal IP of the RRAS against the external IP of the ISA and mapped the two protocols above
• Created protocol definitions for UDP 500 and 4500 as send/receive (outbound)
• Created a protocol rule to allow the outbound UDP 500/4500
• Created a client address set for the RRAS and created a site & content rule to always allow any destination
• Filtering of IP packet fragments is disabled
• The LAT includes the IP of the RRAS, and I have stopped the RRAS and IPsec services.
Internal RRAS:
• RRAS enabled as router (LAN and demand-dial)/RAS
• Windows Auth set as EAP (MD5 & PEAP) & MS-CHAPv2
• Windows Accounting used
• Allow custom IPsec PSK selected
• Enable IP routing
• Allow IP-based RAS
• Static address to be assigned at the upper end of the LAT range
• Do not allow broadcast name resolution selected
• Policy is NAS port type = virtual VPN/group matches VPN users, and users added to group. User dial-in controlled by policy
• Profile security = EAP (MD5 & PEAP) & MS-CHAPv2/strongest encryption
• New demand-dial network interface has been created to connect using VPN/L2TP. Host was left blank as this is the receiving end. No user added, but route IP selected. Set as demand-dial never. This added a static route to the internal IP of the test box.
• Security is max strength using EAP (MD5), and IPsec PSK selected
Test box
This is configured as a dual-homed Win2003/ISA2000/RRAS box and is configured much the same as the two above:
• Ran VPN client wizard to create 4 packet filters
• Created protocol definitions for UDP 500 and 4500 as receive/send (inbound)
• Created protocol definitions for UDP 500 and 4500 as send/receive (outbound)
• Created a protocol rule to allow the outbound & inbound UDP 500/4500
• Created a site & content rule to always allow any destination
• Filtering of IP packet fragments is disabled
• RRAS enabled as router (LAN and demand-dial)/RAS
• Windows Auth set as EAP (MD5 & PEAP) & MS-CHAPv2
• Windows Accounting used
• Allow custom IPsec PSK selected
• Enable IP routing
• Allow IP-based RAS
• Static address to be assigned at the upper end of the LAT range
• Do not allow broadcast name resolution selected
• No policy created as this is dialling out
• New demand-dial network interface has been created to connect using VPN/L2TP. Host was the external address of the ext ISA. Route IP selected, and user account on RRAS credentials added. Set as demand-dial persistent
• Static route added to the internal address of the RRAS using the above interface
• Security is max strength using EAP (MD5), and IPsec PSK selected
IPsec policy
On both the RRAS and Testbox I have created an IPsec policy using http://support.microsoft.com/kb/816514 as a guide.
Both Testbox and RRAS have a new policy assigned. On both, under the General tab > Methods, I have moved 3DES/MD5 to the top.

On Testbox, 2 rules were created. One filtered the source Testbox external address to destination ISA external address and had the tunnel endpoint as the ISA external address, whilst the other rule had a vice versa filter applied.

A filter action was applied to both rules: negotiate security using custom MD5/3DES and authenticate using PSK.
On the RRAS, similar rules were created; however, they filtered using the local IP of the RRAS as source and the external Testbox address as destination, with an endpoint of the external Testbox. As above, a vice versa rule was created.
The connection is not being established, as the RRAS is failing on the IPsec quick mode with Event ID 547, failing node 'me' because 'no policy configured'.
Having tested further and read more whilst writing this, I suspect I'm not going to be able to get this going, and even if I did, the actual live connection will be to a 3rd-party VPN, and it looks like ISA 2000 doesn't support this IPsec tunnelling. Am I missing something, or do I need to upgrade to ISA 2006 or something else?
Thanks for reading.
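The policy the post builds by hand (two one-way tunnel rules, unmirrored filters, PSK authentication, 3DES/MD5) can also be expressed as a script, which makes it far easier to compare the two ends for the kind of mismatch that produces a quick-mode "no policy configured" failure. The following is an added example written for this page, not code from the original post or from KB816514; it uses the "netsh ipsec static" context that ships with Windows Server 2003. The addresses (192.0.2.10 for the RRAS box's DMZ address, 203.0.113.20 for the Testbox external address), the policy name and the PSK are placeholders that you would replace with your own.

```batch
@echo off
rem Added example: tunnel-mode IPsec policy for the RRAS side, built with
rem "netsh ipsec static" on Windows Server 2003. Not from the original post.
rem All addresses, names and the pre-shared key below are placeholders.

set LOCAL_IP=192.0.2.10
set REMOTE_GW=203.0.113.20
set POLICY=RRAS-to-Testbox
set PSK=ReplaceWithALongRandomSecret

rem 1. Policy whose only main-mode proposal is 3DES / MD5 / DH group 2.
rem    Restricting mmsecmethods avoids the default list, where the peer may
rem    pick a proposal that the other side was not configured to accept.
netsh ipsec static add policy name="%POLICY%" description="Site-to-site test tunnel" mmsecmethods="3DES-MD5-2" assign=no

rem 2. One filter list per direction. Tunnel rules must NOT be mirrored;
rem    the reverse direction gets its own filter and its own rule.
netsh ipsec static add filterlist name="%POLICY%-out"
netsh ipsec static add filter filterlist="%POLICY%-out" srcaddr=%LOCAL_IP% dstaddr=%REMOTE_GW% protocol=ANY mirrored=no
netsh ipsec static add filterlist name="%POLICY%-in"
netsh ipsec static add filter filterlist="%POLICY%-in" srcaddr=%REMOTE_GW% dstaddr=%LOCAL_IP% protocol=ANY mirrored=no

rem 3. Filter action: negotiate ESP with 3DES/MD5, no clear-text fallback
rem    (soft=no) and no unsecured inbound pass-through (inpass=no).
netsh ipsec static add filteraction name="%POLICY%-esp" action=negotiate qmsecmethods="ESP[3DES,MD5]" inpass=no soft=no

rem 4. Two tunnel rules with the endpoints swapped. The outbound rule's
rem    tunnel endpoint is the peer; the inbound rule's endpoint is this host.
rem    Kerberos is disabled so the PSK is the only authentication method.
netsh ipsec static add rule name="%POLICY%-outbound" policy="%POLICY%" filterlist="%POLICY%-out" filteraction="%POLICY%-esp" tunnel=%REMOTE_GW% kerberos=no psk="%PSK%"
netsh ipsec static add rule name="%POLICY%-inbound" policy="%POLICY%" filterlist="%POLICY%-in" filteraction="%POLICY%-esp" tunnel=%LOCAL_IP% kerberos=no psk="%PSK%"

rem 5. Assign the policy and dump it so both ends can be diffed side by side.
netsh ipsec static set policy name="%POLICY%" assign=yes
netsh ipsec static show policy name="%POLICY%" level=verbose

rem 6. After forcing traffic across the tunnel, list the SAs actually built.
netsh ipsec dynamic show mmsas
netsh ipsec dynamic show qmsas
```

On the Testbox, the same script is run with LOCAL_IP and REMOTE_GW exchanged, so that every filter on one side is the exact reverse of a filter on the other; a quick-mode failure with "no policy configured" on one end is usually this symmetry being broken (a mirrored filter, a wrong tunnel endpoint, or a source/destination pair that the receiving policy has no filter for). Two caveats worth keeping in mind: the PSK is stored in local policy readable by any administrator of the box, so treat it as a shared secret with a rotation plan rather than a permanent setting; and 3DES/MD5 is what the 3rd party dictated here, but both are weak by current standards, so AES and SHA-2 (or SHA-1 on platforms this old) should be requested where the peer supports them.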