Thanks for your answer. I'm looking forward to getting links to the backup files.
Thanks in advance
Hi Turan,
Here you go! I did a rough draft of an article I'll post later and also posted the Firewall Policies for the Local and Remote Sites. In addition, I included the complete system BU files if you want to see an exact copy of my config (note that my IP address scheme might be different than yours, but you can change yours or at least see what works).
I didn't load your backup, but I followed your guide and it seems the same as I did before, nothing less or more. It didn't work. Now I will load your configuration to check if it is the same as I've done before.
I'd like to ask if you have enabled Windows Routing & Remote Access or have done any static routing in your test environment.
I was looking thru the boards and this is exactly what I was looking for! Of course I am running on production boxes.......LIFE ON THE EDGE.....WHAT A RUSH!
It still didn't work. I'm losing my patience over time. I will try to debug from event logs, ISA logs, and so on to check what's going on in my system.
I'd like to ask if my IP configuration is wrong or not. Below, I wrote down the configuration of the two machines. There are two local networks and a WAN network on VM; also the main site Internet Ethernet is connected to my company LAN. The WAN connectors of the two sites are connected to the WAN virtual network? Could anybody say if anything is wrong in my configuration?
Do you see any IKE entries in the real time log monitor?
Also, are the WAN interfaces on the same VMnet? I put the external interfaces of each of the VMs on VMNet3 instead of bridging them to the production network. This made it easier to see the traffic in the real time log monitor since I didn't have to sift through the production network traffic when reading the logs.
There are no IKE entries, but in my first installation, as I remember, there were a few with connection failures. There are also some connection messages in the security logs of the ISA servers. I'm trying to catch which messages are related directly to the ISA server now. I can say that when I stop/start the machine or the firewall service, there are no IKE entries by now.
Branch and Main site WAN interfaces are in the same virtual network connected to vmnet1 and are in the same subnet, and can see each other directly. There are three virtual networks: vmnet1 (WAN), vmnet2 (main site LAN), vmnet3 (branch site LAN), and vmnic1 (Internet connection on main site). There's only one interface connected to the main site named "internet", which is intended to simulate the Internet connection. Consequently I can say that I try to make the VPN connection exactly on the vmnet1 network; I also tried to disable the vmnic1 interface connected to our company LAN, for the same reason, to filter real-time messages. It did work, but no results yet.
I will install the ISA servers from the beginning, I think this will be the fourth time, and try some more. I have something in my mind; I will also try those things.
I'd like to learn if you see any errors in my IP configuration?
Looking at your diagram again, I think there is a routing problem. You have an "Internet connection" and a second connection you're using for the IPSec tunnel mode link. Get rid of the extra interface on that machine. The IPSec tunnel mode link should be the Internet connection. I'm not sure about the routing behavior of IPSec tunnel mode, but it's not nearly as intelligent as a true VPN protocol, such as PPTP or L2TP. So do it that way and see what happens.
I did so, but in my test platform. I was installing just as you say while reading your message, but to detect what's going on in my system, not to implement the same in real life. I downgraded the main site to two interfaces only, WAN (you can think of WAN as Internet) and LAN interfaces, for the two ISA servers; I will try such a configuration. If I can be successful I will try to extend my system.
We put these isa servers to sites on the wan for some security reasons between sites, also we do not trust wan so much, so we want to make vpn over wan also. It's why i put a second interface and try to make vpn connection between sites.
You say to connect the WAN links to the Internet connection, on one interface. We have many sites connected by satellite connections, wireless, RF, leased line and frame relay mixed protocols, many multiplexers, and so on. How should I keep all these routers and bridges from being vulnerable if I connect them to the Internet, maybe giving them real IP addresses? We have a network designed as I try to do with an Astaro Linux firewall. I can't understand why ISA 2004 shouldn't do such a job.
I will inform you what's going on my system. It has been a long conversation for weeks, thanks a lot for your help. I didn't want to give up, because it seemed it should work. I will try some more.. maybe one or two days more
Your goals are important ones, as it would be good to be able to use the IPSec tunnel mode connection on a WAN interface that is not the default Internet interface. It might be something as simple as configuring a routing table entry that directs packets to the remote network to the IPSec tunnel endpoint to the remote network, in the same way that you have to configure the Web Proxy and NAT to use the VPN tunnel endpoint to work properly.
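The routing point raised in the last reply can be checked on paper before touching a server. The following is an added example, not code from anyone in this thread: it models the three-NIC main-site box (vmnet1 WAN, vmnet2 LAN, an "internet" NIC holding the default route) with constructed addresses, since the thread never states the real ones, and shows with a longest-prefix-match lookup why packets for the branch LAN leave on the Internet NIC unless a static route points them at the WAN peer that is the remote IPSec tunnel endpoint. The helper names (`lookup`, `main_site_routes`, `egress_for_branch_host`, `persistent_route_command`) are hypothetical; the `route add -p` command it prints is the standard Windows way to install a persistent route.

```python
import ipaddress

# Constructed lab addressing (assumption: the thread gives no real addresses).
MAIN_LAN = ipaddress.ip_network("192.168.10.0/24")     # vmnet2
BRANCH_LAN = ipaddress.ip_network("192.168.20.0/24")   # vmnet3
WAN_NET = ipaddress.ip_network("10.0.0.0/24")          # vmnet1, shared by both WAN NICs
MAIN_WAN_IP = ipaddress.ip_address("10.0.0.1")
BRANCH_WAN_IP = ipaddress.ip_address("10.0.0.2")       # remote IPSec tunnel endpoint
INTERNET_GW = ipaddress.ip_address("203.0.113.1")      # gateway on the "internet" NIC
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def lookup(routes, dst):
    """Pick the route for dst the way a host does: longest prefix wins,
    lowest metric breaks ties. Returns (interface, gateway)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gateway, iface, metric in routes:
        if dst in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, iface, gateway)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def main_site_routes(static_route_to_branch):
    """Routing table of the main-site ISA box with three NICs.
    A directly connected network has no gateway (None)."""
    routes = [
        (DEFAULT, INTERNET_GW, "internet", 10),
        (MAIN_LAN, None, "lan", 1),
        (WAN_NET, None, "wan", 1),
    ]
    if static_route_to_branch:
        # The entry the last reply suggests: send the branch LAN via the WAN
        # peer (the remote tunnel endpoint) instead of the default route.
        routes.append((BRANCH_LAN, BRANCH_WAN_IP, "wan", 1))
    return routes


def egress_for_branch_host(static_route_to_branch, host="192.168.20.15"):
    """Interface a packet for a branch-LAN host leaves the main site on."""
    iface, _ = lookup(main_site_routes(static_route_to_branch), host)
    return iface


def persistent_route_command(network, gateway):
    """Windows 'route add -p' line that installs the missing entry."""
    return f"route add -p {network.network_address} mask {network.netmask} {gateway}"


if __name__ == "__main__":
    print("without static route:", egress_for_branch_host(False))
    print("with static route:   ", egress_for_branch_host(True))
    print(persistent_route_command(BRANCH_LAN, BRANCH_WAN_IP))
```

The branch-site box needs the mirror-image entry (main LAN via the main site's WAN address). Without the route the IKE exchange and the tunnelled traffic never reach vmnet1, which is consistent with the empty IKE view in the real-time log monitor described earlier in the thread; with it, the WAN NIC becomes the egress for the remote network and the tunnel endpoints are on a directly connected subnet.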