Welcome to ISAserver.org

RE: VPN over intranet

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2004 Firewall] >> VPN >> RE: VPN over intranet

Page: << < prev 1 [2]

Message

<< Older Topic Newer Topic >>

RE: VPN over intranet - 11.Feb.2004 1:14:00 PM

tshinder

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Turan,

No problem! It should be some time this afternoon, as I'll be writing an article with the procedures too.

HTH,
Tom

(in reply to Turan)

Post #: 21

Featured Links*

RE: VPN over intranet - 12.Feb.2004 5:13:00 AM

tshinder

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline

quote:
Originally posted by Turan:
Hi Tom,

Thanks for your answer. I'm looking forward to get links of backup files,

Thanks in advance

Hi Turan,

Here you go! I did a rough draft of an article I'll post later and also posted the Firewall Policies for the Local and Remote Sites. In addition, I included the complete system BU files if you want to see an exact copy of my config (note that my IP address scheme might be different than your's, but you change yours or at least see what works).

The doc is at: http://www.msfirewall.org/isa2004/ipsecsitetosite/sitetositeipsec.htm

The configs are at: http://www.msfirewall.org/isa2004/ipsecsitetosite/site2siteconfig.zip

Let me know how this works for you!

HTH,
Tom

(in reply to Turan)

Post #: 22

RE: VPN over intranet - 12.Feb.2004 7:06:00 AM

Turan

Posts: 13
Joined: 25.Mar.2002
Status: offline

Thanks Tom, I'm checking it right now. I will let you know what's happening in my site.

Best regards. [Smile]

(in reply to Turan)

Post #: 23

RE: VPN over intranet - 12.Feb.2004 9:29:00 AM

Turan

Posts: 13
Joined: 25.Mar.2002
Status: offline

Hi Tom,

What is the password of backup file? I couldn't find it.

(in reply to Turan)

Post #: 24

RE: VPN over intranet - 12.Feb.2004 11:37:00 AM

tshinder

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Turan,

What else could it be?

password

[Smile]

HTH,
Tom

(in reply to Turan)

Post #: 25

RE: VPN over intranet - 12.Feb.2004 1:22:00 PM

Turan

Posts: 13
Joined: 25.Mar.2002
Status: offline

Hi Tom,

Excellent password you have given [Big Grin]

I didn't load your backup, but i followed your guide and it seems same as i did before, nothing less or more. It didn't work. Now i will load your configuration to chech if it is the same as i've done before.

I'd like to ask if you have enabled windows routing&remote access or have done any static routing in your test environment.

(in reply to Turan)

Post #: 26

RE: VPN over intranet - 12.Feb.2004 1:55:00 PM

tshinder

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Turan,

I've always been a fan of strong passwords [Wink]

I did not enable RRAS and there are no static routes and no dynamic routing protocols enabled.

HTH,
Tom

(in reply to Turan)

Post #: 27

RE: VPN over intranet - 14.Feb.2004 4:27:00 AM

tdeerinck

Posts: 9
Joined: 6.Mar.2003
Status: offline

Tom,

You Rock!

I was looking thru the boards and this is exactly what I was looking for! Of course I am running on production boxes.......LIFE ON THE EDGE.....WHAT A RUSH!

Thanks again....

~T.J.

(in reply to Turan)

Post #: 28

RE: VPN over intranet - 15.Feb.2004 6:09:00 PM

tshinder

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi TJ,

Thanks!
Tom

(in reply to Turan)

Post #: 29

RE: VPN over intranet - 16.Feb.2004 9:59:00 AM

Turan

Posts: 13
Joined: 25.Mar.2002
Status: offline

Hi Tom,

It still didn't work. I'm loosing my patience by time [Confused]

. I will try to debug from event logs, isa logs, and so on to check whats going on on my system.

I'd like to ask if my ip configuration is wrong or not. Below, i wrote down configuration of two machines configuration. There's two local networks, and a wan network on vm, also main site internet ethernet is connected to my company LAN. WAN connectors of two sites is connected to WAN virtual network? Could anybody say if anything is wrong in my configuration?

Best regards,

Main Site:

code:

C:\Documents and Settings\Administrator>ipconfig

Windows IP Configuration

Ethernet adapter Local Network:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 172.16.1.5
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter WAN:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 192.168.100.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Internet:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 10.1.1.39
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : 10.1.1.22

C:\Documents and Settings\Administrator>route print

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 0c 29 c7 8e b2 ...... VMware PCI Ethernet Adapter
0x10004 ...00 0c 29 c7 8e c6 ...... VMware PCI Ethernet Adapter #3
0x10005 ...00 0c 29 c7 8e bc ...... VMware PCI Ethernet Adapter #2
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.1.1.22        10.1.1.39     10
         10.1.0.0    255.255.254.0        10.1.1.39        10.1.1.39     10
        10.1.1.39  255.255.255.255        127.0.0.1        127.0.0.1     10
   10.255.255.255  255.255.255.255        10.1.1.39        10.1.1.39     10
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
       172.16.1.0    255.255.255.0       172.16.1.5       172.16.1.5     10
       172.16.1.5  255.255.255.255        127.0.0.1        127.0.0.1     10
   172.16.255.255  255.255.255.255       172.16.1.5       172.16.1.5     10
    192.168.100.0    255.255.255.0    192.168.100.1    192.168.100.1     10
    192.168.100.1  255.255.255.255        127.0.0.1        127.0.0.1     10
  192.168.100.255  255.255.255.255    192.168.100.1    192.168.100.1     10
        224.0.0.0        240.0.0.0        10.1.1.39        10.1.1.39     10
        224.0.0.0        240.0.0.0       172.16.1.5       172.16.1.5     10
        224.0.0.0        240.0.0.0    192.168.100.1    192.168.100.1     10
  255.255.255.255  255.255.255.255        10.1.1.39        10.1.1.39      1
  255.255.255.255  255.255.255.255       172.16.1.5       172.16.1.5      1
  255.255.255.255  255.255.255.255    192.168.100.1    192.168.100.1      1
Default Gateway:         10.1.1.22
===========================================================================
Persistent Routes:
  None

Branch Office:

code:

C:\Documents and Settings\Administrator>ipconfig

Windows IP Configuration


Ethernet adapter Local Network:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 172.16.2.5
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter WAN:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 192.168.100.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

C:\Documents and Settings\Administrator>route print

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 0c 29 1d 02 df ...... VMware PCI Ethernet Adapter
0x10004 ...00 0c 29 1d 02 e9 ...... VMware PCI Ethernet Adapter #2
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
       172.16.2.0    255.255.255.0       172.16.2.5       172.16.2.5     10
       172.16.2.5  255.255.255.255        127.0.0.1        127.0.0.1     10
   172.16.255.255  255.255.255.255       172.16.2.5       172.16.2.5     10
    192.168.100.0    255.255.255.0    192.168.100.2    192.168.100.2     10
    192.168.100.2  255.255.255.255        127.0.0.1        127.0.0.1     10
  192.168.100.255  255.255.255.255    192.168.100.2    192.168.100.2     10
        224.0.0.0        240.0.0.0       172.16.2.5       172.16.2.5     10
        224.0.0.0        240.0.0.0    192.168.100.2    192.168.100.2     10
  255.255.255.255  255.255.255.255       172.16.2.5       172.16.2.5      1
  255.255.255.255  255.255.255.255    192.168.100.2    192.168.100.2      1
===========================================================================
Persistent Routes:
  None

[ February 16, 2004, 10:03 AM: Message edited by: Turan ]

(in reply to Turan)

Post #: 30

RE: VPN over intranet - 16.Feb.2004 12:23:00 PM

tshinder

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Turan,

Do you see any IKE entries in the real time log monitor?

Also, are the WAN interfaces on the same VMnet? I put the external interfaces of each of the VMs on VMNet3 instead of bridging them to the production network. This made it easier to see the traffic in the real time log monitor since I didn't have to sift through the production network traffic when reading the logs.

Thanks!
Tom

(in reply to Turan)

Post #: 31

RE: VPN over intranet - 16.Feb.2004 2:56:00 PM

Turan

Posts: 13
Joined: 25.Mar.2002
Status: offline

Hi Tom,

There's none IKE entries, but in my first installation as i remember, there was a few with connection failures. There's also some connection messages in security logs of isa servers. I'm trying to catch which messages are related directly to isa server now. I can say that, when i stop start machine or firewall service, there's no IKE entries by now.

Branch and Main site wan interfaces are in the same virtual network connected to vmnet1 and are in the same subnet, can see each other directly. There's three virtual networks as vmnet1 (wan), vmnet2 (main site lan), vmnet3 (branch site lan), vmnic1 (internet connection on main site). There's only one interface connected to main site named "internet" which intendet to simulate internet connection. Consequently i can say that i try to make vpn connection exactly on vmnet1 network, also i did try to disable vmnic1 interface connected to our company lan, because of the same reason, to filter realtime messages. It did work, but no results yet.

I will install isa servers from the beginning, i think this will be fourth [Smile]

and try some more. I have something in my mind, i will also try those things.

I'd like to learn if you see any errors in my ip configuration?

Best regards,

Turan

(in reply to Turan)

Post #: 32

RE: VPN over intranet - 17.Feb.2004 11:59:00 AM

tshinder

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Turan,

Looking at your diagram again, I think there is a routing problem. You have an "Internet connection" and a second connection you're using for the IPSec tunnel mode link. Get rid of the extra interface on that machine. The IPSec tunnel mode link should be the Internet connection. I'm not sure about the routing behavior of IPSec tunnel mode, but its not nearly as intelligent as a true VPN protocol, such as PPTP or L2TP. So it it that way and see what happens.

HTH,
Tom

(in reply to Turan)

Post #: 33

RE: VPN over intranet - 17.Feb.2004 2:53:00 PM

Turan

Posts: 13
Joined: 25.Mar.2002
Status: offline

Hi Tom,

I did so, but in my test platform. I was installing just as you say while reading your message, but to detect what's going on my system not to implement the same in real life. I downgraded main site to two interfaces only wan (you can think wan as internet) and lan interfaces for two isa servers, i will try such a configuration. If i can be successful i will try to extend my system.

We put these isa servers to sites on the wan for some security reasons between sites, also we do not trust wan so much, so we want to make vpn over wan also. It's why i put a second interface and try to make vpn connection between sites.

You say to connect wan links to internet connection, on one interface. We have many sites connected by satellite connections, wireless, rf, leased line and frame relay mixed protocols, many multiplexers, and so on. How should i maintain all these routers, bridger from being vulnerable if i connect them to internet, maybe give them real ip addresses. We have a network designed such as i try to do with Astaro Linux firewall. I can't understand why isa2004 shouldn't do such a work.

I will inform you what's going on my system. It has been a long conversation for weeks, thanks a lot for your help. [Smile]

I didn't want to give up, because it seemed it should work. I will try some more.. maybe one or two days more [Smile]

Best regards,

Turan

(in reply to Turan)

Post #: 34

RE: VPN over intranet - 17.Feb.2004 3:08:00 PM

tshinder

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Turan,

Your goals are important ones, as it would be good to be able to use the IPSec tunnel mode connection on a WAN interface that is not the default Internet interface. It might be something as simple as configuring a routing table entry that directs packets to the remote network to the IPSec tunnel endpoint to the remote network, in the same way that you have to configure the Web Proxy and NAT to use the VPN tunnel endpoint to work properly.

I check this out and see if I can get it to work.

thanks!
Tom

(in reply to Turan)

Post #: 35