I have an ISA 2k4 at work and a Multitech Routefinder 660 at a branch office. I want to set up an IPsec VPN tunnel between them.
I create the remote network on both machines, and on the Routefinder I can see the VPN tunnel is established.
I create a packet filter on the routefinder to allow all traffic from the internal LAN to the remote LAN. On the ISA-box I tried several network and firewall rules allowing all traffic, but I can't send a ping to the other side.
Is there anyone who has this kind of configuration working, or can anyone tell me what rules I have to configure?
On the ISA 2004 firewall, create a rule that allows everything from the remote network to the Internal network.
HTH, Tom
Hmmmm, done that. Still no ping...
Is there anything I need to enable first? Right now, I only have a network rule with a routing relationship between the Internal Network and the remote network and a firewall rule allowing all outbound protocols from the remote network to the internal network.
Hmmm. Good point. On the ISA box, the configuration would be "outbound" from Remote network to Internal network. Don't know what you would configure on the router, though.
I have set up a second ISA 2k4 server at my branch office, configured the remote networks on both machines, routing rules and full access rules and it works. I can browse for shares on the remote network. Only when I ping from any ISA server to any IP on the remote network, I get the reply "Negotiating IP Security". Ping from an internal host to the remote network works fine. Does anyone know how to solve this?
Now I only have to know why this damned routefinder won't work...
You are most likely receiving this because of a Filter mismatch on the Route Finder.
When you create the Remote Network object and use IPsec Tunnel Mode, 4 filters are created (If Win2003, use the command line "netsh ipsec dynamic show qmfilters all" to see these filters)
ISA External IP -> Remote Subnet
ISA Private net -> Remote Subnet
ISA External IP <- Remote Subnet
ISA Private net <- Remote Subnet
When you PING from the network behind ISA, the filter "ISA Private Net -> Remote Subnet" gets invoked and works because you have a corresponding filter on the Route Finder. When you PING from ISA, you invoke the "ISA External IP -> Remote Subnet" filter which most likely is not on the Route Finder.
I'm not sure how Route Finder refers to filters (Cisco uses Access Lists, different vendors use other terminology), but you'll need to see what the "relationship" is between the RouteFinder and ISA's external IP address.
I ran into this problem while testing interoperability with my PIX and CheckPoint installs and after adding the corresponding filter/access list on the remote site, everything worked.
Thanks for your reply, I now understand what can go wrong, but I still didn't manage to get traffic going on the VPN tunnel between the ISA and the Routefinder. I installed a second ISA server on the remote site and built a VPN between the two ISA servers. When I ping from one ISA server to the remote network I get this message, while pinging from behind the ISA server works fine.
Does your filter-story still apply to this scenario and if so, do you know how to resolve this issue?
It helps, but this ends up coming down to a filter mismatch.
What OS is ISA 2004 installed on?
If Win2003, go to a command prompt and run...
netsh ipsec dynamic show qmfilters all
Compare the filters that are shown here to make sure they match on both sides. Again, we're looking for
ISA1 -> Remote Subnet
Local Subnet -> Remote Subnet
ISA1 <- Remote Subnet
Local Subnet <- Remote Subnet
If Win2000, it's a little more difficult - let me know if this is the case and I'll try to find the IPSECPOL command line syntax to dump out the filters created.
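The filter-mismatch explanation given in the two replies above (the four quick-mode filters ISA creates for a tunnel-mode remote network, and why a ping sourced from the ISA host selects a filter the peer may not carry) can be modelled directly. The following is an added example, not code posted in this thread and not part of ISA or the RouteFinder; it does not parse `netsh ipsec dynamic show qmfilters all` output but models the resulting filter sets as source/destination pairs. The addresses (203.0.113.10 as the ISA external IP, 10.1.0.0/24 as the ISA internal network, 10.2.0.0/24 as the remote subnet), the function names and the "most specific filter wins" selection rule are all assumptions made for illustration.

```python
"""Model of the IPsec quick-mode filter mismatch discussed in the thread.

Added example, not code from the thread. Addresses are constructed.
Each filter is a (source network, destination network) selector; a
host address is a /32. A ping from A to B needs the selector A->B and
its mirror B->A on BOTH ends, otherwise the quick-mode negotiation for
that selector never completes and ping reports "Negotiating IP Security".
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Set


@dataclass(frozen=True)
class QmFilter:
    """One quick-mode filter: traffic from src to dst."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    @staticmethod
    def make(src: str, dst: str) -> "QmFilter":
        # strict=False lets "10.1.0.0/24" and "203.0.113.10" both parse.
        return QmFilter(ipaddress.ip_network(src, strict=False),
                        ipaddress.ip_network(dst, strict=False))

    def mirror(self) -> "QmFilter":
        """The reverse-direction filter (what the reply packet needs)."""
        return QmFilter(self.dst, self.src)

    def covers(self, src_ip: str, dst_ip: str) -> bool:
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst)


def isa_tunnel_filters(isa_external_ip: str, isa_internal_net: str,
                       remote_subnet: str) -> Set[QmFilter]:
    """The four filters ISA creates for a tunnel-mode remote network:
    external IP <-> remote subnet and internal net <-> remote subnet."""
    outbound = {QmFilter.make(isa_external_ip, remote_subnet),
                QmFilter.make(isa_internal_net, remote_subnet)}
    return outbound | {f.mirror() for f in outbound}


def select_filter(filters: Iterable[QmFilter], src_ip: str,
                  dst_ip: str) -> Optional[QmFilter]:
    """Pick the most specific filter covering src->dst (assumed rule:
    longest combined prefix wins, as an IPsec driver would do)."""
    hits = [f for f in filters if f.covers(src_ip, dst_ip)]
    if not hits:
        return None
    return max(hits, key=lambda f: f.src.prefixlen + f.dst.prefixlen)


def ping_outcome(local: Set[QmFilter], peer: Set[QmFilter],
                 src_ip: str, dst_ip: str) -> str:
    """What a ping from src_ip to dst_ip sees, given both ends' filters."""
    chosen = select_filter(local, src_ip, dst_ip)
    if chosen is None:
        return "no matching filter on the local side"
    # The echo needs the selector, the reply needs its mirror, on both ends.
    needed = {chosen, chosen.mirror()}
    if not needed <= local or not needed <= peer:
        return "Negotiating IP Security"
    return "reply"


if __name__ == "__main__":
    isa = isa_tunnel_filters("203.0.113.10", "10.1.0.0/24", "10.2.0.0/24")
    # Peer configured only "internal LAN <-> remote LAN", as in the thread.
    peer = {QmFilter.make("10.2.0.0/24", "10.1.0.0/24"),
            QmFilter.make("10.1.0.0/24", "10.2.0.0/24")}
    print("from internal host:", ping_outcome(isa, peer, "10.1.0.5", "10.2.0.5"))
    print("from ISA itself:   ", ping_outcome(isa, peer, "203.0.113.10", "10.2.0.5"))
    # Fix: the peer's remote network must also include ISA's external IP.
    fixed = peer | {QmFilter.make("203.0.113.10", "10.2.0.0/24"),
                    QmFilter.make("10.2.0.0/24", "203.0.113.10")}
    print("after adding ext IP:", ping_outcome(isa, fixed, "203.0.113.10", "10.2.0.5"))
```

The second print reproduces the symptom in the thread (ping from behind ISA works, ping from the ISA host itself does not), and the third shows the effect of adding ISA's public IP to the peer's remote network definition, which is the same as giving the peer the two missing filters.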
I didn't quite follow your article, Tom. I forgot to add the public IP address of the remote networks to the network definitions. When I added these addresses, I could ping from the ISA server. Do you have an explanation for this?