IPSec tunnel ISA2k4 - Routefinder
IPSec tunnel ISA2k4 - Routefinder - 11.Feb.2004 11:32:00 AM   
Linke Loe

 

Posts: 57
Joined: 1.Oct.2003
From: Utrecht, Netherlands
Status: offline
Hi all.

I have an ISA 2k4 at work and a Multitech Routefinder 660 at a branch office. I want to set up an IPsec VPN tunnel between them.

I create the remote network in both the machines and on the Routefinder I can see the VPN tunnel is established.

I create a packet filter on the routefinder to allow all traffic from the internal LAN to the remote LAN. On the ISA-box I tried several network and firewall rules allowing all traffic, but I can't send a ping to the other side.

Is there anyone who has this kind of configuration working, or can anyone tell me what rules I have to configure?
Post #: 1
RE: IPSec tunnel ISA2k4 - Routefinder - 11.Feb.2004 1:16:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Linke,

On the ISA 2004 firewall, create a rule that allows everything from the remote network to the Internal network.

HTH,
Tom

(in reply to Linke Loe)
Post #: 2
RE: IPSec tunnel ISA2k4 - Routefinder - 11.Feb.2004 2:18:00 PM   
Linke Loe

 

Posts: 57
Joined: 1.Oct.2003
From: Utrecht, Netherlands
Status: offline
quote:
Originally posted by tshinder:
Hi Linke,

On the ISA 2004 firewall, create a rule that allows everything from the remote network to the Internal network.

HTH,
Tom

Hmmmm, done that. Still no ping...

Is there anything I need to enable first? Right now, I only have a network rule with a routing relationship between the Internal Network and the remote network and a firewall rule allowing all outbound protocols from the remote network to the internal network.

(in reply to Linke Loe)
Post #: 3
RE: IPSec tunnel ISA2k4 - Routefinder - 11.Feb.2004 6:31:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Linke,

They should be inbound connections from the remote network to the internal network.

That's all you should need on the ISA side. Haven't seen your type of router, though.

HTH,
Tom

(in reply to Linke Loe)
Post #: 4
RE: IPSec tunnel ISA2k4 - Routefinder - 11.Feb.2004 10:33:00 PM   
Linke Loe

 

Posts: 57
Joined: 1.Oct.2003
From: Utrecht, Netherlands
Status: offline
quote:
Originally posted by tshinder:
Hi Linke,

They should be inbound connections from the remote network to the internal network.

That's all you should need on the ISA side. Haven't seen your type of router, though.

HTH,
Tom

And how do I enable all inbound protocols? There is a standard definition "All Outbound Protocols" but nothing like "All Inbound Protocols"...

I don't know if the Routefinder is a much-seen router in the US, but I've seen it several times here in Europe. If you want more info: http://www.multitech.com/PRODUCTS/Families/RouteFinderVPN/

(in reply to Linke Loe)
Post #: 5
RE: IPSec tunnel ISA2k4 - Routefinder - 15.Feb.2004 6:13:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Linke,

Hmmm. Good point [Smile] On the ISA box, the configuration would be "outbound" from Remote network to Internal network. Don't know what you would configure on the router, though.

Tom

(in reply to Linke Loe)
Post #: 6
RE: IPSec tunnel ISA2k4 - Routefinder - 15.Feb.2004 11:23:00 PM   
Linke Loe

 

Posts: 57
Joined: 1.Oct.2003
From: Utrecht, Netherlands
Status: offline
On the routefinder I configure a packet filter allowing all access through all ports, so it should work on the remote side.

But I think I'm going to test things out on a second ISA 2k4 machine this week. Let's see if that will work...

(in reply to Linke Loe)
Post #: 7
RE: IPSec tunnel ISA2k4 - Routefinder - 16.Feb.2004 12:23:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Linke,

Let us know how it works out for you.

Thanks!
Tom

(in reply to Linke Loe)
Post #: 8
RE: IPSec tunnel ISA2k4 - Routefinder - 17.Feb.2004 4:41:00 PM   
Linke Loe

 

Posts: 57
Joined: 1.Oct.2003
From: Utrecht, Netherlands
Status: offline
I sure will.

I'm setting up the second server as I speak and going to test things out later tonight.

(in reply to Linke Loe)
Post #: 9
RE: IPSec tunnel ISA2k4 - Routefinder - 17.Feb.2004 9:33:00 PM   
Linke Loe

 

Posts: 57
Joined: 1.Oct.2003
From: Utrecht, Netherlands
Status: offline
It works!

I have set up a second ISA 2k4 server at my branch office, configured the remote networks on both machines, routing rules and full access rules and it works. I can browse for shares on the remote network. Only when I ping from any ISA server to any IP on the remote network, I get the reply "Negotiating IP Security". Ping from an internal host to the remote network works fine. Does anyone know how to solve this?

Now I only have to know why this damned routefinder won't work...

[ February 17, 2004, 10:28 PM: Message edited by: Linke Loe ]

(in reply to Linke Loe)
Post #: 10
RE: IPSec tunnel ISA2k4 - Routefinder - 17.Feb.2004 11:13:00 PM   
ClintD

 

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
You are most likely receiving this because of a Filter mismatch on the Route Finder.

When you create the Remote Network object and use IPsec Tunnel Mode, 4 filters are created (If Win2003, use the command line "netsh ipsec dynamic show qmfilters all" to see these filters)

ISA External IP -> Remote Subnet
ISA Private net -> Remote Subnet
ISA External IP <- Remote Subnet
ISA Private net <- Remote Subnet

When you PING from the network behind ISA, the filter "ISA Private Net -> Remote Subnet" gets invoked and works because you have a corresponding filter on the Route Finder. When you PING from ISA, you invoke the "ISA External IP -> Remote Subnet" filter which most likely is not on the Route Finder.

I'm not sure how Route Finder refers to filters (Cisco uses Access Lists, different vendors use other terminology), but you'll need to see what the "relationship" is between the RouteFinder and ISA's external IP address.

I ran into this problem while testing interoperability with my PIX and CheckPoint installs and after adding the corresponding filter/access list on the remote site, everything worked.

[ February 17, 2004, 11:18 PM: Message edited by: ClintD ]

(in reply to Linke Loe)
Post #: 11
RE: IPSec tunnel ISA2k4 - Routefinder - 18.Feb.2004 4:40:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Clint,

Thanks! Great info.

Tom

(in reply to Linke Loe)
Post #: 12
RE: IPSec tunnel ISA2k4 - Routefinder - 18.Feb.2004 10:13:00 PM   
Linke Loe

 

Posts: 57
Joined: 1.Oct.2003
From: Utrecht, Netherlands
Status: offline
Clint,

Thanks for your reply, I now understand what can go wrong, but I still didn't manage to get traffic going on the VPN tunnel between the ISA and the routefinder. I installed a second ISA server on the remote site and built a VPN between the two ISA servers. When I ping from one ISA server to the remote network I get this message, while pinging from behind the ISA server works fine.

Does your filter-story still apply to this scenario and if so, do you know how to resolve this issue?

(in reply to Linke Loe)
Post #: 13
RE: IPSec tunnel ISA2k4 - Routefinder - 19.Feb.2004 1:09:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Linke,

Did you use my guide for creating a site to site VPN with IPSec tunnel mode between two ISA 2004 firewalls?

Thanks!
Tom

(in reply to Linke Loe)
Post #: 14
RE: IPSec tunnel ISA2k4 - Routefinder - 19.Feb.2004 1:49:00 AM   
ClintD

 

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
It helps, but this ends up coming down to a filter mismatch.

What OS is ISA 2004 installed on?

If Win2003, go to a command prompt and run...

netsh ipsec dynamic show qmfilters all

Compare the filters that are shown here to make sure they match on both sides. Again, we're looking for

ISA1 -> Remote Subnet
Local Subnet -> Remote Subnet
ISA1 <- Remote Subnet
Local Subnet <- Remote Subnet

If Win2000, it's a little more difficult - let me know if this is the case and I'll try to find the IPSECPOL command line syntax to dump out the filters created.

(in reply to Linke Loe)
Post #: 15
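ClintD's two posts (#11 and #15) describe the check in words: list the four quick-mode filters a tunnel-mode remote network creates on the ISA side and make sure each one has a counterpart on the peer, because a selector the peer does not know about (here, ISA's own external IP to the remote subnet) is exactly what leaves a ping from the firewall itself stuck at "Negotiating IP Security". The script below is an added example, not code from the thread, from ISA Server or from Multitech. It assumes a simplified `src -> dst` text format for each side's filter list (real `netsh ipsec dynamic show qmfilters all` output is laid out differently and would need its own parser); the addresses and both filter lists are constructed for the example.

```python
"""Compare IPsec quick-mode selector (filter) lists from two VPN gateways.

Added example: the 'src -> dst' input format, the addresses and both filter
lists below are constructed assumptions, not output from any real device.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Filter:
    """One quick-mode selector: traffic from src to dst is protected by the tunnel."""
    src: IPv4Network
    dst: IPv4Network


def parse_filters(text):
    """Parse 'src -> dst' lines ('#' starts a comment) into a set of Filter objects."""
    filters = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[1] != "->":
            raise ValueError(f"expected 'src -> dst', got {line!r}")
        filters.add(Filter(ip_network(parts[0], strict=False),
                           ip_network(parts[2], strict=False)))
    return filters


def expected_filters(gateway_ip, local_net, remote_net):
    """The four filters ClintD lists, seen from one gateway: its own external
    address and its internal subnet, each to and from the remote subnet."""
    gw, local, remote = ip_network(gateway_ip), ip_network(local_net), ip_network(remote_net)
    return {Filter(gw, remote), Filter(local, remote),
            Filter(remote, gw), Filter(remote, local)}


def pair_key(f):
    """Direction-independent key: both gateways list both directions, so a
    selector only needs to exist on the peer as the same pair of networks."""
    return tuple(sorted((f.src, f.dst), key=str))


def find_mismatches(local_filters, peer_filters):
    """Return (pairs present locally but absent on the peer,
               pairs present on the peer but absent locally)."""
    local_keys = {pair_key(f) for f in local_filters}
    peer_keys = {pair_key(f) for f in peer_filters}
    fmt = lambda k: f"{k[0]} <-> {k[1]}"
    return (sorted(fmt(k) for k in local_keys - peer_keys),
            sorted(fmt(k) for k in peer_keys - local_keys))


def peer_covers(peer_filters, src_ip, dst_ip):
    """Would the peer negotiate an SA for a packet from src_ip to dst_ip?
    True only if some peer filter contains both endpoints (either direction)."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    return any((src in f.src and dst in f.dst) or (src in f.dst and dst in f.src)
               for f in peer_filters)


# Constructed sample: the ISA side has all four filters, the branch router
# was only given the subnet-to-subnet pair.
ISA_SIDE = """
198.51.100.10/32 -> 10.2.0.0/24   # ISA external IP -> remote subnet
10.1.0.0/24      -> 10.2.0.0/24   # ISA internal net -> remote subnet
10.2.0.0/24      -> 198.51.100.10/32
10.2.0.0/24      -> 10.1.0.0/24
"""

ROUTER_SIDE = """
10.2.0.0/24 -> 10.1.0.0/24
10.1.0.0/24 -> 10.2.0.0/24
"""


def diagnose():
    """Run the comparison on the constructed sample and report what is missing."""
    isa, router = parse_filters(ISA_SIDE), parse_filters(ROUTER_SIDE)
    missing_on_peer, missing_locally = find_mismatches(isa, router)
    report = {
        "isa_has_expected_four": isa == expected_filters("198.51.100.10", "10.1.0.0/24", "10.2.0.0/24"),
        "missing_on_router": missing_on_peer,
        "missing_on_isa": missing_locally,
        # ping from the ISA box itself vs. from a host behind it
        "ping_from_isa_covered": peer_covers(router, "198.51.100.10", "10.2.0.5"),
        "ping_from_lan_host_covered": peer_covers(router, "10.1.0.7", "10.2.0.5"),
    }
    return report


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

The output for the sample reproduces the thread's symptom: the LAN-to-LAN pair matches, so a ping from an internal host is covered, while the external-IP pair is missing on the router, so a ping sourced from the firewall has no selector the peer will agree to. Fixing it means adding the missing pair on the side that lacks it, not loosening the access rule on ISA.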
RE: IPSec tunnel ISA2k4 - Routefinder - 19.Feb.2004 9:49:00 PM   
Linke Loe

 

Posts: 57
Joined: 1.Oct.2003
From: Utrecht, Netherlands
Status: offline
The problem is solved.

I didn't quite follow your article, Tom. I forgot to add the public IP addresses of the remote networks to the network definitions. When I added these addresses, I could ping from the ISA server. Do you have an explanation for this?

(in reply to Linke Loe)
Post #: 16
RE: IPSec tunnel ISA2k4 - Routefinder - 20.Feb.2004 12:10:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Linke,

You need to do that when using a NAT relationship, and when you enable Web Proxy connections.

HTH,
Tom

(in reply to Linke Loe)
Post #: 17
