They are essentially the same. I added a few more details to the online version on this site, but the procedures are the same as the pre-release article you saw before.
This is one of the limitations of IPSec tunnel mode. It needs to know the IP address of the tunnel endpoint. If you want to use dynamic addresses, you can use PPTP or L2TP/IPSec.
Hi Tom
Good article, although one hopefully constructive criticism. Any article I can find on how to do this always seems to duck out of using certificates and uses pre-shared keys. I understand this makes it simpler but ideally is not how a production environment should be. For simplicity you may want to go as far as assuming the user already has an internal certificate authority or has bought a certificate from Verisign etc., but it would be nice to see what type of certificate should be used (and ideally how to request them). Anyway, keep up the good work and hopefully we will all buy your book when available.
Not taken as criticism at all. I had considered showing how to do the certificate deployment, but chose not to because I was getting tired.
However, you make a good point. I'll do another article using this one as a base, but I'll append and update the sections that apply with the certificate info.
Sounds good.
PS: I think I figured out how to do it. Just need to add the router certificate as one of the ones that can be requested from the CA and then do the advanced web-based request, and it is now an option; then the usual export/import etc.
Nope, just ISA 2004. That is one of the big advantages: you can use IPSec tunnel mode for third-party integration. In general, you want to steer clear of IPSec tunnel mode unless you have to use it with third-party VPN devices.
I'm glad you wrote this article. Years ago I investigated doing this with ISA 2000 and could not. I put the product down and have waited until now. And so come the questions.
I want to configure a site-to-site IPSec VPN tunnel between ISA 2004 and a Cisco. While I know that the configuration of the Cisco is beyond the scope of this site, I have that part covered, and you can help.
IPSec has many configuration parameters that can be changed. Your example shows two machines configured without delving into anything beyond the pre-shared key. What are the default settings for the other critical parameters (AH integrity, ESP integrity, ESP encryption, key lifetime [in sec.], etc.)? Is it using a specific policy? I need to know what ISA is using so I can setup the Cisco properly.
Like Clint said, you can find the IPSec parameters in the UI after you configure the remote site network on the ISA firewall machine.
There should be a very good paper on how to configure the site-to-site network with ISA 2004 and PIX by the time the product is in general release. Do you think that will happen, Clint?
You betcha - it's already gone through Tech Review and we're just waiting on the product to release.
It has procedures for using a pre-shared key and also how to use the Cisco Simple Certificate Enrollment Protocol add-on for Microsoft Cert Services (MSCEP download) to get a cert onto the PIX and ISA to use it as the auth method for Main Mode.
I have a Netgear FVM318 that I am trying to set up an IPSec tunnel to with ISA 2004. Phase 1 will connect but phase 2 will not. What am I doing wrong? I followed your instructions on how to set up the tunnel in ISA 2004. I can get the router to establish both connections on a Windows 2000 RRAS server but not with ISA 2004 installed.