Welcome to ISAserver.org


RE: Discussion of IPSec Tunnel Mode Site to Site VPN

RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 30.Jul.2004 3:08:00 AM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
If you would follow the procedure I mentioned in the original thread you created for this problem, we could solve this really quick.

To be blunt, anything you post is just going to be guess work on our side until we can get some sort of log to troubleshoot.

The ISA Server Remote Size wizard defaults to the following settings...

IKE / Main Mode / Phase I
Encryption Algorithm - 3DES
Integrity Algorithm - SHA1
Diffie-Hellman Group 2
Main Mode Perfect Forward Secrecy - Disabled
Main Mode Lifetime - 28800 seconds
Authentication - Admin Specified - are you using a Pre-Shared Key?

IPSec / Quick Mode / Phase II
Encryption Algorithm - 3DES
Integrity Algorithm - SHA1
Quick Mode SA Lifetime - 3600 seconds / 0 kbytes
Perfect Forward Secrecy - Enabled with Diffie Hellman Group 2

If you don't feel comfortable posting the log up here, send it to me at work - <MyISAServerlogin>@microsoft.com and I'll figure it out.

Is ISA Server installed on Windows 2000 or Windows 2003?

[ July 30, 2004, 03:01 PM: Message edited by: ClintD ]

(in reply to tshinder)
Post #: 21
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 10.Aug.2004 7:17:00 PM   
myrmidon

 

Posts: 27
Joined: 27.Nov.2003
From: Singapore
Status: offline
Hi Tom,

Thanks for this great article. I have followed it, and managed to get our 2 networks connected, however I am still unable to get traffic to flow.

Here is my config summary:
Main Office IP Range: 10.8.0.0 - 10.8.255.255
Main Office ISA IP: 10.8.0.1
Main Office Client PC: 10.8.0.3

Remote Branch IP Range: 10.1.0.0 - 10.1.255.255
10.2.0.0 - 10.2.255.255
Remote Office ISA IP: 10.1.0.52
Remote Office Client PC: 10.1.0.69

I am able to get the 2 networks to connect smoothly via L2TP (with a pre-shared key), and there is no trouble with the connection. I have also configured the network route rule, and the firewall policy rule to allow all traffic.

When I attempt to ping '10.1.0.69' from the '10.8.0.3' machine (in other words, from a client PC at the main office, across the VPN to a client PC at the remote branch), then on the main branch ISA server logging, I see an 'Initiated Connection' log (which is correct as per my outgoing rule); however, on the remote side, I see a log entry that says 'Denied Connection' (with the appropriate IPs), but the 'Rule' column is blank??? I can therefore see that the remote ISA server is denying this packet, but I can't understand why. There is no rule associated with this.

Do you perhaps have any pointers as to what I am missing?

Thanks
Olaf

(in reply to tshinder)
Post #: 22
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 10.Aug.2004 9:06:00 PM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
You say the firewall policy allows all traffic, but on which server is this specified?

Does the "Main" ISA Server have an access policy rule that states "Main to Remote" Allow ICMP, and also does Main have an access policy rule that states "Remote to Main" allowing ICMP?

Likewise, does Remote have an access policy that allows ICMP from Main to Remote and also a rule allowing ICMP from Remote to Main?

Some people incorporate these requirements into a single rule (the From tab has Main and Remote listed and the To tab has Main and Remote).

(in reply to tshinder)
Post #: 23
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 10.Aug.2004 9:59:00 PM   
myrmidon

 

Posts: 27
Joined: 27.Nov.2003
From: Singapore
Status: offline
Hi Clint,

I have 2 firewall policy rules on either side setup like this:

Main Office:
Allow, All Protocols, From Internal, To RemoteBranch, AllUsers
Allow, All Protocols, From RemoteBranch, To Internal, AllUsers

Remote Branch:
Allow, All Protocols, From Internal, To MainOffice, AllUsers
Allow, All Protocols, From MainOffice, To Internal, AllUsers

So I have followed the '2-explicit-rule' approach rather than the 2 in one. This config is obviously a little too generous for the production environment, but I did this to attempt to get it running.

For the network route rule, I only have a single rule on either side:

Main Office:
BranchRule, Route, Internal, RemoteBranch

Remote Branch:
MainRule, Route, Internal, MainOffice

Am I correct in assuming that the Route is bi-directional (indicated in the captions), and I don't have to specify similar rules in the other direction?

Unfortunately, even though my VPN connection is working and stable, I still get no traffic across. Are there any 'Firewall Policy Rules' that I need to tweak?

[ August 10, 2004, 10:04 PM: Message edited by: Olaf Wagner ]

(in reply to tshinder)
Post #: 24
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 11.Aug.2004 2:42:00 AM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
On the remote site, go into the Logging tab, right-click the main row header (at the bottom of the pane, right above where the results from the logs are shown) and select "Add/Remove Columns".

Add every column in there - once you've done that, scroll to the right until you can find some more info on the reason for the failure.

Your rules are fine.

(in reply to tshinder)
Post #: 25
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 11.Aug.2004 7:45:00 PM   
myrmidon

 

Posts: 27
Joined: 27.Nov.2003
From: Singapore
Status: offline
Hi Clint,

I have done some more testing and this is the current status (which is weird, but might indicate what the problem is).

I am attempting to connect from a client machine at our main office to a client machine at the remote branch via the office-to-office VPN
(as described in my earlier posts, the main office client PC IP is 10.8.0.3 and the remote office client PC IP is 10.1.0.69). I did 3 tests and got these results:

ICMP
Result: Unable to ping the remote pc.
Logging: I get a log entry on the remote side indicating 'Denied Connection',
Source IP: 10.8.0.3
Dest IP: 10.1.0.69
Protocol: Ping
Rule: blank

HTTP
Result: I am able to browse to a test page.
Logging: For some strange reason, the http request logs with the VPN Client IP from the main office, so I get
Source IP: 10.1.0.75 (the VPN Client IP address that the ISA server got at the main office when it initiated the VPN connection to the remote site)
Dest IP: 10.1.0.69
Protocol: HTTP
Action: Initiated Connection

FTP
Result: Unable to open FTP Connection to the remote pc.
Logging: I get a log entry on the remote side indicating 'Denied Connection',
Source IP: 10.8.0.3
Dest IP: 10.1.0.69
Protocol: FTP
Rule: blank

Why is it that even though I am doing 3 different tests from the same source PC to the same Dest PC, that the HTTP scenario is somehow making use of the VPN Client IP (and it renders the correct HTM page in my browser), when the ICMP and FTP are using the actual IP, and are being denied a connection?

It's a mystery... :-)

Cheers
Olaf

(in reply to tshinder)
Post #: 26
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 12.Aug.2004 6:49:00 PM   
myrmidon

 

Posts: 27
Joined: 27.Nov.2003
From: Singapore
Status: offline
Hi Guys,

I have narrowed this down to another strange phenomenon. I am not sure whether this has been happening from the beginning, but at this stage I am experiencing this:

I can make a RAS connection from the Main Office to the Remote Branch.
Then I attempt to make a RAS connection from the Remote Branch to the Main Office.
This gives 1 or 2 errors 'The modem (or connecting device) has reported an error.'
After 1 or 2 more attempts the Remote Branch does indeed connect, but 2 seconds later the Main Branch RAS connection to the Remote Branch drops.
Then I try to connect from Main to Branch, and it gives the same errors.
After some retries it connects, and the Branch-Main connection drops 2 seconds after that.

What could be causing this? Am I missing something?

Cheers
Olaf

[ August 12, 2004, 06:50 PM: Message edited by: Olaf Wagner ]

(in reply to tshinder)
Post #: 27
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 18.Aug.2004 7:53:00 AM   
Guest
I'm glad you wrote this article.
But it doesn't work.
Must I configure RRAS for it to work?

(in reply to tshinder)
  Post #: 28
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 19.Aug.2004 7:07:00 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hey guys,

I tried it out again tonight with the RTM and it still works as written.

Make sure you configure the rules correctly and that you do not enable both pre-shared key and certificates.

HTH,
Tom

(in reply to tshinder)
Post #: 29
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 3.Sep.2004 5:28:00 AM   
rule14e3

 

Posts: 7
Joined: 28.Aug.2004
From: Virginia
Status: offline
What if any additional configuration do I need to undertake if I am connecting two branch offices to the main office and need to route traffic between all locations?

Thanks.

David

(in reply to tshinder)
Post #: 30
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 3.Sep.2004 1:29:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Rule,

Are there ISA firewalls on both sides?

Thanks!
Tom

(in reply to tshinder)
Post #: 31
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 3.Sep.2004 9:52:00 PM   
rule14e3

 

Posts: 7
Joined: 28.Aug.2004
From: Virginia
Status: offline
Sorry about that. Currently I have 3Com SuperStack firewalls in all three locations. However, I also have ISA 2004 deployed at the main office handling some additional IPs for our newly deployed Exchange 2003. I would like to replace the main office 3Com with ISA and have ISA handle the site-to-site with the branch 3Coms.

Thanks.

David

(in reply to tshinder)
Post #: 32
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 6.Sep.2004 4:45:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi David,

OK, in that case, you will probably need to use IPSec tunnel mode for the site to site VPN connections to the ISA firewall.

HTH,
Tom

(in reply to tshinder)
Post #: 33
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 16.Sep.2004 10:19:00 PM   
Guest
Hi all.

And Thanks for this good article.

One doubt: I've tried to connect two sites with IPSec tunnel mode. Both routers are ADSL with static IPs and use NAT to forward all the ports to the ISA 2004. In this situation the VPN doesn't work.

Any idea?

Thanks again.

(in reply to tshinder)
  Post #: 34
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 17.Sep.2004 2:06:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi J,

Does your ISP allow IPSec tunnel mode connections? Also, is there a device in front of the ISA firewall that is blocking the VPN connection?

Thanks!
Tom

(in reply to tshinder)
Post #: 35
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 22.Oct.2004 2:15:00 PM   
cerebrate

 

Posts: 24
Joined: 19.Mar.2004
Status: offline
I've just tried to get this set up between two ISA 2004 servers (one ISA 2004 on W2K3; the other ISA 2004 on SBS 2003), following the article.

I'm having trouble with the IPsec negotiation. When I try to ping back and forth between the two, it hangs in "Negotiating IP Security" seemingly indefinitely; when I check the event logs, I find that one machine has an event 547 in its security log:

-----

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 547
Date: 22/10/2004
Time: 11:46:49
User: NT AUTHORITY\NETWORK SERVICE
Computer: RUMPOLE
Description:
IKE security association negotiation failed.
Mode:
Data Protection Mode (Quick Mode)

Filter:
Source IP Address 82.151.255.58
Source IP Address Mask 255.255.255.255
Destination IP Address 192.168.217.0
Destination IP Address Mask 255.255.255.0
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 82.151.255.58
IKE Peer Addr 83.148.130.226
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr

Peer Identity:
Preshared key ID.
Peer IP Address: 83.148.130.226

Failure Point:
Peer

Failure Reason:
No policy configured

Extra Status:
Processed third (ID) payload
Initiator. Delta Time 0
0x0 0x0

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

-----

and the other machine has a corresponding event 547 with "Failure Point: Me" and "Failure Reason: No policy defined".

Looking at the IP Security Monitor, there certainly *seems* to be a policy defined...

Any thoughts, anyone?

Alistair

(in reply to tshinder)
Post #: 36
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 22.Oct.2004 2:32:00 PM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
If you're PINGing from the endpoints, then you'll need to add the endpoint address into the Remote Site connection.

For example, SiteA has a Remote Site connection for SiteB.

SiteA-ISA will have SubnetB listed on the addresses tab, as well as SiteB-ISA's external IP address. The opposite is also true for SiteB's Remote Site connection to SiteA.

The error "No policy defined" is telling you that there isn't a matching IPSec filter for the traffic you have specified.

[ October 22, 2004, 02:33 PM: Message edited by: ClintD ]

(in reply to tshinder)
Post #: 37
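The "no matching IPSec filter" check ClintD describes, as an added example that is not code from the thread or from ISA Server: it parses the Event 547 text Alistair posted and tests whether a Remote Site address list covers the filter's endpoints. The address-set entries (`192.168.100.0 - 192.168.100.255`) are constructed, and `parse_event_547`, `parse_address_list` and `uncovered` are names of my own.

```python
"""Added example: parse a Windows Event 547 (IKE negotiation failed) and check
whether an ISA Remote Site address list covers the quick-mode traffic selector.
The event text is taken from the post above; the address lists are constructed."""
import ipaddress
import re

# Filter block from the Event 547 quoted in the thread (trimmed to the fields used).
EVENT_547 = """IKE security association negotiation failed.
Filter:
Source IP Address 82.151.255.58
Source IP Address Mask 255.255.255.255
Destination IP Address 192.168.217.0
Destination IP Address Mask 255.255.255.0
IKE Local Addr 82.151.255.58
IKE Peer Addr 83.148.130.226
Failure Point:
Peer
Failure Reason:
No policy configured
"""

def parse_event_547(text):
    """Extract the quick-mode traffic selector, the IKE peer and the failure info."""
    def inline(name):                      # "Name value" on a single line
        return re.search(rf"^{re.escape(name)} (\S+)$", text, re.M).group(1)
    def block(name):                       # "Name:" with the value on the next line
        return re.search(rf"^{re.escape(name)}:\n(.+)$", text, re.M).group(1).strip()
    src = ipaddress.ip_network(f"{inline('Source IP Address')}/{inline('Source IP Address Mask')}")
    dst = ipaddress.ip_network(f"{inline('Destination IP Address')}/{inline('Destination IP Address Mask')}")
    return {"src": src, "dst": dst,
            "peer": ipaddress.ip_address(inline("IKE Peer Addr")),
            "failure_point": block("Failure Point"),
            "reason": block("Failure Reason")}

def parse_address_list(entries):
    """ISA address-set entries: 'a.b.c.d - w.x.y.z' ranges or single host addresses."""
    ranges = []
    for entry in entries:
        lo, _, hi = (part.strip() for part in entry.partition("-"))
        lo_ip = ipaddress.ip_address(lo)
        hi_ip = ipaddress.ip_address(hi) if hi else lo_ip
        ranges.append((int(lo_ip), int(hi_ip)))
    return ranges

def uncovered(address_list, *networks):
    """Selector networks that no single entry of the address list fully contains.
    A non-empty result is the situation behind 'No policy configured'."""
    ranges = parse_address_list(address_list)
    return [str(n) for n in networks
            if not any(lo <= int(n[0]) and int(n[-1]) <= hi for lo, hi in ranges)]

if __name__ == "__main__":
    ev = parse_event_547(EVENT_547)
    lan_only = ["192.168.100.0 - 192.168.100.255"]          # constructed LAN-only list
    print(ev["failure_point"], ev["reason"], uncovered(lan_only, ev["src"]))
    # Adding the ISA's own external address, as ClintD advises, covers the selector.
    print(uncovered(lan_only + [str(ev["src"][0])], ev["src"]))
```

Run against the peer's Remote Site list for the site that initiated the ping; an empty result from `uncovered` for both selector endpoints means a filter can exist for that traffic.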
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 26.Oct.2004 12:40:00 PM   
cerebrate

 

Posts: 24
Joined: 19.Mar.2004
Status: offline
Thank you very much. Can't believe I missed that!

Works perfectly now.

Alistair

(in reply to tshinder)
Post #: 38
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 26.Oct.2004 1:28:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by cerebrate:
I've just tried to get this set up between two ISA 2004 servers (one ISA 2004 on W2K3; the other ISA 2004 on SBS 2003), following the article.

I'm having trouble with the IPsec negotiation. When I try to ping back and forth between the two, it hangs in "Negotiating IP Security" seemingly indefinitely; when I check the event logs, I find that one machine has an event 547 in its security log:

-----

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 547
Date: 22/10/2004
Time: 11:46:49
User: NT AUTHORITY\NETWORK SERVICE
Computer: RUMPOLE
Description:
IKE security association negotiation failed.
Mode:
Data Protection Mode (Quick Mode)

Filter:
Source IP Address 82.151.255.58
Source IP Address Mask 255.255.255.255
Destination IP Address 192.168.217.0
Destination IP Address Mask 255.255.255.0
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 82.151.255.58
IKE Peer Addr 83.148.130.226
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr

Peer Identity:
Preshared key ID.
Peer IP Address: 83.148.130.226

Failure Point:
Peer

Failure Reason:
No policy configured

Extra Status:
Processed third (ID) payload
Initiator. Delta Time 0
0x0 0x0

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

-----

and the other machine has a corresponding event 547 with "Failure Point: Me" and "Failure Reason: No policy defined".

Looking at the IP Security Monitor, there certainly *seems* to be a policy defined...

Any thoughts, anyone?

Alistair

Hi Alistair,

Quick reminder -- do NOT use IPSec tunnel mode between two ISA firewalls. IPSec tunnel mode is used for site to site VPN connections to downlevel VPN gateways. For ISA firewall to ISA firewall connections, use L2TP/IPSec.

HTH,
Tom

(in reply to tshinder)
Post #: 39
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 26.Oct.2004 1:39:00 PM   
cerebrate

 

Posts: 24
Joined: 19.Mar.2004
Status: offline
quote:
Quick reminder -- do NOT use IPSec tunnel mode between two ISA firewalls. IPSec tunnel mode is used for site to site VPN connections to downlevel VPN gateways. For ISA firewall to ISA firewall connections, use L2TP/IPSec.

Long story, I'm afraid...

The short version is that that's what we tried first. Unfortunately, we've got a wireless link in the path between the two sites that's proving less than reliable, and we were having the issue that every time the wireless link flickered, Routing and Remote Access on one of the two ISAs would fall over, and it would take manual intervention to get it back up and running again.

And this happened a lot.

We spent quite a lot of time on the 'phone to Microsoft Business Critical support trying to get a solution to this, but they and we ended up coming to the conclusion that it didn't work, and couldn't reasonably be made to work.

Given the choice, I'd rather not use it, but - well, if it's either that or nothing, it's better than nothing...

(in reply to tshinder)
Post #: 40