Welcome to ISAserver.org


RE: Discussion of IPSec Tunnel Mode Site to Site VPN

RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 15.Nov.2006 9:31:12 PM   
Espitia

 

Posts: 2
Joined: 13.Nov.2006
Status: offline
Hello Mr Shinder,

I am working on establishing an IPSec tunnel mode VPN between our ISA Server 2004 and a Nortel Contivity VPN Gateway.

It appears the basic configuration is OK, because the Oakley logs show IKE Phase I and Phase II accepted. But there is no communication between the VPN secured hosts, and the Oakley.log shows the message: INVALID-ID-INFORMATION

The network architecture is as follow:

Site A
Internal PC: 10.0.0.28
Internal IP of ISA Server 2004: 10.0.0.1
External IP of ISA Server 2004: X.X.X.45

Site B
IP Contivity VPN Gateway: Y.Y.Y.125
Web Server: Y.Y.Y.119

Basic IPSec site-to-site config parameters on Site A (ISA Server 2004)
Remote addresses: Y.Y.Y.119
Remote Gateway: Y.Y.Y.125
Local Gateway: X.X.X.45
Local addresses: 10.0.0.0/24

Basic IPSec site-to-site config parameters on Site B (Contivity)
Remote addresses: X.X.X.45
Remote Gateway: X.X.X.45
Local Gateway: Y.Y.Y.125
Local addresses: Y.Y.Y.119

As you can see, the VPN gateway on Site B has the IP address X.X.X.45 both as the remote gateway and as the remote client. This is because the administration at Site B doesn't accept configuring VPNs with private IP addresses.

To address this requirement, I did configure the Network Relationship for this VPN as NAT, and the IP routing disabled.

The internal PC has no web proxy configured, and I made sure the HTTPS traffic was not passing through the web proxy at the ISA Server.

The error appears with and without  Firewall Client at the internal PC.

I have found googling that the INVALID-ID-INFORMATION error is present when there is a subnet mismatch at both sites, but I don't know how to fix this in the ISA Server.

I appreciate your help very much.

TIA,

Gustavo Espitia
Network Consultant

(in reply to wbplomp)
Post #: 61
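The "subnet mismatch" behind INVALID-ID-INFORMATION is a disagreement between the two peers' Phase 2 (quick mode) identities: what Site A calls its local addresses must be exactly what Site B calls its remote addresses, and vice versa. The check below is an added example, not code from the post or from ISA Server; the placeholder addresses X.X.X.45 and Y.Y.Y.119 are replaced by constructed RFC 5737 documentation addresses, and SITE_A_FIXED is one hypothetical configuration that makes the selectors agree while honouring Site B's "public addresses only" rule.

```python
"""Phase 2 (quick mode) selector consistency check for an IPsec site-to-site
tunnel. Added example; all addresses below are constructed."""
import ipaddress


def parse(addr: str) -> ipaddress.IPv4Network:
    """Accept 'a.b.c.d' or 'a.b.c.d/nn'; a bare host becomes a /32."""
    return ipaddress.ip_network(addr, strict=False)


def fmt(nets) -> list:
    """Stable, readable rendering of a set of networks."""
    return sorted(str(n) for n in nets)


def check_selectors(site_a: dict, site_b: dict) -> list:
    """Return a list of mismatches between the two peers' Phase 2 identities.

    Each site is {"local": [...], "remote": [...]} in that peer's own view.
    Quick mode IDs are accepted only when A's local set equals B's remote
    set and A's remote set equals B's local set; anything else is the
    "subnet mismatch" a responder reports as INVALID-ID-INFORMATION.
    """
    a_local = {parse(x) for x in site_a["local"]}
    a_remote = {parse(x) for x in site_a["remote"]}
    b_local = {parse(x) for x in site_b["local"]}
    b_remote = {parse(x) for x in site_b["remote"]}
    problems = []
    if a_local != b_remote:
        problems.append(f"A local {fmt(a_local)} != B remote {fmt(b_remote)}")
    if a_remote != b_local:
        problems.append(f"A remote {fmt(a_remote)} != B local {fmt(b_local)}")
    return problems


# Constructed values mirroring the post: X.X.X.45 -> 203.0.113.45,
# Y.Y.Y.119 -> 198.51.100.119 (RFC 5737 documentation ranges).
SITE_A = {"local": ["10.0.0.0/24"], "remote": ["198.51.100.119"]}     # ISA Server 2004
SITE_B = {"local": ["198.51.100.119"], "remote": ["203.0.113.45"]}    # Contivity, public only

# Hypothetical fix: Site A presents the external address Site B already
# expects as its local selector, so both views of the tunnel agree.
SITE_A_FIXED = {"local": ["203.0.113.45"], "remote": ["198.51.100.119"]}

if __name__ == "__main__":
    print(check_selectors(SITE_A, SITE_B))        # one mismatch: A local vs B remote
    print(check_selectors(SITE_A_FIXED, SITE_B))  # []
```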
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 28.Mar.2007 1:00:14 PM   
zwap

 

Posts: 8
Joined: 28.Mar.2007
Status: offline
Hello,

I tried to configure everything like you said. My network situation is not the same:

Site A
Internal PC: 172.21.0.0
Internal IP of ISA Server 2004: 172.21.10.31
Internet Adapter: 192.168.21.31
Internal IP of the ADSL Router: 192.168.21.1 (gateway)
External IP of the ADSL Router: X.X.X.87

Site B
Internal PC: 172.22.0.0
Internal IP of ISA Server 2004: 172.22.10.31
Internet Adapter: 192.168.22.31
Internal IP of the ADSL Router: 192.168.22.1 (gateway)
External IP of the ADSL Router: X.X.X.242

I have configured port forwarding on the ADSL routers (port 1723).

But it does not work!

CAN YOU HELP?

Thanks!!!!

(in reply to tshinder)
Post #: 62
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 28.Mar.2007 6:18:38 PM   
Espitia

 

Posts: 2
Joined: 13.Nov.2006
Status: offline
Zwap,

I think your ADSL routers are translating the IP address of the ISA Servers (with NAT) from 192.168.21.31 to X.X.X.87 on site A, and from 192.168.22.31 to X.X.X.242 on site B.

This type of Network Address Translation is not permitted by the IPSec protocol, because it affects the header encryption of the protocol.

You may be able to establish the ISA Servers VPN with another type of encapsulation protocol, such as PPTP, but not with IPSec.

Regards,

Gustavo Espitia

(in reply to zwap)
Post #: 63
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 29.Mar.2007 1:08:17 AM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
quote:

This type of Network Address Translation is not permitted by the IPSec protocol, because it affects the header encryption of the protocol.

You may be able to establish the ISA Servers VPN with another type of encapsulation protocol, such as PPTP, but not with IPSec.


This is true if the IPSec tunnel uses AH, Authentication Header, but is not true if ESP is used, as the NAT-T addition resolves the problem with NAT. Most IPSec Tunnel Mode configurations use ESP.

(in reply to Espitia)
Post #: 64
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 29.Mar.2007 2:46:17 AM   
zwap

 

Posts: 8
Joined: 28.Mar.2007
Status: offline
How can I fix this?

Our ADSL routers support:
IPSec PassThrough
PPPoE PassThrough
PPTP PassThrough
L2TP PassThrough

What port does IPsec use?

I get this configuration error: Description: ISA Server cannot locate a route to the Site Enschede remote site.
As a result, a connection cannot be established. To establish the IPSec site-to-site connection, you must update the routing table.


thanks!

< Message edited by zwap -- 29.Mar.2007 3:30:01 AM >

(in reply to ClintD)
Post #: 65
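Added illustration (not code from any post or from ISA Server) of ClintD's point above and of the protocol and port numbers zwap asks about: AH's integrity check value covers the outer IP header, so a NAT rewrite of the source address invalidates it, while ESP's covers only its own header and payload, which is why ESP with NAT-T can cross the ADSL routers. The packet model, key and addresses are constructed and simplified (a 96-bit HMAC-SHA256 tag and no real cipher), with zwap's 192.168.21.31 behind a constructed public address.

```python
"""Why NAT breaks AH but not ESP. Added, constructed illustration."""
import hashlib
import hmac
import ipaddress
import struct

AH, ESP = 51, 50                  # IP protocol numbers; IKE is UDP/500, NAT-T UDP/4500
KEY = b"constructed-demo-key"     # a real SA derives its keys from the IKE exchange


def ip_header(src: str, dst: str, proto: int) -> bytes:
    """Stand-in for the immutable IPv4 header fields that AH authenticates."""
    return struct.pack("!4s4sB", ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed, proto)


def compute_icv(pkt: dict) -> bytes:
    """Recompute the ICV exactly as the receiving peer would, over the packet as seen."""
    if pkt["proto"] == AH:
        covered = ip_header(pkt["src"], pkt["dst"], AH) + pkt["body"]
    else:                         # ESP: (SPI, sequence) header + ciphertext only
        covered = pkt["body"]
    return hmac.new(KEY, covered, hashlib.sha256).digest()[:12]


def build_packet(proto: int, src: str, dst: str, spi: int, seq: int, data: bytes) -> dict:
    """Sender side: body = (SPI, seq) header plus payload; ICV appended."""
    pkt = {"proto": proto, "src": src, "dst": dst,
           "body": struct.pack("!II", spi, seq) + data}
    pkt["icv"] = compute_icv(pkt)
    return pkt


def nat_outbound(pkt: dict, public_src: str) -> dict:
    """What the ADSL router does: rewrite the outer source address, nothing else."""
    return {**pkt, "src": public_src}


def verify(pkt: dict) -> bool:
    """Receiver side: accept only if the ICV matches the packet as received."""
    return hmac.compare_digest(pkt["icv"], compute_icv(pkt))


def survives_nat(proto: int) -> bool:
    """Constructed path: 192.168.21.31 -> NAT to 203.0.113.87 -> peer 203.0.113.242."""
    sent = build_packet(proto, "192.168.21.31", "203.0.113.242", 0x1001, 1, b"payload")
    return verify(nat_outbound(sent, "203.0.113.87"))


if __name__ == "__main__":
    print("AH survives NAT:", survives_nat(AH))    # False
    print("ESP survives NAT:", survives_nat(ESP))  # True
```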
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 2.Apr.2007 11:20:26 AM   
zwap

 

Posts: 8
Joined: 28.Mar.2007
Status: offline
How can I test the connection?


(in reply to zwap)
Post #: 66
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 17.Apr.2007 4:52:50 AM   
zwap

 

Posts: 8
Joined: 28.Mar.2007
Status: offline
I have configured a site to site PPTP connection.

I have configured the access rules between these sites.
I have configured routes on a computer running Windows XP on site 1 and on a server running Windows 2003 on site 2.

I can ping from the computer on site 1 to the server on site 2.


I can access the network shares of the PC at site 1 from the server at site 2,
but I cannot access the network shares of the server at site 2 from the PC at site 1!!
 

Can you help?

(in reply to zwap)
Post #: 67
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 3.Oct.2007 9:58:45 AM   
ickram

 

Posts: 2
Joined: 2.Oct.2007
Status: offline
Hi,

I want to set up IPSEC tunnel mode site to site using an ADSL router. I have read through the forum but I am still a bit confused about exactly what I am doing wrong.

I have server with 2 NICs, one card is called internal and has been configured with Internal IP address.
IP address X.X.X.181
Subnet Mask 255.255.252
DNS Server X.X.X.181
No Default Gateway

The ADSL router is configured to use NAT. It has the private range
192.168.220.1 - 192.168.220.4
Subnet Mask 255.255.255.0
These IP addresses are NATed to the real Internet IP address. This is a static IP address.

The other NIC is called External.
I have configured this NIC with IP address of
IP Address 192.168.220.5
Subnet Mask 255.255.255.0
Default Gateway 192.168.220.1

I can browse to the System Policy allowed websites through Internet Explorer.

When I go to create a VPN remote site, I get to the Connection Settings and I put in the remote VPN gateway IP address. But when I try to put in the local VPN gateway IP address, there is no IP address associated with the External network.

Does ISA Server regard both the NICs as internal? When I select Internal I can see IP address 192.168.220.5?

(in reply to zwap)
Post #: 68
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 4.Oct.2007 10:03:55 AM   
ickram

 

Posts: 2
Joined: 2.Oct.2007
Status: offline
Hi,

I have resolved the problem.
This is how I resolved the problem.

I uninstalled the ISA server 2004 installation and went through the custom installation when it came to choosing the Internal Network. I unticked the option for Add the following private ranges 10.x.x.x, 192.168.x.x 172.16.x.x, 172.31.x.x and 169.254.x.x.
I selected my Internal NIC and left Add address ranges based on the Windows Routing Table.

Also I made sure all the NICs were configured before installing ISA Server 2004, including the External NIC!

(in reply to ickram)
Post #: 69
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 3.Apr.2008 10:36:46 AM   
jsanint

 

Posts: 2
Joined: 3.Apr.2008
Status: offline
Mr. Shinder -

Following your instructions,
I set up a site to site VPN, Branch <> Main. All machines can ping each other. In general, some traffic goes through. I need to have machines at the main network able to run diagnostic utilities on the Branch office servers and desktops, and to poll whether or not specific services are running. The main office would also use RPC, find branch office PCs via DNS and access the Computer Management Console, among others.

I’ve tried to figure this out on my own but haven’t been able to do so.  I’ve done so many changes I’m afraid to create a hole in the firewall.  Any help would be greatly appreciated.


Jorge

(in reply to Espitia)
Post #: 70
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 5.Apr.2008 1:53:43 PM   
jsanint

 

Posts: 2
Joined: 3.Apr.2008
Status: offline
Mr. Shinder -

Following your instructions,
I set up a site to site VPN, Branch <> Main. All machines can ping each other. In general, some traffic goes through. I must have machines at the Main Office be able to run diagnostic utilities on the Branch office servers and desktops, and to poll whether or not specific services are running. The main office would also use RPC, find branch office PCs via DNS and access the Computer Management Console, among others.

I’ve tried many procedures to allow this traffic and haven’t been able to do so.  I’ve done so many changes I’m afraid to create a hole in the firewall.  Pointers in the right direction would be greatly appreciated.

Thank you,
Jorge

(in reply to tshinder)
Post #: 71
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 30.Jun.2008 5:11:47 AM   
aselvarajah

 

Posts: 1
Joined: 30.Jun.2008
Status: offline
Dear Mr. Shinder,
I need some help please with regards to some information and setting up an FTP/VPN site.

Our business partner requires the following information from me..

VPN Gateway IP Address:
VPN Product and Version:

Encryption Scheme: IKE/IPSec
Encryption Algorithm:
Encryption Hash Method:
DH Groups for IKE:
Client IP Addresses:

They say they will provide the pre-shared secret key during the implementation stage.

They also add that their VPN Gateway IP Address and Host IP addresses will be given during the implementation stage.

I have talked to my ISP and they say we do not have any VPN configuration on our link here. We are using a Cisco 830 router and ISA Server 2004.

Kindly advise as to how I am to proceed.

thanks.

(in reply to cerebrate)
Post #: 72
