Discussion of IPSec Tunnel Mode Site to Site VPN (Full Version)






tshinder -> Discussion of IPSec Tunnel Mode Site to Site VPN (8.Mar.2004 7:47:00 PM)

This thread is for the ISA 2004 site-to-site VPN using IPSec tunnel mode article at http://isaserver.org/tutorials/2004ipsectunnelmode.html

Thanks!
Tom





Turan -> RE: Discussion of IPSec Tunnel Mode Site to Site VPN (10.Mar.2004 6:32:00 AM)

Hi Tom,

There was another document about IPSec tunnel VPN on ISA 2004 that you published before. Is there any difference in this new article?

Regards..




tshinder -> RE: Discussion of IPSec Tunnel Mode Site to Site VPN (10.Mar.2004 11:32:00 AM)

Hi Turan,

They are essentially the same. I added a few more details to the online version on this site, but the procedures are the same as the pre-release article you saw before.

HTH,
Tom




Tray -> RE: Discussion of IPSec Tunnel Mode Site to Site VPN (10.Mar.2004 3:37:00 PM)

Tom:

Is there a way to create an IPSec tunnel that will work where one of the ISA servers gets a DHCP address?

--Tray




tshinder -> RE: Discussion of IPSec Tunnel Mode Site to Site VPN (11.Mar.2004 12:58:00 AM)

Hi Tray,

This is one of the limitations of IPSec tunnel mode. It needs to know the IP address of the tunnel endpoint. If you want to use dynamic addresses, you can use PPTP or L2TP/IPSec.

HTH,
Tom




awj -> RE: Discussion of IPSec Tunnel Mode Site to Site VPN (11.Mar.2004 5:00:00 PM)

Hi Tom

Good article, although one hopefully constructive criticism. Any article I can find on how to do this always seems to duck out of using certificates and uses pre-shared keys. I understand this makes it simpler, but ideally it is not how a production environment should be. For simplicity you may want to go as far as assuming the user already has an internal certificate authority or has bought a certificate from VeriSign etc., but it would be nice to see what type of certificate should be used (and ideally how to request them).
Anyway, keep up the good work, and hopefully we will all buy your book when available.

Al




tshinder -> RE: Discussion of IPSec Tunnel Mode Site to Site VPN (12.Mar.2004 1:35:00 AM)

Hi Al,

Not taken as criticism at all. I had considered showing how to do the certificate deployment, but chose not to because I was getting tired.

However, you make a good point. I'll do another article using this one as a base, but I'll append and update the sections that apply with the certificate info.

Thanks!
Tom




awj -> RE: Discussion of IPSec Tunnel Mode Site to Site VPN (12.Mar.2004 10:40:00 AM)

Sounds good.

PS: I think I figured out how to do it. Just need to add the router certificate as one of the ones that can be requested from the CA and then do the advanced web-based request, and it is now an option; then the usual export/import etc.




tshinder -> RE: Discussion of IPSec Tunnel Mode Site to Site VPN (12.Mar.2004 12:42:00 PM)

Hi Al,

That should do it!

Thanks!
Tom




Guest -> RE: Discussion of IPSec Tunnel Mode Site to Site VPN (3.May2004 4:07:00 AM)

Hi Tom,

I am using ISA 2000 Enterprise Edition. Can it support IPSec tunnel mode site-to-site VPN, just as ISA Server 2004 firewalls do?

Thanks

Joe




tshinder -> RE: Discussion of IPSec Tunnel Mode Site to Site VPN (3.May2004 5:36:00 AM)

Hi Joe,

Nope, just ISA 2004. That is one of the big advantages: you can use IPSec tunnel mode for third-party integration. In general, you want to steer clear of IPSec tunnel mode unless you have to use it with third-party VPN devices.

HTH,
Tom




Guest -> RE: Discussion of IPSec Tunnel Mode Site to Site VPN (3.May2004 7:46:00 AM)

Hi Tom,

Thanks for your kind reply.
However, I found an article at the Microsoft website saying that we can hack the registry to use a pre-shared key for an IPSec connection. http://support.microsoft.com/default.aspx?scid=kb;en-us;240262

Do you think it's a way to do IPSec VPN tunnels in ISA Server 2000?

Thanks,

Joe




tshinder -> RE: Discussion of IPSec Tunnel Mode Site to Site VPN (4.May2004 12:59:00 AM)

Hi Joe,

The problem is with ISA's packet filtering mechanism, so it can't work, even though you can make it work with Win2k RRAS.

HTH,
Tom




patanne -> RE: Discussion of IPSec Tunnel Mode Site to Site VPN (3.Jul.2004 3:21:00 AM)

Tom -

I'm glad you wrote this article. Years ago I investigated doing this with ISA 2000 and could not. I put the product down and have waited until now. And so come the questions.

I want to configure a site-to-site IPSec VPN tunnel between ISA 2004 and a Cisco. While I know that the configuration of the Cisco is beyond the scope of this site, I have that part covered, and you can help.

IPSec has many configuration parameters that can be changed. Your example shows two machines configured without delving into anything beyond the pre-shared key. What are the default settings for the other critical parameters (AH integrity, ESP integrity, ESP encryption, key lifetime [in sec.], etc.)? Is it using a specific policy? I need to know what ISA is using so I can set up the Cisco properly.

- Patrick




ClintD -> RE: Discussion of IPSec Tunnel Mode Site to Site VPN (3.Jul.2004 7:45:00 AM)

When you create a Remote Site network, the wizard uses some default settings.

Once you create the Remote Site, go into the properties of it and onto the Connections tab; at the bottom, there will be an IPSec Settings option.

This brings up a two-tab window with both the Main Mode and Quick Mode settings for that IPSec tunnel mode config (labeled Phase I and Phase II).




tshinder -> RE: Discussion of IPSec Tunnel Mode Site to Site VPN (3.Jul.2004 7:11:00 PM)

Hi Patrick and Clint,

Like Clint said, you can find the IPSec parameters in the UI after you configure the remote site network on the ISA firewall machine.

There should be a very good paper on how to configure the site-to-site network with ISA 2004 and PIX by the time the product is in general release. Do you think that will happen, Clint?

Thanks!
Tom




ClintD -> RE: Discussion of IPSec Tunnel Mode Site to Site VPN (3.Jul.2004 11:06:00 PM)

You betcha - it's already gone through Tech Review and we're just waiting on the product to release.

It has procedures for using a pre-shared key and also for how to use the Cisco Simple Certificate Enrollment Protocol add-on for Microsoft Certificate Services (MSCEP download) to get a cert onto the PIX and ISA to use it as the auth method for Main Mode.





tshinder -> RE: Discussion of IPSec Tunnel Mode Site to Site VPN (4.Jul.2004 12:19:00 AM)

Hi Clint,

The MSCEP is really cool! I didn't even know it existed until I found out from you.

Thanks!
Tom




d-zam -> RE: Discussion of IPSec Tunnel Mode Site to Site VPN (21.Jul.2004 5:21:00 PM)

I have a Netgear FVM318 that I am trying to set up an IPSec tunnel to with ISA 2004. Phase 1 will connect but Phase 2 will not. What am I doing wrong? I followed your instructions on how to set up the tunnel in ISA 2004. I can get the router to establish both connections on a Windows 2000 RRAS server but not with ISA 2004 installed.




tshinder -> RE: Discussion of IPSec Tunnel Mode Site to Site VPN (30.Jul.2004 1:52:00 AM)

Hi D-zam,

Do the IPSec policies match?

Thanks!
Tom
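The exchange above (Clint's pointer to the Phase I / Phase II settings, and Tom's "do the IPSec policies match?" for a tunnel whose Phase 1 completes but Phase 2 fails) comes down to comparing two proposal lists and two pairs of traffic selectors. The following is an added example, not code from the article or from ISA Server; it is a dry-run checker that reports which phase would fail and why. The two peers, their algorithms, lifetimes and subnets are all constructed for illustration, not real ISA 2004 or Netgear FVM318 defaults, and the "selectors must mirror each other exactly" rule is the conservative assumption the checker makes rather than any one vendor's documented behaviour.

```python
"""Dry-run an IKEv1 negotiation between two peers' configured IPsec settings.

Constructed example: the peers below are invented to reproduce the symptom
'Phase 1 connects but Phase 2 does not'. They are not ISA 2004 or Netgear
defaults, and the exact-match rule for traffic selectors is an assumption.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Phase1:
    """IKE main mode (Phase I) proposal: parameters of the ISAKMP SA."""
    encryption: str     # e.g. "3DES"
    integrity: str      # e.g. "SHA1"
    dh_group: int       # e.g. 2 = 1024-bit MODP
    lifetime_sec: int


@dataclass(frozen=True)
class Phase2:
    """IPsec quick mode (Phase II) proposal: parameters of the IPsec SA."""
    protocol: str       # "ESP" or "AH"
    encryption: str     # ESP cipher; "" for AH
    integrity: str      # ESP or AH integrity algorithm
    pfs_group: int      # 0 = no perfect forward secrecy
    lifetime_sec: int


@dataclass(frozen=True)
class Peer:
    name: str
    phase1: tuple
    phase2: tuple
    local_nets: frozenset   # networks behind this peer
    remote_nets: frozenset  # networks it expects behind the other peer


def _p1_equal(a, b):
    # Lifetimes are excluded on purpose: peers normally settle on the shorter one.
    return (a.encryption, a.integrity, a.dh_group) == (b.encryption, b.integrity, b.dh_group)


def _p2_equal(a, b):
    return (a.protocol, a.encryption, a.integrity, a.pfs_group) == \
           (b.protocol, b.encryption, b.integrity, b.pfs_group)


def _first_common(ours, theirs, equal):
    """Return the first (ours, theirs) pair that agrees, or (None, None)."""
    for p in ours:
        for q in theirs:
            if equal(p, q):
                return p, q
    return None, None


def negotiate(initiator, responder):
    """Report which phases would succeed. phase1/phase2 hold the agreed proposal or None."""
    report = {"phase1": None, "phase2": None, "selectors_ok": False, "notes": []}

    p, q = _first_common(initiator.phase1, responder.phase1, _p1_equal)
    if p is None:
        report["notes"].append("Phase 1 failed: no common encryption/integrity/DH group")
        return report            # nothing further is even attempted
    report["phase1"] = p
    if p.lifetime_sec != q.lifetime_sec:
        report["notes"].append(f"Phase 1 lifetimes differ ({p.lifetime_sec}s vs {q.lifetime_sec}s)")

    # Quick mode carries the protected subnets; this checker demands an exact mirror image.
    report["selectors_ok"] = (initiator.local_nets == responder.remote_nets
                              and initiator.remote_nets == responder.local_nets)
    if not report["selectors_ok"]:
        report["notes"].append("Phase 2 failed: protected subnets do not mirror each other")

    p, q = _first_common(initiator.phase2, responder.phase2, _p2_equal)
    if p is None:
        report["notes"].append("Phase 2 failed: no common ESP/AH algorithms or PFS group")
    elif report["selectors_ok"]:
        report["phase2"] = p
        if p.lifetime_sec != q.lifetime_sec:
            report["notes"].append(f"Phase 2 lifetimes differ ({p.lifetime_sec}s vs {q.lifetime_sec}s)")
    return report


# Constructed sample peers (not real device defaults).
ISA = Peer("ISA firewall (constructed)",
           phase1=(Phase1("3DES", "SHA1", 2, 28800),),
           phase2=(Phase2("ESP", "3DES", "SHA1", 2, 3600),),
           local_nets=frozenset({ip_network("10.0.0.0/24")}),
           remote_nets=frozenset({ip_network("192.168.1.0/24")}))

ROUTER_MISMATCHED = Peer("remote router, first attempt (constructed)",
                         phase1=(Phase1("3DES", "SHA1", 2, 28800),),
                         phase2=(Phase2("ESP", "3DES", "MD5", 0, 3600),),  # MD5, no PFS
                         local_nets=frozenset({ip_network("192.168.1.0/24")}),
                         remote_nets=frozenset({ip_network("10.0.0.0/24")}))

ROUTER_FIXED = Peer("remote router, Phase II aligned (constructed)",
                    phase1=(Phase1("3DES", "SHA1", 2, 28800),),
                    phase2=(Phase2("ESP", "3DES", "SHA1", 2, 3600),),
                    local_nets=frozenset({ip_network("192.168.1.0/24")}),
                    remote_nets=frozenset({ip_network("10.0.0.0/24")}))

if __name__ == "__main__":
    for router in (ROUTER_MISMATCHED, ROUTER_FIXED):
        r = negotiate(ISA, router)
        print(router.name, "->", "Phase1 OK" if r["phase1"] else "Phase1 FAIL",
              "/", "Phase2 OK" if r["phase2"] else "Phase2 FAIL", r["notes"])
```

Run it and the first router reproduces the thread's symptom: main mode agrees (same cipher, hash and DH group), but quick mode finds no common ESP integrity algorithm or PFS setting, so only Phase 1 completes. Aligning the Phase II tab on one side clears it. Feeding the checker a responder whose protected subnet is wider or narrower than the initiator's shows the other common cause of a Phase 2 failure with a healthy Phase 1.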



