Discussion of IPSec Tunnel Mode Site to Site VPN

Discussion of IPSec Tunnel Mode Site to Site VPN - 8.Mar.2004 7:47:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for the ISA 2004 site to site VPN using IPSec tunnel mode article at http://isaserver.org/tutorials/2004ipsectunnelmode.html

Thanks!
Tom

[ March 08, 2004, 07:55 PM: Message edited by: tshinder ]
Post #: 1
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 10.Mar.2004 6:32:00 AM   
Turan

 

Posts: 13
Joined: 25.Mar.2002
Status: offline
Hi Tom,

There was another document about IPSec Tunnel VPN on ISA 2004 that you published before. Is there any difference in this new article?

Regards..

(in reply to tshinder)
Post #: 2
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 10.Mar.2004 11:32:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Turan,

They are essentially the same. I added a few more details to the online version on this site, but the procedures are the same as the pre-release article you saw before.

HTH,
Tom

(in reply to tshinder)
Post #: 3
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 10.Mar.2004 3:37:00 PM   
Tray

 

Posts: 3
Joined: 16.Jul.2002
Status: offline
Tom:

Is there a way to create an IPSec tunnel that will work where one of the ISA servers will get a DHCP address?

--Tray

(in reply to tshinder)
Post #: 4
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 11.Mar.2004 12:58:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tray,

This is one of the limitations of IPSec tunnel mode. It needs to know the IP address of the tunnel endpoint. If you want to use dynamic addresses, you can use PPTP or L2TP/IPSec.

HTH,
Tom

(in reply to tshinder)
Post #: 5
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 11.Mar.2004 5:00:00 PM   
awj

 

Posts: 107
Joined: 26.Feb.2004
From: UK
Status: offline
Hi Tom

Good article, although one hopefully constructive criticism. Any article I can find on how to do this always seems to duck out of using certificates and uses pre-shared keys. I understand this makes it simpler, but ideally it is not how a production environment should be. For simplicity you may want to go as far as assuming the user already has an internal certificate authority or has bought a certificate from Verisign etc., but it would be nice to see what type of certificate should be used (and ideally how to request them).
Anyway keep up the good work and hopefully we will all buy your book when available.

Al

(in reply to tshinder)
Post #: 6
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 12.Mar.2004 1:35:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Al,

Not taken as criticism at all. I had considered showing how to do the certificate deployment, but chose not to because I was getting tired [Smile]

However, you make a good point. I'll do another article using this one as a base, but I'll append and update the sections that apply with the certificate info.

Thanks!
Tom

(in reply to tshinder)
Post #: 7
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 12.Mar.2004 10:40:00 AM   
awj

 

Posts: 107
Joined: 26.Feb.2004
From: UK
Status: offline
Sounds good.

PS I think I figured out how to do it. Just need to add the router certificate as one of the ones that can be requested from the CA and then do the advanced web-based request, and it is now an option; then the usual export/import etc.

(in reply to tshinder)
Post #: 8
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 12.Mar.2004 12:42:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Al,

That should do it!

Thanks!
Tom

(in reply to tshinder)
Post #: 9
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 3.May2004 4:07:00 AM   
Guest
Hi Tom,

I am using ISA 2000 Enterprise Edition. Can it support IPSec Tunnel Mode Site to Site VPN, just as ISA Server 2004 Firewalls do?

Thanks

Joe

(in reply to tshinder)
  Post #: 10
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 3.May2004 5:36:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Joe,

Nope, just ISA 2004. That is one of the big advantages: you can use IPSec tunnel mode for third-party integration. In general, you want to steer clear of IPSec tunnel mode unless you have to use it with third-party VPN devices.

HTH,
Tom

(in reply to tshinder)
Post #: 11
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 3.May2004 7:46:00 AM   
Guest
Hi Tom,

Thanks for your kind reply.
However, I found an article on the Microsoft website saying that we can hack the registry to use a pre-shared key for the IPSec connection. http://support.microsoft.com/default.aspx?scid=kb;en-us;240262

Do you think it's a way to do IPSec VPN tunnels in ISA Server 2000?

Thanks,

Joe

(in reply to tshinder)
  Post #: 12
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 4.May2004 12:59:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Joe,

The problem is with ISA's packet filtering mechanism, so it can't work, even though you can make it work with Win2k RRAS.

HTH,
Tom

(in reply to tshinder)
Post #: 13
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 3.Jul.2004 3:21:00 AM   
patanne

 

Posts: 3
Joined: 3.Jul.2004
Status: offline
Tom -

I'm glad you wrote this article. Years ago I investigated doing this with ISA 2000 and could not. I put the product down and have waited until now. And so come the questions.

I want to configure a site-to-site IPSec VPN tunnel between ISA 2004 and a Cisco. While I know that the configuration of the Cisco is beyond the scope of this site, I have that part covered, and you can help.

IPSec has many configuration parameters that can be changed. Your example shows two machines configured without delving into anything beyond the pre-shared key. What are the default settings for the other critical parameters (AH integrity, ESP integrity, ESP encryption, key lifetime [in sec.], etc.)? Is it using a specific policy? I need to know what ISA is using so I can set up the Cisco properly.

- Patrick

(in reply to tshinder)
Post #: 14
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 3.Jul.2004 7:45:00 AM   
ClintD

 

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
When you create a Remote Site network, the wizard uses some default settings.

Once you create the Remote Site, go into the properties of it and onto the Connections tab - at the bottom, there will be an IPSec Settings option.

This brings up a 2-tab window with both the Main and Quick Mode settings for that IPSec Tunnel Mode config (labeled Phase I and Phase II).

(in reply to tshinder)
Post #: 15
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 3.Jul.2004 7:11:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Patrick and Clint,

Like Clint said, you can find the IPSec parameters in the UI after you configure the remote site network on the ISA firewall machine.

There should be a very good paper on how to configure the site to site network with ISA 2004 and pix by the time the product is in general release. Do you think that will happen, Clint?

Thanks!
Tom

(in reply to tshinder)
Post #: 16
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 3.Jul.2004 11:06:00 PM   
ClintD

 

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
You betcha - it's already gone through Tech Review and we're just waiting on the product to release.

It has procedures for using a Pre-Shared key and also how to use the Cisco Simple Certificate Enrollment Protocol add-on for Microsoft Cert Services (MSCEP Download) to get a cert onto the PIX and ISA to use it as the auth method for Main Mode.

[ July 03, 2004, 11:08 PM: Message edited by: ClintD ]

(in reply to tshinder)
Post #: 17
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 4.Jul.2004 12:19:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Clint,

The MSCEP is really cool! I didn't even know it existed until I found out from you.

Thanks!
Tom

(in reply to tshinder)
Post #: 18
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 21.Jul.2004 5:21:00 PM   
d-zam

 

Posts: 16
Joined: 17.Sep.2002
Status: offline
I have a Netgear FVM318 that I am trying to set up an IPSec tunnel to with ISA 2004. Phase 1 will connect but phase 2 will not. What am I doing wrong? I followed your instructions on how to set up the tunnel in ISA 2004. I can get the router to establish both connections on a Windows 2000 RRAS server but not with ISA 2004 installed.

(in reply to tshinder)
Post #: 19
RE: Discussion of IPSec Tunnel Mode Site to Site VPN - 30.Jul.2004 1:52:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi D-zam,

Do the IPSec policies match?

Thanks!
Tom

(in reply to tshinder)
Post #: 20
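Patrick's question about which Main Mode / Quick Mode parameters ISA uses, and d-zam's "Phase 1 connects, Phase 2 doesn't" symptom, come down to the same check Tom asks for: do the two sides' IPSec policies match? The script below is an added example, not code from the thread, from ISA Server or from any vendor. It models each peer's Phase I and Phase II proposal lists plus the protected networks, reports which phase would fail and why, and distinguishes a hard mismatch (no common proposal, non-mirrored subnets) from a lifetime difference that is normally negotiated down rather than rejected. Every parameter value in it is constructed sample data; the real values for an ISA remote-site network are the ones shown in the IPSec Settings dialog Clint describes, and the Cisco/Netgear side must be read from that device's own configuration.

```python
"""Compare two IPSec tunnel-mode peers' settings (Phase I / Main Mode and
Phase II / Quick Mode) and report why a phase would fail to negotiate.
All values below are constructed for illustration; they are NOT the ISA
Server 2004 defaults or any router vendor's defaults."""
from dataclasses import dataclass, field, replace
from typing import Dict, List


@dataclass(frozen=True)
class Proposal:
    """One IKE proposal. In Phase I dh_group is the Diffie-Hellman group;
    in Phase II it is the PFS group (0 means no PFS)."""
    encryption: str      # e.g. "3DES", "AES-128"
    integrity: str       # e.g. "SHA1", "MD5"
    dh_group: int = 0


@dataclass
class PeerConfig:
    name: str
    endpoint: str        # public address of the tunnel endpoint (must be static)
    local_net: str       # network this peer protects
    remote_net: str      # network it expects behind the other peer
    auth_method: str     # "preshared-key" or "certificate"
    phase1: List[Proposal] = field(default_factory=list)
    phase2: List[Proposal] = field(default_factory=list)
    phase1_lifetime_sec: int = 28800
    phase2_lifetime_sec: int = 3600


def _common(offered: List[Proposal], accepted: List[Proposal]) -> List[Proposal]:
    """Proposals both sides would agree on, in the initiator's preference order."""
    return [p for p in offered if p in accepted]


def compare_policies(a: PeerConfig, b: PeerConfig) -> Dict[str, List[str]]:
    """Return hard failures per phase plus non-fatal warnings. An empty failure
    list means that phase has at least one mutually acceptable proposal."""
    report: Dict[str, List[str]] = {"phase1": [], "phase2": [], "warnings": []}

    if a.auth_method != b.auth_method:
        report["phase1"].append(f"authentication differs: {a.auth_method} vs {b.auth_method}")
    if not _common(a.phase1, b.phase1):
        report["phase1"].append("no Main Mode (Phase I) proposal is acceptable to both sides")

    if not _common(a.phase2, b.phase2):
        report["phase2"].append("no Quick Mode (Phase II) proposal is acceptable to both sides")
    # Traffic selectors must mirror: what A calls local, B must call remote, and vice versa.
    if a.local_net != b.remote_net or a.remote_net != b.local_net:
        report["phase2"].append(
            f"protected networks do not mirror: {a.name} {a.local_net}<->{a.remote_net}, "
            f"{b.name} {b.local_net}<->{b.remote_net}")

    # Lifetime differences are usually negotiated down to the shorter value rather
    # than failing outright, so they are warnings; a short lifetime means rekey churn.
    for phase in ("phase1", "phase2"):
        la = getattr(a, f"{phase}_lifetime_sec")
        lb = getattr(b, f"{phase}_lifetime_sec")
        if la != lb:
            report["warnings"].append(
                f"{phase} lifetime differs ({la}s vs {lb}s); expect rekey at {min(la, lb)}s")
    return report


def diagnose(a: PeerConfig, b: PeerConfig) -> str:
    """One-line verdict of the kind you would paste into a ticket."""
    r = compare_policies(a, b)
    if r["phase1"]:
        return "Phase I will fail: " + "; ".join(r["phase1"])
    if r["phase2"]:
        return "Phase I ok, Phase II will fail: " + "; ".join(r["phase2"])
    verdict = "both phases should negotiate"
    if r["warnings"]:
        verdict += " (warnings: " + "; ".join(r["warnings"]) + ")"
    return verdict


# Constructed sample reproducing the symptom from the thread: Phase I agrees, Phase II does not.
ISA_SIDE = PeerConfig(
    name="ISA-2004", endpoint="203.0.113.10",
    local_net="10.0.1.0/24", remote_net="10.0.2.0/24",
    auth_method="preshared-key",
    phase1=[Proposal("3DES", "SHA1", dh_group=2)],
    phase2=[Proposal("3DES", "SHA1", dh_group=2)],   # ESP 3DES/SHA1 with PFS group 2
)
ROUTER_SIDE = PeerConfig(
    name="branch-router", endpoint="198.51.100.7",
    local_net="10.0.2.0/24", remote_net="10.0.1.0/24",
    auth_method="preshared-key",
    phase1=[Proposal("3DES", "SHA1", dh_group=2)],
    phase2=[Proposal("3DES", "MD5", dh_group=0)],    # ESP 3DES/MD5, no PFS: no overlap
    phase2_lifetime_sec=1800,
)
# The fix: make the router's Quick Mode proposal match the ISA side's.
ROUTER_FIXED = replace(ROUTER_SIDE, phase2=[Proposal("3DES", "SHA1", dh_group=2)])

if __name__ == "__main__":
    print(diagnose(ISA_SIDE, ROUTER_SIDE))
    print(diagnose(ISA_SIDE, ROUTER_FIXED))
```

Run it as-is and the first line reports that Phase II has no common proposal (the d-zam case), the second that both phases negotiate with only a lifetime warning left. Proposals are modelled as lists because most devices offer several and accept the first the peer also lists, so the check is for a non-empty intersection rather than equality; if your device also requires the AH settings to match, add an `ah_integrity` field to `Proposal` and it is compared automatically through the same equality.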
