Good article, although one hopefully constructive criticism. Any article I can find on how to do this always seems to duck out of using certificates and uses pre-shared keys. I understand this makes it simpler but ideally is not how a production environment should be. For simplicity you may want to go as far as assuming the user already has an internal certificate authority or has bought a certificate from Verisign etc., but it would be nice to see what type of certificate should be used (and ideally how to request them). Anyway keep up the good work and hopefully we will all buy your book when available.
PS I think I figured out how to do it. Just need to add the router certificate as one of the ones that can be requested from the CA and then do the advanced web-based request, and it is now an option; then the usual export/import etc.
Nope, just ISA 2004. One of the big advantages is that you can use IPSec tunnel mode for third-party integration. In general, you want to steer clear of IPSec tunnel mode unless you have to use it with third-party VPN devices.
I'm glad you wrote this article. Years ago I investigated doing this with ISA 2000 and could not. I put the product down and have waited until now. And so comes the questions.
I want to configure a site-to-site IPSec VPN tunnel between ISA 2004 and a Cisco. While I know that the configuration of the Cisco is beyond the scope of this site, I have that part covered, and you can help.
IPSec has many configuration parameters that can be changed. Your example shows two machines configured without delving into anything beyond the pre-shared key. What are the default settings for the other critical parameters (AH integrity, ESP integrity, ESP encryption, key lifetime [in sec.], etc.)? Is it using a specific policy? I need to know what ISA is using so I can set up the Cisco properly.
You betcha - it's already gone through Tech Review and we're just waiting on the product to release.
It has procedures for using a pre-shared key and also how to use the Cisco Simple Certificate Enrollment Protocol add-on for Microsoft Cert Services (MSCEP download) to get a cert onto the PIX and ISA to use it as the auth method for Main Mode.
I have a Netgear FVM318 that I am trying to set up an IPSEC tunnel to with ISA 2004. Phase 1 will connect but phase 2 will not. What am I doing wrong? I followed your instructions on how to set up the tunnel in ISA 2004. I can get the router to establish both connections on a Windows 2000 RRAS server but not with ISA 2004 installed.
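Both the question about which IPsec parameters ISA uses and the "phase 1 connects, phase 2 does not" report come down to the same check: do the two peers' proposal lists share a proposal for each phase, and do the phase 2 traffic selectors mirror each other? The following is an added example, not code from the thread or from ISA 2004; the parameter values in it are constructed placeholders, since the page does not state ISA's actual defaults. It models a responder accepting the first initiator proposal that matches on every attribute, and reports per-attribute mismatches so you can see which setting to align.

```python
"""Compare two IPsec peers' IKE phase 1 / phase 2 proposals and traffic selectors.

Added example (not from the original thread). Attribute values below are
constructed for illustration and are NOT ISA 2004's real defaults.
"""

PHASE1_ATTRS = ("encryption", "integrity", "dh_group", "auth_method", "lifetime_sec")
PHASE2_ATTRS = ("protocol", "encryption", "integrity", "pfs_group", "lifetime_sec")


def find_agreed_proposal(initiator, responder, attrs):
    """Return (proposal, []) for the first initiator proposal the responder accepts.

    If none matches, return (None, diffs) where each diff is
    (initiator_index, responder_index, [mismatched attribute names]).
    Lifetime is compared strictly here; many devices negotiate the shorter
    value instead, so treat a lifetime-only mismatch as a warning in practice.
    """
    diffs = []
    for i_idx, ip in enumerate(initiator):
        for r_idx, rp in enumerate(responder):
            mismatched = [a for a in attrs if ip.get(a) != rp.get(a)]
            if not mismatched:
                return ip, []
            diffs.append((i_idx, r_idx, mismatched))
    return None, diffs


def selectors_mirror(side_a, side_b):
    """Phase 2 also requires each side's local/remote networks to mirror the other's."""
    return (side_a["local_net"] == side_b["remote_net"]
            and side_a["remote_net"] == side_b["local_net"])


def check_tunnel(side_a, side_b):
    """Summarise whether phase 1 and phase 2 can complete, and why not if they cannot."""
    report = {}
    p1, p1_diffs = find_agreed_proposal(side_a["phase1"], side_b["phase1"], PHASE1_ATTRS)
    report["phase1_ok"] = p1 is not None
    report["phase1_mismatches"] = p1_diffs if p1 is None else []

    p2, p2_diffs = find_agreed_proposal(side_a["phase2"], side_b["phase2"], PHASE2_ATTRS)
    sel_ok = selectors_mirror(side_a["selectors"], side_b["selectors"])
    report["phase2_ok"] = p2 is not None and sel_ok
    report["phase2_mismatches"] = p2_diffs if p2 is None else []
    report["selectors_ok"] = sel_ok
    return report


# Constructed sample: "SIDE_A" plays the ISA end, "SIDE_B" the third-party router.
SIDE_A = {
    "phase1": [{"encryption": "3des", "integrity": "sha1", "dh_group": 2,
                "auth_method": "psk", "lifetime_sec": 28800}],
    "phase2": [{"protocol": "esp", "encryption": "3des", "integrity": "sha1",
                "pfs_group": None, "lifetime_sec": 3600}],
    "selectors": {"local_net": "10.1.0.0/16", "remote_net": "10.2.0.0/16"},
}
SIDE_B = {
    # Two phase 1 proposals: the second one matches SIDE_A, so phase 1 succeeds.
    "phase1": [{"encryption": "aes128", "integrity": "sha1", "dh_group": 5,
                "auth_method": "psk", "lifetime_sec": 28800},
               {"encryption": "3des", "integrity": "sha1", "dh_group": 2,
                "auth_method": "psk", "lifetime_sec": 28800}],
    # Phase 2 demands PFS (group 2) while SIDE_A offers none: phase 2 fails.
    "phase2": [{"protocol": "esp", "encryption": "3des", "integrity": "sha1",
                "pfs_group": 2, "lifetime_sec": 3600}],
    "selectors": {"local_net": "10.2.0.0/16", "remote_net": "10.1.0.0/16"},
}
# Same router with PFS switched off on its phase 2 proposal.
SIDE_B_FIXED = {**SIDE_B, "phase2": [dict(SIDE_B["phase2"][0], pfs_group=None)]}

if __name__ == "__main__":
    for label, peer in (("as configured", SIDE_B), ("after fix", SIDE_B_FIXED)):
        print(label, check_tunnel(SIDE_A, peer))
```

The report for the constructed pair shows phase 1 agreeing on the second router proposal while phase 2 fails only on `pfs_group`, which is the "phase 1 connects, phase 2 does not" symptom; a selector mismatch (for example one side listing a /24 where the other lists a /16) would show up separately as `selectors_ok: False`.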