Welcome to ISAserver.org
RE: Discussion for article on Site to Site ISA to DLink VPN
RE: Discussion for article on Site to Site ISA to DLink... - 13.Oct.2004 11:02:00 PM
Guest

Hi Andy, getting the Draytek talking to the ISA 2004 server seemed to be OK for me. I pretty much used the default settings on both machines using IPsec tunnel VPNs. I had to make sure that the Draytek was set to MD5_SHA1_G2 with PFS turned on. I just seemed to get a VPN connection for about 45 minutes before it was disconnected; it would generally reconnect OK. This has been working fine for weeks with Checkpoint -> Draytek, however. I am also having problems with PPTP VPNs bombing out between two ISA 2004 firewalls. The interface in RRAS keeps getting stuck in a 'connecting' state at one end, whereas the other end thinks it is 'connected'. I have been running Checkpoint VPNs on our network for about 3/4 years without any serious problems, but under ISA and RRAS it seems a little flaky. I am probably missing something though ;) Good luck with the Draytek config!

RE: Discussion for article on Site to Site ISA to DLink... - 18.Nov.2004 2:23:00 PM
wbplomp
Posts: 138
Joined: 18.Nov.2004
From: Netherlands, The

Hi,
I did the same with a SpeedTouch 610i. But can you please help me with the question below?
I have a problem with an IPSec VPN connection using ISA Server 2004. I have connected a THOMSON/Alcatel SpeedTouch 610i VPN router using an IPSec tunnel as a remote site (VPN).
We have a large enterprise network with more than 180 subnets (main office). The remote site uses 10.150.25.0/24 (branch office).
I want to configure the branch office to use the IPSec tunnel as the default route to the main office. But when I configure the SpeedTouch with 0.0.0.0 as the remote network, it does not accept it because of the IPSec policy. It seems to work fine when I use a subnet which is defined in my Internal network on the ISA Server.
How can I use the IPSec tunnel as the default route to our main office? We are a construction company; I need this for building locations.
Please help me out with this problem!
Kind regards,
Boudewijn Plomp

RE: Discussion for article on Site to Site ISA to DLink... - 22.Nov.2004 5:19:00 PM
Xignals
Posts: 31
Joined: 9.May2002
From: Alabama

I have followed the instructions and have the link working. I can ping and remote desktop to the ISA server but nothing else on the network!
Can someone please tell me what I am missing? Thank you.

RE: Discussion for article on Site to Site ISA to DLink... - 27.Nov.2004 3:15:00 PM
dmutsaers
Posts: 45
Joined: 1.Aug.2003
From: The Netherlands

This is exactly what happens with my setup. Does anybody know what's happening here?

RE: Discussion for article on Site to Site ISA to DLink... - 18.Jan.2005 9:25:00 PM
DatDamnZotz
Posts: 8
Joined: 18.Nov.2004

Hey Gang,
Since this realm is loaded with gurus I wanted to bounce this off you guys.
We basically have the same setup here as what was described in the article, except we are using a Watchguard SOHO 6TC (eleven of them) coming in to our main Corp HQ. We tested initially with 4 SOHOs connecting and it works great! ISA rocks for this.
Now that we have swung over the rest (eleven in all) we now see that the IPSec tunnels drop (which leads me to believe there aren't enough ports on the ISA Server). Speed shouldn't be an issue because we are on a 100Mb pipe.
The question really is: how many IPSec tunnels can ISA 2004 handle, and where do you configure this?
Under the ISA Manager -> Virtual Private Networks (VPN) -> Verify that VPN Client Access is Enabled, we have set the maximum clients enabled to 200, and rebooted.
The issue still exists.
Any prodding in the right direction would be appreciated.

RE: Discussion for article on Site to Site ISA to DLink... - 22.Feb.2005 9:40:00 PM
truggeri3002
Posts: 4
Joined: 13.Jul.2003
From: Tampa

The problem I am facing is that I have ISA 2000 and the company is not upgrading anytime soon. Is there a how-to on creating a persistent site-to-site VPN between ISA 2000 and third-party firewalls/routers?
TR

RE: Discussion for article on Site to Site ISA to DLink... - 22.Aug.2005 10:49:00 AM
Guest

Hi,
I am having a problem with the communication from ISA to the local remote network. The tunnel is established successfully. I can ping from the internal network to the remote network and vice versa, but from the ISA machine (Windows 2003 + ISA 2004) I can't communicate. It displays:
"Negotiating IP security" and doesn't receive any reply.
Am I missing something???
Thanks.
Edson.

RE: Discussion for article on Site to Site ISA to DLink... - 14.Sep.2005 3:56:00 AM
aeropostale
Posts: 65
Joined: 19.Jul.2005
From: Lake of Zurich, Switzerland

The only thing I know is that you have to add the gateway IP address from the branch office to the remote subnet site.
Question: did you get this running with ISA 2004 to a Watchguard appliance?

RE: Discussion for article on Site to Site ISA to DLink... - 3.Oct.2005 12:37:00 PM
Guest

Hi, I have the same problem as Edson. Any solutions?
Qba

RE: Discussion for article on Site to Site ISA to DLink... - 10.Nov.2005 8:04:20 PM
ibre34
Posts: 11
Joined: 10.Nov.2005

I have the same problem as Edson too. Please HELP!

RE: Discussion for article on Site to Site ISA to DLink... - 22.Dec.2005 1:09:06 PM
tmccull2
Posts: 1
Joined: 22.Dec.2005

I am also having the same problem as Edson. Consequently I cannot promote the member server behind the router in the branch office to be a domain controller. Do you have any additional suggestions to resolve this issue? I have added the gateway IP address from the branch office to the remote subnet site. The ISA server resides on a Small Business Server. Thanks,
_____________________________
Terry McCullagh

RE: Discussion for article on Site to Site ISA to DLink... - 5.Jan.2006 3:06:39 PM
QbaW
Posts: 1
Joined: 5.Oct.2005
From: Poland

Hi! At last I found a solution! I have added a second VPN connection on the D-Link using the ISA external IP as "Remote IP network". Now when I ping from the internal network to the remote network the first VPN connection is established, and when I ping from ISA to the remote network the second connection is established. Hope it will help you too, Qba

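Why the "Negotiating IP Security" symptom appears and why QbaW's second connection cures it comes down to IPsec phase 2 selectors: a packet is only put into the tunnel when its source and destination both fall inside a configured local/remote network pair. The following Python is an added example, not code from the article or from any poster; the addresses are constructed (documentation ranges stand in for the real external IPs), and the selector table is modelled from the ISA side, so the D-Link's "Remote IP network" is the local side here. It also covers aeropostale's tip about adding the branch gateway address to the remote subnet.

```python
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample addressing in the spirit of the thread.
HQ_LAN = "192.168.0.0/24"            # network behind ISA
BRANCH_LAN = "192.168.16.0/24"       # network behind the D-Link
ISA_EXTERNAL = "203.0.113.10"        # ISA's own external address (constructed)
BRANCH_GATEWAY = "198.51.100.20"     # D-Link WAN address (constructed)

Selector = Tuple[str, str]           # (local network, remote network), ISA's view


def selector_for(policies: List[Selector], src: str, dst: str) -> Optional[Selector]:
    """Return the first (local, remote) pair that covers a packet, or None.
    IPsec only protects traffic whose source is inside 'local' AND whose
    destination is inside 'remote'; anything else never enters the tunnel."""
    s, d = ip_address(src), ip_address(dst)
    for local, remote in policies:
        if s in ip_network(local, strict=False) and d in ip_network(remote, strict=False):
            return (local, remote)
    return None


def explain(policies: List[Selector], src: str, dst: str) -> str:
    """Human-readable verdict for one probe, e.g. a ping from the ISA box."""
    sel = selector_for(policies, src, dst)
    if sel is None:
        return "no selector covers %s -> %s: stalls in 'Negotiating IP Security'" % (src, dst)
    return "%s -> %s matches local=%s remote=%s" % (src, dst, sel[0], sel[1])


# Phase 2 selectors as first configured: only the internal LAN is in the tunnel.
original_policy: List[Selector] = [(HQ_LAN, BRANCH_LAN)]

# QbaW's fix: a second connection whose local side is ISA's external address,
# so packets sourced by the ISA box itself also match a selector.
fixed_policy: List[Selector] = original_policy + [(ISA_EXTERNAL + "/32", BRANCH_LAN)]

# aeropostale's tip: widen the remote side to include the branch gateway itself,
# so pings aimed at the D-Link's own address are carried too.
gateway_policy: List[Selector] = fixed_policy + [(HQ_LAN, BRANCH_GATEWAY + "/32")]

if __name__ == "__main__":
    print(explain(original_policy, "192.168.0.5", "192.168.16.10"))   # works
    print(explain(original_policy, ISA_EXTERNAL, "192.168.16.10"))    # the thread's symptom
    print(explain(fixed_policy, ISA_EXTERNAL, "192.168.16.10"))       # cured
    print(explain(gateway_policy, "192.168.0.5", BRANCH_GATEWAY))     # gateway reachable
```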
RE: Discussion for article on Site to Site ISA to DLink... - 25.Jan.2006 4:13:40 PM
iceman.s
Posts: 3
Joined: 25.Jan.2006

Hi, I have problems. Can anybody confirm that this works with Windows Server 2003 SP1 German and D-Link DI-804HV V1.41(G)? The D-Link establishes the ESP tunnel, but I cannot ping a remote host :-( Any other method to test the tunnel? Does 'route print' show the tunnel on the ISA Server? Another topic: does someone have a script or a program to modify the remote VPN gateway IP address? I want to ping xxx.dyndns.org and, if the IP changed, modify the Remote IP. Thanks. Sven

RE: Discussion for article on Site to Site ISA to DLink... - 30.Jan.2006 8:23:48 AM
iceman.s
Posts: 3
Joined: 25.Jan.2006

Hi, I have problems. Can anybody confirm that this works with Windows Server 2003 SP1 German and D-Link DI-804HV V1.41(G)? The D-Link establishes the ESP tunnel, but I cannot ping a remote host :-( Any other method to test the tunnel? Does 'route print' show the tunnel on the ISA Server? Another topic: does someone have a script or a program to modify the remote VPN gateway IP address? I want to ping xxx.dyndns.org and, if the IP changed, modify the Remote IP. Thanks. Sorry for the double post, I first replied to it wrongly. Sven

RE: Discussion for article on Site to Site ISA to DLink... - 1.Feb.2006 10:52:50 AM
bonzo
Posts: 14
Joined: 12.Mar.2004

Hi, I experience the problem mentioned in this tutorial with pages taking a long time before they are displayed, but I don't quite understand this procedure with ping www.google.com -f -l 1500. Can someone explain this in more detail or point me to a doc, white paper or something? Thanks and regards Ueli

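The ping test asked about above is a path MTU probe: on Windows, -f sets the Don't Fragment bit and -l sets the ICMP payload size, so a reply at a given size proves the whole path (including the IPsec tunnel, which adds ESP overhead) carries that packet without fragmentation, and "Packet needs to be fragmented but DF set" or silence proves it does not. This Python script is an added example, not from the article or any poster: it automates the search by bisecting the payload size. It assumes the 28-byte IPv4+ICMP header overhead, and the simulated probe is a constructed stand-in for the real ping so the search can run offline.

```python
import subprocess
from typing import Callable

# Bytes added around the "-l" payload: 20-byte IPv4 header + 8-byte ICMP echo header.
IP_ICMP_OVERHEAD = 28
# Largest payload that fits a 1500-byte Ethernet MTU; "-l 1500" itself is 1528 on the wire.
MAX_ETHERNET_PAYLOAD = 1500 - IP_ICMP_OVERHEAD


def windows_df_ping(host: str, payload: int) -> bool:
    """Run one 'ping host -f -l N' (the thread's test) and report whether the
    DF-flagged probe was answered. Fragmentation-needed replies and timeouts
    both count as failure. Real probe; only used when run as a script."""
    result = subprocess.run(["ping", "-n", "1", "-f", "-l", str(payload), host],
                            capture_output=True, text=True)
    return result.returncode == 0 and "needs to be fragmented" not in result.stdout


def find_path_mtu(probe: Callable[[int], bool], low: int = 576,
                  high: int = MAX_ETHERNET_PAYLOAD) -> int:
    """Bisect the largest payload a DF probe delivers and return the path MTU.
    probe(payload) must return True when that payload size gets a reply."""
    if not probe(low):
        raise RuntimeError("even the smallest probe failed; tunnel or host is down")
    if probe(high):
        return high + IP_ICMP_OVERHEAD
    # Invariant: probe(low) succeeded, probe(high) failed.
    while high - low > 1:
        mid = (low + high) // 2
        if probe(mid):
            low = mid
        else:
            high = mid
    return low + IP_ICMP_OVERHEAD


def simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for ping: a path that drops any DF packet larger
    than path_mtu, as a tunnel with ESP overhead does to full-size frames."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= path_mtu


def recommended_mss(path_mtu: int) -> int:
    """TCP MSS to clamp to so segments fit: MTU minus 20-byte IP and 20-byte TCP headers."""
    return path_mtu - 40


if __name__ == "__main__":
    mtu = find_path_mtu(lambda n: windows_df_ping("www.google.com", n))
    print("path MTU %d, clamp MSS to %d" % (mtu, recommended_mss(mtu)))
```

Pages that hang while large responses are black-holed are the classic symptom of a path MTU below 1500 with PMTU discovery blocked; clamping the MSS to the value this finds is the usual remedy.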
RE: Discussion for article on Site to Site ISA to DLink... - 17.Feb.2006 4:30:22 PM
onovotny
Posts: 14
Joined: 17.Feb.2006

I was also looking for a script to update the remote IP of a VPN route if something changes. If I have time, I was going to investigate the possibility of writing a service to do this, but I'd rather not if someone else already had :) It actually looks like it may not be that hard: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/isasdk/isa/fpcvpnnetworkipsecsettings_object.asp

Here's what could work: have a Windows Service on the ISA box that monitors a config file for mapping information -- Network object (name of remote site network) to dynamic DNS name. If the config file changes, the service would just reload the config. The service would run in an account that has admin access to the ISA Server. The config file should be secured correctly since it'd be updating ISA config... Anyway, the service would periodically check the DNS lookup of the remote host, and if it changes can update the network's remote IP setting in the ISA Server. The only catch is avoiding DNS caching to ensure that you always get a current value. DynDNS uses a 60s TTL on dynamic hosts, so it should work out. I don't have time this weekend, but if there's interest, I might be able to whip something up. --Oren

RE: Discussion for article on Site to Site ISA to DLink... - 20.Feb.2006 11:31:32 PM
onovotny
Posts: 14
Joined: 17.Feb.2006

Just an update on this. I created a Windows service that will monitor a DNS name associated with a remote site's IP address and, when the DNS changes, will update the ISA Server's entry (DynDNS for the remote site is ideal for this). This currently works with IPSec VPN tunnels as described in the DLink article. It does not work with other types of network objects, including PPTP/L2TP remote sites, though if someone wants to contribute it, it shouldn't be too hard to support those too. I've put the files here:
http://novotny.org/files/IsaSite2SiteRemoteIpChecker.exe
http://novotny.org/files/IsaSite2SiteRemoteIpChecker-src.zip
I haven't yet created a ReadMe, so here it is:
1) It requires .NET 2.0 on the machine running the service. It can be run from the ISA Server directly or another domain machine. If .NET 2.0 isn't installed, the setup program will prompt you and allow you to install it (it'll d/l the .NET installer from Microsoft's servers).
2) The machine needs to have the ISA Server Management tools installed. There is currently no installer check for this, but I'm sure you'll get a nasty error if you try to start the service without it being there :)
3) During setup, it will prompt you for a service account name/password. You must use a domain account that has Administrator access to the ISA Server.
4) The service installs as manual startup to allow you a chance to configure the settings file first. In the install directory there is a file called settings.xml. It should be self-explanatory, but it lets you specify a series of mappings. Each mapping has the IsaServer hostname, Remote Site Network Object name (not sure if this is case-sensitive, but it may be) and RemoteDns name that corresponds to the remote gateway. There is also a .config file that lets you specify the update check interval. The default is 30 seconds, but you can change it as you like. Keep in mind that DNS TTLs play in here, and even DynDNS has a TTL of 60s, so there's little point in having it much less than 30.
5) After setting your mapping(s), you can start the service and change the startup to Automatic. If you change the settings.xml file, the service will automatically pick up the change. Changing the .config file requires a service restart. For enhanced diagnostics, you can set the EventHeartbeat to True and the service will write an event to the Application log every refresh interval. The app currently logs a before/after event in the Application log when changing an IP address, so you should be able to confirm the change there. There's also a console app that you can run a one-time update with.
Disclaimer: I've tested this on my ISA Server, but it's a Standard Edition and I'm not sure how Enterprise Edition might affect things. I also disclaim all liability for using this code -- use it at your own risk. I've provided the source code if you'd like to review it prior to use. It's a VS 2005 solution.
Security issue: Make sure that the settings.xml and .config files have appropriate ACLs on them to prevent unauthorized users from modifying the files and thereby updating ISA Server's configuration.
If you find any bugs, please be sure to include as much information as you can, including looking for relevant events in the Application Log. To any site moderators, if you find this tool useful, please feel free to host the source/binaries on your system. I'm happy to contribute a tool that others might find useful.
< Message edited by onovotny -- 21.Feb.2006 3:47:07 AM >

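The core loop of the service described in the two posts above (read a list of mappings, resolve each remote gateway's dynamic DNS name on a timer, and touch the ISA configuration only when the answer changes) is shown here as an added Python example; it is not the tool's code and does not reproduce its settings.xml schema, so the element and attribute names in the constructed sample are assumptions. The resolver and the ISA update call are injected: the real service would use the resolver with the 60s DynDNS TTL caveat the author mentions and the FPC COM object he links, which is represented here by a hypothetical callback.

```python
import socket
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Tuple

# Constructed settings in the spirit of the tool's settings.xml (schema assumed).
SETTINGS_XML = """
<settings>
  <mapping isaServer="isa01" network="Branch Office" remoteDns="branch.example.dyndns.org"/>
  <mapping isaServer="isa01" network="Warehouse" remoteDns="warehouse.example.dyndns.org"/>
</settings>
"""

Mapping = Tuple[str, str, str]  # (ISA server hostname, remote site network object, remote DNS name)


def load_mappings(xml_text: str) -> List[Mapping]:
    """Parse the mapping file; this is the part the post says to ACL carefully,
    since whoever can edit it can redirect a site-to-site tunnel."""
    root = ET.fromstring(xml_text)
    return [(m.get("isaServer"), m.get("network"), m.get("remoteDns"))
            for m in root.iter("mapping")]


class RemoteIpChecker:
    """One refresh cycle of the service: resolve each remote gateway name and
    call update_isa(server, network, ip) only when the address differs from the
    last value applied. Both collaborators are injected so this runs offline."""

    def __init__(self, mappings: List[Mapping],
                 resolve: Callable[[str], str] = socket.gethostbyname,
                 update_isa: Callable[[str, str, str], None] = None):
        self.mappings = mappings
        self.resolve = resolve
        # Hypothetical placeholder for the FPCVpnNetworkIPSecSettings update.
        self.update_isa = update_isa or (lambda s, n, ip: print("would set", n, "on", s, "to", ip))
        self.last_seen: Dict[str, str] = {}

    def refresh(self) -> List[Tuple[str, str]]:
        """Return the (network, new_ip) pairs changed in this cycle."""
        changed = []
        for server, network, name in self.mappings:
            try:
                ip = self.resolve(name)
            except OSError:
                continue  # transient DNS failure: leave the current ISA setting alone
            if self.last_seen.get(name) != ip:
                self.update_isa(server, network, ip)  # the before/after event would be logged here
                self.last_seen[name] = ip
                changed.append((network, ip))
        return changed
```

Poll no more often than the zone's TTL (the post notes 60s for DynDNS); polling faster only re-reads the cached answer.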
RE: Discussion for article on Site to Site ISA to DLink... - 9.Aug.2006 6:52:36 AM
DIGGER
Posts: 1
Joined: 9.Aug.2006

Hi all, I have this setup between our main branch and our remote office. They use Terminal Services (to access our order system) and Exchange through the VPN tunnel but are reporting 2-3 times a day that their TS and Exchange connections are dropping out. It's not an issue with their internet connection as that continues to work. Are there any connection timeout settings or life timers that can be changed to fix this, or is it a completely different problem altogether? Thanks in advance.

RE: Discussion for article on Site to Site ISA to DLink... - 10.Jan.2007 9:23:09 PM
tspa
Posts: 2
Joined: 10.Jan.2007

Dearest Gurus, I have a similar situation, and the same DLink router, but one problem... I'm trying to get this so that the user can just take it and put it behind their existing home network. I'm testing from my home and can't connect behind the NAT home router. I see that since this thread came out, DLink added NAT Traversal to the firmware, and I enabled it, but still with no luck... I can't ping anything. However, the DLink shows a VPN connection. The ISA 2004 box knows nothing of its existence according to "sessions" and "logging". Is there a way to give my users a hard-wired unit that they can just plug into their network and it just "works"? Guiding them through an entire home network revamp just isn't possible. Here is the basic flow:
HQ Network <-> ISA 2k4 <-> INTERNET <-> Home user's router (NAT) <-> Dlink <-> VOIP phone and computer
I read an ISA 2000 thread that Tom wrote on how to set up ISA 2000 to accept NAT-T. Do you have to do the same on ISA 2k4? Any help is appreciated, as our company has 12 people that "work from home" but need "office presence" (phone and computer).
_____________________________
TSPA Tech Services

RE: Discussion for article on Site to Site ISA to DLink... - 13.May2007 10:08:40 PM
whitehjb
Posts: 1
Joined: 13.May2007

I can get the VPN established but when going from the ISA server to the remote network the server (via PING) responds with "Negotiating IP security". I am not sure why it is doing this as the policies look fine. I think it may be NAT but need someone to help confirm this. Below is the setup. Both DSL 502T modems have the IPSec/L2TP port forwarding enabled to go to their respective end-points.
HQ
Internet > DLink 502T ADSL Modem > ISA Server > Internal
DLink 502T - WAN (External Static IP)
DLink 502T - LAN (Internal IP 192.168.10.1)
ISA Server - LAN Interface (Internal IP 192.168.10.2)
The ISA server has multiple NICs for multiple LANs
Primary HQ LAN = 192.168.0.0/24
Remote Office
Internet > DLink 502T ADSL Modem > DLink DSL 804 Router > Internal
DLink 502T - WAN (External Static IP)
DLink 502T - LAN (Internal IP 192.168.15.1)
DLink DSL804 - WAN (Internal IP 192.168.15.2)
DLink DSL804 - LAN (Internal IP 192.168.16.1)
Primary Remote LAN = 192.168.16.0/24