Welcome to ISAserver.org

Discussion for article on Site to Site ISA to DLink VPN
Discussion for article on Site to Site ISA to DLink VPN - 5.Aug.2004 12:32:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing Tiago's article on joining the ISA firewall to a DLink VPN device for a site to site VPN.

Thanks!
Tom
Post #: 1
RE: Discussion for article on Site to Site ISA to DLink... - 6.Aug.2004 10:11:00 AM   
HedgeHog

 

Posts: 12
Joined: 14.Feb.2002
From: Germany
Status: offline
Is it also possible to use this if the D-Link-804HV itself dials in, for example via DSL, and gets a dynamic IP via the DHCP server from the provider? What do I set in ISA Server?

(in reply to tshinder)
Post #: 2
RE: Discussion for article on Site to Site ISA to DLink... - 6.Aug.2004 1:24:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Hedge,

You can use the FQDN if you're using a DDNS service like TZO at the DLink site.

HTH,
Tom

(in reply to tshinder)
Post #: 3
RE: Discussion for article on Site to Site ISA to DLink... - 7.Aug.2004 12:11:00 AM   
tiagoaviz

 

Posts: 4
Joined: 24.Jan.2003
From: Curitiba/PR - Brasil
Status: offline
But the IPSec wizard doesn't allow you to put in the FQDN, Tom.

I'd highly recommend getting a fixed IP address for the D-Link in this case. That's not a problem if you make the VPN only between two D-Link routers...

How can we tell Microsoft to change it? Is there a suggestion box? [Wink]

(in reply to tshinder)
Post #: 4
RE: Discussion for article on Site to Site ISA to DLink... - 8.Aug.2004 7:15:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tiago,

Ha! You are right. I was thinking of L2TP/IPSec.

Thanks!
Tom

(in reply to tshinder)
Post #: 5
RE: Discussion for article on Site to Site ISA to DLink... - 9.Aug.2004 4:01:00 PM   
HedgeHog

 

Posts: 12
Joined: 14.Feb.2002
From: Germany
Status: offline
So this is nearly useless for getting homeworkers online.

Currently we use the D-Link 804HV on both sides. But we would likely use the ISA Server on the main site to have better control of traffic etc.

But as far as I can see the ISA Server only allows fixed IPs in its settings. Too bad.

Is it for security reasons that FQDNs are not allowed in the ISA VPN peer settings?

(in reply to tshinder)
Post #: 6
RE: Discussion for article on Site to Site ISA to DLink... - 13.Aug.2004 5:38:00 AM   
hborja

 

Posts: 4
Joined: 9.Aug.2004
From: Florida
Status: offline
Thanks for the article, it helped out a lot. I'm having a problem and maybe you guys can shed some light. The IKE connection is established and I can start to ping two IPs in the internal range (10.0.0.1 and 10.0.0.100). After a while of pinging, 10.0.0.100 stops responding and 10.0.0.1 continues. I checked the Alerts and I have the following two errors:

Spoof attack on 10.0.0.100...

and

ISA Server detected routes through adapter "External" that do not correlate with the network element to which this adapter belongs. The adapter ranges in conflict are: 10.255.255.255 - 10.255.255.255...

P.S. I'm new to ISA so be gentle [Wink]

(in reply to tshinder)
Post #: 7
RE: Discussion for article on Site to Site ISA to DLink... - 17.Aug.2004 12:53:00 AM   
hborja

 

Posts: 4
Joined: 9.Aug.2004
From: Florida
Status: offline
It turns out I figured out what my problem was. The test machine I was pinging on the internal LAN (10.0.0.100) was establishing a VPN connection to the ISA server as well, ending up with an adapter in the private IP range (172.x.x.x). Whenever I have the VPN connection up on this machine the ping starts to fail. I guess ISA feels there is some spoofing going on. This won't be a real problem because I won't have clients on the inside establishing VPN connections.

(in reply to tshinder)
Post #: 8
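The two alerts in the posts above (the "Spoof attack" and the "routes ... that do not correlate with the network element" message) both come from the same rule: a packet's source address, or a route's destination, must fall inside the address ranges of the network element bound to the adapter it arrives on or points through. The script below is an added illustration of that rule and is not code from this thread or from ISA Server. The address plan (an Internal network of 10.0.0.0/24, a placeholder External range, a hypothetical remote-site network) and the sample packets and routes are constructed; the 172.x source on the Internal adapter and the 10.255.255.255 route through "External" mirror the situations the posts describe.

```python
import ipaddress

# Constructed address plan (not the thread's real configuration):
# each ISA network element is bound to exactly one adapter.
ADAPTER_NETWORKS = {
    "Internal": [ipaddress.ip_network("10.0.0.0/24")],
    "External": [ipaddress.ip_network("203.0.113.0/24")],   # placeholder public range (TEST-NET-3)
    "VPN Site": [ipaddress.ip_network("192.168.10.0/24")],  # hypothetical network behind the D-Link
}


def lookup_adapter(adapter):
    """Return the address ranges of the network element bound to an adapter."""
    try:
        return ADAPTER_NETWORKS[adapter]
    except KeyError:
        raise ValueError(f"unknown adapter {adapter!r}") from None


def is_spoofed(adapter, src_ip):
    """Anti-spoofing rule: a packet entering an adapter must carry a source
    address that belongs to the network element bound to that adapter."""
    ip = ipaddress.ip_address(src_ip)
    return not any(ip in net for net in lookup_adapter(adapter))


def spoof_alerts(packets):
    """Evaluate (adapter, src_ip, dst_ip) records and return alert strings
    in the style of the ISA alert quoted in the thread."""
    alerts = []
    for adapter, src, dst in packets:
        if is_spoofed(adapter, src):
            alerts.append(
                f'Spoof attack on {src} (arrived on adapter "{adapter}", destination {dst})'
            )
    return alerts


def route_conflicts(routes):
    """Route correlation check: a route's destination range must lie inside
    the network element of the adapter it points through. Returns the
    conflicting (adapter, first address, last address) triples, which is
    the information the ISA alert reports as 'adapter ranges in conflict'."""
    conflicts = []
    for adapter, destination in routes:
        dest = ipaddress.ip_network(destination, strict=False)
        if not any(dest.subnet_of(net) for net in lookup_adapter(adapter)):
            conflicts.append(
                (adapter, str(dest.network_address), str(dest.broadcast_address))
            )
    return conflicts


# Constructed sample traffic: the third record is a source address from the
# 172.x VPN-client adapter range showing up on the Internal adapter.
SAMPLE_PACKETS = [
    ("Internal", "10.0.0.1", "192.168.10.20"),
    ("Internal", "10.0.0.100", "192.168.10.20"),
    ("Internal", "172.16.0.5", "192.168.10.20"),
    ("External", "203.0.113.77", "10.0.0.1"),
]

# Constructed routing table: the last entry is the kind of route the thread's
# alert complains about (a 10.x destination reachable through "External").
SAMPLE_ROUTES = [
    ("Internal", "10.0.0.0/24"),
    ("External", "203.0.113.0/24"),
    ("External", "10.255.255.255/32"),
]

if __name__ == "__main__":
    for line in spoof_alerts(SAMPLE_PACKETS):
        print(line)
    for adapter, first, last in route_conflicts(SAMPLE_ROUTES):
        print(f'Routes through adapter "{adapter}" do not correlate: {first} - {last}')
```

Running it prints one spoof alert for 172.16.0.5 and one route conflict for 10.255.255.255 - 10.255.255.255 through "External". The defender's takeaway matches what hborja found: a host on the Internal network that acquires a second adapter in a different private range will trip the spoof rule as soon as traffic from that address reaches the firewall's Internal interface, so either keep such clients off the protected LAN or add their range to the network element they enter through.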
RE: Discussion for article on Site to Site ISA to DLink... - 17.Aug.2004 1:18:00 AM   
hborja

 

Posts: 4
Joined: 9.Aug.2004
From: Florida
Status: offline
Is it possible to set up the DI-804HV so it routes all traffic through the VPN tunnel to the ISA server? If so, can you let me know what I need to do?

Thanks...

(in reply to tshinder)
Post #: 9
RE: Discussion for article on Site to Site ISA to DLink... - 20.Aug.2004 5:38:00 PM   
tiagoaviz

 

Posts: 4
Joined: 24.Jan.2003
From: Curitiba/PR - Brasil
Status: offline
quote:
Originally posted by ne0nm4n:
Is it possible to set up the DI-804HV so it routes all traffic through the VPN tunnel to the ISA server? If so, can you let me know what I need to do?

Thanks...

Well, you could create filters on the D-Link in order to allow only traffic going to your HQ network and the ISA External IP Address and block all the rest. I don't know if it's possible but it should!

(in reply to tshinder)
Post #: 10
RE: Discussion for article on Site to Site ISA to DLink... - 20.Aug.2004 5:42:00 PM   
tiagoaviz

 

Posts: 4
Joined: 24.Jan.2003
From: Curitiba/PR - Brasil
Status: offline
quote:
Originally posted by HedgeHog:
So this is nearly useless for getting homeworkers online.

Currently we use the D-Link 804HV on both sides. But we would likely use the ISA Server on the main site to have better control of traffic etc.

But as far as I can see the ISA Server only allows fixed IPs in its settings. Too bad.

Is it for security reasons that FQDNs are not allowed in the ISA VPN peer settings?

I guess there is, because the IPSec policies must be created using IP Addresses. They could create a workaround to first find out the IP address of that DNS name and then apply the IPSec Policy.

Here in Brazil it's cheap to get a fixed IP address for your DSL, so there's no real problem when you need to change that.

(in reply to tshinder)
Post #: 11
RE: Discussion for article on Site to Site ISA to DLink... - 21.Aug.2004 4:10:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tiago,

Thanks!

Tom

(in reply to tshinder)
Post #: 12
RE: Discussion for article on Site to Site ISA to DLink... - 24.Aug.2004 12:41:00 AM   
Fire

 

Posts: 265
Joined: 19.Mar.2001
From: Ontario, Canada
Status: offline
Is it possible to set up this kind of connection between ISA Server 2000 and a VPN router?

I think ISA 2000 does not support pre-shared keys... right?

(in reply to tshinder)
Post #: 13
RE: Discussion for article on Site to Site ISA to DLink... - 24.Aug.2004 6:32:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Fire,

That's correct. The 2000 ISA firewall did not support IPSec tunnel mode.

HTH,
Tom

(in reply to tshinder)
Post #: 14
RE: Discussion for article on Site to Site ISA to DLink... - 24.Aug.2004 2:10:00 PM   
Fire

 

Posts: 265
Joined: 19.Mar.2001
From: Ontario, Canada
Status: offline
Hi Tshinder

There are a couple of questions.
1. Can we assign the IPsec policy on the ISA Server 2000 and also open some UDP ports for IPsec to make ISA 2000 support IPsec VPN? I remember it was UDP 500, 4500 and something.

2. ISA 2000 only supports ISA to ISA in gateway-to-gateway mode. How about if there are only a couple of computers in the branch office and there is a cheap router to hook up all the computers to the internet? Is there any cheap router (Linksys, SMC, D-Link) that can support site-to-site VPN with ISA 2000?

3. Does the remote site have to use a static IP address? I know the Cisco devices can support an IP pool on IPsec VPN. How about ISA 2004? Because most remote sites don't have a static IP address.

(in reply to tshinder)
Post #: 15
RE: Discussion for article on Site to Site ISA to DLink... - 24.Aug.2004 3:04:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Fire,

The 2000 ISA firewall does not support IPSec tunnel mode for site to site VPN.

HTH,
Tom

(in reply to tshinder)
Post #: 16
RE: Discussion for article on Site to Site ISA to DLink... - 20.Sep.2004 8:19:00 PM   
Guest
Hi:

I have configured an IPSec tunnel from a remote site to the home office as described in the article.

I can do most things through the tunnel OK: ping, ping by name, PC Anywhere into machines on the home office LAN, etc. I cannot browse the network in My Network Places.

Interestingly, though I can RDP into any server that is running Server 2000, I cannot RDP into servers running Server 2003. I CAN RDP into the ISA 2004 server (changed the system policy to allow that).

I have set up numerous IPSec tunnels using Netgear VPN routers with no difficulty.

Monitoring shows the connection initiated to the server I wish to RDP into, but then shortly later a connection denied log entry is recorded with no rule to indicate why it was denied.

Anybody have any clues?

Thanks

Scott

(in reply to tshinder)
  Post #: 17
RE: Discussion for article on Site to Site ISA to DLink... - 28.Sep.2004 4:57:00 PM   
Guest
Hi, thanks for the article. I have done a similar configuration with a Draytek DSL router. I can do everything I need to (file share browsing, Exchange access etc.) apart from getting the firewall client to connect to the ISA server, or being able to use the web proxy client to browse the web. I would still like my clients to browse the web via the ISA server because of the HTTP filter and GFI. I don't think they can because the web proxy requests are coming from a network outside 'Internal'; is this correct, and if so how do I fix it? Also, my Draytek does not like it if I include the gateway address of the ISA server as part of the VPN networks protected by ISA, but I can include the gateway address of the Draytek in the ISA config.

Many thanks!

James

(in reply to tshinder)
  Post #: 18
RE: Discussion for article on Site to Site ISA to DLink... - 8.Oct.2004 9:59:00 AM   
Guest
Hi, thanks for the reply! Yes, absolutely everything works except for the web proxy stuff. At present I have got around this by tunnelling my Draytek into a Checkpoint box that runs in parallel to my ISA 2004 at the head office. I have then included the 'Draytek' remote network in the Internal network object on the ISA 2004 and all works perfectly. It is my aim to remove the Checkpoint at some point in the future and have the Drayteks tunnelling in to the ISA once I have the web proxy client issue sorted.

Bit stuck with this one [Wink]

(in reply to tshinder)
  Post #: 19
RE: Discussion for article on Site to Site ISA to DLink... - 12.Oct.2004 1:32:00 PM   
Guest
James,

You sound like you're in a VERY similar position to me.

I'm slowly migrating away from Checkpoint and over to ISA 2004. I've got one site-to-site VPN set up (RemoteFW1-LAN_ISA2004) but am having trouble with the Draytek at another site.

Do you have any clues/setup docs on how to get the Vigor to behave?

Please post here or email andybh1969@hotmail.com - THANKS !

Andy

(in reply to tshinder)
  Post #: 20