Welcome to ISAserver.org

Discussion about article on publishing VPN servers

Discussion about article on publishing VPN servers - 19.Sep.2004 10:38:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the article on publishing VPN servers over at http://isaserver.org/articles/2004pubvpn.html

Answers to the questions:
1. What VPN protocols does the ISA firewall support for remote access connections?
Answer: PPTP and L2TP/IPSec

2. What VPN protocols does the ISA firewall support for site to site VPN connections?
Answer: PPTP, L2TP/IPSec and IPSec tunnel mode

3. What route relationship is required to publish non-NAT-T IPSec tunnel mode connections?
Answer: A route relationship is required. You can set the route relationship by configuring a Network Rule.

4. What port number is used by IETF IPSec NAT-T?
Answer: UDP port 4500.

5. Which is more secure: PPTP with complex passwords, or IPSec tunnel mode with pre-shared keys?
Answer: PPTP using complex passwords or user certificate authentication is more secure than IPSec tunnel mode using pre-shared keys.

6. Which protocols must you publish to allow connections to a back-end ISA firewall/VPN server when the route relationship between the external interface and the DMZ network on the front-end ISA firewall is set to NAT?
Answer: For PPTP, you can use the PPTP Server Protocol Definition. For L2TP/IPSec, you can use the L2TP/IPSec NAT-T protocols -- this requires that you publish UDP 500 for IKE and UDP 4500 for the IPSec NAT-T protocol.

Thanks!
Tom

[ September 20, 2004, 03:15 AM: Message edited by: tshinder ]
Post #: 1
RE: Discussion about article on publishing VPN servers - 28.Oct.2004 1:57:00 PM   
achkarab

 

Posts: 14
Joined: 28.Sep.2004
Status: offline
Hello Mr Tom,
I need to have your help and your advice, if you permit.

I have a back-to-back topology to be implemented: internet (leased line, digital modem) ---> 3Com SuperStack firewall ---> DMZ ---> ISA 2004.
I would like to have a theory of how to make things work well for: where to make static routes, where to enable routing, where to publish?
- the VPN site-to-site (as I have multiple servers and specific ports to be opened)
- internet (allowing access rule? packet filtering for the VPN connection)
- SMTP (internal Exchange; what to do for the ISA and for the 3Com firewall)
- what do you suggest to use as firewall client for servers and for workstations... SecureNAT, web client...
Thank you.

(in reply to tshinder)
Post #: 2
RE: Discussion about article on publishing VPN servers - 27.Jan.2005 5:00:00 PM   
bspengler

 

Posts: 1
Joined: 27.Jan.2005
From: Stockton, IL
Status: offline
My front firewall is a PIX 501 and my back firewall is an ISA Server 2004. Using parts of your article I was able to get a PPTP VPN client to connect just fine through the PIX to the back firewall -- works great.

Even though I have the PIX set up for IPSec passthrough (sysopt connection permit-ipsec), I cannot get L2TP to connect through to the ISA Server. I am using Windows XP with SP2 and the VPN client configured for L2TP and a preshared key that matches that of the ISA 2004 Server. I followed your article for this part of things. For L2TP, the Windows XP VPN client says: "connecting to IP: XXX.XXX.XXX.XXX", hangs for a while, and then errors out with one of two errors, either "Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer" or "Error 792: The L2TP connection attempt failed because security negotiation timed out."

Again PPTP works great, but I am also trying to get L2TP to work.

Any help would be appreciated. (I have tried various PIX settings beyond sysopt connection permit-ipsec, also including fixup protocol esp-ike and isakmp nat-t, but nothing seems to matter.) I am not sure this is a PIX passthrough problem.

(in reply to tshinder)
Post #: 3
RE: Discussion about article on publishing VPN servers - 19.Apr.2005 12:04:00 PM   
cs1364

 

Posts: 3
Joined: 23.Aug.2004
From: Denmark
Status: offline
I have the exact same problem... Any resolution?

Cheers

Christian

(in reply to tshinder)
Post #: 4
RE: Discussion about article on publishing VPN servers - 19.Apr.2005 12:29:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Abdo Achkar:
Hello Mr Tom,
I need to have your help and your advice, if you permit.

I have a back-to-back topology to be implemented: internet (leased line, digital modem) ---> 3Com SuperStack firewall ---> DMZ ---> ISA 2004.
I would like to have a theory of how to make things work well for: where to make static routes, where to enable routing, where to publish?
- the VPN site-to-site (as I have multiple servers and specific ports to be opened)
- internet (allowing access rule? packet filtering for the VPN connection)
- SMTP (internal Exchange; what to do for the ISA and for the 3Com firewall)
- what do you suggest to use as firewall client for servers and for workstations... SecureNAT, web client...
Thank you.

Hi Abdo,

If you're not good with routing and configuring the 3COM, I would recommend that you forward everything from the Internet to the external interface of the ISA firewall. If the router has a "DMZ" feature, just configure it to use the ISA firewall's external interface as its "DMZ" host, so that everything is allowed inbound and outbound from the ISA firewall's external interface.

HTH,
Tom

(in reply to tshinder)
Post #: 5
RE: Discussion about article on publishing VPN servers - 19.Apr.2005 12:31:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by lotstolearn:
My front firewall is a PIX 501 and my back firewall is an ISA Server 2004. Using parts of your article I was able to get a PPTP VPN client to connect just fine through the PIX to the back firewall -- works great.

Even though I have the PIX set up for IPSec passthrough (sysopt connection permit-ipsec), I cannot get L2TP to connect through to the ISA Server. I am using Windows XP with SP2 and the VPN client configured for L2TP and a preshared key that matches that of the ISA 2004 Server. I followed your article for this part of things. For L2TP, the Windows XP VPN client says: "connecting to IP: XXX.XXX.XXX.XXX", hangs for a while, and then errors out with one of two errors, either "Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer" or "Error 792: The L2TP connection attempt failed because security negotiation timed out."

Again PPTP works great, but I am also trying to get L2TP to work.

Any help would be appreciated. (I have tried various PIX settings beyond sysopt connection permit-ipsec, also including fixup protocol esp-ike and isakmp nat-t, but nothing seems to matter.) I am not sure this is a PIX passthrough problem.

Hi Lots,

Are you using the updated L2TP/IPSec VPN client, so that you can NAT between the Internet and the external interface of the ISA firewall?

Thanks!
Tom

(in reply to tshinder)
Post #: 6
RE: Discussion about article on publishing VPN servers - 21.Jun.2005 8:02:00 PM   
Guest
My problem is similar.

2 hosts:
first - VPN Server (Windows 2003 SP1) - L2TP/IPSec

second - Windows 2003 SP1 with ISA 2004 SP1

ISA publishing VPN Server (UDP 500 & 4500).

When I try to connect I get error 678 The remote computer did not respond.
I read article KB885407, "The default behavior of IPsec NAT traversal (NAT-T) is changed in Windows XP Service Pack 2", and added the registry key with value 2, but I still have the same error.

When I look in IP Security Monitor snap-in everything looks fine.

My client is Windows XP SP2.
I use a preshared key (a direct connection to the VPN server without ISA works fine).

Any ideas?

Regards,
Marcin

(in reply to tshinder)
Post #: 7
RE: Discussion about article on publishing VPN servers - 24.Aug.2005 12:57:00 PM   
jcotelo

 

Posts: 2
Joined: 13.Jul.2005
From: Montevideo, Uruguay
Status: offline
Hi,

This is my first time in these forums; please forgive me if I have done something wrong in making this post.
I have a front-end Cisco PIX 520 with 3 interfaces and a back-end ISA 2004. I am planning the deployment, but now they have asked me to allow VPN connections. I have read your article, but I am not quite sure how to allow the VPN clients to pass through the PIX.

Any help would be great.
Thanks
Jorge

(in reply to tshinder)
Post #: 8
RE: Discussion about article on publishing VPN servers - 24.Aug.2005 7:18:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jorge,

I'll let someone else jump in here to correct me, but I'm pretty sure the PIX doesn't have a PPTP NAT editor. However, if you're not using NAT, then you just need to allow IP Protocol 47 (GRE) and the PPTP control channel, TCP 1723.

HTH,
Tom

(in reply to tshinder)
Post #: 9
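Tom's answers in Post #1 (the protocols and ports each VPN type needs, and the route relationship rule for non-NAT-T IPsec) and Post #9 (PPTP without NAT: IP protocol 47 plus TCP 1723) amount to a checklist for the front-end firewall; the Python below turns it into one. It is an added example, not code from the article or the thread; the Flow model, the function names and the ESP (IP protocol 50) entry for the routed L2TP/IPsec case are assumptions of this example, not taken from the page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    proto: str    # "tcp", "udp" or "ip" (raw IP protocol)
    number: int   # TCP/UDP port, or IP protocol number when proto == "ip"
    purpose: str

# Numbers from the thread: TCP 1723 + GRE (IP protocol 47) for PPTP without
# NAT (Post #9); UDP 500 (IKE) + UDP 4500 (IETF IPsec NAT-T) for L2TP/IPsec
# behind NAT (Post #1, Q4 and Q6). ESP (IP protocol 50) for the routed,
# non-NAT-T case is standard IPsec and an assumption added here.
PPTP_CTRL = Flow("tcp", 1723, "PPTP control channel")
GRE = Flow("ip", 47, "GRE data channel")
IKE = Flow("udp", 500, "IKE")
NAT_T = Flow("udp", 4500, "IPsec NAT-T (UDP-encapsulated ESP)")
ESP = Flow("ip", 50, "ESP")

def required_flows(vpn, relationship, natt_client=True):
    """Flows the front-end must pass inbound to the published VPN server for
    vpn in {'pptp', 'l2tp', 'ipsec-tunnel'} and a front-end route relationship
    of 'route' or 'nat', plus reasons the combination cannot work as given."""
    problems = []
    if vpn == "pptp":
        if relationship == "nat":
            problems.append("PPTP through NAT needs a PPTP/GRE NAT editor on "
                            "the front-end; confirm the device has one")
        return {PPTP_CTRL, GRE}, problems
    if vpn == "l2tp":
        if relationship == "route":
            return {IKE, ESP}, problems
        if not natt_client:
            problems.append("L2TP/IPsec behind NAT needs NAT-T on client and "
                            "server; without it IKE fails (errors 789/792)")
        return {IKE, NAT_T}, problems
    if vpn == "ipsec-tunnel":
        if relationship == "nat":
            problems.append("non-NAT-T IPsec tunnel mode cannot be published "
                            "through NAT; set a route relationship (Network Rule)")
        return {IKE, ESP}, problems
    raise ValueError(f"unknown VPN type {vpn!r}")

def missing_flows(vpn, relationship, allowed, natt_client=True):
    """Compare the required flows with the front-end's allow list, given as a
    set of (proto, number) pairs, and return (gaps, problems)."""
    needed, problems = required_flows(vpn, relationship, natt_client)
    gaps = sorted((f for f in needed if (f.proto, f.number) not in allowed),
                  key=lambda f: (f.proto, f.number))
    return gaps, problems
```

`missing_flows("pptp", "route", {("tcp", 1723)})` reports GRE as the gap, the classic cause of a PPTP client hanging at "verifying password" as Post #10 describes.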
RE: Discussion about article on publishing VPN servers - 20.Dec.2005 1:00:45 PM   
karmi

 

Posts: 32
Joined: 5.Nov.2004
Status: offline
Hello,

I have two questions.

1- I have configured two ISA servers, front/back. When I connect to the back server directly on PPTP it works, but when I connect to it on the front ISA IP (from the internet), I am unable: it hangs on the verifying password screen. I defined protocol 47 GRE, since I found it on the denied access list when I monitored the connection; now it appears as failed, and I still have the problem.


2- I am unable to connect directly to another ISA server from the internet using L2TP, neither with a shared key nor using certificates.

NOTE THAT: I was able to connect to it (L2TP with valid certificates) from an internal computer on the ISA internal IP address with no problems. When I disconnect the network from my computer and dial my ISP to connect to the server from the internet, it does not connect L2TP, and gives me "negotiations timed out". I tried from other computers outside as well with no luck.


I checked the following:

   - IP Fragments are not blocked on the ISA
   - Certificates ok in LOCAL Computer store (Server in Personal / CA in Root) on server (Client and CA) on client
   - IPSec is enabled on both server and client
   - L2TP Ports are created on RAS ( and I was able to connect locally as I said )
   - Access Networks checked, both external and internal
 
   But I get several "Denied connection" entries in the logging, as follows:

Client IP          Destination        Port                     Result code              Transport
---------          -----------        ----                     -----------              ---------
ISA External IP    ISA External IP    different random ports   ... UNREACHABLE_ADDRESS  UDP


What could be the problem?

Thanks


(in reply to tshinder)
Post #: 10
