ClintD -> RE: Problem: Site-to-Site VPN ISA2004 and Sonicwall (21.Jan.2005 12:46:00 AM)
When you test connectivity from the ISA Server, it sources from its external IP address 111.111.111.111. Does the Sonicwall have this address in its list of addresses for the IPSec Tunnel Mode config?
I've explained this in the past and here's a copy/paste of the description - sorry for the length.
SubnetA -- ISA-A -- Internet -- Sonicwall -- SubnetB
ISA-A has a Remote Site for SubnetB that contains the addresses of that subnet.
This results in ISA-A having an IPSec Filter List of:
A1 - SubnetA - SubnetB
A2 - SubnetB - SubnetA
A3 - ISA-A - SubnetB
A4 - SubnetB - ISA-A
Sonicwall has an IPSec Tunnel Mode policy for SubnetA that contains the addresses of that subnet.
This results in Sonicwall having an IPSec Filter List of:
B1 - SubnetB - SubnetA
B2 - SubnetA - SubnetB
It's a subtle problem, but when you PING from ISA-A to SubnetB, the traffic sources from ISA-A's external IP address. Because of this, ISA-A has a matching filter for the traffic (A3 above) but the Sonicwall doesn't have a matching filter for this (B1 through B2 don't match the traffic). As a result, ISA-A continues trying to negotiate IP Security with ISA-B but this will never complete as there is not a match for the traffic on ISA-B.
To fix this, on ISA-A, you'll need to add the Sonicwall's external IP address into the Addresses tab of the Remote Site. On the Sonicwall, you'll need to add ISA-A's external IP address.
What happens is that ISA and the Sonicwall will now have the following filters...
ISA-A:
A1 - SubnetA - SubnetB
A2 - SubnetB - SubnetA
A3 - ISA-A - SubnetB
A4 - SubnetB - ISA-A
A5 - ISA-B - SubnetA
A6 - SubnetA - ISA-B
Sonicwall:
B1 - SubnetB - SubnetA
B2 - SubnetA - SubnetB
B3 - ISA-B - SubnetA
B4 - SubnetA - ISA-B
B5 - ISA-A - SubnetB
B6 - SubnetB - ISA-A
With this setup, when ISA-A tries to communicate with SubnetB, A3 now matches B5 and A4 matches B6 and the Security Associations can come online. [ January 21, 2005, 12:55 AM: Message edited by: ClintD ]
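The filter-matching logic the post walks through, as an added example that is not part of ClintD's reply or of either vendor's code: both peers must hold a selector covering the same source/destination pair before the SA can come up. The subnet prefixes and the Sonicwall's external address are constructed placeholders; only 111.111.111.111 comes from the post.

```python
import ipaddress

Net = ipaddress.ip_network
SUBNET_A = Net("192.168.1.0/24")    # LAN behind ISA-A (constructed value)
SUBNET_B = Net("192.168.2.0/24")    # LAN behind the Sonicwall (constructed value)
ISA_A = Net("111.111.111.111/32")   # ISA-A external address, as in the post
ISA_B = Net("222.222.222.222/32")   # Sonicwall external address (constructed value)

# Filter lists as the post describes them: name -> (source selector, destination selector).
ISA_BEFORE = {"A1": (SUBNET_A, SUBNET_B), "A2": (SUBNET_B, SUBNET_A),
              "A3": (ISA_A, SUBNET_B),    "A4": (SUBNET_B, ISA_A)}
SONICWALL_BEFORE = {"B1": (SUBNET_B, SUBNET_A), "B2": (SUBNET_A, SUBNET_B)}

# After each side adds the peer gateway's external address to its site definition.
ISA_AFTER = dict(ISA_BEFORE, A5=(ISA_B, SUBNET_A), A6=(SUBNET_A, ISA_B))
SONICWALL_AFTER = dict(SONICWALL_BEFORE, B3=(ISA_B, SUBNET_A), B4=(SUBNET_A, ISA_B),
                       B5=(ISA_A, SUBNET_B), B6=(SUBNET_B, ISA_A))


def matching_filter(filters, src, dst):
    """Name of the first filter whose selectors contain src -> dst, or None.
    Selectors are compared by containment, so a /32 gateway entry and a LAN
    prefix are handled the same way."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, (fsrc, fdst) in filters.items():
        if s in fsrc and d in fdst:
            return name
    return None


def sa_can_negotiate(initiator_filters, responder_filters, src, dst):
    """Negotiation only completes when BOTH peers hold a filter covering the
    packet: the initiator proposes the selector it matched and the responder
    must have a filter for the same (src, dst) pair to accept it.
    Returns (initiator match, responder match, can negotiate)."""
    local = matching_filter(initiator_filters, src, dst)
    remote = matching_filter(responder_filters, src, dst)
    return local, remote, (local is not None and remote is not None)


if __name__ == "__main__":
    host_b = "192.168.2.10"   # constructed host on SubnetB
    print("ping from ISA-A, before fix:", sa_can_negotiate(ISA_BEFORE, SONICWALL_BEFORE, "111.111.111.111", host_b))
    print("ping from ISA-A, after fix: ", sa_can_negotiate(ISA_AFTER, SONICWALL_AFTER, "111.111.111.111", host_b))
    print("LAN-to-LAN, before fix:     ", sa_can_negotiate(ISA_BEFORE, SONICWALL_BEFORE, "192.168.1.10", host_b))
```

Running it shows why LAN-to-LAN traffic works before the fix while a ping sourced from the ISA Server itself matches A3 locally but nothing on the Sonicwall until B5/B6 exist.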