ClintD -> RE: Problem: Site-to-Site VPN ISA2004 and Sonicwall (21.Jan.2005 12:46:00 AM)
When you test connectivity from the ISA Server, it sources from its external IP address 126.96.36.199. Does the Sonicwall have this address in its list of addresses for the IPSec Tunnel Mode config?
I've explained this in the past and here's a copy/paste of the description - sorry for the length.
SubnetA -- ISA-A -- Internet -- Sonicwall -- SubnetB
ISA-A has a Remote Site for SubnetB that contains the addresses of that subnet.
This results in ISA-A having an IPSec Filter List of
A1 - SubnetA - SubnetB
A2 - SubnetB - SubnetA
A3 - ISA-A - SubnetB
A4 - SubnetB - ISA-A
Sonicwall has an IPSec Tunnel Mode policy for SubnetA that contains the addresses of that subnet.
This results in Sonicwall having an IPSec Filter List of
B1 - SubnetB - SubnetA
B2 - SubnetA - SubnetB
It's a subtle problem, but when you PING from ISA-A to SubnetB, the traffic sources from ISA-A's external IP address. Because of this, ISA-A has a matching filter for the traffic (A3 above) but the Sonicwall doesn't have a matching filter for this (B1 through B2 don't match the traffic). As a result, ISA-A continues trying to negotiate IP Security with ISA-B but this will never complete as there is not a match for the traffic on ISA-B.
To fix this, on ISA-A, you'll need to add the Sonicwall's external IP address into the Addresses tab of the Remote Site. On the Sonicwall, you'll need to add ISA-A's external IP address.
What happens is now ISA and the Sonicwall will now have the following filters...
A1 SubnetA - SubnetB
A2 SubnetB - SubnetA
A3 ISA-A - SubnetB
A4 SubnetB - ISA-A
A5 ISA-B - SubnetA
A6 SubnetA - ISA-B
B1 SubnetB - SubnetA
B2 SubnetA - SubnetB
B3 ISA-B - SubnetA
B4 SubnetA - ISA-B
B5 ISA-A - SubnetB
B6 SubnetB - ISA-A
With this setup, when ISA-A tries to communicate with SubnetB, A3 now matches B5 and A4 matches B6 and the Security Associations can come online.
[ January 21, 2005, 12:55 AM: Message edited by: ClintD ]
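The filter matching described in the post above, modelled as an added example that is not part of the original post: it checks which filter on each gateway covers a packet and which local filters have no identical selector on the peer. All addresses are constructed, and the helper names (`flist`, `match`, `filter_pair`, `unmatched`) are hypothetical.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses for illustration; none are taken from the post.
SUBNET_A = ip_network("10.1.0.0/24")
SUBNET_B = ip_network("10.2.0.0/24")
ISA_A = ip_network("192.0.2.1/32")     # ISA-A external IP
PEER = ip_network("198.51.100.1/32")   # Sonicwall external IP (written ISA-B in the lists)

def flist(prefix, pairs):
    """Name each (source, destination) selector A1, A2, ... in order."""
    return {f"{prefix}{i}": p for i, p in enumerate(pairs, 1)}

# Filter lists as given in the post, before and after the fix.
A_BEFORE = flist("A", [(SUBNET_A, SUBNET_B), (SUBNET_B, SUBNET_A),
                       (ISA_A, SUBNET_B), (SUBNET_B, ISA_A)])
B_BEFORE = flist("B", [(SUBNET_B, SUBNET_A), (SUBNET_A, SUBNET_B)])
A_AFTER = flist("A", list(A_BEFORE.values()) + [(PEER, SUBNET_A), (SUBNET_A, PEER)])
B_AFTER = flist("B", list(B_BEFORE.values()) + [(PEER, SUBNET_A), (SUBNET_A, PEER),
                                                 (ISA_A, SUBNET_B), (SUBNET_B, ISA_A)])

def match(filters, src, dst):
    """Return the name of the first filter whose selectors contain the packet."""
    s, d = ip_address(src), ip_address(dst)
    for name, (fsrc, fdst) in filters.items():
        if s in fsrc and d in fdst:
            return name
    return None

def filter_pair(local, peer, src, dst):
    """Filters covering the packet on each side; None on either side means no SA."""
    return match(local, src, dst), match(peer, src, dst)

def unmatched(local, peer):
    """Local filters with no identical selector pair on the peer."""
    peer_selectors = set(peer.values())
    return sorted(n for n, sel in local.items() if sel not in peer_selectors)

if __name__ == "__main__":
    ping = ("192.0.2.1", "10.2.0.10")  # ping from ISA-A itself to a SubnetB host
    print("before:", filter_pair(A_BEFORE, B_BEFORE, *ping), unmatched(A_BEFORE, B_BEFORE))
    print("after: ", filter_pair(A_AFTER, B_AFTER, *ping), unmatched(A_AFTER, B_AFTER))
```

Running `unmatched` in both directions against an exported policy is a quick way to spot one-sided selectors before debugging the negotiation itself.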