PCLANTECHS
ISA 2004 IPSEC configuration

Hi all,

We are looking to create an IPSec connection to a client's ISA 2004 using either SonicWall's Global VPN Client or WatchGuard's client. I have gone through the 5 steps to set this up but need some help.
I see in the logs that the VPN client tries to make the connection to the ISA Server using IKE, but that's it. On the client system it states "message not received > Retransmitting!"
Any thoughts?
Thanks
Any help?
PCLANTECHS (Asker):
Keith,

We did take a look at those links, and I personally have been doing remote (road warrior type or other) VPNs into routers, firewalls, etc. for three years.  Although I have successfully used other clients, I favor the Sentinel VPN client used by WatchGuard, Netgear, etc., and which works beautifully for Linksys/Cisco, Netopia, Juniper and other hardware implementations.  Takes about twenty minutes or less to set up on both sides.

Now even the isaserver.org tutorials say to keep it simple, plain vanilla and use defaults, which we strive to do, unless it's a gateway-to-gateway permanent connection with multiple proposals to ensure 24-7 connections.  Especially to make a base remote-to-server set before any customization.  As far as we know, setting up a remote PC or Mac IPSec VPN client entails:

1. Keep away from piggybacking IPSec on L2TP (use UDP 500 as it was originally)
2. Stay away from certificates. (exclude any compromisable third-party as a rule of thumb)
3. Setting up an IKE policy on the server with helpful remote and local Identity handles.
4. Use Shared-Key, PFS, 3-DES/MD-5 or 3-DES/SHA-1 for encryption/authentication.
5. Setting up the VPN policy (or Tunnel, if you wish) to match & reference that IKE policy.
6. Match the PFS with Diffie-Hellman 1 or 2, 3-DES/MD-5 or SHA-1, correspondingly.
7. Match the remote Sentinel VPN Client with or without using a Virtual Adapter.
Note we also learned to remove VPN passthru and all redirects or triggers on UDP 500.

Now those steps are pretty darn simple.  Where is this described in ISA 2000 or 2004, both of which we have?  The links you sent seem hellbent on us using certificates and on using ISA-specific nomenclature for terms and technology that have been pretty standard for what, 20 years?  Rude awakening after easily setting up successful PPTP VPN remote-to-server sets on ISA, but then again, PPTP security is a joke, comparatively.  Is there something inherently stupid about ISA and original IPSec?  How can it be hard to make an IKE, refer to it with a VPNPol/Tunnel, and then match with the dang remote client?  Isn't there a 7-10 step way to fill in ISA and match the procedure enumerated above?
Can you drop me an email at keith_alabaster@experts-exchange.com?

I can use this to reply with my personal FTP address. From there you can pull the ISA 2004 VPN kit.
Thanks Brian. I have replied; hopefully you will have received the mail. I note you already have the VPN kit. As you will have seen, using ISA for site-to-site VPNs is pretty much the way you describe, although the VPN IPSec client to ISA VPN should be simpler.

I am just pulling down the Cisco 4.8 client and will see if I can replicate your problem here.

Regards
keith
Yes. I can replicate it with this client (fails on the stage 1 SA and retransmits the last packet). Monitoring shows all is cool and no calls on port 4500, which is strange.

Have you seen this?
http://support.microsoft.com/?id=818043#6
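The Phase 1 failure reproduced above (stage 1 SA never completes, the client keeps retransmitting its last packet, nothing at all on UDP 4500) can be confirmed from a packet capture by reading the ISAKMP headers rather than the client's log line. This is an added example, not code from this thread or from any of the products discussed; it parses the fixed ISAKMP header, strips the NAT-T marker on UDP 4500, and reports whether the gateway ever answered the client's Main Mode message. The `Datagram` records and `SAMPLE_CAPTURE` are constructed; a real capture would be fed in as (direction, port, payload) tuples.

```python
import hashlib
import struct
from collections import namedtuple

# Fixed 28-byte ISAKMP header (RFC 2408): initiator cookie, responder cookie,
# next payload, version, exchange type, flags, message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXCHANGE_TYPES = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefixes IKE carried inside UDP/4500 (NAT-T)
# direction: "out" = VPN client -> gateway, "in" = gateway -> client; port: 500 or 4500
Datagram = namedtuple("Datagram", "direction port payload")

def parse_isakmp_header(data):
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    ic, rc, _nxt, ver, exch, flags, msgid, length = ISAKMP_HDR.unpack_from(data)
    return {"icookie": ic.hex(), "rcookie": rc.hex(), "version": f"{ver >> 4}.{ver & 0xF}",
            "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
            "flags": flags, "msgid": msgid, "length": length}

def ike_bytes(dg):
    # On 4500 a 4-byte non-ESP marker distinguishes IKE from UDP-encapsulated ESP.
    if dg.port != 4500:
        return dg.payload
    return dg.payload[4:] if dg.payload.startswith(NON_ESP_MARKER) else None

def triage(datagrams):
    """Summarise one Phase 1 attempt: exchange used, client retransmits, any gateway reply."""
    seen, res = set(), {"exchange": None, "sent": 0, "retransmits": 0, "phase1_reply": False, "nat_t_seen": False}
    for dg in datagrams:
        res["nat_t_seen"] |= dg.port == 4500
        data = ike_bytes(dg)
        if data is None:
            continue
        hdr = parse_isakmp_header(data)
        if dg.direction == "out":
            res["sent"] += 1
            res["exchange"] = res["exchange"] or hdr["exchange"]
            digest = hashlib.sha256(data).digest()
            res["retransmits"] += digest in seen  # byte-identical resend = retransmit
            seen.add(digest)
        elif hdr["rcookie"] != "00" * 8:  # responder filled in its cookie: Phase 1 was answered
            res["phase1_reply"] = True
    return res

def build_mm1(icookie):
    # Constructed Main Mode message 1: next payload 1 = SA; body is a zero placeholder, not a real proposal.
    body = bytes(56)
    return ISAKMP_HDR.pack(icookie, bytes(8), 1, 0x10, 2, 0, 0, ISAKMP_HDR.size + len(body)) + body

# Constructed capture matching the thread's symptom: three identical MM1 sends, no reply, nothing on UDP/4500.
SAMPLE_CAPTURE = [Datagram("out", 500, build_mm1(b"\x11" * 8))] * 3
```

A result with `phase1_reply` false and `retransmits` climbing means the gateway never completed IKE negotiation on UDP 500, which is the pattern this thread ends up attributing to ISA 2004 not terminating IPSec tunnel mode from remote access clients.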
Sorry to say that the ISA Server 2004 VPN Deployment Kit is miserable reading at best, and self-contradicting:

From pages 17-18 of 513 of the ISA S2KVPNDK:

"....Note that PPTP and L2TP/IPSec are the only VPN protocols supported for remote access VPN clients. The reason for this is that IPSec tunnel mode is less secure than L2TP/IPSec. IPSec tunnel mode is subject to a number of well-known exploits that can lead to man-in-the-middle attacks. In contrast, L2TP/IPSec requires much stronger authentication and key generation mechanisms, and therefore, is not open to the same attacks.  IPSec tunnel mode support greatly increases the VPN site-to-site compatibility for ISA Server 2004 and makes it possible to place an ISA Server 2004 firewall/VPN server at any branch of a main office and connect to a third-party VPN gateway."

They basically omitted remote client support for IPSec tunnel mode, while politically glossing over Microsoft's own more laughable PPTP (even with MS-CHAP2, MPPE), which they do support, of course(?), despite the fact that it shouldn't even be close to IPSec tunnel mode.  ISA 2004, at least from my first 2 readings, is 50% marketing crap.  So there is absolutely no way to use IPSec tunnel mode from remote access VPN clients to ISA.  Very puzzling. Very Microsoft.
I have to say that my reading of the text is the same as yours. The IPSec tunnel to anything as long as it is 'from' ISA rather than terminating on ISA was a bit of an eye opener. Not that my dismay helps you in the slightest of course.
Yeah, OK, although I would prefer PAQ - refund.
This may help others in a similar position.
ASKER CERTIFIED SOLUTION
ee_ai_construct