ISA Server 2004 Site to Site VPN

To whoever reads this:

This is possibly the hardest question I have posted and the solution has eluded me for the last three days and I am on the verge of giving up altogether in trying to get this to work.  The problem has probably generated itself because I am probably attempting to make something work in what everyone else would think as an impossible scenario.  I applied logic to this problem and I think it should work but it just doesn't.  Here goes:

I have two networks - they are separated by the Internet.  My main network at the HQ is set up as follows:

One Server - Two NICs
NIC One - Internal Network - Range 192.168.1.0 Mask 255.255.255.0
NIC Two - Perimeter Network - Range 10.0.10.0 Mask 255.255.255.0 Gateway 10.0.10.1

The Perimeter network is connected to my ADSL Router (10.0.10.1) which obviously services the Internet.  All incoming connections to my ADSL router are immediately forwarded to the Perimeter NIC.

My network at the Branch Office is set up as follows:

One Server - Two NICs
NIC One - Internal Network - Range 192.168.2.0 Mask 255.255.255.0
NIC Two - Perimeter Network - Range 10.0.11.0 Mask 255.255.255.0 Gateway 10.0.11.1

The Perimeter network is connected to my ADSL Router (10.0.11.1) which in turn is connected to an ADSL Modem.  The Router is a WAN router so I had to use a MODEM to do the Modemy bits.  The modem projects the External IP address on the device connected to it.  In this case the WAN port on my ADSL Router.  Consider the modem and router to be as one for argument's sake.  Internet connectivity is working fine with no problem.

My Main HQ network has its own static IP address and my Branch Office also has its own static IP Address.  Both servers are part of the same domain.

I have installed ISA 2004 on both servers.  The HQ server is allowed to receive everything I think it needs.  The Branch Office server is allowed to pass any traffic through any card - it's got bugger all on it so not fussed about security yet.  I have followed the ISA 2004 Book, Help File and every Internet document I can find as to how to correctly set up a Site to Site VPN.  I created a user account with the same name as the remote network entity as the book states in order for it to work.  I gave 5 addresses to each side as a static pool to issue to incoming connections.  I first of all used the 192.168.x.x range but that didn't work and so I tried using the 10.0.x.x range.  I can change this easily.

Obviously ISA 2004 has no way of actually initialising a connection.  If I try to ping an address from the Branch Office that lives on the Main HQ site I get no response.  The VPN tunnel doesn't even dial.  So I take a trip to Routing and Remote Access (from now on RRAS) and actually dial the connection myself.  First of all it says the username and password are invalid.  So I check the credentials and I have to take out the .LOCAL bit of my domain name listed to leave just what we call the "NETBios" name - fill in the passwords and bang, it connects.  I get an IP address on my WAN PPP/SLIP connection from the other side and vice versa.  I try to ping anything and still no joy.

If anyone can help me I would be most appreciative.  I understand this might be a bit tricky without you actually seeing it.  I am willing to forward a Visio diagram if needs be to whoever wants to take a look.

If you need any extra info let me know!!

Rowan
Rowan_Insite asked:
 
Keith Alabaster (Enterprise Architect) commented:
Hello Rowan. I'm a little busy but by all means send the diag.

Are you setting up a pptp or an l2tp/ipsec tunnel?
Which book are you using as your guide?

keith_alabaster@experts-exchange.com

regards
keith
0
 
Rowan_Insite (Author) commented:
Hi Keith

Sorry I haven't got back to you; the stupid thing didn't tell me there was a reply!!! - I have made some changes to the config and got another step closer.  It's just a simple PPTP tunnel I want.  Nothing too difficult!  I am using the ISA Server 2004 Administrators Consultant but also have used the ISA 2004 help file too.

Thanks Keith

Rowan
0
 
Keith Alabaster (Enterprise Architect) commented:
Have you looked at the isa2004 vpn kit?
0
 
Rowan_Insite (Author) commented:
Hi Keith

Thanks for that - it's worked a treat.  I have managed to get the two servers working perfectly and they can ping and do all sorts.  Now my next issue is getting workstations on either side to ping the other side.  So for example, I want my laptop to be able to RDP to the remote server.  What do I need to do to get that working?
0
 
Rowan_Insite (Author) commented:
Keith

Halt everything - It all works!

I am now going to attempt to follow the Active Directory Domain Controller tutorial I found on ISAServer.org to get that bit in place.  But thanks for the articles they did the trick - I was pleasantly surprised.

Now I know where to come if I get stuck again!

Rowan
0
 
Keith Alabaster (Enterprise Architect) commented:
You are more than welcome. I am only up the road from you :). I am the Technical Architect at the CAA at Gatwick....

Regards

Keith
0
 
Rowan_Insite (Author) commented:
Ah excellent - Bet that's great fun!

I have it all working now apart from DNS - do you know of any reason why DNS wouldn't transfer zones across the VPN????????
0
 
Keith Alabaster (Enterprise Architect) commented:
Have you added TCP port 53 (as it's zone transfers, not name resolution, which uses UDP port 53) to the rules?
0
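Two things in this thread are easy to get wrong on paper before touching either ISA server: the address plan for the two sites and their dial-in pools (the question's first post), and the access rules DNS needs across the tunnel (Keith's TCP 53 point just above). The following script, added here and not code from the original post or from ISA Server, checks both. The four subnets are the ones stated in the question; the two address pools, the rule list and the `Rule` type are constructed samples, not an export of anyone's ISA configuration.

```python
"""Paper checks for the two-site PPTP site-to-site plan described in this thread.

Added example, not from the original post or from ISA Server. The four subnets
are the ones the question states; the address pools and access rules are
constructed samples, not exported ISA configuration.
"""
import ipaddress
from dataclasses import dataclass
from itertools import combinations

IPNet = ipaddress.IPv4Network

# Subnets as stated in the question.
SITES = {
    "hq-internal": IPNet("192.168.1.0/24"),
    "hq-perimeter": IPNet("10.0.10.0/24"),
    "branch-internal": IPNet("192.168.2.0/24"),
    "branch-perimeter": IPNet("10.0.11.0/24"),
}
# Router (gateway) addresses stated in the question.
RESERVED = {ipaddress.ip_address("10.0.10.1"), ipaddress.ip_address("10.0.11.1")}

# Constructed: the question says each side hands out five addresses but not which.
HQ_POOL = [ipaddress.ip_address(f"192.168.1.{i}") for i in range(240, 245)]
BRANCH_POOL = [ipaddress.ip_address(f"192.168.2.{i}") for i in range(240, 245)]


def check_address_plan(nets, pools, reserved):
    """Return a list of plan problems; an empty list means the plan is consistent.

    nets: name -> IPv4Network for every subnet on both sites (names start with the site)
    pools: site -> addresses that site issues to the peer that dials in
    reserved: addresses already used by routers/gateways
    """
    problems = []
    # 1. Every subnet must be distinct, or the routing tables cannot tell the sites apart.
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} {na} overlaps {b} {nb}")
    # 2. Pool addresses must not collide with each other or with gateway addresses.
    seen = {}
    for site, addrs in pools.items():
        for addr in addrs:
            if addr in reserved:
                problems.append(f"{site} pool address {addr} is a router/gateway address")
            if addr in seen and seen[addr] != site:
                problems.append(f"{addr} is in both the {seen[addr]} and {site} pools")
            seen[addr] = site
    # 3. A pool address may come from the issuing site's own subnets or from an unused
    #    range, but never from the far site's subnet: the far site would then route it
    #    locally instead of through the tunnel.
    for site, addrs in pools.items():
        for addr in addrs:
            owners = [name for name, net in nets.items() if addr in net]
            foreign = [name for name in owners if not name.startswith(site)]
            if foreign:
                problems.append(f"{site} pool address {addr} lies in {foreign} (other site's subnet)")
    return problems


@dataclass(frozen=True)
class Rule:
    """A minimal allow rule: one protocol/port from a source subnet to a destination subnet."""
    name: str
    protocol: str  # "tcp" or "udp"
    port: int
    src: IPNet
    dst: IPNet


def permitted(rules, protocol, port, src_addr, dst_addr):
    """True if some allow rule covers protocol/port from src_addr to dst_addr."""
    s, d = ipaddress.ip_address(src_addr), ipaddress.ip_address(dst_addr)
    return any(r.protocol == protocol and r.port == port and s in r.src and d in r.dst
               for r in rules)


def zone_transfer_gaps(rules, primary, secondary):
    """List what is missing for DNS between two servers across the tunnel.

    Lookups use UDP 53; zone transfers (AXFR/IXFR) open TCP 53 from the secondary
    to the primary, so a rule set that only has UDP 53 is flagged here.
    """
    gaps = []
    if not permitted(rules, "udp", 53, secondary, primary):
        gaps.append("udp/53 (name resolution)")
    if not permitted(rules, "tcp", 53, secondary, primary):
        gaps.append("tcp/53 (zone transfer)")
    return gaps


# Constructed rule sets: the UDP-only state Keith asks about, and the fixed one.
DNS_ONLY_UDP = [Rule("DNS lookups", "udp", 53, SITES["branch-internal"], SITES["hq-internal"])]
DNS_WITH_AXFR = DNS_ONLY_UDP + [
    Rule("DNS zone transfer", "tcp", 53, SITES["branch-internal"], SITES["hq-internal"])]

if __name__ == "__main__":
    print(check_address_plan(SITES, {"hq": HQ_POOL, "branch": BRANCH_POOL}, RESERVED))
    print(zone_transfer_gaps(DNS_ONLY_UDP, "192.168.1.10", "192.168.2.10"))
    print(zone_transfer_gaps(DNS_WITH_AXFR, "192.168.1.10", "192.168.2.10"))
```

The address checks deliberately do not say where ISA wants the pool to come from (the thread itself moved from 192.168.x.x to 10.0.x.x); they only catch the combinations that cannot work regardless of product, such as a pool address that belongs to the other site's subnet. The rule check is a model of the point in the answer above, not a reader of ISA's own policy store.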
 
Rowan_Insite (Author) commented:
Yeah I have done that - the problem was that it was trying to obtain DNS updates with some other IP Address - So I have resolved this and it is all ready to go up to the branch office - thanks again for your help Keith!
0
 
Keith Alabaster (Enterprise Architect) commented:
OK. Neat :)
0