ISA Server 2004 Site to Site VPN
Posted on 2006-06-05
To whoever reads this:
This is possibly the hardest question I have posted and the solution has eluded me for the last three days and I am on the verge of giving up altogether in trying to get this to work. The problem has probably generated itself because I am probably attempting to make something work in what everyone else would think of as an impossible scenario. I applied logic to this problem and I think it should work but it just doesn't. Here goes:
I have two networks - they are separated by the Internet. My main network at the HQ is set up as follows:
One Server - Two NICS
NIC One - Internal Network - Range 192.168.1.0 Mask 255.255.255.0
NIC Two - Perimeter Network - Range 10.0.10.0 Mask 255.255.255.0 Gateway 10.0.10.1
The Perimeter network is connected to my ADSL Router (10.0.10.1) which obviously services the Internet. All incoming connections to my ADSL router are immediately forwarded to the Perimeter NIC.
My network at the Branch Office is set up as follows:
One Server - Two NICS
NIC One - Internal Network - Range 192.168.2.0 Mask 255.255.255.0
NIC Two - Perimeter Network - Range 10.0.11.0 Mask 255.255.255.0 Gateway 10.0.11.1
The Perimeter network is connected to my ADSL Router (10.0.11.1) which in turn is connected to an ADSL Modem. The Router is a WAN router so I had to use a MODEM to do the Modemy bits. The modem projects the External IP address onto the device connected to it. In this case the WAN port on my ADSL Router. Consider the modem and router to be as one for argument's sake. Internet connectivity is working fine with no problem.
My Main HQ network has its own static IP address and my Branch Office also has its own static IP Address. Both servers are part of the same domain.
I have installed ISA 2004 on both servers. The HQ server is allowed to receive everything I think it needs. The Branch Office server is allowed to pass any traffic through any card - it's got bugger all on it so not fussed about security yet. I have followed the ISA 2004 Book, Help File and every Internet document I can find as to how to correctly set up a Site to Site VPN. I created a user account with the same name as the remote network entity as the book states in order for it to work. I gave 5 addresses to each side as a static pool to issue to incoming connections. I first of all used the 192.168.x.x range but that didn't work and so I tried using the 10.0.x.x range. I can change this easily.
Obviously ISA 2004 has no way of actually initialising a connection. If I try to ping an address from the Branch Office that lives on the Main HQ site I get no response. The VPN tunnel doesn't even dial. So I take a trip to Routing and Remote Access (from now on RRAS) and actually dial the connection myself. First of all it says the username and password are invalid. So I check the credentials and I have to take out the .LOCAL bit of my domain name listed to leave just what we call the "NETBios" name - fill in the passwords and bang it connects. I get an IP address on my WAN PPP/SLIP connection from the other side and vice versa. I try to ping anything and still no joy.
If anyone can help me I would be most appreciative. I understand this might be a bit tricky without you actually seeing it. I am willing to forward a Visio diagram if needs be to whoever wants to take a look.
If you need any extra info let me know!!
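The post does not say which addresses the static pools were drawn from, only that both a 192.168.x.x and a 10.0.x.x pool were tried. One thing worth checking before touching ISA again is whether the pool collides with a subnet that already exists on either site. The script below is an added example, not the poster's configuration and not anything ISA Server ships: it takes the four subnets from the post as constructed data, checks a candidate pool against them, and lists the ranges the remote-site network on one ISA server would have to cover under the assumption (stated in the code, not confirmed by the post) that tunnel traffic arrives either from a remote internal address or from a tunnel endpoint address taken from one of the two pools. The pool values and the `pool_conflicts` / `remote_site_ranges` helpers are hypothetical.

```python
import ipaddress

# Addressing as given in the post (constructed data, one entry per site).
SITES = {
    "HQ": {
        "internal": ipaddress.ip_network("192.168.1.0/24"),
        "perimeter": ipaddress.ip_network("10.0.10.0/24"),
    },
    "Branch": {
        "internal": ipaddress.ip_network("192.168.2.0/24"),
        "perimeter": ipaddress.ip_network("10.0.11.0/24"),
    },
}


def pool_networks(first, last):
    """Express a static address pool given as first..last as CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def pool_conflicts(first, last, sites=SITES):
    """Return (site, role, subnet) for every existing subnet the pool overlaps.

    An empty list means the pool is carved from address space that neither
    site already uses, so tunnel addresses cannot be confused with hosts on
    an internal or perimeter segment.
    """
    conflicts = []
    for block in pool_networks(first, last):
        for site, nets in sites.items():
            for role, net in nets.items():
                if block.overlaps(net):
                    conflicts.append((site, role, str(net)))
    # de-duplicate while keeping the order in which they were found
    return list(dict.fromkeys(conflicts))


def remote_site_ranges(local, remote, local_pool, remote_pool, sites=SITES):
    """Ranges the ISA server at `local` should list in its remote-site network.

    Assumption (not stated in the post): packets coming through the tunnel
    carry either a remote internal address or a tunnel endpoint address drawn
    from one of the two static pools, so all three ranges must be covered.
    """
    ranges = [sites[remote]["internal"]]
    ranges += pool_networks(*local_pool)
    ranges += pool_networks(*remote_pool)
    return sorted({str(r) for r in ranges})


if __name__ == "__main__":
    # Hypothetical pools chosen outside every subnet in the post.
    hq_pool = ("172.16.255.1", "172.16.255.5")
    br_pool = ("172.16.255.17", "172.16.255.21")
    for label, pool in (("HQ", hq_pool), ("Branch", br_pool)):
        print(label, "pool", pool, "conflicts:", pool_conflicts(*pool) or "none")
    # A pool inside the HQ internal range is flagged immediately.
    print("192.168.1.200-204 conflicts:",
          pool_conflicts("192.168.1.200", "192.168.1.204"))
    print("HQ remote-site ranges:",
          remote_site_ranges("HQ", "Branch", hq_pool, br_pool))
```

Run it as-is to see the two hypothetical pools pass and the 192.168.1.200-204 pool get flagged against the HQ internal subnet; swap in the real pool values to check a live configuration.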