Solved

ISA - Linksys Site to Site VPN Issues

Posted on 2007-04-10
3,201 Views
Last Modified: 2009-06-25
I am trying to create a site to site VPN tunnel from our Linksys RV082 to an ISA 2006 server (Windows 2003 R2) which is connected to the internet via a DSL router. I am however having difficulties connecting.

The VPN Log on the RV082 reads the following:

Main mode peer ID is ID_IPV4_ADDR: '192.168.2.10'  
We require peer to have ID '*External Static IP*', but peer declares '192.168.2.10'  
[Tunnel Negotiation Info] <<< Initiator Receive Main Mode 6th packet from *External Static IP*  

The DSL has a static IP, the ISA server has 2 nics. The ip for the external nic connected to the DSL router is 192.168.2.10. The Internal nic has an ip of 193.168.101.1.

IPSec settings are identical on both ISA & the RV082. (IKE with Preshared Key)

The DSL modem/router has DMZ enabled.

What am I missing? Is there a configuration on the DSL or ISA that needs to be done to get the site to site tunnel to connect? The RV082 is already connected to 3 other RV082s via VPN tunnels at remote locations and works just fine.

Any help would be appreciated.  Thanks!
Question by:LTIADMIN
21 Comments
 
LVL 8

Expert Comment

by:RGRodgers
ID: 18883747
I am currently trying to get two RV042's talking gateway-to-gateway VPN.  I had that problem at first, but am past it.  This is what I found...

The VPN software checks the responding address to ensure that it is talking to the peer that it requested.  So, it cannot talk to a NAT'd address like 192.168.2.10.  It must talk directly to the external static IP address that it is programmed to access.  I am betting that the other locations have RV082's directly attached to the Internet with external static IP's on their WAN ports, but that is not what you are doing in this configuration.  I believe that all of this is to prevent a man-in-the-middle attack.  But, it sure is a pain.

Good luck.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18884018
What is the DSL router on the outside of the ISA?
Does it support VPN passthrough? If so, you can use its external IP but pass the traffic through to ISA.
How many public IP addresses do you have?
0
 

Author Comment

by:LTIADMIN
ID: 18884298
The DSL Router is a Siemens SpeedStream 6520, it is loaded with custom software courtesy of our ISP (Bell Sympatico in Canada). There is no option for VPN passthrough. At best I have an option for a static route, but I'm not sure if that's what I want.

I can enter:  Destination : NetMask : Next Hop : Interface (choice of LAN or PPPoE)

We only have 1 public IP per router.

Thank you for the responses.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18884309
No, static routes are something completely different.
0
 

Author Comment

by:LTIADMIN
ID: 18884417
Anything else I should look for in the router setup to try? Port redirection?
0
 
LVL 8

Expert Comment

by:RGRodgers
ID: 18884418
In my configuration, I am going to replace my SBC-provided Netopia DSL modem/router with a SpeedStream 4000 DSL modem.  Then, I am going to use the RV042 as a true gateway with a public IP address and configure VPN on it...
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18884429
That would be a good way to go.
0
 

Author Comment

by:LTIADMIN
ID: 18884472
That doesn't help me though.
0
 
LVL 8

Expert Comment

by:RGRodgers
ID: 18884649
Okay, I just thought it might.

I have not been able to find any way to get an RV042 talking to another RV042 through any NAT.  It has to have an external address, as far as I can tell.  Linksys also told me this after several long technical chats.  I have tried several methods to get an external address delivered to an internal device, including IP passthrough and have been extremely unsuccessful.  In my case, I have 5 static IP's plus the gateway IP, so I have them to use.  To do something like this, you are going to need to expose your ISA as an external address to the opposing RV082, using either your gateway IP or another static IP.
0
 
LVL 51

Accepted Solution

by:Keith Alabaster (earned 250 total points)
ID: 18884700
No, it doesn't but if you do not have VPN passthrough capabilities and you do not have a way of putting a public IP onto the outside NIC of ISA then the options are limited.

A private IP address of 192.168.2.10 is not routable across the public Internet so cannot act as the termination point of the VPN, that point I am afraid is unequivocal.

So options are:
A router is required that will accept the vpn traffic and port forward it internally to the 192.168.2.10 address OR you need a second public IP that can be assigned to the interface.
0
 

Author Comment

by:LTIADMIN
ID: 18884704
That I understand... as our RV082's are all direct to the internet. So the site to site tunnels work fine. The issue with ISA is that the connection is via DSL and the modem is needed to access the net. If I could put ISA direct with a public IP like I want to, the issue should go away. Right now I'm handicapped with DSL for "financial reasons".

Thanks for the suggestions though.
0
 

Author Comment

by:LTIADMIN
ID: 18884726
Thank you. I will contact the ISP and inquire about another router.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18884799
Welcome :)
0
 
LVL 8

Assisted Solution

by:RGRodgers (earned 250 total points)
ID: 18886750
Okay, I got it working.  Here is what is needed.  On the RV082 in the VPN definition under Advanced options, turn on NAT Traversal.  Then, in your DSL Router, open ports 500 and 4500 and point them to ISA.  You may or may not need to turn on NAT Traversal in ISA.  See http://www.microsoft.com/technet/isa/2004/plan/vpnprotocol.mspx. According to RFC 3497, the VPN connection should "immediately" switch from IPSEC port 500 to 4500 to support NAT Traversal.  Immediately in the case of an RV042 to RV042 connection across my DSL router was at the start of Phase 2 processing.  I hope that helps, and next time pass me some points, too, thanks...


0
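As an added example (not code from any poster in this thread), here is a small Python triage script for the two diagnoses that came up above: the Main Mode "We require peer to have ID ... but peer declares ..." message from the RV082 log in the question, and the port-forwarding remedy from the previous comment. It parses Openswan-style IKE log lines, checks whether the declared peer ID is a private (non-public) IPv4 address, and reports the two remedies the thread discusses: give the VPN endpoint the public address itself, or enable NAT Traversal and forward UDP 500 and 4500 on the NAT device to the endpoint. The sample log is constructed from the question with a placeholder public address (203.0.113.25, a documentation range); the function and class names are my own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# UDP ports IKE/IPsec use with NAT Traversal: ISAKMP on 500, and
# UDP-encapsulated IKE/ESP on 4500 once a NAT is detected between the peers.
IKE_UDP_PORTS = (500, 4500)

# Openswan-style ID mismatch message as logged by the RV082 in the question.
ID_MISMATCH_RE = re.compile(
    r"We require peer to have ID '(?P<expected>[^']+)', "
    r"but peer declares '(?P<declared>[^']+)'"
)

# Constructed sample: the question's log with a placeholder public IP.
SAMPLE_LOG = """\
Main mode peer ID is ID_IPV4_ADDR: '192.168.2.10'
We require peer to have ID '203.0.113.25', but peer declares '192.168.2.10'
[Tunnel Negotiation Info] <<< Initiator Receive Main Mode 6th packet from 203.0.113.25
"""


@dataclass
class IkeIdDiagnosis:
    expected_id: str          # ID the initiator was configured to require
    declared_id: str          # ID the responder actually sent in Main Mode
    declared_is_private: bool # True when the declared ID is a non-public IPv4
    verdict: str
    remedies: List[str]


def _is_private_ipv4(text: str) -> bool:
    """True if `text` is a private/non-public IPv4 address (e.g. 192.168.x.x).

    Non-IP IDs (FQDN or e-mail style IDs) and public addresses return False."""
    try:
        return ipaddress.ip_address(text).is_private
    except ValueError:
        return False


def diagnose_ike_log(log_text: str) -> Optional[IkeIdDiagnosis]:
    """Scan IKE log text for the Main Mode ID mismatch and classify it.

    Returns None when the log carries no ID mismatch line."""
    m = ID_MISMATCH_RE.search(log_text)
    if m is None:
        return None
    expected, declared = m.group("expected"), m.group("declared")
    private = _is_private_ipv4(declared)
    if private:
        verdict = ("peer is behind NAT: it identifies itself with its private "
                   "interface address, which cannot match the public IP the "
                   "initiator was configured to expect")
        remedies = [
            "give the VPN endpoint the public address itself "
            "(e.g. DSL modem in bridge mode, endpoint does the PPPoE dialing)",
            "or enable NAT Traversal on both peers and forward UDP %s on the "
            "NAT device to the endpoint"
            % " and ".join(str(p) for p in IKE_UDP_PORTS),
        ]
    else:
        verdict = ("peer ID mismatch not caused by NAT: compare the configured "
                   "local/remote gateway IDs on both peers")
        remedies = ["check the Local/Remote Security Gateway ID settings on both ends"]
    return IkeIdDiagnosis(expected, declared, private, verdict, remedies)


def nat_forward_rules(endpoint_ip: str) -> List[Tuple[str, int, str]]:
    """Port-forward rules the NAT device needs for the NAT-T remedy:
    (protocol, external port, internal target) for each IKE/NAT-T port."""
    ipaddress.ip_address(endpoint_ip)  # raises ValueError on a bad target
    return [("udp", port, endpoint_ip) for port in IKE_UDP_PORTS]


if __name__ == "__main__":
    result = diagnose_ike_log(SAMPLE_LOG)
    if result is None:
        print("no Main Mode ID mismatch found in log")
    else:
        print("expected ID:", result.expected_id)
        print("declared ID:", result.declared_id)
        print("verdict:    ", result.verdict)
        for r in result.remedies:
            print(" -", r)
        if result.declared_is_private:
            print("port-forward rules for NAT-T:")
            for proto, port, target in nat_forward_rules(result.declared_id):
                print("   %s/%d -> %s" % (proto, port, target))
```

Run it as-is against the embedded sample, or pipe a real RV082 VPN log into diagnose_ike_log(). The private-address test is the heart of the check: an RFC 1918 ID on the wire is the signature of a peer whose IKE packets were source-translated, which is exactly what the ID check on the initiator is designed to refuse.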
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18887633
I am quite happy to reopen the question if a distribution of points is required.
0
 

Author Comment

by:LTIADMIN
ID: 18891181
You can reopen and distribute points, but the problem still is not solved even with RGRodgers solution.

Just for clarification...

Main Branch RV082 <-> Internet <-> DSL <-> ISA Remote Site
0
 
LVL 8

Expert Comment

by:RGRodgers
ID: 18892528
As long as the custom software still permits it, here is a discussion on setting up port forwarding in the SpeedStream 6250: http://faq.frontiernet.net/faq_answer.asp?q=370
0
 

Author Comment

by:LTIADMIN
ID: 18899836
I actually solved this a different way. I reset the DSL modem/router into bridged mode and reconfigured ISA to do the PPPoE dialing. This put the public ip as the external network in ISA and enabled the site to site VPN tunnel.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18900246
<<<No, it doesn't but if you do not have VPN passthrough capabilities and you do not have a way of putting a public IP onto the outside NIC of ISA then the options are limited.
>>>

Good - and well done. :)
0
 
LVL 8

Expert Comment

by:RGRodgers
ID: 18900752
Correct.  "It must talk directly to the external static IP address that it is programmed to access."  Exposing the VPN server, ISA, to a public address was the first recommendation.  Unluckily for me, my stupid Netopia router wouldn't work in bridge mode.  I was about to convert it to a DSL modem but went to port-forwarding mode instead.
0