• Status: Solved
  • Priority: Medium
  • Security: Public

ISA - Linksys Site to Site VPN Issues

I am trying to create a site to site VPN tunnel from our Linksys RV082 to an ISA 2006 server (Windows 2003 R2) which is connected to the internet via a DSL router. I am however having difficulties connecting.

The VPN Log on the RV082 reads the following:

Main mode peer ID is ID_IPV4_ADDR: '192.168.2.10'  
We require peer to have ID '*External Static IP*', but peer declares '192.168.2.10'  
[Tunnel Negotiation Info] <<< Initiator Receive Main Mode 6th packet from *External Static IP*  

The DSL has a static IP, the ISA server has 2 NICs. The IP for the external NIC connected to the DSL router is 192.168.2.10. The internal NIC has an IP of 193.168.101.1.

IPSec settings are identical on both ISA & the RV082. (IKE with Preshared Key)

The DSL modem/router has DMZ enabled.

What am I missing? Is there a configuration on the DSL or ISA that needs to be done to get the site to site tunnel to connect? The RV082 is already connected to 3 other RV082s via VPN tunnels at remote locations and works just fine.

Any help would be appreciated. Thanks!
0
2 Solutions
 
RGRodgersCommented:
I am currently trying to get two RV042's talking gateway-to-gateway VPN.  I had that problem at first, but am past it.  This is what I found...

The VPN software checks the responding address to ensure that it is talking to the peer that it requested.  So, it cannot talk to a NAT'd address like 192.168.2.10.  It must talk directly to the external static IP address that it is programmed to access.  I am betting that the other locations have RV082's directly attached to the Internet with external static IP's on their WAN ports, but that is not what you are doing in this configuration.  I believe that all of this is to prevent a man-in-the-middle attack.  But, it sure is a pain.

Good luck.
0
 
Keith AlabasterEnterprise ArchitectCommented:
What is the DSL router on the outside of the ISA?
Does it support VPN passthrough? If so, you can use its external IP but pass the traffic through to ISA.
How many public IP addresses do you have?
0
 
LTIADMINAuthor Commented:
The DSL Router is a Siemens SpeedStream 6520, it is loaded with custom software courtesy of our ISP (Bell Sympatico in Canada). There is no option for VPN passthrough. At best I have an option for a static route, but I'm not sure if that's what I want.

I can enter:  Destination : NetMask : Next Hop : Interface (choice of LAN or PPoE)

We only have 1 public IP per router.

Thank you for the responses.
0
 
Keith AlabasterEnterprise ArchitectCommented:
No, static routes are something completely different.
0
 
LTIADMINAuthor Commented:
Anything else I should look for in the router setup to try? Port redirection?
0
 
RGRodgersCommented:
In my configuration, I am going to convert my SBC-provided Netopia DSL modem/router with a SpeedStream 4000 DSL modem.  Then, I am going to use the RV042 as a true gateway with a public IP address and configure VPN on it...
0
 
Keith AlabasterEnterprise ArchitectCommented:
That would be a good way to go.
0
 
LTIADMINAuthor Commented:
That doesn't help me though.
0
 
RGRodgersCommented:
Okay, I just thought it might.

I have not been able to find any way to get an RV042 talking to another RV042 through any NAT.  It has to have an external address, as far as I can tell.  Linksys also told me this after several long technical chats.  I have tried several methods to get an external address delivered to an internal device, including IP passthrough and have been extremely unsuccessful.  In my case, I have 5 static IP's plus the gateway IP, so I have them to use.  To do something like this, you are going to need to expose your ISA as an external address to the opposing RV082, using either your gateway IP or another static IP.
0
 
Keith AlabasterEnterprise ArchitectCommented:
No, it doesn't but if you do not have VPN passthrough capabilities and you do not have a way of putting a public IP onto the outside NIC of ISA then the options are limited.

A private IP address of 192.168.2.10 is not routable across the public Internet so cannot act as the termination point of the VPN, that point I am afraid is unequivocal.

So options are:
A router is required that will accept the VPN traffic and port forward it internally to the 192.168.2.10 address OR you need a second public IP that can be assigned to the interface.
0
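The two explanations above (the peer-ID check in RGRodgers' first answer and Keith's point that a private address cannot terminate the tunnel) can be turned into a small triage check. The following is an added example written for this page, not code from the thread or from Linksys: it parses RV082 VPN log lines in the format the question quotes, pulls out the required and declared peer IDs, and flags the case where the responder identifies itself with an RFC 1918 address, which is exactly the behind-NAT symptom. The sample log is constructed; `203.0.113.5` (a documentation-range address) is a placeholder for the external static IP the poster redacted, and the function also works with the redacted `'*External Static IP*'` text as the required ID.

```python
import ipaddress
import re

# RFC 1918 private ranges: an ID from these ranges cannot be the public IKE endpoint
# the initiator expects, which is the point Keith makes about 192.168.2.10.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample modelled on the RV082 log in the question. 203.0.113.5 is a
# documentation-range placeholder for the external static IP, not a real address.
SAMPLE_LOG = """\
[Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet to 203.0.113.5
Main mode peer ID is ID_IPV4_ADDR: '192.168.2.10'
We require peer to have ID '203.0.113.5', but peer declares '192.168.2.10'
[Tunnel Negotiation Info] <<< Initiator Receive Main Mode 6th packet from 203.0.113.5
"""

# The RV082 line that reports the ID mismatch, with the two IDs captured.
ID_MISMATCH = re.compile(
    r"We require peer to have ID '(?P<required>[^']+)', but peer declares '(?P<declared>[^']+)'"
)


def is_rfc1918(text):
    """True if text is an IPv4 address inside one of the RFC 1918 private ranges."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False  # not an IP literal (e.g. a redacted placeholder or an FQDN ID)
    return any(ip in net for net in RFC1918)


def parse_id_mismatches(log_text):
    """Return (required, declared) pairs for every ID-mismatch line in the log."""
    return [(m.group("required"), m.group("declared")) for m in ID_MISMATCH.finditer(log_text)]


def diagnose(required, declared):
    """Classify one mismatch: 'match', 'peer-behind-nat' or a generic 'id-mismatch'."""
    if required == declared:
        return "match"
    if is_rfc1918(declared):
        # The responder built its ID_IPV4_ADDR from its own NAT'd interface address
        # (192.168.2.10 here), so it can never equal the public IP we dialled.
        return "peer-behind-nat"
    return "id-mismatch"


def explain(log_text):
    """One finding per mismatch line, with the remediations this thread converged on."""
    findings = []
    for required, declared in parse_id_mismatches(log_text):
        verdict = diagnose(required, declared)
        if verdict == "peer-behind-nat":
            findings.append(
                "Responder declares private ID %s but %s was expected: the ISA external NIC "
                "sits behind NAT. Fix by giving ISA the public IP (bridge the DSL router and "
                "let ISA do PPPoE) or by enabling NAT Traversal on the RV082 and forwarding "
                "UDP 500 and 4500 from the DSL router to ISA." % (declared, required)
            )
        elif verdict == "id-mismatch":
            findings.append("Peer ID %s does not match expected %s; check the remote "
                            "gateway's configured local identifier." % (declared, required))
    return findings


if __name__ == "__main__":
    for line in explain(SAMPLE_LOG):
        print(line)
```

The regex is deliberately anchored on the exact RV082 wording, so the check is silent on logs that do not contain that line; for the `is_rfc1918` test, `193.168.101.1` from the question is not in a private range, which is worth noticing when reading that line of the original post.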
 
LTIADMINAuthor Commented:
That I understand... as our RV082's are all direct to the internet. So the site to site tunnels work fine. The issue with ISA is that the connection is via DSL and the modem is needed to access the net. If I could put ISA direct with a public IP like I want to, the issue should go away. Right now I'm handicapped with DSL for "financial reasons".

Thanks for the suggestions though.
0
 
LTIADMINAuthor Commented:
Thank you. I will contact the ISP and inquire about another router.
0
 
Keith AlabasterEnterprise ArchitectCommented:
Welcome :)
0
 
RGRodgersCommented:
Okay, I got it working.  Here is what is needed.  On the RV082 in the VPN definition under Advanced options, turn on NAT Traversal.  Then, in your DSL Router, open ports 500 and 4500 and point them to ISA.  You may or may not need to turn on NAT Traversal in ISA.  See http://www.microsoft.com/technet/isa/2004/plan/vpnprotocol.mspx. According to RFC 3497, the VPN connection should "immediately" switch from IPSEC port 500 to 4500 to support NAT Traversal.  Immediately in the case of an RV042 to RV042 connection across my DSL router was at the start of Phase 2 processing.  I hope that helps, and next time pass me some points, too, thanks...


0
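RGRodgers' note that the exchange moves from UDP 500 to UDP 4500 once NAT Traversal kicks in, and that both ports must be forwarded to ISA, is easy to verify from a packet capture taken on the LAN side of the DSL router. The following is an added example, not code from the thread or from any vendor: it classifies UDP datagrams to the VPN peer using the NAT-T framing (a four-zero-byte non-ESP marker in front of IKE on port 4500, a one-byte `0xFF` keepalive, and a non-zero SPI for UDP-encapsulated ESP), reads the ISAKMP exchange type to tell Phase 1 Main Mode from Phase 2 Quick Mode, and reports which port each phase used. The packets are constructed with a minimal ISAKMP header and no real payloads; `SAMPLE_PACKETS`, `build_ike` and the field layout constants are this example's own.

```python
import struct

IKE_PORT = 500
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefix that marks IKE (not ESP) inside UDP 4500
NAT_KEEPALIVE = b"\xff"               # one-byte NAT keepalive sent on UDP 4500
EXCHANGE_NAMES = {2: "main-mode", 32: "quick-mode"}  # ISAKMP exchange types: Phase 1 / Phase 2
# ISAKMP header: I-SPI(8) R-SPI(8) next payload(1) version(1) exchange(1) flags(1) msg id(4) length(4)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")


def build_ike(exchange_type, msg_id=0):
    """Constructed minimal ISAKMP header (no payloads), used only as sample input."""
    return ISAKMP_HDR.pack(b"\x01" * 8, b"\x02" * 8, 0, 0x10, exchange_type, 0,
                           msg_id, ISAKMP_HDR.size)


def classify_udp4500(payload):
    """Distinguish the three things that share UDP 4500 under NAT-T."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if payload.startswith(NON_ESP_MARKER):
        return "ike"
    if len(payload) >= 8:
        return "esp"  # UDP-encapsulated ESP: first 4 bytes are a non-zero SPI, then the sequence number
    return "unknown"


def classify_packet(dst_port, payload):
    """Return (kind, exchange) for one UDP datagram sent towards the VPN peer."""
    if dst_port == IKE_PORT:
        ike = payload
    elif dst_port == NAT_T_PORT:
        kind = classify_udp4500(payload)
        if kind != "ike":
            return (kind, None)
        ike = payload[len(NON_ESP_MARKER):]
    else:
        return ("other", None)
    if len(ike) < ISAKMP_HDR.size:
        return ("malformed", None)
    fields = ISAKMP_HDR.unpack_from(ike)
    exchange_type = fields[4]
    return ("ike", EXCHANGE_NAMES.get(exchange_type, "exchange-%d" % exchange_type))


def audit_nat_t(packets):
    """Summarise which port each IKE phase used and whether the switch to 4500 happened."""
    ports_by_phase = {}
    kinds = set()
    for dst_port, payload in packets:
        kind, exchange = classify_packet(dst_port, payload)
        kinds.add(kind)
        if kind == "ike":
            ports_by_phase.setdefault(exchange, set()).add(dst_port)
    return {
        "main_mode_ports": sorted(ports_by_phase.get("main-mode", ())),
        "quick_mode_ports": sorted(ports_by_phase.get("quick-mode", ())),
        "switched_to_4500": NAT_T_PORT in ports_by_phase.get("quick-mode", ()),
        "esp_in_udp": "esp" in kinds,
        # Every destination port seen here must be forwarded by the DSL router to ISA.
        "forwards_needed": sorted({p for p, _ in packets if p in (IKE_PORT, NAT_T_PORT)}),
    }


# Constructed capture: Main Mode on 500, then Quick Mode, ESP and a keepalive on 4500,
# which is the sequence RGRodgers describes for his RV042 pair behind a DSL router.
SAMPLE_PACKETS = [
    (IKE_PORT, build_ike(2)),
    (IKE_PORT, build_ike(2)),
    (NAT_T_PORT, NON_ESP_MARKER + build_ike(32, msg_id=0x1234)),
    (NAT_T_PORT, b"\x00\x00\x10\x01" + b"\x00\x00\x00\x01" + b"\x00" * 16),  # SPI 0x1001, seq 1, ciphertext
    (NAT_T_PORT, NAT_KEEPALIVE),
]

if __name__ == "__main__":
    for key, value in audit_nat_t(SAMPLE_PACKETS).items():
        print("%-18s %s" % (key, value))
```

If `switched_to_4500` comes back false with Quick Mode still on port 500, the peers did not detect the NAT and the router would also have to pass raw ESP (IP protocol 50), which a port-forwarding rule cannot express; that is the situation the thread's "turn on NAT Traversal" advice avoids.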
 
Keith AlabasterEnterprise ArchitectCommented:
I am quite happy to reopen the question if a distribution of points is required.
0
 
LTIADMINAuthor Commented:
You can reopen and distribute points, but the problem still is not solved even with RGRodgers solution.

Just for clarification...

Main Branch RV082 <-> Internet <-> DSL <-> ISA Remote Site
0
 
RGRodgersCommented:
As long as the custom software still permits it, here is a discussion on setting up port forwarding in the SpeedStream 6250: http://faq.frontiernet.net/faq_answer.asp?q=370
0
 
LTIADMINAuthor Commented:
I actually solved this a different way. I reset the DSL modem/router into bridged mode and reconfigured ISA to do the PPPoE dialing. This put the public IP as the external network in ISA and enabled the site to site VPN tunnel.
0
 
Keith AlabasterEnterprise ArchitectCommented:
<<< No, it doesn't but if you do not have VPN passthrough capabilities and you do not have a way of putting a public IP onto the outside NIC of ISA then the options are limited. >>>

Good - and well done. :)
0
 
RGRodgersCommented:
Correct.  "It must talk directly to the external static IP address that it is programmed to access."  Exposing the VPN server, ISA, to a public address was the first recommendation.  Unluckily for me, my stupid Netopia router wouldn't work in bridge mode.  I was about to convert it to a DSL modem but went to port-forwarding mode instead.
0
