
Outgoing VPN not working with ISA 2006

Hi!
I recently installed a new ISA 2006 server.
The installation was successful and configuration also.
Everything works OK, clients can access the internet and all relevant policy rules are defined and seem to work.
Outgoing VPN is not working.
I mean, I created the policies allowing the internal network to connect through VPN with external servers but the connections still get rejected by the firewall.
When I monitor the logs on the firewall, it says that the connection is rejected using the rule that was supposed to allow the connection and gives an error 0x0 Error_Success.
I tried all combinations I could think of. I even tried to allow my computer an any-to-any rule, but still cannot connect outside through VPN.
I also tried various solutions I found on the internet, with no success.
I have no idea of what to do next. The policies are verified and are correct but still everything works except VPN.
Any help would be appreciated.
Thanks in advance
Asked by Yiogi
 
Keith Alabaster (Enterprise Architect) commented:
What client are you using and what transport?
Have you fully patched ISA with the ISA 2006 updates?
If the rule you have put in is causing the block, then ISA recognises the traffic as meeting the condition you have set, i.e. type and direction of flow, but another criterion is failing. Have you put authentication on that outbound rule, or have you used the All Users authenticator?
Are you using the ISA firewall client?
 
Yiogi (Author) commented:
Hi
I am using PPTP and the Windows client.
ISA is not patched, no.
I am using the All Users authenticator and also using the ISA firewall client.
Any ideas?
Thanks for the reply.
 
Yiogi (Author) commented:
ISA is fully patched now.
Still it doesn't work.
Any further ideas?
Thanks!!
 
Keith Alabaster (Enterprise Architect) commented:
Please post the detail of the rule you are using IN FULL.
Open the ISA GUI, select Monitoring - Logging - click Start Query. What is seen in the real-time monitor when a connection attempt is made?
Please post the full result of the couple of lines involved.
 
Yiogi (Author) commented:
All right.
The rule I am using is the following (by column name):

Order: 1
Policy: Array
Name: VPN Connection
Action: Allow
Protocols: IKE Client, IPSec ESP, IPSec NAT-T Client, L2TP Client, PPTP
From: Internal
To: External
Condition: All Users

Attached you can find a spreadsheet containing the log of ISA server when trying to connect through VPN.
Thanks again!!

serverlog.xls
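An added example, written for this page rather than taken from the thread or from ISA itself: a small Python triage script over a W3C-style firewall log that flags the symptom Yiogi reports (denied connections attributed to an Allow rule, reported with result code 0x0) and groups denials by rule and protocol. The log layout, field names and sample lines are constructed; adapt the names to the #Fields header of your own export.

```python
from collections import Counter

ALLOW_RULES = {"VPN Connection"}  # allow rule from the posted policy export (name only)

# Constructed sample in tab-delimited W3C style, headed by a "#Fields:" line.
# Field names and values are assumed for illustration, not from a real export.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft(R) Internet Security and Acceleration Server 2006",
    "#Fields: date time c-ip s-ip protocol action rule resultcode",
    "2008-03-10\t09:15:01\t10.0.0.25\t198.51.100.7\tPPTP\tDenied Connection\tVPN Connection\t0x0",
    "2008-03-10\t09:15:01\t10.0.0.25\t198.51.100.7\tGRE\tDenied Connection\tVPN Connection\t0x0",
    "2008-03-10\t09:16:30\t10.0.0.25\t203.0.113.9\tHTTP\tInitiated Connection\tWeb Access\t0x0",
    "2008-03-10\t09:17:44\t10.0.0.25\t192.0.2.5\tTelnet\tDenied Connection\tDefault rule\t0xc0040017",
])

def parse_w3c(text):
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names are space separated
        elif line.startswith("#") or not line.strip():
            continue                           # other directives and blank lines
        elif fields is None:
            raise ValueError("data line before #Fields header")
        else:
            values = line.split("\t")
            if len(values) != len(fields):
                raise ValueError("field count mismatch: %r" % line)
            records.append(dict(zip(fields, values)))
    return records

def denied_by_allow_rule(records, allow_rules=ALLOW_RULES):
    """The contradictory pattern from the thread: action is a denial, yet the
    matched rule is one configured to allow (typically with result code 0x0)."""
    return [r for r in records
            if r["action"].startswith("Denied") and r["rule"] in allow_rules]

def denials_by_protocol(records):
    """Count denials per (rule, protocol); a denied GRE entry beside PPTP points
    at the tunnel's data channel, not only the TCP control channel."""
    return Counter((r["rule"], r["protocol"])
                   for r in records if r["action"].startswith("Denied"))

if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for r in denied_by_allow_rule(recs):
        print("allow-rule denial:", r["time"], r["protocol"], r["rule"], r["resultcode"])
    for (rule, proto), n in denials_by_protocol(recs).items():
        print("%d denied %s under rule %r" % (n, proto, rule))
```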
 
Yiogi (Author) commented:
Keith, any ideas? Or any other experts? I need to get this resolved.
 
Yiogi (Author) commented:
Another thing I just found out. If I connect to a VPN network with a pre-shared IPSec key VPN works. All other networks that do not use a pre-shared key do not function.

I have also reformatted the machine and reinstalled windows and ISA from scratch. It still does NOT work no matter what rule I enable.
 
Keith Alabaster (Enterprise Architect) commented:
Sorry, been really busy at work and end of financial year so working on reports when I get home. I will look at this again tomorrow - promise - but my own work has to come first.

Keith
 
Keith Alabaster (Enterprise Architect) commented:
Interesting about the key. I assume this is an IPsec VPN based on your protocols, yet the log shows a PPTP VPN?
 
Yiogi (Author) commented:
Hi Keith and thanks for sticking by with this for so long.

The log is from a non-IPsec VPN. However, we do use IPsec ones as well. We have plenty of clients that give us VPN access so that we can work remotely on their systems. Only one of them is IPsec based (L2TP), and that one works.

Unfortunately if I cannot get this to work I simply cannot use ISA 2006. All users in the company, including me are still using the old ISA 2002 server where VPN works perfectly with the same rules.

I really do not know what else I can try. I have pretty much searched all the internet for any information that could help. I have found plenty of people with the same issue but no solutions yet.
 
Keith Alabaster (Enterprise Architect) commented:
Come on then, 'bring it on' LOL, let's see what we can do.

You say it works with pre-shared keys?
What are you changing?
What is providing the authentication when not using pre-shared?
How are you making the changes?
How is the other end set up?
Are you sure it's ISA that is the issue?
Does this work OK from your clients when outside ISA?
As a test, if you allow ALL protocols rather than just the security specifics on your rule, does it work then?
 
Yiogi (Author) commented:
Ok here are your answers:


You say it works with pre-shared keys?
We only have one client with a pre-shared key and that one works.
What are you changing?
I'm not changing anything it's just the default windows VPN. I tried changing pretty much all options there but none worked.
What is providing the authentication when not using pre-shared?
Just a username and password.
How are you making the changes?
Not sure what you mean here.
How is the other end set up?
Most clients have UNIX machines that act as firewalls but others have hardware firewalls as well.
Are you sure its ISA that is the issue?
Yup. It works when the same clients connect using the good old ISA 2002 or when not using any ISA and going out directly.
Does this work OK from your clients when outside ISA?
Yup as above it does.
As a test, if you allow ALL protocols rather than just the security specifics on your rule, does it work then?
Nope, it doesn't. I tried it, still no luck.
 
Keith Alabaster (Enterprise Architect) commented:
Not sure if we are moving forward here.

Let's try it from a different tack. What if I create a VPN server here? It's lunchtime here so I have a few hours to spare. Check out my profile - this will give you an email address to give me your contact address etc., as I do not want to publish those details. When we sort it.... we can update this question with the results and method.
 
Yiogi (Author) commented:
Hi Keith,

Would like to thank you for all your help with this. Sorry this didn't work but will assign the points to you for your effort. I have been pretty busy lately and so has our network admin but anyway we have decided to drop ISA completely and install untangle. It works perfectly and we have been testing it for a while.
 
Keith Alabaster (Enterprise Architect) commented:
That's kind of you, but the whole point of EE is to provide solutions - that's a solution for you and a solution for other askers in the future who may have a similar issue and need help and might be able to use this answer. We don't reward for effort - just completed results.

Just to explain that a little, the points are simply for fun and self-importance amongst my peers lol - nothing else. Besides, I already got my 1,000,000-point Genius ticket for ISA. So, as we did not come up with a solution, let's delete the question, refund your points and you can then use them for a different question later. - but thank you for the thought :)   The Mods will come and deal with it shortly for you.

Regards
Keith
 
Yiogi (Author) commented:
I just believed, and still do to be honest, that after all that effort you went through you deserved the points. I acknowledge the fact that we didn't find a solution yes and that is why I didn't accept a solution by you but simply awarded points.

Anyway I won't argue about giving you the points or not, although I really don't need them for another question as I have the nice unlimited question points feature.

I suppose I'll accept my solution above and award no points this time.
 
Keith Alabaster (Enterprise Architect) commented:
Works for me :)

Catch you another time. I work practically all of the networking zones so I'll get 500 from you another time, I'm sure. Later :-)
