andersjj_IL

asked on

ISA 2006 Site to Site VPN issue

Got a site to site VPN working with ISA 2006 to Linksys WRV210 as follows

WRV210 192.168.1.x   <-------> ISA 2006 192.168.5.x
After it's connected, I try to ping 192.168.5.99 from 192.168.1.102. It shows up in the ISA logs as being allowed, but I still get request timed out on the originating side. So, ISA doesn't think it's stopping it, but I'm still not getting a response. If I VPN into the same ISA server, I can ping 192.168.5.99 just fine.

HELP!
Raj-GT

Check the default gateway of the host 192.168.5.99, it should have ISA set as its default gateway. Also make sure the host you are testing from (192.168.1.x) has its default gateway set to WRV210.
andersjj_IL

ASKER

192.168.5.99 does indeed have its gateway set to 192.168.1.102 (ISA Server).
"Branch office" PC does have its gateway set as WRV210.
When I try to ping, I can see the incoming traffic coming in the logs of ISA server, so I know it's at least getting that far, and the traffic is being allowed, as the logs show.

One other note, when I try to ping from ISA 2006 to an IP on the remote network, I get "Negotiating security policy" instead of request timed out.  I did some googling and it seems that could be related to IPSec security settings.

On the ISA site to site vpn connection definition, I have the public ip's for each endpoint, along with the private range for the remote network, 192.168.1.0 - 192.168.1.255. The IP for the WRV210 is 192.168.1.2, which from what I've read should be OK since it's included in the network range entered. The private IP for the ISA is 192.168.5.102, which is included in the ISA definition of "Internal Network" so that seems to be OK....any ideas?

Are the ISA and WRV210 connected directly to each other through a router? I don't see any public IPs mentioned anywhere in the configuration above.

Basically, for the gateways to be able to ping each other, you need to include the external/public IP of the remote gateway in the policy definition. You can still ping hosts from either side of the network without this. Also make sure you have edited the System policy under Remote Management to allow ICMP (ping) from the remote network in your ISA Server.
The public IP's for the ISA server and the WRV are contained in the site to site VPN definition in ISA.
On the ISA side, the policy should have 192.168.1.x and the public IP of WRV210 as the remote network (Addresses tab), and on the WRV side the policy should have 192.168.5.x and the public IP of the ISA Server as the remote network. You should also enable the ICMP (Ping) allow system policy in ISA.

If it's not a typo, looking at your reply above - "192.168.5.99 does indeed have it's gateway set to 192.168.1.102 (ISA Server)" - the gateway settings are wrong! The hosts on the WRV side should have the WRV as their default gateway and ISA Side should have ISA Server as the default gateway.

Also, like I suggested before, try pinging hosts behind each gateway instead and see whether you get a reply.
OK, here's what I've got now...still same results...

ISA Server VPN Connection Tabs
Addresses Tab
99.xx.xx.xx     -  99.xx.xx.xx   (public ip for WRV)
192.168.1.0   --     192.168.1.255
Connection Tab
99.xx.xx.xx (public ip for WRV)
63.xx.xx.xx (public ip for ISA)

wrv has local secure group as 192.168.1.0 mask 255.255.255.0
wrv has remote secure group as 192.168.5.0 mask 255.255.255.0
remote gateway of 63.xx.xx.xx
It was a typo, the computer on the 192.168.1.x side has a remote gateway of 192.168.1.2, the ip address of my WRV
I mean local computer has "default" gateway of 192.168.1.2, the WRV ip address.
I am able to ping host 192.168.5.99 from ISA server 192.168.5.102...
Baby steps...getting there.

In the WRV210, I had an FQDN for the other side, so I replaced that with the actual IP, as you suggested, and that helped. On the WRV210, I was always getting "trying" but on the ISA side it said connected. Now I've got a big beautiful "C" on the WRV210 side saying it's connected, but still having the same issues actually connecting to the other side. I get log entries in the ISA server with the correct IP address from the 192.168.1.x side, and showing it going to the correct destination server on the 192.168.5.x side, but no connectivity...I'll double check the remote servers all have the ISA server as their default gateway.
On the WRV side, you have to create a new remote secure group 63.x.x.x  (ISA's public IP) and assign it to the policy as well.

On the ISA side, do you have the network rules and firewall rules in place to allow traffic to and from the remote site?

Also, can you test vpn connectivity from hosts behind each gateway (ping 192.168.5.99 from 192.168.1.x)
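The consistency checks Raj-GT has been asking for in this thread (each side's remote selectors mirroring the peer's LAN, the peer gateway's public IP present in those selectors so gateway-to-gateway ping works, and every LAN host using its own side's VPN device as default gateway), as an added example that is not part of the original thread and not anything ISA 2006 or the WRV210 ship with. It encodes the posted addressing with the RFC 5737 documentation addresses 198.51.100.10 and 203.0.113.20 standing in for the redacted 63.xx and 99.xx public IPs, models the policy selectors only (no IKE/IPsec negotiation is performed), and reproduces both the mistyped 192.168.1.102 gateway from earlier in the thread and the missing ISA public IP in the WRV remote secure group:

```python
"""Offline consistency check for a two-gateway IPsec site-to-site definition.

Added example, not from the original thread. Public addresses are RFC 5737
placeholders standing in for the thread's redacted 63.xx / 99.xx values.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address, ip_network, summarize_address_range


def parse_addresses(text):
    """One ISA 'Addresses' tab entry -> list of IPv4Network.
    Accepts 'a.b.c.d - w.x.y.z' (ISA range style), 'a.b.c.d/nn', or a lone
    address (treated as a /32)."""
    text = text.strip()
    if "-" in text:
        lo, hi = (ip_address(p.strip()) for p in text.split("-", 1))
        return list(summarize_address_range(lo, hi))
    return [ip_network(text, strict=False)]


def covered(item, nets):
    """True if an address, or an entire network, lies inside one of nets."""
    if isinstance(item, IPv4Address):
        return any(item in n for n in nets)
    return any(item.subnet_of(n) for n in nets)


@dataclass
class Side:
    name: str
    public_ip: IPv4Address   # tunnel endpoint ("Connection" tab / "Remote gateway")
    lan_ip: IPv4Address      # gateway's inside address; LAN hosts should default-route here
    local_nets: list         # networks this gateway encrypts for (local secure group)
    remote_nets: list        # what it expects behind the peer (remote secure group / Addresses tab)
    hosts: dict = field(default_factory=dict)  # LAN host -> its configured default gateway


def audit_side(me, peer):
    """Findings about 'me' checked against 'peer'; an empty list means consistent."""
    findings = []
    if not covered(me.lan_ip, me.local_nets):
        findings.append(f"{me.name}: inside address {me.lan_ip} is not in its own local networks")
    for net in peer.local_nets:
        if not covered(net, me.remote_nets):
            findings.append(f"{me.name}: remote selectors do not cover {peer.name} LAN {net}")
    if not covered(peer.public_ip, me.remote_nets):
        findings.append(f"{me.name}: remote selectors lack {peer.name} public IP {peer.public_ip} "
                        "(gateway-to-gateway ping fails; host-to-host traffic is unaffected)")
    for host, gw in me.hosts.items():
        host, gw = ip_address(host), ip_address(gw)
        if not covered(host, me.local_nets):
            findings.append(f"{me.name}: host {host} is outside its local networks")
        elif gw != me.lan_ip:
            where = "off-subnet" if not covered(gw, me.local_nets) else "not the VPN gateway"
            findings.append(f"{me.name}: host {host} default gateway {gw} is {where}; expected {me.lan_ip}")
    return findings


def audit(a, b):
    """Both directions of the tunnel definition."""
    return audit_side(a, b) + audit_side(b, a)


# Constructed from the thread's posted configuration; placeholders for the public IPs.
ISA_PUBLIC = ip_address("198.51.100.10")   # stands in for 63.xx.xx.xx
WRV_PUBLIC = ip_address("203.0.113.20")    # stands in for 99.xx.xx.xx

isa = Side(
    name="ISA 2006", public_ip=ISA_PUBLIC, lan_ip=ip_address("192.168.5.102"),
    local_nets=[ip_network("192.168.5.0/24")],
    # Addresses tab as posted: the WRV public IP plus the 192.168.1.x range
    remote_nets=parse_addresses(str(WRV_PUBLIC)) + parse_addresses("192.168.1.0 - 192.168.1.255"),
    hosts={"192.168.5.99": "192.168.5.102"},
)
wrv = Side(
    name="WRV210", public_ip=WRV_PUBLIC, lan_ip=ip_address("192.168.1.2"),
    local_nets=[ip_network("192.168.1.0/24")],
    remote_nets=[ip_network("192.168.5.0/24")],   # ISA public IP not yet added
    hosts={"192.168.1.102": "192.168.1.2"},
)
# The earlier mistyped gateway (host 192.168.5.99 pointing at 192.168.1.102).
isa_typo = Side(isa.name, isa.public_ip, isa.lan_ip, isa.local_nets, isa.remote_nets,
                hosts={"192.168.5.99": "192.168.1.102"})

if __name__ == "__main__":
    for finding in audit(isa_typo, wrv):
        print(finding)
```

Running it prints two findings: the off-subnet default gateway on 192.168.5.99 and the WRV remote secure group lacking the ISA public IP; adding a /32 for the ISA public address to the WRV remote selectors and correcting the host gateway brings the list to empty. The checker says nothing about IKE proposals or lifetimes, which is where a "Negotiating IP Security" ping response would point.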
I'm not sure if i know how to create a secure group on the WRV side.  I've got the public IP address for ISA (63.x.x.x) in on the IPSEC definition in WRV, not sure what else I would need to do with that.

Rules are in place on the ISA side, and I can see the log entries with the correct IP address from the 192.168.1.x network when I try to ping a server on the 192.168.5.x side, so that traffic is definitely getting over to ISA.  When I vpn in with PPTP, I'm able to ping and remote desktop into servers, so I believe the gateways and other network settings on the 192.168.5.x side are OK.

When I'm on the ISA server and try to ping the 192.168.1.x network I'm getting "Negotiating IP security", which seems to be an IPSEC misconfiguration somewhere on the WRV side.  I've got a NETGEAR VPN router that I may try and see if I get any better results with that.
ASKER CERTIFIED SOLUTION
Raj-GT
When I VPN in as a single user using Windows VPN from the client, I can ping remote hosts and it works fine.

It's only with the site to site VPN that I'm having issues with.  I'll give the Netgear a try and see if that works any better or if it has options not available on the WRV.
You are still not answering my questions - "try pinging from hosts behind the gateways (NOT from ISA to WRV or ISA to remote hosts) just from a host behind ISA to a host behind WRV. If I am guessing correctly, you will get the reply back." - is that working?
Well, made some changes and it seems to be working...kind of...

I (kind of accidentally) ended up NAT'ing my WRV behind my DSL router, and it all started working OK. So, now the WRV is NAT'ed to a 172.x.x.x ip address, since the DSL router is setup for 172.x.x.x network. So, with the WRV having a WAN address of 172.16.1.34, and a LAN address of 192.168.1.2, it all seems to fall in place...kind of.

It works fantastic for like 10 minutes, I can ping anything and rdp to/from anything.  I can ping from 192.168.5.x network to 192.168.1.x network fine and all is good.  After about 10 minutes, it stops working and I'm back to where I was again.  I reboot the WRV and it's all connected again.  

Since I actually got it working, I'm going to close out this thread and start a new one on the 10 minute thing.
Thanks for all your help Raj-GT...I think the key thing you helped me with was having the remote site's IP address instead of FQDN in the WRV...