Solved

ISA 2006 Site to Site VPN issue

Posted on 2009-03-30
Last Modified: 2012-05-06
Got a site to site VPN working with ISA 2006 to Linksys WRV210 as follows

WRV210 192.168.1.x   <-------> ISA 2006 192.168.5.x
After it's connected, I try to ping 192.168.5.99 from 192.168.1.102. It shows up in the ISA logs as being allowed, but I still get "request timed out" on the originating side. So, ISA doesn't think it's stopping it, but I'm still not getting a response. If I VPN into the same ISA server, I can ping 192.168.5.99 just fine.

HELP!
Question by:andersjj_IL
15 Comments
 
LVL 14

Expert Comment

by:Raj-GT
ID: 24027103
Check the default gateway of the host 192.168.5.99; it should have ISA set as its default gateway. Also make sure the host you are testing from (192.168.1.x) has its default gateway set to WRV210.
 

Author Comment

by:andersjj_IL
ID: 24028931
192.168.5.99 does indeed have its gateway set to 192.168.1.102 (ISA Server).
"Branch office" PC does have its gateway set as WRV210.
When I try to ping, I can see the incoming traffic coming in the logs of ISA server, so I know it's at least getting that far, and the traffic is being allowed, as the logs show.

One other note, when I try to ping from ISA 2006 to an IP on the remote network, I get "Negotiating security policy" instead of request timed out.  I did some googling and it seems that could be related to IPSec security settings.

On the ISA site to site VPN connection definition, I have the public IPs for each endpoint, along with the private range for the remote network, 192.168.1.0 - 192.168.1.255. The IP for the WRV210 is 192.168.1.2, which from what I've read should be OK since it's included in the network range entered. The private IP for the ISA is 192.168.5.102, which is included in the ISA definition of "Internal Network", so that seems to be OK... any ideas?
 
LVL 14

Expert Comment

by:Raj-GT
ID: 24029156
Are the ISA and WRV210 connected directly to each other through a router? I don't see any public IPs mentioned anywhere in the configuration above.

Basically, for the gateways to be able to ping each other, you need to include the external/public IP of the remote gateway in the policy definition. You can still ping hosts from either side of the network without this. Also make sure you have edited the System policy under Remote Management to allow ICMP (ping) from the remote network in your ISA Server.
 

Author Comment

by:andersjj_IL
ID: 24029352
The public IPs for the ISA server and the WRV are contained in the site to site VPN definition in ISA.
 
LVL 14

Expert Comment

by:Raj-GT
ID: 24029490
On the ISA side, the policy should have 192.168.1.x and the public IP of WRV210 as the remote network (Addresses tab), and on the WRV side the policy should have 192.168.5.x and the public IP of the ISA Server as the remote network. You should also enable the ICMP (Ping) allow system policy in ISA.

If it's not a typo, looking at your reply above - "192.168.5.99 does indeed have it's gateway set to 192.168.1.102 (ISA Server)" - the gateway settings are wrong! The hosts on the WRV side should have the WRV as their default gateway and ISA Side should have ISA Server as the default gateway.

Also, like I suggested before, try pinging hosts behind each gateway instead and see whether you get a reply.
 

Author Comment

by:andersjj_IL
ID: 24034820
OK, here's what I've got now...still same results...

ISA Server VPN Connection Tabs
Addresses Tab
99.xx.xx.xx     -  99.xx.xx.xx   (public ip for WRV)
192.168.1.0   --     192.168.1.255
Connection Tab
99.xx.xx.xx (public ip for WRV)
63.xx.xx.xx (public ip for ISA)

wrv has local secure group as 192.168.1.0 mask 255.255.255.0
wrv has remote secure group as 192.168.5.0 mask 255.255.255.0
remote gateway of 63.xx.xx.xx
It was a typo; the computer on the 192.168.1.x side has a remote gateway of 192.168.1.2, the IP address of my WRV.
 

Author Comment

by:andersjj_IL
ID: 24034835
I mean local computer has "default" gateway of 192.168.1.2, the WRV ip address.
I am able to ping host 192.168.5.99 from ISA server 192.168.5.102...
 

Author Comment

by:andersjj_IL
ID: 24035206
Baby steps...getting there.

In the WRV210, I had a FQDN for the other side, so I replaced that with the actual IP, as you suggested, and that helped. On the WRV210, I was always getting "trying", but on the ISA side it said connected. Now I've got a big beautiful "C" on the WRV210 side saying it's connected, but I'm still having the same issues actually connecting to the other side. I get log entries in the ISA server with the correct IP address from the 192.168.1.x side, showing it going to the correct destination server on the 192.168.5.x side, but no connectivity... I'll double check the remote servers all have the ISA server as their default gateway.
 
LVL 14

Expert Comment

by:Raj-GT
ID: 24036768
On the WRV side, you have to create a new remote secure group 63.x.x.x  (ISA's public IP) and assign it to the policy as well.

On the ISA side, do you have the network rules and firewall rules in place to allow traffic to and from the remote site?

Also, can you test VPN connectivity from hosts behind each gateway (ping 192.168.5.99 from 192.168.1.x)?
 

Author Comment

by:andersjj_IL
ID: 24059757
I'm not sure if I know how to create a secure group on the WRV side. I've got the public IP address for ISA (63.x.x.x) in the IPSEC definition in WRV, not sure what else I would need to do with that.

Rules are in place on the ISA side, and I can see the log entries with the correct IP address from the 192.168.1.x network when I try to ping a server on the 192.168.5.x side, so that traffic is definitely getting over to ISA.  When I vpn in with PPTP, I'm able to ping and remote desktop into servers, so I believe the gateways and other network settings on the 192.168.5.x side are OK.

When I'm on the ISA server and try to ping the 192.168.1.x network I'm getting "Negotiating IP security", which seems to be an IPSEC misconfiguration somewhere on the WRV side.  I've got a NETGEAR VPN router that I may try and see if I get any better results with that.
 
LVL 14

Accepted Solution

by:Raj-GT (earned 500 total points)
ID: 24060117
Your VPN is up then? It's just that you are unable to ping hosts on the remote site from the ISA Server itself?  Like I said before, try pinging from hosts behind the gateways (NOT from ISA to WRV or ISA to remote hosts) just from a host behind ISA to a host behind WRV. If I am guessing correctly, you will get the reply back.

For ISA to be able to ping a remote host, you need to be able to edit the IPSec definition on the WRV and add the external IP of ISA to the remote secure group (which incidentally the WRV cannot do by the looks of it).

Hope this helps.
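As an added illustration (example code written for this page, not ISA or WRV210 code and not from the thread), a small Python model of the IPsec traffic selectors described above shows why a ping from a host behind ISA to a host behind the WRV crosses the tunnel, while a ping sourced from ISA's own external address fails until that address is added to the WRV's remote secure group. The public IPs are placeholders for the masked 63.xx.xx.xx and 99.xx.xx.xx values, and treating ISA's external address as a local selector endpoint is an assumption.

```python
import ipaddress

# Placeholders for the masked public addresses in the thread (constructed values).
ISA_PUBLIC = "203.0.113.10"   # stands in for 63.xx.xx.xx
WRV_PUBLIC = "198.51.100.20"  # stands in for 99.xx.xx.xx

# WRV210 policy as posted: local secure group 192.168.1.0/24,
# remote secure group 192.168.5.0/24 only (ISA's public IP is NOT listed).
WRV_POLICY = {
    "local": [ipaddress.ip_network("192.168.1.0/24")],
    "remote": [ipaddress.ip_network("192.168.5.0/24")],
}

# ISA site-to-site definition as posted: remote = 192.168.1.0/24 plus the WRV
# public IP; local = Internal network plus ISA's own external IP (assumption).
ISA_POLICY = {
    "local": [ipaddress.ip_network("192.168.5.0/24"),
              ipaddress.ip_network(ISA_PUBLIC + "/32")],
    "remote": [ipaddress.ip_network("192.168.1.0/24"),
               ipaddress.ip_network(WRV_PUBLIC + "/32")],
}


def _in_any(addr, nets):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def selector_matches(policy, src, dst):
    """True if src->dst falls inside the policy's local and remote selectors."""
    return _in_any(src, policy["local"]) and _in_any(dst, policy["remote"])


def tunnel_carries(src, dst, isa_policy=ISA_POLICY, wrv_policy=WRV_POLICY):
    """A packet crosses the tunnel only if the sending gateway's selectors match
    it AND the peer's selectors match it with local/remote swapped. Otherwise the
    peer rejects the proposal and the sender sits at 'Negotiating IP security'."""
    if selector_matches(isa_policy, src, dst):          # ISA -> WRV direction
        return selector_matches(wrv_policy, dst, src)
    if selector_matches(wrv_policy, src, dst):          # WRV -> ISA direction
        return selector_matches(isa_policy, dst, src)
    return False


def wrv_policy_with_isa_public():
    """The change Raj-GT describes: add ISA's external IP to the WRV remote group."""
    return {"local": WRV_POLICY["local"],
            "remote": WRV_POLICY["remote"] + [ipaddress.ip_network(ISA_PUBLIC + "/32")]}
```

Running `tunnel_carries("192.168.5.99", "192.168.1.102")` returns True (host behind ISA to host behind WRV), while `tunnel_carries(ISA_PUBLIC, "192.168.1.102")` returns False until the WRV policy from `wrv_policy_with_isa_public()` is used.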
 

Author Comment

by:andersjj_IL
ID: 24061089
When I VPN in as a single user using Windows VPN from the client, I can ping remote hosts and it works fine.

It's only with the site to site VPN that I'm having issues with.  I'll give the Netgear a try and see if that works any better or if it has options not available on the WRV.
 
LVL 14

Expert Comment

by:Raj-GT
ID: 24061243
You are still not answering my questions - "try pinging from hosts behind the gateways (NOT from ISA to WRV or ISA to remote hosts) just from a host behind ISA to a host behind WRV. If I am guessing correctly, you will get the reply back." - is that working?
 

Author Comment

by:andersjj_IL
ID: 24072993
Well, made some changes and it seems to be working...kind of...

I (kind of accidentally) ended up NATing my WRV behind my DSL router, and it all started working OK. So, now the WRV is NATed to a 172.x.x.x IP address, since the DSL router is set up for a 172.x.x.x network. So, with the WRV having a WAN address of 172.16.1.34 and a LAN address of 192.168.1.2, it all seems to fall in place... kind of.

It works fantastic for like 10 minutes; I can ping anything and RDP to/from anything. I can ping from the 192.168.5.x network to the 192.168.1.x network fine and all is good. After about 10 minutes, it stops working and I'm back to where I was again. I reboot the WRV and it's all connected again.

Since I actually got it working, I'm going to close out this thread and start a new one on the 10 minute thing.
 

Author Closing Comment

by:andersjj_IL
ID: 31564651
Thanks for all your help Raj-GT... I think the key thing you helped me with was having the remote site's IP address instead of the FQDN in the WRV...
