Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 431
  • Last Modified:

How to setup Multiple LOCAL IP subnets as advertisements in IPSEC Tunnels/

I need to know of a way (if any) you can create an IPSEC tunnel with multiple Local Sub nets based of of a multiple Local disjointed Sub nets In ISA 2006. This is running in the Edge Firewall configuration.

I know I can create multiple remote sub nets but not sure how to create multiple local sub nets.

For instance the DIRECT attached local subnet is 10.100.0.0/23 with VLAN routing happening for 10.100.2.0/24 10.100.30.0/ 21 and 10.100.102.0/24 on a another router BEHIND it. How can you setup the tunnel to Properly list these subnets as "advertised Networks" on the IKE exchange information. Any Idea's?
0
Odytest
Asked:
Odytest
1 Solution
 
Keith AlabasterCommented:
Not sure you can do this - or even why you would want to.

The tunnel will terminate on ISA's external interface - and ISA will know already that 10.100.0.0 - 10.100.1.255 are directly attached due to the /23 mask on the internal nic. Adding static routes on the ISA for 10.100.30.0 /21 and 10.100.102.0 .24 with a gateway to the Ip address of the inside router that is also connected to the 10.100.0.0 /23 network is all that is required.

At the remote sites, as long as they know that these subnets are available through the VPN then that should be it. locally, of course there must all be either default or static routes so response traffic knows how to get back again
0
 
OdytestAuthor Commented:
That's the problem.When ever I have to try and setup a remote IPsec Peer, they always fail with mismatched advertisements even though there is a static route on each of the NLB firewall's if I have the second subnets added in. if  just have the directly attached (ISA) subnet it matches up no problem.


Networks in order to get to other "Sites"

10.100.2.0/24 or  10.100.30/21 -->     10.100.0.1/23 (procurve Switch with VLAN routing) --> 10.100.0.254 (ISA Enterprise NLB Farm) Internet.

If,on the remote side, we add the secondary subnets (of 10.100.2/24 or 10.100.30.0/21) to the remote subnet group the connection fails to connect. any Ideas'?


0

Featured Post

Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now