Solved

How to setup Multiple LOCAL IP subnets as advertisements in IPSEC Tunnels/

Posted on 2009-04-09
2
422 Views
Last Modified: 2012-05-06
I need to know of a way (if any) you can create an IPSEC tunnel with multiple Local Sub nets based of of a multiple Local disjointed Sub nets In ISA 2006. This is running in the Edge Firewall configuration.

I know I can create multiple remote sub nets but not sure how to create multiple local sub nets.

For instance the DIRECT attached local subnet is 10.100.0.0/23 with VLAN routing happening for 10.100.2.0/24 10.100.30.0/ 21 and 10.100.102.0/24 on a another router BEHIND it. How can you setup the tunnel to Properly list these subnets as "advertised Networks" on the IKE exchange information. Any Idea's?
0
Comment
Question by:Odytest
2 Comments
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 24131064
Not sure you can do this - or even why you would want to.

The tunnel will terminate on ISA's external interface - and ISA will know already that 10.100.0.0 - 10.100.1.255 are directly attached due to the /23 mask on the internal nic. Adding static routes on the ISA for 10.100.30.0 /21 and 10.100.102.0 .24 with a gateway to the Ip address of the inside router that is also connected to the 10.100.0.0 /23 network is all that is required.

At the remote sites, as long as they know that these subnets are available through the VPN then that should be it. locally, of course there must all be either default or static routes so response traffic knows how to get back again
0
 

Author Comment

by:Odytest
ID: 24131899
That's the problem.When ever I have to try and setup a remote IPsec Peer, they always fail with mismatched advertisements even though there is a static route on each of the NLB firewall's if I have the second subnets added in. if  just have the directly attached (ISA) subnet it matches up no problem.


Networks in order to get to other "Sites"

10.100.2.0/24 or  10.100.30/21 -->     10.100.0.1/23 (procurve Switch with VLAN routing) --> 10.100.0.254 (ISA Enterprise NLB Farm) Internet.

If,on the remote side, we add the secondary subnets (of 10.100.2/24 or 10.100.30.0/21) to the remote subnet group the connection fails to connect. any Ideas'?


0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

When you are trying to access the server, have you ever encountered "The terminal server has exceeded the maximum number of allowed connection" error?  or "The user is attempting to log on to a Terminal Server in Remote Administration mode, but the …
This is a fairly complicated script that will install the required prerequisites to install SCCM 2012 R2 on a server.  It was designed under the functional model in order to compartmentalize each step required, reducing the overall complexity.  The …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question