Solved

How to setup Multiple LOCAL IP subnets as advertisements in IPSEC Tunnels/

Posted on 2009-04-09
2
418 Views
Last Modified: 2012-05-06
I need to know of a way (if any) you can create an IPSEC tunnel with multiple Local Sub nets based of of a multiple Local disjointed Sub nets In ISA 2006. This is running in the Edge Firewall configuration.

I know I can create multiple remote sub nets but not sure how to create multiple local sub nets.

For instance the DIRECT attached local subnet is 10.100.0.0/23 with VLAN routing happening for 10.100.2.0/24 10.100.30.0/ 21 and 10.100.102.0/24 on a another router BEHIND it. How can you setup the tunnel to Properly list these subnets as "advertised Networks" on the IKE exchange information. Any Idea's?
0
Comment
Question by:Odytest
2 Comments
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
Comment Utility
Not sure you can do this - or even why you would want to.

The tunnel will terminate on ISA's external interface - and ISA will know already that 10.100.0.0 - 10.100.1.255 are directly attached due to the /23 mask on the internal nic. Adding static routes on the ISA for 10.100.30.0 /21 and 10.100.102.0 .24 with a gateway to the Ip address of the inside router that is also connected to the 10.100.0.0 /23 network is all that is required.

At the remote sites, as long as they know that these subnets are available through the VPN then that should be it. locally, of course there must all be either default or static routes so response traffic knows how to get back again
0
 

Author Comment

by:Odytest
Comment Utility
That's the problem.When ever I have to try and setup a remote IPsec Peer, they always fail with mismatched advertisements even though there is a static route on each of the NLB firewall's if I have the second subnets added in. if  just have the directly attached (ISA) subnet it matches up no problem.


Networks in order to get to other "Sites"

10.100.2.0/24 or  10.100.30/21 -->     10.100.0.1/23 (procurve Switch with VLAN routing) --> 10.100.0.254 (ISA Enterprise NLB Farm) Internet.

If,on the remote side, we add the secondary subnets (of 10.100.2/24 or 10.100.30.0/21) to the remote subnet group the connection fails to connect. any Ideas'?


0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Forefront is the brand name for Microsoft's major security product. Forefront covers a number of specific security areas and has 'swallowed' a number of applications under this umbrella including Antigen, ISA Server, the Integrated Access Gateway (t…
The System Center Operations Manager 2012, known as SCOM, is a part of the Microsoft system center product that provides the user with infrastructure monitoring and application performance monitoring. SCOM monitors:   Windows or UNIX/LinuxNetwo…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now