Solved

How to setup Multiple LOCAL IP subnets as advertisements in IPSEC Tunnels/

Posted on 2009-04-09
2
424 Views
Last Modified: 2012-05-06
I need to know of a way (if any) you can create an IPSEC tunnel with multiple Local Sub nets based of of a multiple Local disjointed Sub nets In ISA 2006. This is running in the Edge Firewall configuration.

I know I can create multiple remote sub nets but not sure how to create multiple local sub nets.

For instance the DIRECT attached local subnet is 10.100.0.0/23 with VLAN routing happening for 10.100.2.0/24 10.100.30.0/ 21 and 10.100.102.0/24 on a another router BEHIND it. How can you setup the tunnel to Properly list these subnets as "advertised Networks" on the IKE exchange information. Any Idea's?
0
Comment
Question by:Odytest
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 24131064
Not sure you can do this - or even why you would want to.

The tunnel will terminate on ISA's external interface - and ISA will know already that 10.100.0.0 - 10.100.1.255 are directly attached due to the /23 mask on the internal nic. Adding static routes on the ISA for 10.100.30.0 /21 and 10.100.102.0 .24 with a gateway to the Ip address of the inside router that is also connected to the 10.100.0.0 /23 network is all that is required.

At the remote sites, as long as they know that these subnets are available through the VPN then that should be it. locally, of course there must all be either default or static routes so response traffic knows how to get back again
0
 

Author Comment

by:Odytest
ID: 24131899
That's the problem.When ever I have to try and setup a remote IPsec Peer, they always fail with mismatched advertisements even though there is a static route on each of the NLB firewall's if I have the second subnets added in. if  just have the directly attached (ISA) subnet it matches up no problem.


Networks in order to get to other "Sites"

10.100.2.0/24 or  10.100.30/21 -->     10.100.0.1/23 (procurve Switch with VLAN routing) --> 10.100.0.254 (ISA Enterprise NLB Farm) Internet.

If,on the remote side, we add the secondary subnets (of 10.100.2/24 or 10.100.30.0/21) to the remote subnet group the connection fails to connect. any Ideas'?


0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When you are trying to access the server, have you ever encountered "The terminal server has exceeded the maximum number of allowed connection" error?  or "The user is attempting to log on to a Terminal Server in Remote Administration mode, but the …
Microsoft has released remote PowerShell capabilities to all commercial Office 365 customers. So you can be controlled via PowerShell and not from the Office 365 admin center Download Windows PowerShell Module for Lync Online http://www.micros…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question