?
Solved

How to setup Multiple LOCAL IP subnets as advertisements in IPSEC Tunnels/

Posted on 2009-04-09
2
Medium Priority
?
433 Views
Last Modified: 2012-05-06
I need to know of a way (if any) you can create an IPSEC tunnel with multiple Local Sub nets based of of a multiple Local disjointed Sub nets In ISA 2006. This is running in the Edge Firewall configuration.

I know I can create multiple remote sub nets but not sure how to create multiple local sub nets.

For instance the DIRECT attached local subnet is 10.100.0.0/23 with VLAN routing happening for 10.100.2.0/24 10.100.30.0/ 21 and 10.100.102.0/24 on a another router BEHIND it. How can you setup the tunnel to Properly list these subnets as "advertised Networks" on the IKE exchange information. Any Idea's?
0
Comment
Question by:Odytest
2 Comments
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 1500 total points
ID: 24131064
Not sure you can do this - or even why you would want to.

The tunnel will terminate on ISA's external interface - and ISA will know already that 10.100.0.0 - 10.100.1.255 are directly attached due to the /23 mask on the internal nic. Adding static routes on the ISA for 10.100.30.0 /21 and 10.100.102.0 .24 with a gateway to the Ip address of the inside router that is also connected to the 10.100.0.0 /23 network is all that is required.

At the remote sites, as long as they know that these subnets are available through the VPN then that should be it. locally, of course there must all be either default or static routes so response traffic knows how to get back again
0
 

Author Comment

by:Odytest
ID: 24131899
That's the problem.When ever I have to try and setup a remote IPsec Peer, they always fail with mismatched advertisements even though there is a static route on each of the NLB firewall's if I have the second subnets added in. if  just have the directly attached (ISA) subnet it matches up no problem.


Networks in order to get to other "Sites"

10.100.2.0/24 or  10.100.30/21 -->     10.100.0.1/23 (procurve Switch with VLAN routing) --> 10.100.0.254 (ISA Enterprise NLB Farm) Internet.

If,on the remote side, we add the secondary subnets (of 10.100.2/24 or 10.100.30.0/21) to the remote subnet group the connection fails to connect. any Ideas'?


0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

In Africa (and potentially where you live…), reliability of ISPs is questionable.  With the increased reliance on e-mail as one of the primary forms of communication, the costs to business are significant based on interuption of ISP Connectivity.  T…
This is a fairly complicated script that will install the required prerequisites to install SCCM 2012 R2 on a server.  It was designed under the functional model in order to compartmentalize each step required, reducing the overall complexity.  The …
Did you know PowerShell can save you time with SaaS platforms? Simply leverage RESTfulAPIs to build your own PowerShell modules. These will kill repetitive tickets and tabs, using the command Invoke-RestMethod. Tune into this webinar to learn how…
Watch the video to know the process of migration of Exchange or Office 365 mailboxes in absence of MS Outlook. It is an eminent tool which can easily migrate Public, Archive user mailboxes from one another Exchange server and Office 365. Kernel Migr…

589 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question