Solved

TMG 2010 Site-to-site VPN Setup problems

Posted on 2010-11-22
3
1,914 Views
Last Modified: 2012-06-21
Hi,

Wonder if anyone can help. I have a TMG 2010 setup as the primary firewall solution with dual NICs (3-leg), where one NIC is the external public IP. All is working well: internet access, proxy, URL filtering, even remote PPTP VPN dial-in for end users works great.

The issue is around setting up a site-to-site VPN solution with a branch office. I've tried PPTP with another TMG box, and IPsec and PPTP with Draytek/Zyxel routers. I've got as close as the TMG box receiving IKE 500 requests, which it accepts, but nothing more.

Now for the daft questions:

1.) When setting up a site-to-site VPN, when it asks to specify the VPN tunnel endpoints, is it referring to the public IP of the internet connection (83.244.X.X) at both ends of the VPN, or the private IP of the TMG gateway and router (10.20.30.10, for example)?

2.) Under network address range, does this just need to be the remote internal address range, 10.20.33.1 - 10.20.33.254 (only the internal range), or do we need to add the gateway IP of the TMG box (either internal or external) or the public IP?

3.) In addition, can anyone provide any other obvious config pointers I need to be aware of, other network rules I'm missing, etc.? I'm really struggling with what should be a simple concept and I'm considering going back to my Watchguard Fireboxes!

In addition, if anyone has any other setup guides or sample rule sets/screenshots that work for them, that would be greatly appreciated.

Many thanks in advance for any advice.

Regards

Bob

0
Question by:Bobjedi
3 Comments
 
LVL 5

Accepted Solution

by:
q2q earned 500 total points
ID: 34188172
Section 1: yes, you will need to enter the public IP address each router is using and where traffic appears to come from, for your router to recognise it.

Section 2: yes, network address range is referring to the remote LAN subnet, so that it knows which packets to fire across the VPN.

Section 3:
As a rule of thumb, try setting up with PPTP first, as this has very few options to set. If this works you can then move on to trying IPsec.
General guidelines are:
Use different IP subnet ranges at each site.
Try to keep the hardware the same (makes the whole process much easier).
If you can provide screenshots of the router VPN config I will be happy to tell you how to set them.
0
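The three points above (public tunnel endpoints, remote LAN only as the network address range, distinct subnets per site) can be checked before clicking through the wizard. The script below is an added example, not code from the thread or from TMG; the 83.244.x.x endpoints and 10.20.x.x LANs are constructed placeholders in the style of the question, and it accepts the range either as CIDR or in the wizard's "first - last" form.

```python
import ipaddress
from itertools import product


def parse_range(spec):
    """Accept either CIDR ('10.20.33.0/24') or the wizard's 'first - last' form
    ('10.20.33.1 - 10.20.33.254') and return the list of networks covering it."""
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(spec.strip(), strict=False)]


def overlaps(nets_a, nets_b):
    """True if any network in nets_a shares addresses with any network in nets_b."""
    return any(a.overlaps(b) for a, b in product(nets_a, nets_b))


def check_site_to_site(local_endpoint, remote_endpoint, local_lan, remote_lan):
    """Return the list of problems found in a proposed site-to-site definition;
    an empty list means the three points from the answer are satisfied."""
    problems = []
    ends = {"local endpoint": ipaddress.ip_address(local_endpoint),
            "remote endpoint": ipaddress.ip_address(remote_endpoint)}
    # Point 1: tunnel endpoints are the public addresses of each site, not the
    # 10.x gateway addresses of the TMG box or the branch router.
    for name, addr in ends.items():
        if not addr.is_global:
            problems.append(f"{name} {addr} is not a public address")
    local_nets, remote_nets = parse_range(local_lan), parse_range(remote_lan)
    # Point 3 and the follow-up: each site needs its own subnet, otherwise
    # routing cannot decide which packets belong across the tunnel.
    if overlaps(local_nets, remote_nets):
        problems.append(f"local LAN {local_lan} overlaps remote LAN {remote_lan}")
    # Point 2: the network address range is only the remote LAN; an endpoint
    # inside it is a sign the public and private addresses were mixed up.
    for name, addr in ends.items():
        if any(addr in net for net in remote_nets):
            problems.append(f"{name} {addr} lies inside the remote LAN range")
    return problems


if __name__ == "__main__":
    # Constructed sample values only (placeholders, not real sites).
    for args in [("83.244.1.10", "83.244.2.20", "10.20.30.0/24", "10.20.33.1 - 10.20.33.254"),
                 ("83.244.1.10", "83.244.2.20", "10.20.30.0/16", "10.20.33.0/16"),
                 ("10.20.30.10", "10.20.33.1", "10.20.30.0/24", "10.20.33.0/24")]:
        print(args, "->", check_site_to_site(*args) or "OK")
```

The second sample reproduces the original mistake: with a /16 mask, 10.20.30.0 and 10.20.33.0 both collapse to 10.20.0.0/16, so the two sites are one subnet as far as routing is concerned.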
 

Author Comment

by:Bobjedi
ID: 34189134
Many thanks for your prompt response. I think item 3 may be putting us on the right track, as we were using IP ranges on the same subnet (10.20.30.0/10.20.33.0).

We're going to try a 192.168.x.x range now and will come back to you.

FYI, the main site FW is TMG and the branch office is a Firebox X10e.

Many thanks

Bob
0
 

Author Comment

by:Bobjedi
ID: 34189666
Hi,

Worked like a charm! The subnets were the issue and we just needed that little bit of advice to push us in the right direction!

Have been pulling my hair out for 4 days so thanks very much! ;)

Kind regards

Bob
0
