Solved

TMG 2010 Site-to-site VPN Setup problems

Posted on 2010-11-22
3
1,908 Views
Last Modified: 2012-06-21
Hi,

Wonder if anyone can help, I have a TMG 2010 setup as primary firewall solution with dual NICS (3LEG) where one NIC is the external public IP all is working well, internet access, proxy, URL filtering even remote PTPP VPN dial in for end users works great.

The issue ia around setting up a site to site VPN solution with a branch office, ive tried PTPP with another TMG box, IPSEC and PTPP with draytek/zyxel routers. Ive got as close as the TMG box recieving IKE 500 requests which it accepts but nothing more..

Now for the daft questions:

1.) When setting up a site to site VPN when it asks to specifiy the VPN tunnel end points is it refering to the Public IP of the internet connection 83.244.X.X at both ends of the VPN or the private IP of the TMG gateway and router: 10.20.30.10 for example?

2.) Under network address range does this just need to be the remote internal address range: 10.20.33.1 - 10.20.33.254 (only internal range) or do we need to add the gateway IP either internal or external of the TMG box or public IP?

3.) In addition can anyone provide any other additional obvious config pointers i need to be aware, other network rules im missing etc Im really struggling with what should be a simple concept and im considering going back to my Watchguard fireboxes!

In addition if anyone has any other setup guides or sample rule sets/screen shots that work for them that would be greatly appreciated.

Many thanks in advance for any advice.

Regards

Bob

0
Comment
Question by:Bobjedi
  • 2
3 Comments
 
LVL 5

Accepted Solution

by:
q2q earned 500 total points
ID: 34188172
SEction 1, yes you will need to enter the public IP address each router is using and where traffic appears to come from for your router to reconnise it.

Section 2, yes netwrok address rarnge is refering to the remote LAN subnet so that it knows which packets to fire accross the vpn

3
As a rule of thumb, try setting up with pptp first as this has very few options to set. If this works you can then move onto trying the ipsec.
General guidelines are
use differnet ip subnet ranges at each site.
Try to keep the hardware the same (makes the whole processes mnuch easier)
If you can provide screen shots of the router vpn config I will be happy to tell you how to set them.
0
 

Author Comment

by:Bobjedi
ID: 34189134
Many thanks for your prompt response, i think item 3 maybe putting us on the right track as we were using IP ranges on the same subnet. (10.20.30.0/10.20.33.0)

Were going to try a 192.168.x.x range now and will come back to you.

FYI the main site FW is TMG and the branch office is a Firebox X10e

Many thanks

Bob
0
 

Author Comment

by:Bobjedi
ID: 34189666
Hi,

Worked like a charm! The subnets were the issue and we just needed that little bit of advice to push us in the right direction!

Have been pulling my hair out for 4 days so thanks very much! ;)

Kind regards

Bob
0

Featured Post

Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Like many others, when I created a Windows 2008 RRAS VPN server, I connected via PPTP, and still do, but there are problems that can arise from solely using PPTP.  One particular problem was that the CFO of the company used a Virgin Broadband Wirele…
This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question