one way connection on isa 2004 site to site vpn using ipsec tunnel mode

Posted on 2011-10-06
Last Modified: 2012-05-12
I am not a network guru by far but managed to set up a site-to-site VPN in IPsec tunnel mode (I know L2TP/IPsec is a more secure option and that is my next step) between two edge ISA 2004 firewalls (see attached diagram). Both servers are 2003 and up to date and they both have two NICs, one for WAN and one for LAN. All protocols are working from main to branch but not vice versa. I can ping, RDP, and everything else from main to branch but not vice versa. Ping from branch to main shows 'negotiating ip security' which I believe is a sign of IPsec working. Using logging in ISA at the main I cannot see any traffic coming from the branch, but logging at the branch shows traffic going out to main. I do get a denied connection on occasion due to IP address on source adapter and destination (see attached) which I don't understand. I don't think this is an issue with rules as I have opened everything both ways between the internals and remotes. It seems to be a routing issue from branch to main but I thought ISA takes care of routing when a site-to-site VPN is set up. Tracert gives me the same negotiation message. Let me know if you need more info about the setup and thanks in advance for your help.
Question by: scraby

Expert Comment

ID: 36931594
IPSec and L2TP use the same kind of encryption.

You use L2TP when it is two ISA Servers because they handle it more efficiently, but the security level is the same. You could also be reasonably safe using PPTP if the truth be known, particularly since it is a simple point-to-point between two dedicated devices (meaning there is no place to "sniff" from to read the packets). Now I am not telling you to use PPTP, I'm just simply trying to put things into perspective.

When it is one ISA and some "other" firewall product on the other end then you use IPSec because that is the only way you can do it.

After the tunnel is up it is 100% the Access Rules controlling the access. Rules have to be in agreement on both ISAs; if one says "yes" and the other says "no" then the traffic will be denied.

Yes/No = "No"
No/No = "No"
Yes/Yes = "Yes"

You have single-subnet LANs on each end, so there is no "routing"; routing doesn't exist there. You have to have two or more segments in order for there to be any routing. Now you have two segments if you count both remote sites together, but the VPN devices (the ISAs) are covering that, and they are already the LANs' default gateway, and so it doesn't count.

Accepted Solution

ID: 36939188
Here's a quote from isaserver.org (Dr. Shinder) (pwindell, you are right in using IPsec for compatibility between differently branded firewalls but incorrect in the security assumption):

"IPSec tunnel mode is not a high security solution – it's a compatibility solution. The third party IPSec tunnel mode site to site VPN methods are not as secure as industry standard L2TP/IPsec site to site links. IPSec tunnel mode is susceptible to man in the middle attacks. IPSec wasn't designed to handle PPP-like functions which are part of the virtual network connection establishment process. In order to handle Point to Point Protocol (PPP) functions, such as log on credential confirmation and encrypted session management, IPSec tunnels use IKE aggressive mode and functions like XAUTH/MODCFG which are susceptible to well-known man in the middle attacks."

Regarding rules, I am allowing everything between internal / local host to and from remote on the main and branch offices, so I'm not sure how the rules could affect this. I tracked traffic and did not see any rules blocking, so I gave up and reconfigured the two ISA servers for L2TP/IPsec with the same rules and everything started working as it should in both directions.

I never did figure out why the traffic was only in one direction in the previous configuration, but the only thing that I did differently was to reboot both servers in order to establish the tunnel, which I had not done with the IPsec tunnel before.

Thanks for taking a stab at it. I understand it is difficult to troubleshoot a scenario like this not being there.

Expert Comment

ID: 36942356
It is a matter of context. I was talking about the encryption of IPSec and the L2TP/IPSec being comparably the same. I wasn't talking about the other functionality that IPSec has or lacks. IPSec also has "firewall-like" abilities that L2TP does not have, so some argue that IPSec is more secure; so it is a matter of context. So Tom Shinder is not in disagreement with me.

I'm familiar with Tom. If you happen to have gotten that from the ISA 2004 book and you look at the beginning of the book in the section "From Deb and Tom Shinder, Authors" (it is a 2 page section), you will see me listed there along with many others on the second page. Tom is a friend of mine and my comments on IPSec vs. L2TP come from what I learned from him.

On the rules, I have had on occasion that my ISA continued to use a Rule even after I disabled the Rule, so I had to delete the Rule to get it to quit. So sometimes it just gets fouled up, so when you backed up and reconfigured that is probably what got it working.

Author Closing Comment

ID: 36984583
Probably should have rebooted both servers before changing configurations, but the new tunnel and reboot has fixed the problem.

Thanks pwindell for taking a stab at it. I just got a copy of ISA 2004 and did see your name in it as you mentioned.
