One-way connection on ISA 2004 site-to-site VPN using IPsec tunnel mode

Posted on 2011-10-06
Last Modified: 2012-05-12
I am not a network guru by far, but managed to set up a site-to-site VPN in IPsec tunnel mode (I know L2TP/IPsec is a more secure option and that is my next step) between two edge ISA 2004 firewalls (see attached diagram). Both servers are 2003 and up to date, and they both have two NICs, one for WAN and one for LAN. All protocols are working from main to branch but not vice versa: I can ping, RDP, and everything else from main to branch but not vice versa. Ping from branch to main shows 'Negotiating IP Security', which I believe is a sign of IPsec working. Using logging in ISA at the main I cannot see any traffic coming from the branch, but logging at the branch shows traffic going out to main. I do get a denied connection on occasion due to IP address on source adapter and destination (see attached), which I don't understand. I don't think this is an issue with rules, as I have opened everything both ways between the internals and remotes. It seems to be a routing issue from branch to main, but I thought ISA takes care of routing when a site-to-site VPN is set up. Tracert gives me the same negotiation message. Let me know if you need more info about the setup, and thanks in advance for your help.
Question by: scraby
    LVL 29

    Expert Comment

    IPsec and L2TP/IPsec use the same kind of encryption.

    You use L2TP when it is two ISA Servers because they handle it more efficiently, but the security level is the same. You could also be reasonably safe using PPTP, if the truth be known, particularly since it is a simple point-to-point between two dedicated devices (meaning there is no place to "sniff" from to read the packets). Now I am not telling you to use PPTP; I'm just simply trying to put things into perspective.

    When it is one ISA and some "other" firewall product on the other end, then you use IPsec because that is the only way you can do it.

    After the tunnel is up it is 100% the Access Rules controlling the access. Rules have to be in agreement on both ISAs; if one says "Yes" and the other says "No", then the traffic will be denied.

    Yes/No = "No"
    No/No = "No"
    Yes/Yes = "Yes"

    You have single-subnet LANs on each end, so there is no "routing"; routing doesn't exist there. You have to have two or more segments in order for there to be any routing. Now you have two segments if you count both remote sites together, but the VPN devices (the ISAs) are covering that, and they are already the LANs' default gateway, so it doesn't count.
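The point in the comment above, that a flow through a site-to-site VPN is only allowed when the access rules on *both* ISAs say yes, is easy to model. The following is an added example, not code from the original thread or from ISA Server; the networks, rule names and the deliberately mistyped remote subnet are constructed for illustration, and the model ignores ISA attributes such as users, schedules and content types. It shows how a single wrong network object on one peer produces exactly the one-way symptom described in the question: main-to-branch passes both firewalls, branch-to-main is allowed outbound at the branch but falls to the default deny at main.

```python
"""Two-peer access-rule evaluation for a site-to-site VPN (constructed example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    action: str            # "allow" or "deny"
    protocols: set         # e.g. {"ICMP", "RDP"}; "*" matches every protocol
    from_nets: list        # ip_network objects the source must belong to
    to_nets: list          # ip_network objects the destination must belong to


@dataclass
class Firewall:
    name: str
    rules: list = field(default_factory=list)   # ordered, first match wins

    def decide(self, src, dst, proto):
        """Return (allowed, matching rule name); no match means default deny."""
        src, dst = ip_address(src), ip_address(dst)
        for r in self.rules:
            proto_ok = "*" in r.protocols or proto in r.protocols
            if proto_ok and any(src in n for n in r.from_nets) \
                    and any(dst in n for n in r.to_nets):
                return r.action == "allow", r.name
        return False, "default deny"


def end_to_end(peers, src, dst, proto):
    """A flow succeeds only if every firewall on the path allows it (Yes/Yes)."""
    verdicts = {fw.name: fw.decide(src, dst, proto) for fw in peers}
    return all(ok for ok, _ in verdicts.values()), verdicts


# Constructed addressing; not taken from the original post's diagram.
MAIN_LAN = ip_network("192.168.1.0/24")
BRANCH_LAN = ip_network("192.168.2.0/24")
MISTYPED_BRANCH = ip_network("192.168.20.0/24")   # assumed misconfiguration


def build_demo():
    """Two peers whose rules look symmetric but are not (hypothetical config)."""
    main = Firewall("main-isa", [
        Rule("Internal to Branch", "allow", {"*"}, [MAIN_LAN], [BRANCH_LAN]),
        # The inbound rule on main names the wrong remote network.
        Rule("Branch to Internal", "allow", {"*"}, [MISTYPED_BRANCH], [MAIN_LAN]),
    ])
    branch = Firewall("branch-isa", [
        Rule("Internal to Main", "allow", {"*"}, [BRANCH_LAN], [MAIN_LAN]),
        Rule("Main to Internal", "allow", {"*"}, [MAIN_LAN], [BRANCH_LAN]),
    ])
    return [main, branch]


if __name__ == "__main__":
    peers = build_demo()
    for src, dst in (("192.168.1.10", "192.168.2.10"),
                     ("192.168.2.10", "192.168.1.10")):
        ok, verdicts = end_to_end(peers, src, dst, "ICMP")
        print(f"{src} -> {dst}: {'ALLOW' if ok else 'DENY'} {verdicts}")
```

When checking a real pair of ISAs, the equivalent exercise is to look up the flow on each box separately (the ISA logging in the question does this) and confirm that the rule that matched on the sending side has a counterpart on the receiving side that names the same network objects.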
    LVL 7

    Accepted Solution

    Here's a quote from Dr. Shinder (pwindell, you are right in using IPsec for compatibility between differently branded firewalls but incorrect in the security assumption):

    " IPSec tunnel mode is not a high security solution – it’s a compatibility solution. The third party IPSec tunnel mode site to site VPN methods are not as secure as industry standard L2TP/IPsec site to site links.  IPSec tunnel mode is susceptible to man in the middle attacks. IPSec wasn’t designed to handle PPP-like functions which are part of the virtual network connection establishment process. In order to handle Point to Point Protocol (PPP) functions, such as log on credential confirmation and encrypted session management, IPSec tunnels use IKE aggressive mode and functions like XAUTH/MODCFG which are susceptible to well-known man in the middle attacks"

    Regarding rules, I am allowing everything between internal/local host to and from remote on the main and branch offices, so I'm not sure how the rules could affect this. I tracked traffic and did not see any rules blocking, so I gave up and reconfigured the two ISA servers for L2TP/IPsec with the same rules, and everything started working as it should in both directions.

    I never did figure out why the traffic was only in one direction in the previous configuration, but the only thing that I did differently was to reboot both servers in order to establish the tunnel, which I had not done with the IPsec tunnel before.

    Thanks for taking a stab at it; I understand it is difficult to troubleshoot a scenario like this without being there.
    LVL 29

    Expert Comment

    It is a matter of context. I was talking about the encryption of IPsec and L2TP/IPsec being comparably the same. I wasn't talking about the other functionality that IPsec has or lacks. IPsec also has "firewall-like" abilities that L2TP does not have; some argue that IPsec is more secure. It is a matter of context. So Tom Shinder is not in disagreement with me.

    I'm familiar with Tom. If you happen to have gotten that from the ISA 2004 book and you look at the beginning of the book in the section "From Deb and Tom Shinder, Authors" (it is a two-page section), you will see me listed there along with many others on the second page. Tom is a friend of mine, and my comments on IPsec vs. L2TP come from what I learned from him.

    On the rules, I have had on occasion that my ISA continued to use a rule even after I disabled the rule, so I had to delete the rule to get it to quit. So sometimes it just gets fouled up, and when you backed up and reconfigured, that is probably what got it working.
    LVL 7

    Author Closing Comment

    Probably should have rebooted both servers before changing configurations, but the new tunnel and reboot have fixed the problem.

    Thanks, pwindell, for taking a stab at it. I just got a copy of ISA 2004 and did see your name in it as you mentioned.
