scraby


one way connection on isa 2004 site to site vpn using ipsec tunnel mode

I am not a network guru by far, but I managed to set up a site-to-site VPN in IPsec tunnel mode (I know L2TP/IPsec is a more secure option and that is my next step) between two edge ISA 2004 firewalls (see attached diagram). Both servers are 2003 and up to date, and they both have two NICs, one for WAN and one for LAN. All protocols are working from main to branch but not vice versa: I can ping, RDP, and everything else from main to branch but not vice versa. Ping from branch to main shows 'negotiating IP security', which I believe is a sign of IPsec working. Using logging in ISA at the main I cannot see any traffic coming from the branch, but logging at the branch shows traffic going out to main. I do get a denied connection on occasion due to IP address on source adapter and destination (see attached), which I don't understand. I don't think this is an issue with rules, as I have opened everything both ways between the internals and remotes. It seems to be a routing issue from branch to main, but I thought ISA takes care of routing when a site-to-site VPN is set up. Tracert gives me the same negotiation message. Let me know if you need more info about the setup, and thanks in advance for your help.
ping-branch-to-main.PNG
ping-main-to-branch.PNG
branch-isa-logging.png
network.PNG
pwindell

IPSec and L2TP use the same kind of encryption.

You use L2TP when it is two ISA Servers because they handle it more efficiently, but the security level is the same. You could also be reasonably safe using PPTP, if the truth be known, particularly since it is a simple point-to-point between two dedicated devices (meaning there is no place to "sniff" from to read the packets). Now I am not telling you to use PPTP; I'm just simply trying to put things into perspective.

When it is one ISA and some "other" firewall product on the other end, then you use IPSec because that is the only way you can do it.

After the tunnel is up it is 100% the Access Rules controlling the access. Rules have to be in agreement on both ISAs; if one says "yes" and the other says "no" then the traffic will be denied.

Yes/No = "No"
No/No = "No"
Yes/Yes = "Yes"

You have single-subnet LANs on each end, so there is no "routing"; routing doesn't exist there. You have to have two or more segments in order for there to be any routing. Now you have two segments if you count both remote sites together, but the VPN devices (the ISAs) are covering that, and they are already the LANs' default gateway, so it doesn't count.
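Added example, not part of pwindell's answer or the original thread: a small Python model of the "rules must agree on both ISAs" point above. It assumes ISA-style ordered rule evaluation (rules are walked top down, the first match decides, and nothing matching means the implicit default deny), and the subnets (10.1.0.0/24 for main, 10.2.0.0/24 for branch), the rule names and the rule order are constructed for illustration, not taken from the poster's configuration. It shows how one stale deny rule sitting above an "allow everything" rule on a single end produces exactly the one-way symptom described in the question, even though the other end is wide open.

```python
"""
Added example (not from the original thread): two site-to-site firewalls each
apply their own ordered access rules, so a flow over the tunnel must be
allowed by BOTH ends. Rule sets, names and subnets below are constructed
for illustration and are not the poster's real configuration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    protocols: FrozenSet[str]   # e.g. {"icmp", "rdp"}; {"*"} matches any protocol
    src: str                    # CIDR the source address must fall in
    dst: str                    # CIDR the destination address must fall in

    def matches(self, proto: str, src_ip: str, dst_ip: str) -> bool:
        proto_ok = "*" in self.protocols or proto in self.protocols
        return (proto_ok
                and ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


def first_match(rules: List[Rule], proto: str, src_ip: str, dst_ip: str) -> Optional[Rule]:
    """Ordered evaluation: walk the rule list top down, first hit wins."""
    for rule in rules:
        if rule.matches(proto, src_ip, dst_ip):
            return rule
    return None  # nothing matched -> implicit default deny


def decide(rules: List[Rule], proto: str, src_ip: str, dst_ip: str) -> str:
    hit = first_match(rules, proto, src_ip, dst_ip)
    return hit.action if hit else "deny"


def flow_allowed(main_rules: List[Rule], branch_rules: List[Rule],
                 proto: str, src_ip: str, dst_ip: str) -> dict:
    """A flow over the tunnel has to be permitted by both ISAs
    (Yes/Yes -> Yes; Yes/No, No/Yes and No/No -> No)."""
    main = decide(main_rules, proto, src_ip, dst_ip)
    branch = decide(branch_rules, proto, src_ip, dst_ip)
    return {"main": main, "branch": branch,
            "result": "allow" if main == branch == "allow" else "deny"}


# Constructed sample subnets (assumed, not from the thread).
MAIN_LAN, BRANCH_LAN = "10.1.0.0/24", "10.2.0.0/24"
ANY = "0.0.0.0/0"

# Main ISA: a leftover deny rule sits ABOVE the wide-open rule and only
# catches ICMP arriving from the branch, so the allow rule never sees it.
MAIN_RULES = [
    Rule("block branch pings (stale)", "deny", frozenset({"icmp"}), BRANCH_LAN, MAIN_LAN),
    Rule("all open both ways", "allow", frozenset({"*"}), ANY, ANY),
]
# Branch ISA: a single wide-open rule in both directions.
BRANCH_RULES = [
    Rule("all open both ways", "allow", frozenset({"*"}), ANY, ANY),
]


def main_to_branch_ping() -> dict:
    return flow_allowed(MAIN_RULES, BRANCH_RULES, "icmp", "10.1.0.10", "10.2.0.10")


def branch_to_main_ping() -> dict:
    return flow_allowed(MAIN_RULES, BRANCH_RULES, "icmp", "10.2.0.10", "10.1.0.10")


if __name__ == "__main__":
    print("main -> branch ping:", main_to_branch_ping())   # allowed by both ends
    print("branch -> main ping:", branch_to_main_ping())   # denied by the main ISA
```

Because the main ISA's verdict is taken in rule order, disabling or reordering the stale rule is what matters; adding another allow rule below it changes nothing, which is why "I opened everything both ways" can still leave one direction blocked.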
ASKER CERTIFIED SOLUTION
scraby
pwindell

It is a matter of context. I was talking about the encryption of IPSec and L2TP/IPSec being comparably the same. I wasn't talking about the other functionality that IPSec has or lacks. IPSec also has "firewall-like" abilities that L2TP does not have, so some argue that IPSec is more secure; so it is a matter of context. So Tom Shinder is not in disagreement with me.

I'm familiar with Tom. If you happen to have gotten that from the ISA 2004 book, look at the beginning of the book in the section "From Deb and Tom Shinder, Authors" (it is a two-page section); you will see me listed there, along with many others, on the second page. Tom is a friend of mine, and my comments on IPSec vs. L2TP come from what I learned from him.

On the rules: I have had on occasion that my ISA continued to use a rule even after I disabled the rule, so I had to delete the rule to get it to quit. So sometimes it just gets fouled up, so when you backed up and reconfigured, that is probably what got it working.
scraby
ASKER

I probably should have rebooted both servers before changing configurations, but the new tunnel and reboot have fixed the problem.

Thanks pwindell for taking a stab at it. I just got a copy of ISA 2004 and did see your name in it as you mentioned.