Draytek 2830 to Microsoft ISA 2004 Server LAN to LAN VPN Setup
Experts,
We are currently trying to configure a LAN to LAN VPN connection for a client of ours using a Draytek 2830 router at the remote site and a Microsoft ISA 2004 server at the head office side.
Currently the ISA server is acting as the gateway for the main office and has a public IP address setup on it's WAN network interface.
We were looking for some help and guidance on setting this up, if anyone has achieved this before then I would be interested to know the steps they've taken. We have tried setting it up based on what we think we should be doing but without any real step by step guide to follow we're struggling even to get the VPN link established.
We are currently trying to configure a LAN to LAN VPN connection for a client of ours using a Draytek 2830 router at the remote site and a Microsoft ISA 2004 server at the head office side.
Currently the ISA server is acting as the gateway for the main office and has a public IP address setup on it's WAN network interface.
We were looking for some help and guidance on setting this up, if anyone has achieved this before then I would be interested to know the steps they've taken. We have tried setting it up based on what we think we should be doing but without any real step by step guide to follow we're struggling even to get the VPN link established.
ASKER
Thanks. We have actually found and followed that first guide without success.
It never seems to get past Phase 1.
Struggling to understand some of the settings on the ISA server too as to what it means for some parts.
It never seems to get past Phase 1.
Struggling to understand some of the settings on the ISA server too as to what it means for some parts.
You may want to try PPTP just to get it working 1st, but I think there is little or no encryption with that, so I'd only use it to test!
Here's an old bookmark if it helps, plenty of ISA VPN info:
http://technet.microsoft.com/en-us/library/cc302474.aspx
It should help you understand the ISA settings. They Draytek is fairly simple in comparision!
Here's an old bookmark if it helps, plenty of ISA VPN info:
http://technet.microsoft.com/en-us/library/cc302474.aspx
It should help you understand the ISA settings. They Draytek is fairly simple in comparision!
Turn it round please. What are the issues you are actually seeing. How have you configured the ISA - I assume it is a two-nic, domain joined implementation?
Before you change anything - have you run the ISA best practice analyser to check the basics?
Which part of the ISA terminology are you having difficulty with?
Keith
Before you change anything - have you run the ISA best practice analyser to check the basics?
Which part of the ISA terminology are you having difficulty with?
Keith
ASKER
OK, thanks for everyone's feedback so far and sorry about the delay on coming back to this.
We have now managed to get the VPN connection established between the Draytek router and the ISA server now. The issue appeared to be the network address for Local Network setup on the ISA server. After we changed this so it correctly had the subnet in place the VPN established.
We now have a different issue though, in that the VPN connection only seems to allow traffic through it for about 15 minutes before we can no longer ping either side.
I have uploaded a couple of log files from the Draytek which were requested by their support in case anyone knows enough about them to determine what is going on. If anyone could give me any indication on how to get some logging info from ISA server then I can produce logs from there also.
On the log files attached all external IP addresses have been changed to random ones.
Would appreciate any suggestions as to how to best diagnose this problem.
For info we have already changed the IKE lifetimes down to 900 for Phase 1 and 600 for Phase 2. This impacted slightly in that the VPN would then occasionally drop out for 1 ping every 6 minutes or so.
Looking for a solution to have a stable VPN connection, I'm sure someone has got VPN working successfully between ISA server and Draytek routers in the past.
vpnlog-after-drop-log.txt
vpnlog-before-drop-log.txt
We have now managed to get the VPN connection established between the Draytek router and the ISA server now. The issue appeared to be the network address for Local Network setup on the ISA server. After we changed this so it correctly had the subnet in place the VPN established.
We now have a different issue though, in that the VPN connection only seems to allow traffic through it for about 15 minutes before we can no longer ping either side.
I have uploaded a couple of log files from the Draytek which were requested by their support in case anyone knows enough about them to determine what is going on. If anyone could give me any indication on how to get some logging info from ISA server then I can produce logs from there also.
On the log files attached all external IP addresses have been changed to random ones.
Would appreciate any suggestions as to how to best diagnose this problem.
For info we have already changed the IKE lifetimes down to 900 for Phase 1 and 600 for Phase 2. This impacted slightly in that the VPN would then occasionally drop out for 1 ping every 6 minutes or so.
Looking for a solution to have a stable VPN connection, I'm sure someone has got VPN working successfully between ISA server and Draytek routers in the past.
vpnlog-after-drop-log.txt
vpnlog-before-drop-log.txt
ASKER
Keith, to answer your questions. Yes it is a 2 NIC Domain joined implementation.
One network card has an external IP address connected through a Cisco router which is connected to a 25MB leased line.
The other NIC is the LAN interface on the local subnet.
As mentioned, the VPN now establishes however traffic stops working after between 5 - 15 minutes.
There is also (possibly unrelated) another issue whereby we cannot ping a couple of server IP addresses from the remote site to the head office, even though you can ping them in the head office. There is no other firewall on the servers which we cannot ping.
One network card has an external IP address connected through a Cisco router which is connected to a 25MB leased line.
The other NIC is the LAN interface on the local subnet.
As mentioned, the VPN now establishes however traffic stops working after between 5 - 15 minutes.
There is also (possibly unrelated) another issue whereby we cannot ping a couple of server IP addresses from the remote site to the head office, even though you can ping them in the head office. There is no other firewall on the servers which we cannot ping.
ASKER
Also, when we start having issues with traffic no longer going over the VPN we get these messages in Syslog on the Draytek:
2013-02-15 15:08:04 connection: 81bc1ea0 is dial-out and NOT for dynamic client; in_index=0, out_index=-1. U can try to reduce phase1 lifetime...
2013-02-15 15:08:04 Responding to Main Mode from 92.208.159.114
2013-02-15 15:07:56 connection: 81bc1ea0 is dial-out and NOT for dynamic client; in_index=0, out_index=-1. U can try to reduce phase1 lifetime...
2013-02-15 15:07:56 Responding to Main Mode from 92.208.159.114
2013-02-15 15:07:53 sent QI2, IPsec SA established with 92.208.159.114. In/Out Index: 0/-1
2013-02-15 15:07:53 Client L2L remote network setting is 192.168.46.0/24
However as mentioned previously, we cannot set the key lifetime any lower as it's already at the lowest supported.
2013-02-15 15:08:04 connection: 81bc1ea0 is dial-out and NOT for dynamic client; in_index=0, out_index=-1. U can try to reduce phase1 lifetime...
2013-02-15 15:08:04 Responding to Main Mode from 92.208.159.114
2013-02-15 15:07:56 connection: 81bc1ea0 is dial-out and NOT for dynamic client; in_index=0, out_index=-1. U can try to reduce phase1 lifetime...
2013-02-15 15:07:56 Responding to Main Mode from 92.208.159.114
2013-02-15 15:07:53 sent QI2, IPsec SA established with 92.208.159.114. In/Out Index: 0/-1
2013-02-15 15:07:53 Client L2L remote network setting is 192.168.46.0/24
However as mentioned previously, we cannot set the key lifetime any lower as it's already at the lowest supported.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
We had to work around the solution by implementing router-router setup.
http://theangryangel.co.uk/blog/ms-isa-server-2004-to-draytek-vigor-2800-ipsec-tunnel
Draytek has some guides about different VPNs accross different platforms:
http://www.draytek.com.tw/index.php?option=com_k2&view=itemlist&task=category&id=125:lan2lan&Itemid=293&lang=en&limitstart=0