Re: L2TP/IPSec Client VPN Kills Passthrough IPSec VPN
- From: "Phillip Windell" <philwindell@xxxxxxxxxxx>
- Date: Fri, 5 Dec 2008 10:25:00 -0600
*Assuming* you have a Single-Subnet LAN.....

Once you added the Cisco Router for the S2S-VPN it *became* the primary LAN Router for the LAN. This means that your LAN Hosts need to use it for the Default Gateway and not the ISA.

The Default Gateway of the Cisco box needs to be the ISA, which it probably already is anyway since they are not side-by-side. If they were side by side things would get more complicated there.

You cannot use the ISA as the Default LAN Hosts Gateway, add a Static Route to the ISA and expect all the routing to work between the two remote Offices,..it just ain't gonna happen.

Then lastly,...remember that VPN is local, internal, private. That is what the "P" in the VPN means. Therefore it has to be treated functionally just like it was an additional LAN Segment on the local LAN. This means that the remote *private* (not public) IP Range of the other Office needs to be added to the Internal Network Definition under the Addresses Tab.
--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
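To make the gateway advice above concrete, here is an added example (mine, not code from the thread, from Microsoft or from Cisco) that models the two designs as plain routing tables and walks a packet to the remote office through each one. Every address in it is a constructed assumption. The hairpin flag only marks where the ISA would have to forward a packet back out the same internal interface it arrived on, which is the situation that pointing the LAN hosts at the Cisco box avoids; the last function checks the final point, that the other office's private range has to be covered by the Internal network definition.

```python
import ipaddress

# Constructed topology for illustration; every address here is an assumption,
# not a value taken from the thread.
LAN = ipaddress.ip_network("192.168.1.0/24")            # the single-subnet LAN
REMOTE_OFFICE = ipaddress.ip_network("192.168.2.0/24")  # other office's private range
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
ISA_LAN_IP, CISCO_LAN_IP = "192.168.1.1", "192.168.1.2"


def build_nodes(hosts_gateway):
    """Routing tables of a LAN host, the ISA and the Cisco for one design.

    hosts_gateway is "ISA" (hosts point at the ISA, which carries a static
    route for the remote office via the Cisco) or "CISCO" (hosts point at
    the Cisco and the Cisco points at the ISA, as recommended above).
    A route is (network, next_hop or None if directly connected, out_iface).
    """
    host_gw = ISA_LAN_IP if hosts_gateway == "ISA" else CISCO_LAN_IP
    nodes = {
        "HOST": {"ifaces": {"lan": "192.168.1.50"},
                 "routes": [(LAN, None, "lan"), (DEFAULT, host_gw, "lan")]},
        "ISA": {"ifaces": {"internal": ISA_LAN_IP, "external": "203.0.113.10"},
                "routes": [(LAN, None, "internal"),
                           (DEFAULT, "203.0.113.1", "external")]},
        # "tunnel" stands for the IPsec tunnel; the walk stops once a packet enters it.
        "CISCO": {"ifaces": {"lan": CISCO_LAN_IP},
                  "routes": [(LAN, None, "lan"), (REMOTE_OFFICE, None, "tunnel"),
                             (DEFAULT, ISA_LAN_IP, "lan")]},
    }
    if hosts_gateway == "ISA":
        # the "static route on the ISA" design from the thread
        nodes["ISA"]["routes"].append((REMOTE_OFFICE, CISCO_LAN_IP, "internal"))
    return nodes


def lookup(routes, dst):
    """Longest-prefix match; returns (next_hop, out_iface) or None if no route."""
    best = None
    for net, next_hop, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return None if best is None else (best[1], best[2])


def trace(nodes, dst, src="HOST", max_hops=8):
    """Follow a packet hop by hop from src towards dst.

    Returns (path, hairpin): path lists "node:out_iface" per hop; hairpin is
    True when the ISA has to send the packet back out the interface it came
    in on, i.e. both directions of the flow ride its single internal leg.
    """
    dst = ipaddress.ip_address(dst)
    owner = {ip: (name, iface)
             for name, n in nodes.items() for iface, ip in n["ifaces"].items()}
    node, in_iface, path, hairpin = src, None, [], False
    for _ in range(max_hops):
        hit = lookup(nodes[node]["routes"], dst)
        if hit is None:
            path.append(f"{node}:no-route")
            break
        next_hop, out_iface = hit
        path.append(f"{node}:{out_iface}")
        if node == "ISA" and in_iface == out_iface:
            hairpin = True
        # directly connected, handed into the tunnel, or sent out to the Internet
        if next_hop is None or out_iface in ("tunnel", "external"):
            break
        node, in_iface = owner[next_hop]
    return path, hairpin


def remote_range_in_internal(internal_definition):
    """True if the remote office's private range is covered by the networks
    listed in the ISA's Internal network definition."""
    return any(REMOTE_OFFICE.subnet_of(net) for net in internal_definition)


if __name__ == "__main__":
    for design in ("ISA", "CISCO"):
        path, hairpin = trace(build_nodes(design), "192.168.2.10")
        print(f"hosts' gateway = {design}: {' -> '.join(path)}  hairpin={hairpin}")
    print("remote range in Internal definition:",
          remote_range_in_internal([LAN, REMOTE_OFFICE]))
```

Run it and the first design shows the packet entering and leaving the ISA on the same internal interface before it reaches the Cisco, while the second reaches the tunnel without touching the ISA at all; Internet-bound traffic in the second design still flows host, Cisco, ISA, as the thread describes.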
"Anon" <Anon@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:165A1B6A-B13A-40EF-AE0D-9FD20CFAA055@xxxxxxxxxxxxxxxx
Thanks for your help Phillip. What you describe as solution 1 is my present not entirely working configuration.

A site2site VPN is originated by the Cisco router behind the ISA firewall and simply passes through the ISA firewall outbound. I needed the ability for dial-in remote access clients to have their own separate VPNs terminating at the ISA 2006 firewall. These clients are not related to the Cisco VPN traffic.

I configured this access and it works for the dial-in clients. But, once RRAS starts on the ISA server, after setting up the client remote access, the Cisco VPN stops passing traffic. Its tunnel still comes up but, it doesn't pass traffic.

Obviously, this sounds like a routing problem but, I cannot find the issue. Everything looks right and traceroutes indicate that the routing is correct but, when RRAS starts nothing traverses the Cisco VPN. The moment that I stop the RRAS service, the Cisco VPN starts working but, of course, Dial in clients terminating at the ISA server can no longer connect.

I can make either or work but, I need to have them both working at the same time and so far that is not happening.
"Phillip Windell" wrote:
Site to Site VPN (what you started with) and Remote Access VPN (what you are doing with the users) are two entirely different and unrelated types of "VPN".

Simply put:

1. The Site2Site will work as you are doing it,...although I wouldn't do it that way.
2. The Remote Access VPN will never work.

Solutions:

1. If you keep the current design the ISA will have to be the "VPN Server" for the Remote Access Clients while the Cisco box continues to do the Site2SiteVPN as it is now. The user would "dial in" to the ISA and not the Cisco box and the ISA would handle all their needs.
2. If you are willing to change the design (I would), then move the Cisco box to the network Edge (side-by-side with the ISA) and then it would do both jobs and would do so independently of the ISA and the two "firewalls" would never be concerned with what each other is doing. This would also allow you to have *2* fully capable "VPN Servers" since the ISA is every bit as capable with VPN as the Cisco box is,...in fact it has abilities that the Cisco box won't have.
-----------------------------------------------------
Technet Library
ISA2004
http://technet.microsoft.com/en-us/library/cc302436(TechNet.10).aspx
ISA2006
http://technet.microsoft.com/en-us/library/bb898433(TechNet.10).aspx
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html
Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc
Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.mspx
Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------
"Anon" <Anon@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F3AA5F97-6444-4BB1-9C75-4E1BAE61D854@xxxxxxxxxxxxxxxx
In my scenario I have a single ISA 2006 server serving as a firewall. On the private network, I have a Cisco router that is setup to establish an IPSec VPN connection with a remote site. ISA has the necessary rules to allow the Cisco tunnel to passthrough ISA without issue and this setup works fine.

Later came the need for client VPN access. I enabled L2TP/IPSec Client VPN access on ISA with the necessary access rules. This allowed remote clients to connect and function properly. However...

After setting up the client access VPN the outgoing Cisco passthrough VPN stops passing traffic. It establishes its tunnel connection and does not show any errors but, no traffic will pass through that VPN. The only way to get that VPN working again is to disable VPN Client Access which is basically just stopping the RRAS service.

Can anyone offer advice on this scenario? Have I got a configuration problem and if so, what? Or, is ISA not able to passthrough outbound IPSec while also terminating a Client Access VPN?

TIA for your help.