RE: Site to Site VPN Spoofing packets



Your traffic is being marked as spoofed for the following reason:
When a client at a remote site requests services published at the main
office, it leaves through the ISA server at the remote site, which performs
a NAT operation to the internet and rewrites the source IP address to the
external IP address of the ISA server at your remote site. Once the ISA
server in your main office receives this traffic with a source IP address
equal to the external IP address of the ISA server in the remote site, it
compares it against the networks it already knows about. In this case it
finds the external IP address of the remote ISA server as part of the IPsec
site-to-site VPN network, and because it received, on one network, traffic
that belongs to another network, it will mark that traffic as spoofed. This
is a normal security feature in ISA Server.

But there are some workarounds:
You could use PPTP instead of IPsec, but I won’t recommend that for
security reasons.
You can, however, make the following change to your site-to-site
connection: on your main office ISA server, go to the properties of your
site-to-site VPN, select the ‘Addresses’ tab and remove the IP address range
that includes the remote (external) end point address range of your remote
ISA server. Proceed to the ‘Connection’ tab and click the button labelled
‘IPsec Settings…’; this opens the IPsec Configuration window. Now select
the ‘Phase II’ tab and uncheck ‘Use Perfect Forward Security’. You will
also need to uncheck the ‘Use Perfect Forward Security’ option in the
site-to-site VPN properties on the ISA server in the remote site.

Results:
This operation has some side effects: your ISA servers won’t be able to
talk to each other directly when the VPN is up, and your ISA servers won’t
be able to talk to the remote client network at each site. This will work
with integrated NLB in the main office, but not in a remote site. That being
said, your remote client networks will be able to communicate with each
other and with the external IP addresses of the ISA server in the main office.
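As an added illustration of the spoof check described in the reply above (this is not part of the original post and is not ISA Server's own code), the following Python models the rule the poster describes: the source address of a packet is looked up in the address ranges of every configured network, and the packet is flagged as spoofed when the network that owns the address is not the network the packet arrived on. It then shows the same NATed packet before and after the workaround of removing the remote endpoint's external range from the site-to-site VPN network. The network names, the catch-all modelling of ISA's External network and all addresses (RFC 5737/1918 documentation and private ranges) are constructed for this example.

```python
"""Toy model of ISA Server's spoof detection (added example, not ISA code).

ISA keeps a table of named networks, each defined by low-high address ranges
(the 'Addresses' tab), and knows which network each adapter or VPN tunnel
belongs to.  A packet is "spoofed" when its source address belongs to a
different network than the one it arrived on.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass
class Network:
    """One ISA network: its name and the low-high ranges from its 'Addresses' tab."""
    name: str
    ranges: List[Tuple[str, str]] = field(default_factory=list)
    # Assumption for the model: ISA's External network is "everything not
    # claimed by another network", so it carries no explicit ranges.
    catch_all: bool = False

    def contains(self, ip: IPv4) -> bool:
        return any(IPv4(lo) <= ip <= IPv4(hi) for lo, hi in self.ranges)


def owning_network(networks: List[Network], ip: IPv4) -> Optional[Network]:
    """Network whose explicit ranges contain ip, else the catch-all network (if any)."""
    for net in networks:
        if net.contains(ip):
            return net
    return next((n for n in networks if n.catch_all), None)


def check_packet(networks: List[Network], arrived_on: str, src: str) -> str:
    """Return 'ok', 'unknown', or 'spoofed:<network>' when the source address
    belongs to a network other than the one the packet arrived on."""
    owner = owning_network(networks, IPv4(src))
    if owner is None:
        return "unknown"
    if owner.name == arrived_on:
        return "ok"
    return f"spoofed:{owner.name}"


def broken_config() -> List[Network]:
    # Constructed addresses, not taken from the original post.
    return [
        Network("Internal", [("192.168.1.0", "192.168.1.255")]),
        # Site-to-site VPN network as the post describes it: the remote ISA
        # server's external range sits alongside the remote client LAN.
        Network("BranchVPN", [("10.20.0.0", "10.20.255.255"),
                              ("203.0.113.0", "203.0.113.255")]),
        Network("External", catch_all=True),
    ]


def fixed_config() -> List[Network]:
    # The workaround: drop the remote endpoint's external range from the VPN network.
    nets = broken_config()
    branch = next(n for n in nets if n.name == "BranchVPN")
    branch.ranges = [r for r in branch.ranges if r != ("203.0.113.0", "203.0.113.255")]
    return nets


REMOTE_ISA_EXTERNAL = "203.0.113.5"  # NATed source of the remote site's client traffic
REMOTE_CLIENT = "10.20.0.7"          # a client behind the remote ISA, seen inside the tunnel


def demo() -> dict:
    """Run the four cases a practitioner would want to compare."""
    return {
        # NATed client traffic hitting the main office's external adapter
        "before_nat_traffic": check_packet(broken_config(), "External", REMOTE_ISA_EXTERNAL),
        "after_nat_traffic": check_packet(fixed_config(), "External", REMOTE_ISA_EXTERNAL),
        # Traffic that really came through the tunnel is still accepted
        "tunnel_traffic": check_packet(fixed_config(), "BranchVPN", REMOTE_CLIENT),
        # And an internet packet claiming an Internal source is still caught
        "fake_internal_from_internet": check_packet(fixed_config(), "External", "192.168.1.50"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:30} {verdict}")
```

Running it shows the NATed packet flagged as `spoofed:BranchVPN` with the original address set and accepted once the remote endpoint's range no longer belongs to the VPN network, while genuinely spoofed Internal addresses arriving from the internet are still rejected.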
