IPSEC Router-to-Router Tunnel established - now what?



I thought I was starting to get a pretty good handle on routing; I'm not too
sure now. But I'm not sure if this is really an ISA issue or a routing
issue.

I have a number of remote sites which need access here to the corporate
network (and us to them). I have ISA installed on Win2K along with RRAS.
The way I have done this in the past is by installing a Win2K box at the
remote site and using RRAS to establish a PPTP tunnel back to the ISA box
(the remote site Win2K Server also has 2 NICs, internal private IP and
external public IP into the router). Then I use static routes in RRAS on
both ends to establish two-way communication. The static routes are bound
to the respective remote site interfaces in RRAS.

Now I want to try and eliminate the Win2K box at the other side and just use
a VPN router - most of the sites have only a few users and a Win2K setup
seems overkill. From what I have been able to discern, ISA won't pass IPSEC
to the internal interface without a lot of trouble (and maybe not even
then). So what I am trying to do is set up router-to-router VPNs - the
remote router being a simple Linksys and my local router right now being a
Siemens 5940 (connected to a T1). I can establish the tunnel just fine, but
I cannot get the two internal networks to see each other no matter how I try
to set up the routing. The Siemens has public IP address of, say,
100.100.100.1 and is connected to the external interface of the ISA box at
100.100.100.2 with GW 100.100.100.1. The internal ISA interface has private
IP of 10.10.10.1 with no gateway. The remote site has public IP
200.200.200.200 GW 200.200.200.1 and internal 10.20.20.20. On the Siemens
router IPSEC configuration I am setting the Remote Destination Subnet of
10.20.20.20 and Remote Gateway of 200.200.200.200. The remote router is set
for Remote IP Address of 100.100.100.1 (since there is no local private IP
subnet on the Siemens) and the Remote Gateway is the same (100.100.100.1).

As I said, I can establish the tunnel just fine and can ping the external
ISA interface from the remote router. I think maybe I just keep getting the
routing wrong, but it seems like I've tried everything that makes any sense.

I would greatly appreciate any help here.

Thanks,

- Mark

