RE: L2TP/IPSEC site-to-site question
- From: v-bpeng@xxxxxxxxxxxxxxxxxxxx ("Bill Peng [MSFT]")
- Date: Mon, 26 Dec 2005 08:05:20 GMT
Hi,
Thanks for posting here.
Based on your description, it seems that this is a complex scenario. I'd
like to provide some general info for your reference:
1. Please make sure that you've followed this article to deploy
site-to-site VPN connection.
Site-to-Site VPN in ISA Server 2004
Microsoft Internet Security and Acceleration (ISA) Server 2004
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/sitetositevpn.mspx
2. Other articles for your reference:
Creating a Site-to-Site L2TP/IPSec VPN Between ISA 2004 VPN Gateways:
How to Configure the Pre-shared Key
http://download.microsoft.com/download/c/3/c/c3c121ad-2c3f-49b8-ad47-aacecc174d6e/Creating%20a%20Site%20to%20Site%20L2TP-IP%20with%20Pre-shared%20key%20-%20MDW.doc
3. If you're still not able to get the VPN to work, I recommend that you
contact our PSS or Advisory service for further troubleshooting.
Advisory Services is a remotely delivered, hourly fee-based, consultative
support option that provides a comprehensive result beyond your break-fix
product maintenance needs. This support option includes working with the
same technician for assistance with issues like product migration, code
review, or new program development.
For more info in the US and Canada:
http://support.microsoft.com/default.aspx?pr=AdvisoryService
Outside of the US/Canada:
http://support.microsoft.com/common/international.aspx
I hope the above info helps. If you have any concerns, please feel free to
post back.
Regards,
Bill Peng
MCSE 2000, MCDBA, CCNP, CCDA
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
The public newsgroup only focuses on ISA related technical issues. For
other Microsoft products, we recommend that you post to the appropriate
newsgroup to get the most qualified responses.
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive notification. When responding to
posts via your newsreader, please "Reply to Group" so that others may learn
and benefit from your issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
>From: "totomaster" <totomaster@xxxxxxxxxxxxxx>
>Subject: L2TP/IPSEC site-to-site question
>Date: Fri, 23 Dec 2005 06:08:02 -0800
>
>Hi
>
>Here is my scenario. I have two sites that are connected through an ISDN
>line, but I don't want to use that line anymore; instead I will use a
>site-to-site VPN connection.
>
>My main site is using a Windows 2000 server with ISA 2000; this computer is
>a member of my domain. IP address 10.10.x.x/16. On this site I have a
>standalone certificate server on Windows 2003. This server is not a Domain
>Controller.
>
>The remote site is using a Windows 2003 server with ISA Server 2004; it is
>also a member of my domain. IP address 10.30.x.x/16
>
>On both ISA servers I have made the necessary configuration to make a PPTP
>connection, and with this type of connection I am able to make the connection
>between both sites.
>
>My problem is when I'm trying to use an L2TP/IPsec connection. On the ISA
>2004, I changed the protocol type of the remote site to L2TP. On the ISA
>Server 2000, packet filters for this type of traffic are there, and I changed
>the type of protocol the network interface is using for the L2TP VPN type.
>
>My concerns are about the certificates part. On the ISA 2000, I used the
>Certificates MMC to request and install a computer certificate with success.
>
>
>On the ISA Server 2004, I tried the same thing but I received this error: The
>certificate request was submitted to CA that is not started or you don't have
>permissions to request certificates from available CAs. I restarted the
>Routing and Remote Access and IPSec Policies services on both computers
>without success. So on this server I used a web request
>(http://10.10.0.x/certsrv) to request an Administrator template certificate.
>
>When I tried to connect I received this error on both ISA servers:
>Event Type: Error
>Event Source: RemoteAccess
>Event Category: None
>Event ID: 20111
>Date: 12/23/2005
>Time: 8:53:50 AM
>User: N/A
>Computer: MASTER3
>Description:
>A Demand Dial connection to the remote interface IsaMoncton on port VPN2-0
>was successfully initiated but failed to complete successfully because of the
>following error: The L2TP connection attempt failed because security policy
>for the connection was not found.
>Data:
>0000: 17 03 00 00 ....
>
>I have read many articles, and some articles say that I need a computer
>certificate, others an IPsec template, others a Router (offline)
>template... So my first idea was to use a computer-type certificate, but I
>cannot use the MMC Certificates snap-in on the ISA 2004 to request one, and
>the computer template is not available for installation when I'm using
>the web.
>
>I can't figure out where my errors are, and all my reading hasn't helped me;
>it mixed me up instead.
>
>Thanks