RE: L2TP/IPSEC site-to-site question
- From: "totomaster" <totomaster@xxxxxxxxxxxxxx>
- Date: Mon, 26 Dec 2005 12:30:02 -0800
Thanks Bill,

For your question 1, I'm pretty sure that I have followed all the steps, at
least for the PPTP connection, because this way it is working.

I would like to try a pre-shared key, but at the main branch I have a Windows
2000/ISA 2000 server and at the remote office I have a Windows 2003/ISA 2004
server. At the remote offices it's easy to configure a pre-shared key, but it
seems more difficult on the Windows and ISA 2000 mix. Am I right? How can I do
that?

If I want to use certificates, what type do I have to use?

Thanks
""Bill Peng [MSFT]"" wrote:
> Hi,
>
> Thanks for posting here.
>
> Based on your description, it seems that this is a complex scenario. I'd
> like to provide some general info for your reference:
>
> 1. Please make sure that you've followed this article to deploy
> site-to-site VPN connection.
>
> Site-to-Site VPN in ISA Server 2004
> Microsoft Internet Security and Acceleration (ISA) Server 2004
> http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/sitetositevpn.mspx
>
> 2. Other articles for your reference:
>
> Creating a Site-to-Site L2TP/IPSec VPN Between ISA 2004 VPN Gateways:
> How to Configure the Pre-shared Key
> http://download.microsoft.com/download/c/3/c/c3c121ad-2c3f-49b8-ad47-aacecc174d6e/Creating%20a%20Site%20to%20Site%20L2TP-IP%20with%20Pre-shared%20key%20-%20MDW.doc
>
> 3. If you're still not able to get the VPN to work, I recommend you to
> contact our PSS or Advisory service for further troubleshooting.
>
> Advisory Services is a remotely delivered, hourly fee-based, consultative
> support option that provides a comprehensive result beyond your break-fix
> product maintenance needs. This support option includes working with the
> same technician for assistance with issues like product migration, code
> review, or new program development.
>
> For more info in the US and Canada:
> http://support.microsoft.com/default.aspx?pr=AdvisoryService
>
> Outside of the US/Canada:
> http://support.microsoft.com/common/international.aspx
>
> I hope the above info helps. If you have any concerns, please feel free to
> post back.
>
> Regards,
>
> Bill Peng
> MCSE 2000, MCDBA, CCNP, CCDA
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
> =====================================================
> The public newsgroup only focuses on ISA related technical issues, for
> other Microsoft products, we recommend you to post to appropriate newsgroup
> to get most qualified responses.
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>
> When opening a new thread via the web interface, we recommend you check the
> "Notify me of replies" box to receive notification. When responding to
> posts via your newsreader, please "Reply to Group" so that others may learn
> and benefit from your issue.
>
> Microsoft engineers can only focus on one issue per thread. Although we
> provide other information for your reference, we recommend you post
> different incidents in different threads to keep the thread clean. In doing
> so, it will ensure your issues are resolved in a timely manner.
>
> For urgent issues, you may want to contact Microsoft PSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Any input or comments in this thread are highly appreciated.
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
> --------------------
> >Thread-Topic: L2TP/IPSEC site-to-site question
> >thread-index: AcYHyklVkhrR/1bZRGC8U7mjwW9erw==
> >X-WBNR-Posting-Host: 206.162.174.228
> >From: "=?Utf-8?B?dG90b21hc3Rlcg==?=" <totomaster@xxxxxxxxxxxxxx>
> >Subject: L2TP/IPSEC site-to-site question
> >Date: Fri, 23 Dec 2005 06:08:02 -0800
> >Lines: 66
> >Message-ID: <BA8828B7-23BF-4F9D-842C-A3A412469781@xxxxxxxxxxxxx>
> >MIME-Version: 1.0
> >Content-Type: text/plain;
> > charset="Utf-8"
> >Content-Transfer-Encoding: 7bit
> >X-Newsreader: Microsoft CDO for Windows 2000
> >Content-Class: urn:content-classes:message
> >Importance: normal
> >Priority: normal
> >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
> >Newsgroups: microsoft.public.isa
> >NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
> >Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGXA03.phx.gbl
> >Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.isa:61414
> >X-Tomcat-NG: microsoft.public.isa
> >
> >Hi
> >
> >Here is my scenario. I have two sites that are connected through an ISDN
> >line, but I don't want to use that line anymore; instead I will use a
> >site-to-site VPN connection.
> >
> >My main site is using a Windows 2000 server with ISA 2000; this computer is
> >a member of my domain. IP address 10.10.x.x/16. On this site I have a
> >stand-alone certificate server on Windows 2003. This server is not a domain
> >controller.
> >
> >The remote site is using a Windows 2003 server with ISA Server 2004; it is
> >also a member of my domain. IP address 10.30.x.x/16.
> >
> >On both ISA servers I have made the necessary configuration to make a PPTP
> >connection, and with this type of connection I am able to make the
> >connection between both sites.
> >
> >My problem is when I'm trying to use an L2TP/IPsec connection. On the ISA
> >2004, I changed the protocol type of the remote site to L2TP. On the ISA
> >Server 2000, packet filters for this type of traffic are there, and I
> >changed the type of protocol the network interface is using for L2TP VPN
> >type.
> >
> >My concerns are about the certificates part. On the ISA 2000, I used the
> >Certificates MMC to request and install a computer certificate with
> >success.
> >
> >On the ISA Server 2004, I tried the same thing but I receive this error:
> >The certificate request was submitted to CA that is not started or you
> >don't have permissions to request certificates from available CAs.
> >I restarted the Routing and Remote Access and IPSec Policies services on
> >both computers without success. So on this server I used a web request
> >(http://10.10.0.x/certsrv) to request an Administrator template
> >certificate.
> >
> >When I tried to connect I receive this error on both ISA servers:
> >Event Type: Error
> >Event Source: RemoteAccess
> >Event Category: None
> >Event ID: 20111
> >Date: 12/23/2005
> >Time: 8:53:50 AM
> >User: N/A
> >Computer: MASTER3
> >Description:
> >A Demand Dial connection to the remote interface IsaMoncton on port VPN2-0
> >was successfully initiated but failed to complete successfully because of
> >the following error: The L2TP connection attempt failed because security
> >policy for the connection was not found.
> >Data:
> >0000: 17 03 00 00 ....
> >
> >I have read many articles, and some articles say that I need a computer
> >certificate, some others an IPsec template, others a Router (offline)
> >template... So my first idea was to use a computer type certificate, but I
> >cannot use the MMC Certificates snap-in on the ISA 2004 to request one, and
> >the computer template is not available for installation when I'm using
> >the web.
> >
> >I can't figure out where my errors are, and all my reading hasn't helped
> >me; it mixed me up instead.
> >
> >Thanks
> >
>
>