RE: Site-to-Site VPN not working



I was looking through my documentation on this setup. Here is what I have
used in the past.

1. Add domain user to use for demand dialing. The username MUST have the
same name as the demand dial connection for the ISA setup. (VPNNET in this
example)
2. In ISA on the remote server, add a site-to-site VPN using the name of the
domain user created in #1, protocol is PPTP. Add the IP addresses of
192.168.x.0 - 192.168.x.255.
3. In ISA on the domain controller, set up a site-to-site VPN using the name
of the domain user created in #1, protocol is PPTP. Add the IP addresses of
the remote office file server (e.g. 192.168.x.0 - 192.168.x.255).
4. On the remote file server, add a Network Rule called MAINOFFICE to route
traffic from all protected networks including Local Host to VPNNET.
5. On the domain controller, add a Network Rule called REMOTEOFFICE to route
traffic from all protected networks including Local Host to VPNNET.
6. Create firewall policy on the domain controller to allow traffic from
Internal to VPNNET. Make sure to duplicate rule for reverse traffic.
7. Create firewall policy on the remote file server to allow traffic from
Internal to main office. Duplicate rule for reverse traffic.
8. Add a Host A record in the main domain controller DNS zone that points to
the internal, static IP of the remote office server.

Not sure if this helps or not. Make sure the localhost is included in the
route. I have had problems with that before.
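As an added example (not from Rob's post, and not an ISA Server API), a small Python checker that models the invariants in the eight steps above and in the confirmation list further down the thread: the demand-dial connection name must match the dial-in user, each side's remote network range must cover the peer's subnet, the route network rule must include Local Host, and an allow rule must exist in both directions. The IsaSite model, the rule encoding and the sample sites are my assumptions; the subnets are the ones from the thread.

```python
import ipaddress
from dataclasses import dataclass

PROTECTED = {"Internal", "Local Host", "All Protected Networks"}

@dataclass
class IsaSite:  # constructed model of one ISA 2004 site-to-site endpoint (hypothetical)
    name: str
    internal: str        # this site's own subnet, e.g. "192.168.1.0/24"
    dial_name: str       # name of the demand-dial (site-to-site) connection / remote network
    dial_user: str       # domain account used for demand dialing; must match dial_name
    remote_ranges: list  # [(low, high)] address ranges assigned to the remote site network
    network_rules: list  # [(set of source networks, destination network, "route" or "nat")]
    access_rules: list   # [(from network, to network)] allow-all rules

def check_site(site: IsaSite, peer: IsaSite) -> list:
    """Apply the thread's checklist to one endpoint and return readable findings."""
    out = []
    if site.dial_user.lower() != site.dial_name.lower():   # Windows names are case-insensitive
        out.append(f"{site.name}: dial user {site.dial_user!r} != connection {site.dial_name!r}")
    net = ipaddress.ip_network(peer.internal)
    spans = [(ipaddress.ip_address(lo), ipaddress.ip_address(hi)) for lo, hi in site.remote_ranges]
    if not any(lo <= net[0] and net[-1] <= hi for lo, hi in spans):
        out.append(f"{site.name}: remote network ranges do not cover peer subnet {peer.internal}")
    routed = [src for src, dst, act in site.network_rules if dst == site.dial_name and act == "route"]
    if not any(src & {"Local Host", "All Protected Networks"} for src in routed):
        out.append(f"{site.name}: no route network rule from Local Host to {site.dial_name}")
    rules = set(site.access_rules)
    if not any((f, site.dial_name) in rules for f in PROTECTED):
        out.append(f"{site.name}: no access rule Internal -> {site.dial_name}")
    if not any((site.dial_name, t) in rules for t in PROTECTED):
        out.append(f"{site.name}: no access rule {site.dial_name} -> Internal")
    return out

def check_pair(a: IsaSite, b: IsaSite) -> list:
    return check_site(a, b) + check_site(b, a)

# Constructed sample using the thread's subnets: main 192.168.1.x, branch 192.168.3.x
MAIN = IsaSite("main", "192.168.1.0/24", "VPNNET", "VPNNET",
               [("192.168.3.0", "192.168.3.255")],
               [({"All Protected Networks", "Local Host"}, "VPNNET", "route")],
               [("Internal", "VPNNET"), ("VPNNET", "Internal")])
BRANCH = IsaSite("branch", "192.168.3.0/24", "VPNNET", "VPNNET",
                 [("192.168.1.0", "192.168.1.255")],
                 [({"All Protected Networks", "Local Host"}, "VPNNET", "route")],
                 [("Internal", "VPNNET"), ("VPNNET", "Internal")])
# Same branch with a mistyped remote range, Local Host missing from the route, a
# user that does not match the connection name, and only one access rule
BAD_BRANCH = IsaSite("branch", "192.168.3.0/24", "VPNNET", "VPNUSR1",
                     [("192.169.1.0", "192.169.1.255")],
                     [({"Internal"}, "VPNNET", "route")],
                     [("Internal", "VPNNET")])
```

Calling check_pair(MAIN, BRANCH) returns no findings, while check_pair(MAIN, BAD_BRANCH) reports all four problems on the branch side, including the mistyped 192.169.x range that leaves the main office subnet unreachable.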

"Erasmo" wrote:

UMMMM, that is exactly right, just the way you described, so what in the heck
am I doing wrong? What did I miss? I have been going over the configuration and
settings a thousand times. My main office subnet is 192.168.1.x and my branch
is 192.169.3.x; I have defined those networks in the VPN configuration network
access, I have set up the network routes and I have the rules. What else? Any
way I could send you screenshots?

"Rob" wrote:

Just to be clear...there are two rules on each ISA server. Each rule allows
all outbound traffic from the Branch to Internal (better is All Protected
Networks) and one the other way, Internal to Branch.

Generally, as long as I have the VPN connection defined properly (includes
all IP's in the remote subnet), route defined, and firewalls allowing
outbound both ways, I haven't had an issue with PPTP connections.

"Erasmo" wrote:

Both rules are allowing access from Branch to Internal and vice versa on both
ISA servers. Any other ideas?

"Rob" wrote:

Clarification...the rule should allow all between the "All protected
networks" and the remote interface.

"Erasmo" wrote:

The ISA server in my main office can ping the remote branch: if I go to a
command prompt on the ISA server in the main office I can ping the remote branch
office, but once I try to do it from a Windows client inside the main office,
it does not go anywhere beyond the ISA internal interface.

"Erasmo" wrote:

Both username and password are the same at both ends, exactly the same. I can
see the tunnel up from my main office, but I cannot ping anything. When I do
a tracert I stop at the ISA server in my main office, and from there it does not
go anywhere. I do see the interface in the routing via ISA.

"Rob" wrote:

Just to confirm a few things:

1. The username you set up is the same name as the VPN connection (e.g.
VPNU1 is the VPN connection and VPNU1 would be the username)?
2. You see the network interface in Routing and Remote Access. Have you
tried right-clicking on the interface in Routing and Remote Access and
choosing Connect?


If you attempt to do a tracert to 192.168.3.1 (assuming that is your
firewall) from the 192.168.1.1 machine, what comes back?

Rob

"Erasmo" wrote:

I have two locations, my main office and a branch office. I have ISA Server
2004 at both ends as firewall edge servers. In the main office we configured
VPN clients to be able to VPN in and access the London network, and this piece
works just fine. Now we are trying to set up a Site to Site VPN between Main
Office and Branch. I followed the document from Microsoft:
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/sitetositevpn.mspx?pf=true
But after setting up and following the instructions in the PPTP walkthrough, we
can't seem to access the Branch site. Here is what I did:

- Set up Remote Branch and all components such as network, credentials and
authentication
- Set up network rules as route
- Set up an access rule in the firewall policy to allow both ways

After all that, I cannot get to the network. I can see the VPN tunnel in the
Monitoring Sessions, but I cannot get to anything. What am I missing?

Main office is 192.168.1.x
Branch 192.168.3.x

Any help on getting this working will be appreciated.
