Re: SBS2000 to router IPSEC



I don't know. The router is at a central office in another country, and its
configuration is the responsibility of the IT people in that office.
I must assume they know what they are doing, because they connect other countries'
branch offices with this router/firewall.
My job is to configure the SBS box here in a branch office with the data
provided by the central IT people.
According to the router log, they think that the problem is at the ISA server.
I have never configured an IPsec connection with IPsec policies, and I don't
even know how to monitor the negotiation process on the SBS side, or monitor
ISA activity in real time.
Another big doubt is where to create the IPsec policies. On a member server,
it should be done in the local policies MMC, but SBS is a domain controller...


"cjobes" <cjobes@xxxxxxxxxxxxx> wrote in message
news:OXiw5czbGHA.628@xxxxxxxxxxxxxxxxxxxxxxx
Which SonicWall product are you using?

Claus

"acon" <ezacon@xxxxxxxxxxx> wrote in message
news:O9NIiLubGHA.5116@xxxxxxxxxxxxxxxxxxxxxxx
I need to connect a SBS2000 server and a SonicWall router with an IPsec
tunnel.
I have configured the router, the IPsec policies and ISA 2000, but the
tunnel does not come up.
The SBS server has 2 NIC adapters. One to the local network
(192.168.1.0/24) and the other connected to the Internet, through an ADSL
router configured as a bridge (the Internet static public address is
assigned to the external SBS server NIC).

Here is what I did:

In the secpol.msc MMC, in "IPsec local policies", I have created a new policy
with two IP filters:
One from remote LAN to local LAN, with the SBS public IP as endpoint.
Another from local LAN to remote LAN, with the SonicWall public address
as endpoint.
I have configured encryption and authentication (shared key for now).
In the TCP/IP advanced properties of the public NIC, I have selected to
use the created IPsec policy.
In ISA Server, I have created two new IP filters:
One called ESP for protocol number 50 in both directions, applied to default
IP address interfaces, and from all remote sites.
The other called 500UDP for port 500 UDP, in both directions, from local
port 500 to remote port 500, default IP..., all remote sites...

I am not sure if tunnel negotiation is blocked by ISA. If I look in
"C:\program files\Microsoft ISA Server\ISALogs" I can see files named
WEBEXTD...log, FWSEXTD...log and IPPEXTD...log. The last entry in these
files is from several hours in the past. I don't know where I can
dynamically monitor the ISA server activity, to look for blocked packets.

Another thing which I am not sure about is if I have to create the IPsec policy
in secpol.mmc (local policies) or through a GPO, because the ISA server
is also a domain controller.

Does anybody have experience with IPsec stuff and SBS? I'd appreciate some more light
on any of my doubts.

Thanks
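One way to answer the "is ISA dropping the negotiation?" question offline, as an added example that is not part of this thread and not a Microsoft tool: read the ISA packet-filter log (the IPPEXTD...log files mentioned above) and count dropped IKE (UDP port 500) and ESP (IP protocol 50) packets that involve the remote peer. The script reads the column layout from the W3C "#Fields:" header line instead of hard-coding it. Assumptions: the log is in W3C extended format with that header, the packet-filter log records dropped packets (ISA 2000's default unless "Log packets from 'Allow' filters" is enabled), and the sample lines, field names and addresses below are constructed for illustration (documentation address ranges, not real hosts).

```python
"""Count dropped IKE (UDP/500) and ESP (IP proto 50) packets in an ISA Server
packet-filter log in W3C extended format.  Column order is taken from the
'#Fields:' header, so the parser does not depend on a fixed layout.
The sample log below is constructed; 203.0.113.5 stands for the SBS public
NIC and 198.51.100.20 for the remote SonicWall peer (both are documentation
address ranges, not real hosts)."""
from collections import Counter

IKE_PORT = "500"   # ISAKMP/IKE, UDP port 500
ESP_PROTO = "50"   # IP protocol number for ESP

# Constructed sample: a header block followed by four dropped-packet records.
# Field names follow the ISA 2000 packet-filter log layout as assumed here.
SAMPLE_LOG = """\
#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Date: 2006-05-10 09:00:00
#Fields: date time source-ip destination-ip protocol param#1 param#2 filter-rule# interface IP-header payload
2006-05-10 09:00:01 198.51.100.20 203.0.113.5 Udp 500 500 - 203.0.113.5 - -
2006-05-10 09:00:02 198.51.100.20 203.0.113.5 Udp 500 500 - 203.0.113.5 - -
2006-05-10 09:00:05 198.51.100.20 203.0.113.5 50 - - - 203.0.113.5 - -
2006-05-10 09:00:07 192.0.2.77 203.0.113.5 Tcp 4123 135 - 203.0.113.5 - -
"""


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in '#Fields:'."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Date, ...) are ignored
        if fields is None:
            raise ValueError("log record found before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than mis-align columns
        yield dict(zip(fields, values))


def is_ike(rec):
    """UDP with port 500 on either side."""
    return rec["protocol"].lower() == "udp" and IKE_PORT in (rec["param#1"], rec["param#2"])


def is_esp(rec):
    """ESP is logged by its IP protocol number."""
    return rec["protocol"] == ESP_PROTO


def vpn_drops(text, peer_ip):
    """Count dropped IKE/ESP packets involving peer_ip, keyed by (kind, direction)."""
    counts = Counter()
    for rec in parse_w3c(text):
        if peer_ip not in (rec["source-ip"], rec["destination-ip"]):
            continue
        direction = "inbound" if rec["source-ip"] == peer_ip else "outbound"
        if is_ike(rec):
            counts[("IKE", direction)] += 1
        elif is_esp(rec):
            counts[("ESP", direction)] += 1
    return counts


def report(text, peer_ip):
    """Human-readable summary: which tunnel traffic the packet filters dropped."""
    counts = vpn_drops(text, peer_ip)
    if not counts:
        return ["no dropped IKE/ESP packets for %s: the ISA packet filters pass "
                "the tunnel traffic, so look at the IPsec policy negotiation next" % peer_ip]
    return ["%d dropped %s packet(s) %s (peer %s): the matching ISA packet filter "
            "is missing or not applied to this interface" % (n, kind, direction, peer_ip)
            for (kind, direction), n in sorted(counts.items())]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG, "198.51.100.20"):
        print(line)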