Re: SBS2000 to router IPSEC



Have a look at KB816514

Claus

"acon" <ezacon@xxxxxxxxxxx> wrote in message
news:%23%23028bCcGHA.2404@xxxxxxxxxxxxxxxxxxxxxxx
OK. I will ask for the log files and exact model.

Meanwhile, can you explain to me where I should create the IPSEC policies on
the SBS server? In local policies or in a GPO applied to an OU?
I am also not sure what IP filters are needed in ISA Server to allow
traffic for a normal IPSEC negotiation.



"cjobes" <cjobes@xxxxxxxxxxxxx> wrote in message
news:OlvXOh8bGHA.3348@xxxxxxxxxxxxxxxxxxxxxxx
In order to find more answers the people at the remote site need to look
at the SonicWall log files or email them to you. You also need to know
what IPSEC tunnel they created. Depending on the SW model there are some
known issues with Branch Office tunnels SW to SBS. Until we know more
about the configuration on the SW and see the logfiles there isn't much
to go on.

Claus


"acon" <ezacon@xxxxxxxxxxx> wrote in message
news:u1PQS%237bGHA.864@xxxxxxxxxxxxxxxxxxxxxxx
Sorry, when I say router I mean firewall.
The WAN NIC of the SBS server is connected to an ADSL bridge, and the
Internet public (static) address is assigned to this NIC, so there is
nothing to configure between the SBS router and the Internet.

"cjobes" <cjobes@xxxxxxxxxxxxx> wrote in message
news:u7D43m4bGHA.4672@xxxxxxxxxxxxxxxxxxxxxxx
I'm not asking about the router, I'm asking about the Firewall
(SonicWall). What do you have on your end in front of your SBS?

Claus

"acon" <ezacon@xxxxxxxxxxx> wrote in message
news:e0Nj5%23zbGHA.3344@xxxxxxxxxxxxxxxxxxxxxxx
I don't know. The router is at a central office in another country, and
its configuration is the responsibility of the IT people in that office.
I must assume they know what they are doing, because they connect other
countries' branch offices with this router/firewall.
My job is to configure the SBS box here in a branch office with the
data provided by the central IT people.
According to the router log, they think that the problem is at the ISA
server.
I have never configured an IPSEC connection with IPSEC policies, and I
don't even know how to monitor the negotiation process on the SBS
side, or monitor ISA activity in real time.
Another big doubt is where to create the IPSEC policies. On a member
server, it should be done in the local policies MMC, but SBS is a domain
controller....


"cjobes" <cjobes@xxxxxxxxxxxxx> wrote in message
news:OXiw5czbGHA.628@xxxxxxxxxxxxxxxxxxxxxxx
Which SonicWall product are you using?

Claus

"acon" <ezacon@xxxxxxxxxxx> wrote in message
news:O9NIiLubGHA.5116@xxxxxxxxxxxxxxxxxxxxxxx
I need to connect an SBS2000 server and a SonicWall router with an
IPSEC tunnel.
I have configured the router, the IPSEC policies and ISA 2000, but
the tunnel does not come up.
The SBS server has 2 NIC adapters. One to the local network
(192.168.1.0/24) and the other connected to the Internet, through an ADSL
router configured as a bridge (the Internet static public address is
assigned to the external SBS server NIC).

Here is what I did:

In the secpol.msc MMC, in "IPsec local policies", I have created a new
policy with two IP filters:
One from the remote LAN to the local LAN, with the SBS public IP as
endpoint.
Another from the local LAN to the remote LAN, with the SonicWall public
address as endpoint.
I have configured encryption and authentication (shared key for now).
In the TCP/IP advanced properties of the public NIC, I have selected
to use the created IPSEC policy.
In ISA Server, I have created two new IP filters:
One called ESP for protocol number 50 in both directions, applied to
default IP address interfaces, and from all remote sites.
The other called 500UDP for port 500 UDP, in both directions, from
local port 500 to remote port 500, default ip..., all remote
sites...
I am not sure if tunnel negotiation is blocked by ISA. If I look in
"C:\program files\Microsoft ISA Server\ISALogs" I can see files
named WEBEXTD...log, FWSEXTD...log and IPPEXTD...log. The last entry
in these files is from several hours in the past. I don't know where
I can dynamically monitor the ISA Server activity, to look for
blocked packets.

Another thing which I am not sure about is whether I have to create the IPsec
policy in secpol.mmc (local policies) or through a GPO, because the
ISA server is also a domain controller.

Does somebody have experience with IPSEC stuff and SBS? I would appreciate some more
light on any of my doubts.

Thanks
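
The rule and filter layout described in the original post, expressed as a consistency check. This is an added example, not part of the thread: the remote LAN and both public addresses are constructed placeholders, and the class and function names are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class TunnelRule:            # one IPsec rule: IP filter plus its tunnel endpoint
    src: str
    dst: str
    endpoint: str
    mirrored: bool = False

@dataclass(frozen=True)
class PacketFilter:          # one firewall packet filter on the external interface
    protocol: int            # IP protocol number (17 = UDP, 50 = ESP)
    local_port: Optional[int] = None
    remote_port: Optional[int] = None
    both_directions: bool = True

def check_tunnel(local_lan, remote_lan, local_gw, remote_gw, rules, filters):
    """Return a list of problems; an empty list means the pieces are consistent."""
    problems = []
    l, r = ip_network(local_lan), ip_network(remote_lan)
    for name, src, dst, gw in (("outbound", l, r, remote_gw), ("inbound", r, l, local_gw)):
        match = [x for x in rules if ip_network(x.src) == src and ip_network(x.dst) == dst]
        if not match:
            problems.append(f"missing {name} rule {src} -> {dst}")
        for x in match:
            # A rule's endpoint is the gateway where that direction's tunnel terminates.
            if ip_address(x.endpoint) != ip_address(gw):
                problems.append(f"{name} rule endpoint should be {gw}, not {x.endpoint}")
            if x.mirrored:  # tunnel-mode filters are one-way and must not be mirrored
                problems.append(f"{name} filter must not be mirrored")
    if not any(f.protocol == 17 and f.local_port == 500 and f.remote_port == 500
               and f.both_directions for f in filters):
        problems.append("IKE not allowed: need UDP 500 <-> 500, both directions")
    if not any(f.protocol == 50 and f.both_directions for f in filters):
        problems.append("ESP not allowed: need IP protocol 50, both directions")
    return problems

# Constructed sample values (only 192.168.1.0/24 comes from the post).
LOCAL_LAN, REMOTE_LAN = "192.168.1.0/24", "10.20.0.0/24"
SBS_PUBLIC, SONICWALL_PUBLIC = "203.0.113.10", "198.51.100.20"
FILTERS = [PacketFilter(50), PacketFilter(17, 500, 500)]   # "ESP" and "500UDP"
AS_POSTED = [TunnelRule(REMOTE_LAN, LOCAL_LAN, SBS_PUBLIC),
             TunnelRule(LOCAL_LAN, REMOTE_LAN, SONICWALL_PUBLIC)]
SWAPPED = [TunnelRule(REMOTE_LAN, LOCAL_LAN, SONICWALL_PUBLIC),   # endpoints reversed
           TunnelRule(LOCAL_LAN, REMOTE_LAN, SBS_PUBLIC)]

if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("swapped", SWAPPED)):
        print(label, check_tunnel(LOCAL_LAN, REMOTE_LAN, SBS_PUBLIC,
                                  SONICWALL_PUBLIC, rules, FILTERS))
```
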














