Re: netopia 3346 and site to site vpn with sbs 2003 premium



Shashank,

Thanks for the post and the help. I understand what you are saying now. I had already been through that. Actually, the Netopia had fairly good documentation on this part. You are right: if you don't put the external IP address in the place for the internal address, it will not work.

Everything works between all clients and the server and all clients EXCEPT the fact that when the remote clients try to log on to the domain, it is unavailable and the client uses cached creds. In fact, they can check the VPN box on login and it will work, and they can establish a client-side VPN after they are logged on, but this is not what I need. If they don't authenticate to the domain, then there is no login script run, no group policy run, etc. For some reason the domain authentication traffic is blocked. I am beginning to wonder if it is coming from the Netopia router.

Anybody else have any experience with these routers? This is what ATT/SBC is supplying for their Pro DSL circuits.
--
Tim B
MS SBS, MCP


"Shashank" wrote:


Tim, lemme give you a better idea by giving you a synopsis of what happened a week back, and like I said, I've done this 4-5 times and every time it's an issue with the route from the remote site router.
===========================================================
Example configuration
----------------------------------
SBS 2003 SP 1 with ISA 2004 installed.
Internal IP: 192.168.16.2 / 24
External IP: 1.1.1.1

Remote Site (Safari)
Linksys router external IP: 2.2.2.2
Linksys router internal IP: 10.0.0.1
Server IP: 10.0.0.2 / 24

and this is what must be happening to you too:

A client computer on the SBS LAN can ping the remote server 10.0.0.2. The remote server (10.0.0.2) can ping the internal IP of the SBS server (192.168.16.2).

If you try pinging the remote server IP 10.0.0.2 from the SBS server, you may not be able to ping it. The result may be "Negotiating IP security". Even if you are able to ping it, you won't be able to view shares. Here is how I found out what to do:

I loaded IPsecmon in MMC and saw that there is a specific filter with a source of 1.1.1.1 (SBS external IP) and a destination of 10.0.0.0/24 (remote network) for any outbound port and protocol.

So I checked the remote side and checked its IPsec policies, and there was none to connect to 1.1.1.1 (SBS external IP). There is only one to connect to 192.168.16.0/24. This has been the common misconfiguration on all the issues I have faced.

We need to add an IPsec policy to the Linksys router for connections to the SBS external IP (1.1.1.1). When connections originate from the SBS server in this scenario, the outgoing IP address will be the SBS external address (1.1.1.1).

So I added one using the following steps, which are specific to the Linksys RV042.

Linksys RV042

1. Log into the Linksys web management interface.
2. Click VPN.
3. Click Client to Gateway.
4. Click Add New Tunnel.

5. On the subsequent screen, under 'Client to Gateway' click Add Now.
6. Select the Tunnel radio button.
7. Specify a name for the tunnel.
8. Select the correct interface. (WAN1 or WAN2)

9. In the Local Group Setup section, set the appropriate configuration for the site where this Linksys router is.

10. In the Remote Client Setup section, set Remote Client to IP Only.
11. Set the IP address field to the external IP address of the SBS 2003/ISA 2004 server (1.1.1.1 in the example used above).

12. In the IPSec Setup section, set the appropriate configuration. This will be the same settings that are defined in the remote site-to-site IPsec tunnel in ISA 2004.

To access this:
a. Open the ISA 2004 MMC.
b. Click Virtual Private Networks (VPN) and then click the Remote Sites tab.
c. View the properties of the remote site network connection and click the Connection tab.
d. Click the IPSec Settings button.
e. Match the settings on the tunnel you are creating above to the settings on the Phase I and Phase II tabs here.
f. Once you are done, you can cancel out of this properties dialog box.

13. Click Save Settings in the Linksys web management interface.

=============================================================
Here are the steps necessary to implement the required changes to a Sonicwall TZ170:

1. Access the administration interface of the router (usually by opening a web browser and navigating to <http://(default gateway address)>).
2. Log in to the device as an administrator.
3. Click on 'VPN' on the panel on the left-hand side.
4. On the main panel you will see a section called 'VPN Policies' with a policy for the VPN in question in the list. Next to that policy you will see an icon with a pencil and paper under the column heading 'Configure'. Click on that icon (be careful not to click on the trash can).
5. On the 'General' tab you will see a 'Destination Networks' section. They probably have already selected 'specify destination networks below' and have specified the address of the LOCAL network for the SBS network (for example 192.168.16.0 / 255.255.255.0). If so, click on 'Add' and add the public IP address of the SBS network with a subnet mask of 255.255.255.255.
6. Save the settings and reset the router/VPN connection if necessary.

====================================================

Here are the steps necessary to implement the required changes to a Netgear FVS318V3 router:

1. Access the administration interface of the router (usually by opening a web browser and navigating to <http://(default gateway address)>).
2. Log in to the device as an administrator.
3. Click on 'VPN' on the panel on the left-hand side and then 'VPN Policies'.
4. Add a new policy identical to the existing one, but specify the remote IP address as a single IP address, the external IP of the SBS network, with a subnet mask of 255.255.255.255.
5. Save the settings and reset the router/VPN connection if necessary.
=============================================================

I hope these help and Netopia matches them, or at least gives you an idea on what to do.

Good Luck,

Shashank MS EPS
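As an added illustration, not code from the thread or from any of the vendors named in it, the following Python check models the selector mismatch Shashank describes: the SBS/ISA side negotiates from its external IP 1.1.1.1 toward 10.0.0.0/24, while the remote router's only policy names the SBS LAN 192.168.16.0/24, so ISA-sourced traffic matches nothing until a 1.1.1.1/32 policy is added. The addresses are the example values from the post; the policy records and the "packet from the SBS side" matching rule are an assumed simplification of what a site-to-site router does when it looks up a traffic selector.

```python
"""
Constructed example: check whether the remote router's IPsec policies
cover the traffic selector the SBS/ISA side wants to negotiate.
Addresses are the example values from the thread; the policy layout is
an assumption for illustration, not any vendor's configuration format.
"""
import ipaddress
from dataclasses import dataclass


def net(s):
    """Parse 'a.b.c.d/n' into an IPv4Network (host bits allowed)."""
    return ipaddress.ip_network(s, strict=False)


@dataclass(frozen=True)
class IpsecSelector:
    """One traffic selector as a site-to-site router stores it:
    local network <-> remote network."""
    name: str
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


# What IPsecmon on the SBS side showed: source 1.1.1.1 (ISA external IP),
# destination 10.0.0.0/24 (remote site), any port/protocol.
SBS_SIDE_FILTER = IpsecSelector("sbs-to-remote", net("1.1.1.1/32"), net("10.0.0.0/24"))

# Remote router (Linksys in the example) before the fix: only the SBS LAN.
REMOTE_POLICIES_BEFORE = [
    IpsecSelector("to-sbs-lan", net("10.0.0.0/24"), net("192.168.16.0/24")),
]

# After the fix: an extra policy for the SBS external IP as a /32 host
# (the 255.255.255.255 mask in the Sonicwall/Netgear steps).
REMOTE_POLICIES_AFTER = REMOTE_POLICIES_BEFORE + [
    IpsecSelector("to-sbs-external", net("10.0.0.0/24"), net("1.1.1.1/32")),
]


def matching_policy(src, dst, policies):
    """Name of the first remote-router policy whose selector covers a
    packet arriving from the SBS side (src in policy.remote, dst in
    policy.local), or None if no policy matches."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for p in policies:
        if src_ip in p.remote and dst_ip in p.local:
            return p.name
    return None


def uncovered_sbs_sources(sbs_filter, policies):
    """Return the SBS-side source networks (as strings) that no remote
    policy's 'remote' selector contains; empty list means the remote
    router can negotiate the selector the SBS side expects."""
    covered = any(sbs_filter.local.subnet_of(p.remote) for p in policies)
    return [] if covered else [str(sbs_filter.local)]


if __name__ == "__main__":
    # LAN client behind SBS pinging the remote server: works either way.
    print("LAN client  ->", matching_policy("192.168.16.50", "10.0.0.2", REMOTE_POLICIES_BEFORE))
    # SBS server itself (sourced from 1.1.1.1): no match before, match after.
    print("SBS (before)->", matching_policy("1.1.1.1", "10.0.0.2", REMOTE_POLICIES_BEFORE))
    print("SBS (after) ->", matching_policy("1.1.1.1", "10.0.0.2", REMOTE_POLICIES_AFTER))
    print("uncovered before:", uncovered_sbs_sources(SBS_SIDE_FILTER, REMOTE_POLICIES_BEFORE))
    print("uncovered after: ", uncovered_sbs_sources(SBS_SIDE_FILTER, REMOTE_POLICIES_AFTER))
```

The two `matching_policy` calls reproduce the symptom in the post: a LAN client's ping matches the existing LAN-to-LAN policy, while a ping sourced from the SBS server itself matches nothing until the /32 host policy for the external address exists. `uncovered_sbs_sources` is the same comparison done from the configuration rather than from a packet, which is the check worth running against each remote router's policy list before assuming the tunnel itself is at fault.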



