IPSec Tunnel

Discussion in 'Windows Small Business Server' started by Richard Winstock, Dec 14, 2004.

  1. Hi Everyone,

    Now I must admit, although I understand a lot of the principles, I am not
    exactly a network expert.

    I'm having difficulty setting up an IPSec VPN between my office and another
    office in France. I use SBS 2003/ISA 2000 as the proxy server and gateway
    this end, with a CISCO 2600 as the tailend of a leased line to the outside
    world. In France they have a Fortinet device, allegedly sat there waiting
    for my tunnel. I followed the KB guide (816514) to set up the tunnel, and it
    seemed to go ok, the IPSec policy all seemed sensible. I think the trouble
    is the static route to the French subnet, as every time I try to add it, it
    says "The route addition failed: Either the interface index is wrong or the
    gateway does not lie on the same network as the interface. Check the IP
    Address Table for the machine." The command I am using is: "C:\Documents and
    Settings\Administrator>route add 128.1.0.0 mask 255.255.0.0 81.255.xxx.yyy"
    (I've blanked the full IP address of the French router!)

    ....here is a quick diagram of what I'm trying to do:


    +------+        +------+          +------+        +------+
    | SBS  |        |Router|          |Fort. |        |Server|
    |      |  --->  |      |  <~~~~>  |      |  --->  |      |
    | ISA  |        |      |   Inet   |      |        |      |
    +------+        +------+          +------+        +------+


    SBS:
    Private Subnet: 194.202.136.x

    French:
    Private Subnet: 128.1.x.y

    Any advice from anyone?

    Please!

    Many Thanks!
     
    Richard Winstock, Dec 14, 2004
    #1

  2. This question is kind of complicated. The pic that you showed us is kind of
    garbled... would this be right?

    PCs on France (128.1.x.y)
    |
    Fortinet
    |
    Internet
    |
    Cisco
    |
    ISA
    |
    PCs on main office
    (194.202.136.x)

    Where are the VPN endpoints (between Fortinet and Cisco)? If so, this
    wouldn't work because it's terminated in front of ISA. If you have the Cisco
    on your local subnet (which BTW both are not *private* addresses) then it
    would be correct but ISA wouldn't work. Also, you are trying to create an
    erroneous route (the gateway should be on the local LAN, not 81.255.x.y); in
    fact, depending on your setup, you wouldn't even need to create that route.

    I guess we need a detailed pic of your setup before we continue. You may
    also want to check this out:
    http://msmvps.com/javier/archive/2004/12/08/23045.aspx
    Although in your case you might be better off by creating a PPTP VPN tunnel
    (I think Fortinet has this capability) between France and SBS (as opposed to
    Cisco).
     
    Javier Gomez [SBS MVP], Dec 14, 2004
    #2
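
Added example, not part of the original posts: a Python model of the on-link rule behind the "route addition failed" error, plus a check of the remark that neither site subnet is private (RFC 1918) address space. The interface addresses, prefix lengths and the two stand-in gateway addresses are constructed assumptions.

```python
import ipaddress

# RFC 1918 blocks: the only IPv4 ranges reserved for private LAN use.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed interface table for the SBS/ISA box. The /24 and /29 prefix
# lengths and the 203.0.113.x addresses are assumptions, not from the thread.
LOCAL_INTERFACES = {
    "internal": "194.202.136.1/24",
    "external": "203.0.113.10/29",
}


def is_rfc1918(subnet):
    """True if the whole subnet sits inside an RFC 1918 private block."""
    net = ipaddress.ip_network(subnet)
    return any(net.subnet_of(block) for block in RFC1918)


def check_route_add(interfaces, dest, mask, gateway):
    """Model the on-link test a static route must pass: (ok, detail)."""
    try:
        # Strict parsing rejects a destination with host bits set.
        network = ipaddress.ip_network(f"{dest}/{mask}")
    except ValueError as exc:
        return False, f"bad destination/mask: {exc}"
    gw = ipaddress.ip_address(gateway)
    for name, cidr in interfaces.items():
        if gw in ipaddress.ip_interface(cidr).network:
            return True, f"{network} via {gw} on {name}"
    return False, f"gateway {gw} is not on any local subnet"


if __name__ == "__main__":
    # 198.51.100.1 stands in for the blanked remote router address.
    print(check_route_add(LOCAL_INTERFACES, "128.1.0.0", "255.255.0.0", "198.51.100.1"))
    # 203.0.113.9 stands in for an on-link next hop such as the Cisco.
    print(check_route_add(LOCAL_INTERFACES, "128.1.0.0", "255.255.0.0", "203.0.113.9"))
    for subnet in ("194.202.136.0/24", "128.1.0.0/16", "192.168.16.0/24"):
        print(subnet, "RFC 1918" if is_rfc1918(subnet) else "not RFC 1918")
```

Using publicly allocated ranges such as 194.202.136.x or 128.1.x.y on internal LANs means traffic to the real owners of those addresses is misrouted, and tunnel policies written against them can match unintended hosts.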

  3. Hi Javier,

    Sorry about the garbled diagram....it looked ok in a fixed font!

    You are right about almost everything. The Cisco only has a public IP,
    whilst the ISA/SBS machine has one public and one private. The Cisco only
    ends the circuit, nothing else. The VPN end points are supposed to be the
    Fortinet box and the ISA/SBS server. Your diagram is right about everything
    else. I looked at your link, and I guess I am trying to achieve option 2 -
    Use a PPTP VPN-capable router on the remote site and establish the VPN
    directly to the SBS box. I can go for option 3 though if it is easier!

    Many, many thanks for your help!


    rich


     
    Richard Winstock, Dec 14, 2004
    #3
  4. I have little experience with that particular setup (PPTP VPN in a gateway
    to gateway config)... so maybe you want to wait for someone else experienced
    in this to chime in. In the meantime, I can tell you a thing or two:

    1) This is not an IPSec type of VPN (just so you know).
    2) AFAIK-> You don't need to create a static route because SBS/ISA are the
    default gateway of your network.

    [Option 3 would require you to buy another IPSec VPN capable router (i.e.
    another Fortinet)... which you might not want to do. Also, I don't think you
    would benefit a lot from this.]

    Ok... going back to your scenario I would start by running the Remote Access
    Wizard. Then I would test that you can VPN to the SBS box using a client
    from outside your network (this is pretty simple and SBS does everything for
    you... only have to download the Remote Access Connection Thingy on RWW).
    After this is working... then I would go to the Fortinet and read the PPTP
    VPN instructions and try to VPN to the SBS box and see if it works. [again I
    must point out that this is what *I think* should be the steps].

    --
    Javier [SBS MVP]
    www.msmvps.com/javier
    << SBS ROCKS!!! >>

     
    Javier Gomez [SBS MVP], Dec 14, 2004
    #4