netopia 3346 and site to site vpn with sbs 2003 premium

Discussion in 'Windows Small Business Server' started by Tim B, Sep 8, 2006.

  1. Tim B

    Tim B Guest

    My client is running the above at the main office and a netopia 3346 at the
    remote site. I have a site to site vpn established between isa 2004 and the
    netopia. I can ping and trace between subnets. What I cannot do is have the
    clients login to the domain. I know I can have them check the dialup box when
    logging in but I want to pass the AD and domain info within the vpn directly.
    No NAT on the client side and the remote clients are running static ips in
    the 192.168.17.X range. The isa 2004 has an extenal IP on the first adapter
    and private ip in the 192.168.16.X range for the internal adapter. range
    sbs2003 premium
    24.1.x.x (external interface on isa)
    24.1.x.x(external interface on netopia)
    24.4.x.x(external interface on remote netopia)
    netopia (internal interface on remote netopia)
    192.168.17.x (remote clients)

    I configured the ipsec vpn according to the microsoft article and the vpn
    works fine, I just can't pass the domain info or browse files on the sbs box.
    Because of this, no group policy is getting passed to the remote clients. I
    have opened icmp and file share ports on the remote clients SP2 firewalls (XP

    Any suggestions to get the info passing? I want the remote clients working
    on the sbs network as if they were local to the 192.168.16 network.

    Thanks in advance
    Tim B, Sep 8, 2006
    1. Advertisements

  2. Tim B

    Tim B Guest

    Thanks for the reply. There is an ipsec tunnel setup from the remote netopia
    to the sbs box and it is working fine. Pings work in both directions, just
    not domain related traffic. So I'm not sure what you meant when you said
    there is a need for an ipsec policy on the netopia to the sbs box. Are you
    talking about putting a specific ip route on the remote netopia?
    Tim B, Sep 9, 2006
    1. Advertisements

  3. Tim B

    Tim B Guest


    Thanks for the post and the help. I understand what you are saying now. I
    had already been through that. Actually, the netopia had fairly good
    documentation on this part. You are right. If you don't put the external ip
    address in the place for the internal address it will not work.

    Everything works between all clients and the server and all clients EXCEPT
    the fact that when the remote clients try to logon to the domain, it is
    unavailable and the client uses cached creds. In fact, they can check the vpn
    box on login and it will work, and they can establish a client side vpn after
    they are logged on, but this is not what I need. If they don't authenticate
    to the domain, then there is no login script run, no group policy run, etc.
    For some reason the domain authentication traffic is blocked. I am beginning
    to wonder if it is coming from the netopia router.

    Anybody else have any experience with these routers? This is what ATT/SBC is
    supplying for their pro dsl circuits.
    Tim B, Sep 9, 2006
  4. Tim B

    Tim B Guest


    I'm thinking about replacing the netopia's with something like a linksys or
    dlink. The netopia is not that great. But it is what sbc/att uses so I can't
    believe I'm the first one with this problem.
    It's interesting to note tonight I was on the remote client via rdp and you
    could NOT ping anything behind the isa server. But you can run a vpn client
    on the remote client and then of course everything starts working. Also, I
    ran a few traceroutes and it looks like any traffic destined for the isa
    server internal lan is trying to go out the isp gateway and not the ipsec
    vpn. I could have sworn this was working before, but I have made a lot of
    changes and tests so I was probably mistaken. I am almost positive it lies in
    the netopia, considering the traces are not going out the ipsec vpn. It's
    almost like the ipsec vpn is not there, but it shows up in logs on the
    netopia and the isa server.
    Tim B, Sep 10, 2006
  5. Tim B

    Tim B Guest

    Scratch that last post. If you trace from the netopia itself it doesn't go
    out the ipsec vpn. If you trace from the remote client behind the netopia it
    times out right after hitting the netopia. This has to be a netopia problem
    with blocking.
    Tim B, Sep 10, 2006
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.