SBS 2003 to ISA 2006 pptp site to site vpn connection

Discussion in 'Server Networking' started by averied, Sep 5, 2007.

  1. averied

    averied Guest

    Hi..



    I'm trying to create a site to site VPN connection between a machine with
    ISA 2006 and a machine with SBS2003 SP2



    So I created a remote site in ISA with the details of the remote location,
    and created the user with the same name as the network.. The network has the
    same name on both servers, so I don't think the username will be an issue...



    In SBS I enabled RRAS, and created a new demand dial interface with ISA 2006
    Public IP address as destination server.. I also added the username and pass
    information..



    Now the strange thing is once I setup everything, I try to connect from the
    SBS2003 site to the ISA site, but not a single packet with ISA2006's IP is
    sent.. I tested with wireshark.. and I have no firewalls in this server.. at
    least when I try to ping the ISA2006 server I can see the outgoing packets,
    but nothing when trying to enable the site to site VPN connection I just
    setup...



    any ideas??
     
    averied, Sep 5, 2007
    #1

  2. Does the DoD interface in RRAS actually connect? Error out? what?

    You need to differentiate between the Tunnel not "going up" -vs- traffic
    simply not flowing through the Tunnel after it is up. They are two different
    things.

    Traffic not going through the existing Tunnel I can probably figure out.
    The Tunnel not "going up" at all I might have trouble with.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
    Understanding the ISA 2004 Access Rule Processing
    http://www.isaserver.org/articles/ISA2004_AccessRules.html

    Troubleshooting Client Authentication on Access Rules in ISA Server 2004
    http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

    Microsoft Internet Security & Acceleration Server: Partners
    http://www.microsoft.com/isaserver/partners/default.asp

    Microsoft ISA Server Partners: Partner Hardware Solutions
    http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
     
    Phillip Windell, Sep 5, 2007
    #2

  3. Bill Grant

    Bill Grant Guest

    I agree with Phillip. This is tricky to set up. If you are using RRAS at
    both ends, you have to configure both servers manually and you know where
    you are. If you are using ISA at both ends the wizard gives you the config
    for the second server. If you use the ISA set up at one end, how do you know
    what to configure at the RRAS end?
     
    Bill Grant, Sep 6, 2007
    #3
  4. I think ISA still does it similar "under the hood" so on the RRAS box you
    just treat the situation as if the ISA was really an RRAS box. ISA2000 and
    2004 actually used RRAS to perform that task. ISA2006 has the abilities
    built into itself but I think it follows the same principles underneath
    everything.

    After my last post I tried to set up a "model" of what he is doing using an
    ISA2004 on one end and an ISA2006 on the other end. I could not get it to
    work [yet],...it's embarrassing,..so don't tell anyone :) The hard part is
    figuring out what component or at what level along the way it "doesn't work"
    whenever it "doesn't work". Maybe I'll mess with it more this afternoon or
    at home tonight. That's pretty bad when a former ISA-MVP can't get the S2S
    VPN up, so we'll have to keep that quiet :)

     
    Phillip Windell, Sep 6, 2007
    #4
  5. Bill Grant

    Bill Grant Guest

    I think the tricky part setting up the RRAS side would be to figure out
    what name to use to initiate the connection. You can configure the
    demand-dial interface at the RRAS end and assign the necessary static route so
    that traffic for the "other" site will go through the VPN when it is up.
    (You link the route to the dd interface through the new static route wizard
    in RRAS). But all of that is useless if it doesn't connect to the correct
    interface at the other end.

    In a RRAS to RRAS connection you actually use the name of the
    demand-dial interface on the answering router as the username to initiate
    the connection. That ensures that the connection binds to the correct dd
    interface and that the static route back to the calling router's subnet is
    activated. If you use a password which doesn't match the dd interface name
    you just connect as a dialup type client and the routing doesn't work
    (because you only get a host route back to the calling machine, not a subnet
    route for the machines behind the calling router).
     
    Bill Grant, Sep 7, 2007
    #5
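
The RRAS-to-RRAS rule described in post #5, written out as a small configuration checker. This is an added example, not code from any poster or from Microsoft; the `Router` model, the interface names (`ToHQ`, `ToBranch`), the username `vpnuser` and the subnets are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Router:
    name: str
    lan: str                                       # subnet behind this router (CIDR)
    dd_users: dict = field(default_factory=dict)   # dd interface -> username it dials out with
    routes: dict = field(default_factory=dict)     # destination CIDR -> dd interface carrying it

def classify_call(answering, username):
    """'router' if the username names a dd interface on the answering side, else 'client'."""
    return "router" if username in answering.dd_users else "client"

def routes_cover(router, subnet, dd_name):
    """True if a static route bound to dd_name covers the whole subnet."""
    target = ipaddress.ip_network(subnet)
    return any(iface == dd_name and target.subnet_of(ipaddress.ip_network(dest))
               for dest, iface in router.routes.items())

def check_link(caller, dd_name, answering):
    """Return a list of problems for caller dialing answering over dd_name."""
    problems = []
    username = caller.dd_users[dd_name]
    if not routes_cover(caller, answering.lan, dd_name):
        problems.append(f"{caller.name}: no static route to {answering.lan} via '{dd_name}'")
    if classify_call(answering, username) == "client":
        # Username does not name a dd interface: no subnet route is activated.
        problems.append(f"{answering.name}: '{username}' matches no dd interface; "
                        "call lands as a dial-up client (host route only)")
    elif not routes_cover(answering, caller.lan, username):
        problems.append(f"{answering.name}: interface '{username}' has no route back to {caller.lan}")
    return problems

# Constructed sample configuration (names and subnets are made up).
sbs = Router("SBS", "192.168.16.0/24", {"ToHQ": "ToBranch"}, {"10.0.0.0/24": "ToHQ"})
isa = Router("ISA", "10.0.0.0/24", {"ToBranch": "ToHQ"}, {"192.168.16.0/24": "ToBranch"})
bad = Router("SBS", "192.168.16.0/24", {"ToHQ": "vpnuser"}, {"10.0.0.0/24": "ToHQ"})

if __name__ == "__main__":
    for caller in (sbs, bad):
        print(caller.dd_users, "->", check_link(caller, "ToHQ", isa) or "OK")
```

The `bad` configuration authenticates with a username that is not a demand-dial interface name on the answering side, so the checker reports the host-route-only outcome the post describes.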