VPN IPSec Tunneling Configuration

Discussion in 'Windows Small Business Server' started by lmiller, Sep 29, 2005.

  1. lmiller

    lmiller Guest

    I could use some advice here...
    I am trying to set up an IPSec VPN tunnel to a remote site. Here are the
    details.
    I followed the Microsoft article 816514 "How to Configure IPSec Tunneling in
    Windows 2003 Server".

    SBS 2003 Standard Server with 2 NICs, one to the router and one to the internal
    LAN. The inside client (NetA) is a UNIX server with an internal private IP
    10.0.76.x 255.255.252.0.
    The other end of the tunnel is a CISCO router with PIX firewall going to a
    UNIX server (NetB) with internal address of 10.0.0.x.
    I created the IPSec policy, created a NetA to NetB filter (private addresses using
    the Network selection using 10.0.76.0 255.255.255.0 to 10.0.0.0
    255.255.255.0) and NetB to NetA, setting the end point to be my external NIC
    card for NetA to NetB and the CISCO router IP for the end point of NetB to
    NetA. The security set is MD5/3DES with medium2, no PFS. The key is
    preshared as well.

    The outside client can connect through stage 1, but stage 2 fails. It
    appears to be a problem with RRAS, so I created a static route in the table
    directing the 10.0.0.x to be rerouted to the public IP address of the Cisco
    router. But, since IPSec is looking at port 500, and the internal UNIX
    server is the one being "negotiated", I think the traffic coming in on 500 is
    passing authentication, but the SBS box doesn't know where to send it.

    Sorry if this sounds confusing...but I'm not sure how to proceed.
     
    lmiller, Sep 29, 2005
    #1

  2. Crina Li

    Crina Li Guest

    Hi Lmiller,

    Thank you for posting in SBS newsgroup.

    From the description, it seems that you have configured the UNIX server as
    the VPN server on the SBS internal side. If so, we need to configure RRAS on
    SBS to forward the corresponding traffic to the UNIX server as follows:

    1. Bring up the "Routing and Remote Access" console, and then expand to
    "Server name" -> "IP Routing" -> "NAT/Basic Firewall."

    2. In the right pane, right-click "Network Connection" to choose
    Properties.

    3. Switch to the "Services and Ports" tab, and then Add the desired service.

    For example: you can configure RRAS to forward IPSec traffic on 500 to
    10.0.76.x 255.255.252.0.

    However, we also recommend using the SBS server as the VPN server. If
    the problem still persists, due to the complexity of this issue, we are
    unable to assist with this request in the newsgroups. You may need to
    contact CSS for better support.

    A suggestion would be to contact Microsoft Product Support Services via
    telephone so that a dedicated Support Professional can assist with your
    request. Please be advised that contacting phone support will be a charged
    call. However, if you are simply requesting a hotfix be sent to you and no
    other support then charges are usually refunded or waived.

    To obtain the phone numbers for specific technology request please take a
    look at the web site listed below.

    http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS

    If you are outside the US please see http://support.microsoft.com for
    regional support phone numbers.

    Thanks for your understanding and I look forward to your reply.

    Best regards,

    Crina Li (MSFT)

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security

    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Crina Li, Sep 30, 2005
    #2
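
Added example (not part of the original thread): a small check of tunnel filter consistency, using the addresses from the first post. A mismatch between the two gateways' phase 2 traffic selectors is a common cause of stage 2 (quick mode) failure; the peer configurations `PEER_MIRRORED` and `PEER_WIDER` are constructed for comparison and are assumptions, since the thread does not show the Cisco side.

```python
import ipaddress

def net(addr, mask):
    """Build a network from an address and netmask as typed into an IPSec filter."""
    return ipaddress.ip_network(f"{addr}/{mask}")

def check_tunnel(local_lan, local_filters, peer_filters):
    """Return findings for one gateway's tunnel filters.

    local_lan     -- subnet actually configured on the inside hosts
    local_filters -- [(src, dst), ...] outbound tunnel filters on this gateway
    peer_filters  -- [(src, dst), ...] outbound selectors on the peer gateway
    """
    findings = []
    for src, dst in local_filters:
        # Quick mode offers (src, dst) as traffic selectors; the peer is
        # expected to hold the mirror image (dst, src).
        if (dst, src) not in peer_filters:
            findings.append(f"peer has no mirrored selector for {src} -> {dst}")
        # A filter narrower than the LAN leaves inside hosts outside the tunnel.
        if src != local_lan and src.subnet_of(local_lan):
            missing = local_lan.num_addresses - src.num_addresses
            findings.append(f"filter {src} is narrower than LAN {local_lan}: "
                            f"{missing} addresses not covered")
        elif not src.overlaps(local_lan):
            findings.append(f"filter {src} does not match LAN {local_lan}")
    return findings

# Values from the original post: NetA hosts use mask 255.255.252.0,
# while the tunnel filters were entered with 255.255.255.0.
LAN_A = net("10.0.76.0", "255.255.252.0")
FILTERS_A = [(net("10.0.76.0", "255.255.255.0"), net("10.0.0.0", "255.255.255.0"))]

# Constructed peer configurations (not from the thread), for comparison.
PEER_MIRRORED = [(net("10.0.0.0", "255.255.255.0"), net("10.0.76.0", "255.255.255.0"))]
PEER_WIDER = [(net("10.0.0.0", "255.255.255.0"), net("10.0.76.0", "255.255.252.0"))]

if __name__ == "__main__":
    for label, peer in (("mirrored", PEER_MIRRORED), ("wider", PEER_WIDER)):
        print(f"peer selectors: {label}")
        for finding in check_tunnel(LAN_A, FILTERS_A, peer):
            print("  -", finding)
```
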