Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

IPSec Tunnel VPN up & running but no traffic.

486 views
Skip to first unread message

Dennis Mutsaers

unread,
Nov 27, 2004, 10:29:01 AM11/27/04
to
Hi,

I've created an IPSec VPN between a Draytek Vigor and ISA 2004.
The tunnel seems to be allright, but I cant get traffic from subnet A to
subnet B
I can ping the remote gateway.

Here's the setup.

Main site: (ISA2004)
public ip: 212.83.245.14/255.255.255.248
lan ip: 192.168.20.252/255.255.255.0

Branch site: (Draytek Vigor)
public ip: 212.83.244.111/255.255.255.255
lan ip: 192.168.200.1/255.255.255.0

IPSec tunnel between 2 sites.

I am able to ping 192.168.200.1 from the ISA2004 server, but can't ping any
other device in the 192.168.200.x/255.255.255.0 subnet.

What am I doing wrong?

Best regards,
Dennis.


Robert L [MS-MVP]

unread,
Nov 27, 2004, 11:10:31 AM11/27/04
to
it seems to me that the ISA blocks the ping or traffic. I would check the
firewall policy first.

--
For more and other information, go to http://www.ChicagoTech.net

Don't send e-mail or reply to me except you need consulting services.
Posting on MS newsgroup will benefit all readers and you may get more help.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN, Anti-Virus, Tips & Troubleshooting on
http://www.ChicagoTech.net
Networking Solutions, http://www.chicagotech.net/networksolutions.htm
VPN Solutions, http://www.chicagotech.net/vpnsolutions.htm
VPN Process and Error Analysis, http://www.chicagotech.net/VPN%20process.htm
VPN Troubleshooting, http://www.chicagotech.net/vpn.htm
This posting is provided "AS IS" with no warranties.
"Dennis Mutsaers" <dmutsaer...@hccnet.nl> wrote in message
news:131qd.2349$wQ2...@fe16.usenetserver.com...

Dennis Mutsaers

unread,
Nov 27, 2004, 1:16:22 PM11/27/04
to
I've created an 'Allow all outbound traffic' from subnet A to subnet B and
the other way around. (But no traffic)

Best regards,
Dennis.

"Robert L [MS-MVP]" <nor...@hotmail.com> schreef in bericht
news:%23aIjhuJ...@TK2MSFTNGP14.phx.gbl...

Hugh Carnduff

unread,
Nov 29, 2004, 11:42:21 AM11/29/04
to
Hi Dennis,

I've recently setup a number of VPN's between DrayTek Vigor's and ISA
2004 using IPSec Tunnel, LT2P/IPSec and PPTP. I'm pleased to say they
all work although they do have their gotchas!

Your overall config looks ok. I appreciate I may be reiterating but
have you:

1) created Network Rules to "route" from the VPN to the internal
network
2) created the appropriate routes on the internal network to find
your branch site? (should work automatically if ISA is the default
gateway - otherwise requires static routes).
3) set the VPN definition on the DrayTek as "change default route to
this VPN tunnel"
4) set the branch workstations to use 192.168.200.1 as their default
gateway

I've found the best testing rule is Allow, Ping, from:All Protected
Networks, to:All Protected Networks.

Hope that helps.

Cheers,

Hugh

Hugh Carnduff

unread,
Nov 29, 2004, 2:43:53 PM11/29/04
to
Hi Dennis,

OK. Using LT2P/IPSec with the DrayTek and ISA2004 is a little more
complicated as IPCP on the DrayTek doesn't negotiate correctly with
the ISA 2004 / RRAS without manually setting the "Remote Gateway IP"
on the DrayTek. (took me while to work that one out!). If you want
to use LT2P/IPSec, set the Remote Gateway IP to "192.168.200.2" (if I
read your info correctly). Hopefully that will fix it if you've
already been through the loop.


Having said that, IPSec Tunnel is by far the simplest and is at least
preferential over PPTP. My advice would be to bottom out all the
configuration and testing using IPSec Tunnel and move to L2TP/IPSec
once you have all the ISA routing / firewall policies in place.

Some notes on this (if you need them)...

If you follow the defaults on ISA to create an IPSec tunnel you should
be fine. Here's a template config for the DrayTek side of the
Site-To-Site using an IPSec Tunnel.


On DrayTek:

Select "LAN-to-LAN Profile Setup"
Select "1" (or your profile number)
; Common Settings
Set Profile Name: "HQ"
Select "Enable this profile"
Select "Always On" (selects "Dial-Out" only)

; Dial-Out Settings
Select "IPSec Tunnel"
Set Server IP/Host Name for VPN: "212.83.245.14" (I
assume...)
Set IKE Pre-Shared Key:
"sa64E5dFkjhf12skWgdwfdJGFqrwl6udhfjh" (anything you like - match at
ISA 2004 end)
Select "High (ESP)"
Select "3DES with Authentication"
Select "Advance"
Select "Main Mode"
Select "3DES_SHA1_G2"
Set IKE phase 1 key lifetime: "28800" (default
for ISA 2004)
Set IKE phase 2 key lifetime: "3600" (default
for ISA 2004)
Select Perfect Forward Secret "Enable"
(default for ISA 2004)
Select "OK"

; TCP/IP Network Settings
Set My WAN IP: "0.0.0.0" (default)
Set Remote Gateway IP: "0.0.0.0" (default)
Set Remote Network IP: "192.168.20.0" (your ISA LAN)
Set Remote Network Mask: "255.255.255.0"
Select RIP Direction: "Disable"" (default)
Select for NAT operation, treat remote sub-net as
"Private IP"
Select "Change default route to this VPN tunnel"
Select "OK"


I have tested this on various Vigor 2600's. Also be sure to "Select
"Enable IPSec VPN Service" in the "Remote Access Control" setup
screen.

I've even tested the DHCP Relay on the DrayTek to issue local IP
addresses to the branch site from a DHCP server & scope located at the
main site.

All good stuff. Hope that helps.

Hugh.

PS: DrayTek tip... Install the DrayTek SysLog utility on your
workstation and point your DrayTek's syslog settings at it. This is
an invaluable tool when working with Vigors.


On Mon, 29 Nov 2004 19:19:32 +0100, "Dennis Mutsaers"
<dmutsaer...@hccnet.nl> wrote:

>Great to here you got it working with the Draytek Vigor router. Maybe you
>can help me out. I've tried IPSec, L2TP/IPSec and couldn't get them to work
>with ISA 2004. Could you tell me how you set up your Draytek Vigor. (I'm
>using Vigor 2500/2600/2900)
>My prefered method of connecting would be L2TP/IPSec.
>
>To answer your questions:
>
>1) Yes
>2) Yes (Isa is default gateway)
>3) No
>4) Yes
>
>"Hugh Carnduff" <Hugh.C...@nospam.onev.co.uk> schreef in bericht
>news:79kmq05i2k385n3sm...@4ax.com...

Dennis Mutsaers

unread,
Nov 29, 2004, 1:19:32 PM11/29/04
to
Great to here you got it working with the Draytek Vigor router. Maybe you
can help me out. I've tried IPSec, L2TP/IPSec and couldn't get them to work
with ISA 2004. Could you tell me how you set up your Draytek Vigor. (I'm
using Vigor 2500/2600/2900)
My prefered method of connecting would be L2TP/IPSec.

To answer your questions:

1) Yes
2) Yes (Isa is default gateway)
3) No
4) Yes

"Hugh Carnduff" <Hugh.C...@nospam.onev.co.uk> schreef in bericht
news:79kmq05i2k385n3sm...@4ax.com...

Dennis Mutsaers

unread,
Nov 29, 2004, 3:13:20 PM11/29/04
to
I will try your suggestions tomorrow. The 'Remote Gateway IP' appears
strange to me. I always thought you should put your remote gateway ip, in my
case ISA 2004, 212.83.245.14. here. As you put it here it looks more like
the ip address the remote gateway needs to use as gateway address to the
draytek. (I assume 192.168.200.2 would be the l2tp interface on the
draytek)

I hope your info solves my problem with the draytek.


Best regards,

Dennis.

"Hugh Carnduff" <Hugh.C...@nospam.onev.co.uk> schreef in bericht

news:p5umq0d4n129rhlfi...@4ax.com...

Dennis Mutsaers

unread,
Nov 29, 2004, 4:40:30 PM11/29/04
to

> Great to here you got it working with the Draytek Vigor router.

Wow, that's a stupid error. That should be hear, of course.

Best regards,
Dennis.


Dennis Mutsaers

unread,
Nov 30, 2004, 4:30:19 AM11/30/04
to
Well,

I was trying to get an IPSec tunnel between ISA2004 & a Draytek Vigor 2500.
I've been trying to create a working set-up for the last four days. Today I
downloaded a new firmware release for the Draytek 2500 (R 2.53) Guess what.
It works now.

"Hugh Carnduff" <Hugh.C...@nospam.onev.co.uk> schreef in bericht

news:p5umq0d4n129rhlfi...@4ax.com...

Hugh Carnduff

unread,
Nov 30, 2004, 9:35:26 AM11/30/04
to
Hi Dennis,

That's excellent news. It sounds like they've sorted the IPCP problem
on that release. I'm still waiting for a similar fix to the 2600
firmware. For now, I'm still using the workaround.

Cheers,

Hugh

Dennis Mutsaers

unread,
Nov 30, 2004, 6:01:53 PM11/30/04
to
Hugh,

What do you mean by the IPCP problem? (What is IPCP?) And what's the
workaround for the 2600? Are there problems with the 2600?

Regards,
Dennis.

"Hugh Carnduff" <Hugh.C...@nospam.onev.co.uk> schreef in bericht

news:a81pq0psoc5cf4k8j...@4ax.com...

Hugh Carnduff

unread,
Dec 2, 2004, 9:50:44 AM12/2/04
to
Hi Dennis,

IPCP is the PPP Internet Protocol Control Protocol. (see RFC1332 for
further information)

The IPCP phase is started immediately after the security associations
are established. Basically, this negotiates and configures IP for
both sides of the link. Usually this is automatic and transparent -
as with the new firmware version of the DrayTek 2500. The current
release of the DrayTek 2600 V/VGI (2.5.5 RC5) does not seem to
auto-negotiate successfully with ISA 2004.

What follows is based on observation and debug logs and is not based
on official comment from DrayTek or Microsoft... Using the default
config, the DrayTek offers it's local LAN IP address to ISA during
IPCP as the remote IP address. This does not make sense as the ISA
cannot use this IP address itself. ISA then offers an address which
it gets from local DHCP scope. This isn't accepted either. After
trying all its IP addresses, the IPCP negotiation fails. The
workaround I discovered was to manually set the "Remote Gateway IP" to
a unique IP not used on the local DrayTek LAN. I.e. if your DrayTek
was 192.168.1.1, then use 192.168.1.2. ISA then creates a local PPP
interface with this IP address to which it routes traffic for the VPN.
Once that's done, it works just fine.

Cheers,

Hugh

On Wed, 1 Dec 2004 00:01:53 +0100, "Dennis Mutsaers"

Dennis Mutsaers

unread,
Dec 3, 2004, 9:06:59 AM12/3/04
to
How did you get the DHCP relay working? I used 192.168.20.252 (the ISA
server internal address) as the dhcp relay agent on the Draytek. I created a
scope for the 192.168.200.x range on the dhcp server and installed the dhcp
relay agent on the ISA server. (added the 'internal' interface) However, I'm
not getting a DHCP lease from the DHCP server at the main site.

Best regards,
Dennis.


"Hugh Carnduff" <Hugh.C...@nospam.onev.co.uk> schreef in bericht

news:p5umq0d4n129rhlfi...@4ax.com...

Hugh Carnduff

unread,
Dec 6, 2004, 11:09:48 AM12/6/04
to
Hi Dennis,

You've got the DHCP relay on the DrayTek pointing to the wrong
location. You're attempting a double-relay here. The DHCP Relay
Agent field on the DrayTek should point directly to the destination
DHCP server. You do not need a DHCP relay agent on the ISA server.
You will also need policies on the ISA to allow "DHCP Request" from
the IPSec VPN and "DHCP Reply" back from the DHCP server network
(Internal?).

Cheers,

Hugh

Dennis Mutsaers

unread,
Dec 6, 2004, 1:59:06 PM12/6/04
to
Hugh,

First of all, thanks for your help.

I just found out that the default gateway on my dhcp server wasn't pointing
to the ISA server. However, I do believe my DHCP Relay agent setup is the
correct setup. I have 2 dhcp servers on the lan, so if one fails the other
still can reply to dhcp requests. You can't accomplish this without the
relay agent on the ISA server, I believe. With this setup I have DHCP
failover for remote subnets. It's working with the DHCP Relay Agent.
You DO need the DHCP Relay Agent on the ISA server for VPN clients, if I'm
right. (Windows L2TP/PPTP clients)

Once again, thanks for your help with setting this up.

Best regards,

Dennis.

"Hugh Carnduff" <Hugh.C...@nospam.onev.co.uk> schreef in bericht

news:b119r05ackmc755ru...@4ax.com...

0 new messages