VLAN access to SOHO vpn problem


Dan18960
08-02-2006, 08:03 AM
OK gurus here is one that is DRIVING me crazy.

Client has a VLAN configuration with 12 Vnodes numbering from 10.1.1 to 10.1.12. MY CLIENT needs to set up a VPN that creates a tunnel between their SOHO3 on site and a SW Pro 1260 at the central office.

In the "perfect" solution - I would have a WAN ip handed off via a switch on the T-1 side and I would negotiate the VPN directly. But this client has me going through their ISA server, which is handling 4 other vpns, and login designates which pre-designated vpn you are granted by the IIS server's ISA assignments. The problem that is created is that the Pro or the SOHO can "not" log in since they are a point-to-point vpn creation and no login is able to be configured.

The other issue is that ALL vpns use ports 500 and 4500 respectively with protocol 17, setting up 50/51 to act as the negotiating incoming and outgoing.

We have tried setting up the IIS server to accept the vpn request and included the internal "WAN" ip to respond as appropriate - but because of the hops the IKE is timing out on authentication. We moved the WAN ip down the chain so that the SOHO was in the first vpn assignments of 10.1.1 but the timing is still an issue. We have released ALL restrictions thinking that the firewall settings were interfering with the authentication exchange.

We have forwarded requests from the Destination to the source assigned wan - no go. We are looking at scripting to see if that will setup the vpn.

So what is the consensus out there to get a hardware vpn to cooperate within an IIS / ISA firewall???

Freehold Fred
08-03-2006, 01:58 AM
Dan,

Per PT, I have looked at your post, but it is beyond my KB.

Fred

Spawn
08-03-2006, 04:14 AM
We have released ALL restrictions thinking that the firewall settings were interfering with the authentication exchange.

So what is the consensus out there to get a hardware vpn to cooperate within an IIS / ISA firewall???
Hello Dan

You stated that you have released ALL restrictions concerning the firewall.

Have you tweaked or tried a different configuration in the Packet Inspection Firewall?

That may be the issue!

Hope It Helps!!! :cool:

Vince

Dan18960
08-03-2006, 08:41 AM
Hello Dan

You stated that you have released ALL restrictions concerning the firewall.

Have you tweaked or tried a different configuration in the Packet Inspection Firewall?

That may be the issue!

Hope It Helps!!! :cool:

Vince

Yes we did. And we attempted to have the IP addressing in the forwarding accept the incoming destination packet and forward it to the internal WAN assignment, as well as having the outgoing request hop to the external with the internal WAN included in the packet sends.

So far nothing is working - which is in main part "I think" because of the additional vpn configurations that are used to login to the appropriate internal links.

The thing is, that I can log in and have immediate access to my router - but the hardware association doesn't allow for login options.

I think IF this is resolved it is going to be one for the Would You Believe! :confused:

Spawn
08-03-2006, 09:22 AM
Ok! LoL

One more thing I can suggest.

Check the Authentication protocols on the SOHO.

To clarify: the SOHO may be configured for 3DES/MD5 and not 3DES/SHA1. That is a potential if configured incorrectly... :)

I'll continue to contemplate along with you!!! LoL

By the way, what type of authentication is being used?

Basic/Digest/WDigest/Integrated Windows Auth.
Password Form
Passcode Form
Passcode/Password Form
Please be patient, I'm learning as I go with ISA; however, my top test scores are on permissions! LoL :)

Dan18960
08-03-2006, 05:02 PM
Ok! LoL

To clarify: the SOHO may be configured for 3DES/MD5 and not 3DES/SHA1. That is a potential if configured incorrectly... :)

By the way, what type of authentication is being used?

Basic/Digest/WDigest/Integrated Windows Auth.
Password Form
Passcode Form
Passcode/Password Form
Using 3DES/SHA1 with shared key authentication. No certificate is being handed off (although that would be done if I was using a GVPN).

I think what is the real issue here is that the shared client is using 3 other vpns that are login associated. I don't have that luxury. Authentication on my equipment is using IKE with a preshared key. Phase 1 is 3DES/SHA1 and Phase 2 is Strong Encryption and Authentication (ESP, 3DES, HMAC, SHA1).

The consensus is that if the other vpns were done away with and just a straight-through handshake was needed - there would be no issue. Unfortunately, I have to deal with the opposing vpns! :confused:
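Added example (not from the thread, and not SonicWALL or ISA code): a small Python model of the two things being argued over, whether an intermediate firewall policy passes every flow a site-to-site IKE/IPsec tunnel needs (the UDP 500/4500 and protocol 50/51 list in Dan's first post) and whether the two peers' Phase 1 proposals actually match (the 3DES/MD5 vs 3DES/SHA1 question Vince raised). The rule set and proposal values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Flows a site-to-site IKE/IPsec tunnel needs, as named in the thread:
# IKE on UDP/500, NAT-T on UDP/4500, ESP (IP protocol 50) and AH (IP protocol 51).
IPSEC_FLOWS = {
    "IKE": ("udp", 500),
    "NAT-T": ("udp", 4500),
    "ESP": ("esp", None),   # ESP and AH carry no port number
    "AH": ("ah", None),
}

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "udp", "tcp", "esp", "ah" or "any"
    port: Optional[int]    # None: any port, or the protocol has no ports

def first_match(rules, proto, port):
    """First-match policy evaluation with an implicit deny at the end."""
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if r.port is not None and r.port != port:
            continue
        return r.action
    return "deny"

def blocked_ipsec_flows(rules):
    """Names of tunnel components the policy would block, in IPSEC_FLOWS order."""
    return [name for name, (proto, port) in IPSEC_FLOWS.items()
            if first_match(rules, proto, port) != "allow"]

def proposal_mismatches(peer_a, peer_b):
    """Field-by-field comparison of two IKE proposals; {} means they agree."""
    return {k: (peer_a.get(k), peer_b.get(k))
            for k in sorted(set(peer_a) | set(peer_b))
            if peer_a.get(k) != peer_b.get(k)}

# Constructed samples (hypothetical, not the thread's real ISA or SonicWALL configuration):
# a policy that opens IKE and NAT-T but forgets ESP/AH, and its corrected form.
ISA_POLICY_SAMPLE = [Rule("allow", "udp", 500), Rule("allow", "udp", 4500)]
FIXED_POLICY = ISA_POLICY_SAMPLE + [Rule("allow", "esp", None), Rule("allow", "ah", None)]
# Phase 1 proposals with the exact mismatch Vince asked about: SHA1 on one side, MD5 on the other.
SOHO_P1 = {"enc": "3des", "hash": "sha1", "auth": "psk"}
CENTRAL_P1 = {"enc": "3des", "hash": "md5", "auth": "psk"}
if __name__ == "__main__":
    print("blocked by sample policy:", blocked_ipsec_flows(ISA_POLICY_SAMPLE))   # ['ESP', 'AH']
    print("blocked after fix:", blocked_ipsec_flows(FIXED_POLICY))               # []
    print("phase 1 mismatches:", proposal_mismatches(SOHO_P1, CENTRAL_P1))       # {'hash': ('sha1', 'md5')}
```

A policy that only opens UDP 500/4500 lets IKE complete and then silently drops the ESP data, which is a different symptom from the Phase 1 timeout Dan describes; the proposal check is the one to run first for an IKE authentication timeout.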

Dan18960
08-04-2006, 04:12 PM
Well apparently there is a HUGE bug in Windows IIS ISA servers!

The "joint" client is up to level FIVE at Microsoft and they are clueless as to what has happened.

As expected, my resources said this should have been a simple installation and the hardware allowed rights would have avoided any hops through the IIS server.

The IT department rep contacted M$, they billed them and now are refunding the costs because this "bug" could affect very MAJOR clients of Microsoft around the globe!

I will keep you guys posted - and it just shows again that I don't have EASY solutions to my problems. They are always above Tech Support level 2!

(hey RichM, can you hear me patting myself on the back AGAIN ;) )