[isalist] Re: Error establishing a VPN to the ISA server

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 28 Jun 2006 12:19:11 -0700

Because it doesn't matter what the VPN subnet is. You could have a million
VPN's with a million different subnets and it won't make a bit of difference
if the destination IP is the same subnet as the local interface.  You would
have to dual-home your entire network with 2 different VPN's to avoid this.

In a "single box" solution that Tom outlined, having multiple VPN's with
multiple subnets and multiple matching IP's bound to the single interface
would work, but only for that one box, and only for one "fake" IP at a time
unless you created multiple boxes with multiple VPN endpoints.

t


On 6/28/06 11:20 AM, "D PIETRUSZKA USWRN INTERLINK INFRA"
<DPietruszka@xxxxxx> spoketh to all:

> Why not just create two VPN's, one with 1 subnet and the other one with
> another subnet, you won't have this problem again no matter on which hotel
> your customer stays.
> For us OWA/RPC HTTP don't work because we use RSA to authenticate user on OWA.
>  
> 
> Regards
> Diego R. Pietruszka
>  
> 
> 
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
> Behalf Of Thor (Hammer of God)
> Sent: Wednesday, June 28, 2006 1:57 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Error establishing a VPN to the ISA server
>  
> Until the one you switch to is on a 10. network and all the work Tom did with
> the internal IP stuff is all for naught.  ;)
> 
> I'm telling ya... This is becoming way more and more common.  I'm surprised to
> see this dude's hotel on 192.168.110 (I really am) but it's actually becoming
> more common for some of my people to be on conflicting nets, particularly when
> they give you a 10.0.0.0 address on a 255.0.0.0 subnet.   Hence the need for a
> localized NAT solution? OWA/RPCoHTTP is fine when all you need is email stuff,
> but when you've got to be RDP'ing into multiple servers, accessing SQL boxes,
> hitting VoIP equipment, etc., publishing scenarios just don't cut it...
> 
> I've tried lots of different things at varying degrees of complexity (like a
> virtual pc install, Kerio routing tricks, KY jelly, etc) but I've found that
> keeping things limited to the "plug THIS into THAT, then plug THAT into the
> OTHER THING" mentality is the best.
> 
> That's really why most of my mobile people have the high speed EVDO solutions
> (we use Verizon) so that we don't really have to worry about it.  Hotel
> connections are usually way faster, but EVDO works all the time (most of the
> time, anyway). 
> 
> I can actually envision a market for a little USB device that NAT's the
> connection all the time for the true "road warrior" that spends a lot of time
> on other people's networks.
> 
> t  
> 
> 
> On 6/28/06 7:51 AM, "Jonathon J. Howey" <Jonathon@xxxxxxxx> spoketh to all:
> A non-technical solution: Wouldn't it have been easier to tell the Director to
> switch hotels? :p
> 
> But then that wouldn't be any fun for you guys...
> 
> Jonathon J. Howey
> MENSE Inc.
> P 780.409.5620
> F 780.409.5621
> D 780.409.5628
> C 780.965.8363
> Jonathon@xxxxxxxx
>  
> Defining the Future of Transportation
> www.MENSE.ca <http://www.mense.ca/>
>  
>  
>  
> 
> 
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thomas W Shinder
> Sent: June 28, 2006 8:31 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Error establishing a VPN to the ISA server
> 
> Nice tip!
> Thanks!
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org <http://www.isaserver.org/>
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> MVP -- ISA Firewalls
> 
>  
> 
>  
> 
> 
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thor (Hammer of God)
> Sent: Wednesday, June 28, 2006 9:19 AM
> To:  isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Error establishing a  VPN to the ISA server
> 
>  
> You'll still hit it.  The router will be given the local IP just like a lappy
> would, and you'll hit it via the NAT'd connection.  Do it all the time.
> 
> t
> 
> 
> On 6/28/06 6:51 AM,  "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to
> all:
> 
>  
> What if that broadband router has to interact with a log on  page?
> 
> Thomas W Shinder,  M.D.
> Site: www.isaserver.org <http://www.isaserver.org/>
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> MVP  -- ISA Firewalls
> 
>  
> 
>  
> 
>  
>  
> 
> 
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Glenn P. JOHNSTON
> Sent: Tuesday, June  27, 2006 11:18 PM
> To:   isalist@xxxxxxxxxxxxx
> Subject: RE: [isalist] Re: Error  establishing  a VPN to the ISA server
> 
>  
>  
> Plan is, I am going to take:
> 
> 1. A Linksys 4 port BB router, to plug in between the hotel's BB and his
>    notebook, which I think will do the trick nicely.
> 2. A wireless broadband card, just in case.
> 3. A second notebook with the company's SOE on it, also just in case.
> 4. My wife, it will be a nice little day or two away for us.
> 
> 
>  
>  
>  
> 
> 
> 
>  
> From:   isalist-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of  God)
> Sent:  Wed 28/Jun/2006 14:06
> To:  isalist@xxxxxxxxxxxxx
> Subject:  [isalist] Re: Error  establishing a VPN to the ISA server
> 
>  
>  
> 
> http://www.ISAserver.org
> -------------------------------------------------------
>  
> You gonna add a new IP to the server, bring a little NAT router, or both? ;)
> 
> t
> 
> 
> On 6/27/06 9:00 PM, "Glenn P. JOHNSTON" <glenn.johnston@xxxxxxxxxxx> spoketh
> to all:
> 
>> > I don't believe it.
>> >
>> > I've just been offered a return first class plane ticket, a night's
>> > accommodation, 2 nights if need be, all expenses + however many hours it
>> > takes at my normal hourly rate to go see the director in person and fix
>> > this for him so he can get his e-mail!
>> >
>> > "Well I'll lose a whole day on this", "Fine, then charge us for every hour
>> > you're away, just get it fixed!"
>> > 
>> >  
>> >
>> >  ________________________________
>> >
>> >  From:  isalist-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of  God)
>> > Sent:  Wed 28/Jun/2006 13:45
>> > To:  isalist@xxxxxxxxxxxxx
>> > Subject:  [isalist] Re: Error  establishing a VPN to the ISA  server
>> >
>> >
>> >
>> >  
>> > OWA would be a great "backup" solution in the rare case where the local
>> > Ethernet LAN is the same logical subnet as their own offices, even if he
>> > couldn't sync.  But, in your case of having a jackass for a client, you're
>> > kind of stuck.
>> >
>> > An easier thing to do would be to get a little Linksys NAT router to stick
>> > in between.  Plug the hotel ethernet to the "Internet" port, and plug the
>> > laptop into a "LAN" port.  That way he'll get a local 192.168.1 address and
>> > have no problems.  Plus, there is no configuration needed at all.  The
>> > defaults will work just fine.  Just plug it in and go.
>> >
>> > t
>> >
>> >
>> > On 6/27/06 8:29 PM, "Glenn P. JOHNSTON" <glenn.johnston@xxxxxxxxxxx>
>> > spoketh to all:
>> >
>>> >> I'm told he refuses to use OWA as he can't sync his mail with the OST on
>>> >> his notebook. There is just no helping some people, no matter how hard
>>> >> you try to be helpful and solve their problem, they just refuse all help
>>> >> on principle!
>>> >>
>>> >> Also they passed on to me, that in his yelling and screaming he's
>>> >> demanding to know "Why someone did not realise this would happen, and get
>>> >> it fixed beforehand, so I can get my e-mail"
>>> >>
>>> >> I really feel sorry for the IT guy at the site, he's early 20's, finished
>>> >> a development oriented IT degree last year, is quite bright really, but
>>> >> is still just learning the finer points of the winserver environment,
>>> >> supporting XP etc, and is working toward his MCSE, having passed the
>>> >> first 2 exams in the last couple of months. He reports to this Director,
>>> >> and from what I can see, gets one hell of a serve from him as soon as
>>> >> anything a little bit odd occurs.
>>> >>
>>> >> I can't see a way around this, without the Director having to do
>>> >> something out of the ordinary, which apparently, is just not an option,
>>> >> and have just told them that.
>>> >>
>>> >> I've suggested the only possible way, I can see, is to go out and
>>> >> purchase a wireless broadband card from someone local, get it on the net,
>>> >> set up a notebook with it and his e-mail, and get it express couriered to
>>> >> him. He'd have it early evening or first thing in the morning.
>>> >>
>>> >> There was a choking sound on the other end of the phone, "but then he'd
>>> >> have to carry 2 notebooks back!" and "What do I do if he gets it and it
>>> >> does not work?" ..................................
>>> >>
>>> >> Find another job came to mind..
>>> >>
>>> >>   ________________________________
>>> >>
>>> >> From:   isalist-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of  God)
>>> >>  Sent: Wed 28/Jun/2006 12:49
>>> >> To:  isalist@xxxxxxxxxxxxx
>>> >>  Subject: [isalist] Re: Error  establishing a VPN to the ISA   server
>>> >>
>>> >>
>>> >>
>>> >>
>>> >> Well, it would have worked other than the gw on the hotel being the same
>>> >> as the SBS box... Bad luck there.  But, I've had to do this several times
>>> >> for the exact same scenario with my people.  Seems the Marriott and I
>>> >> thought alike in our IP schemes ;)
>>> >>
>>> >> You could always just add another IP address to the SBS box (well, you
>>> >> could if it were a "regular" server install-- I don't know what you'd
>>> >> have to go through on SBS to do that.)  That would work, though.
>>> >>
>>> >> Not much we can do about a guy who wants to scream more than get the job
>>> >> done, though.  I'd tell him that if he wanted his email to STFU and do
>>> >> what was needed.  It's not like it is anyone's "fault."  There are other
>>> >> options you have, but they would all require him doing *something*.
>>> >>
>>> >> I'm assuming that OWA is not an option for some reason?
>>> >>
>>> >> t
>>> >>
>>> >>
>>> >> On 6/27/06 7:37 PM, "Glenn P. JOHNSTON" <glenn.johnston@xxxxxxxxxxx>
>>> >> spoketh to all:
>>> >>
>>>> >>> The internal IP of the SBS server is 192.168.110.2, G/W on the hotel BB
>>>> >>> service is also 192.168.110.2 unfortunately!
>>>> >>>
>>>> >>> I tried the static route on my home ADSL service by changing the
>>>> >>> internal private IP to match the Hotel's to play with, and everything
>>>> >>> else works, I can get to the internet and other clients' networks fine,
>>>> >>> but I can not get to anything on the remote network after the tunnel is
>>>> >>> connected, of the client with the problem.
>>>> >>>
>>>> >>> Putting the static route in I doubt will work anyway, the fellow will
>>>> >>> probably just yell and scream as soon as he is asked to do anything
>>>> >>> remotely technical, expecting it to be magically fixed from this end.
>>>> >>>
>>>> >>>   ________________________________
>>>> >>>
>>>> >>>  From:  isalist-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of  God)
>>>> >>>  Sent: Wed 28/Jun/2006 12:27
>>>> >>> To:   isalist@xxxxxxxxxxxxx
>>>> >>> Subject: [isalist] Re: Error   establishing a VPN to the ISA   server
>>>> >>>
>>>> >>>
>>>> >>>
>>>> >>>
>>>> >>> All he has to do is set a static route for the SBS box's IP to the
>>>> >>> gateway address of the VPN endpoint.
>>>> >>>
>>>> >>> IOW, if the SBS box is 192.168.110.101, and his PPP VPN interface got
>>>> >>> assigned something like 192.168.110.11 from the RRAS server (do an IP
>>>> >>> config to see what ip his PPP adapter is, or look at the RRAS
>>>> >>> properties of the connection) then you would have him do a:
>>>> >>>
>>>> >>> ROUTE -p add 192.168.110.101 mask 255.255.255.255 192.168.110.11
>>>> >>>
>>>> >>> That way, when he attempts to access the SBS server, the request will
>>>> >>> route down the VPN rather than broadcasting on the "local"
>>>> >>> 192.168.110.x network.
>>>> >>>
>>>> >>> t
>>>> >>>
>>>> >>>
>>>> >>> On 6/27/06 7:13 PM, "Glenn P. JOHNSTON" <glenn.johnston@xxxxxxxxxxx>
>>>> >>> spoketh to all:
>>>> >>>
>>>>> >>>>
>>>>> >>>> Hi,
>>>>> >>>>
>>>>> >>>> Maybe, maybe not directly an ISA question, and I've posted this in an
>>>>> >>>> SBS forum as well, but you people are pretty bright & I thought you
>>>>> >>>> might have some worthwhile input on this.
>>>>> >>>>
>>>>> >>>> One of my clients has an issue with VPN tunnel. This has been in
>>>>> >>>> place since Sunday afternoon, but they only rang me this morning.
>>>>> >>>>
>>>>> >>>> One of their directors is at a week long conference, and the Hotel
>>>>> >>>> where he is staying provides an in room broadband service.
>>>>> >>>> The BroadBand in the hotel is using a 192.168.110.0/24 address range,
>>>>> >>>> the internal address of the client's network at the office is also a
>>>>> >>>> 192.168.110.0/24 range.
>>>>> >>>>
>>>>> >>>> The VPN tunnel establishes fine, and the VPN connector on his
>>>>> >>>> notebook gets an address, of course, in the 192.168.110.100 to
>>>>> >>>> 192.168.110.199 range of the DHCP server on the SBS server.
>>>>> >>>>
>>>>> >>>> Once the tunnel is established, he can access nothing on the SBS.
>>>>> >>>> This is to be expected as the address ranges are the same, does
>>>>> >>>> anyone have any bright ideas on how to get around this. The Director
>>>>> >>>> is yelling and screaming about not being able to get his e-mail.
>>>>> >>>>
>>>>> >>>> Unfortunately he is out of direct reach in another state, and has
>>>>> >>>> very little tolerance for such problems.
>>>>> >>>>
>>>>> >>>> Regards
>>>>> >>>> Glenn
>>>>> >>>>   ------------------------------------------------------
>>>>> >>>>   List Archives: //www.freelists.org/archives/isalist/
>>>>> >>>>   ISA Server Newsletter:
>>>>> http://www.isaserver.org/pages/newsletter.asp
>>>>> >>>>   ISA Server Articles and Tutorials:
>>>>> >>>> http://www.isaserver.org/articles_tutorials/
>>>>> >>>>   ISA Server Blogs: http://blogs.isaserver.org/
>>>>> >>>>   ------------------------------------------------------
>>>>> >>>>   Visit TechGenix.com for more information about our other   sites:
>>>>> >>>> http://www.techgenix.com
>>>>> >>>>   ------------------------------------------------------
>>>>> >>>>  To  unsubscribe visit http://www.isaserver.org/pages/isalist.asp
>>>>> >>>>   Report abuse to   listadmin@xxxxxxxxxxxxx
>>>>> >>>>
>>>>> >>>>
>>>>> >>>>
>>>> >>>
>>>> >>>
>>>> >>>
>>>> >>>
>>>> >>>
>>> >>
>>> >>
>>> >>
>>> >>
>>> >>
>> >
>> >
>> >
>> >
>> >
> 
> 
>  
>  
>  
>  
> 
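
Added example (not part of the original thread and not code from any poster): a small Python model of the laptop's route selection discussed above. It shows why an overlapping hotel LAN captures traffic meant for the office server, how the /32 host route from the thread wins by longest-prefix match, and it flags the case the thread reports as defeating that fix (hotel gateway and server sharing one IP). The interface labels, the metrics, and the addresses 192.168.110.50, 192.168.1.100 and 192.168.1.1 are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    via: str      # "lan" (hotel Ethernet) or "vpn" (PPP adapter); labels are illustrative
    metric: int   # constructed values; lower wins when prefix lengths tie


def pick(table, dst):
    """Longest-prefix match; a tie on prefix length goes to the lower metric."""
    ip = ipaddress.ip_address(dst)
    hits = [r for r in table if ip in r.dest]
    return min(hits, key=lambda r: (-r.dest.prefixlen, r.metric)) if hits else None


def preflight(local_cidr, local_gw, office_cidr, server_ip, vpn_ip):
    """Model the route chosen for server_ip, with and without the host route."""
    local = ipaddress.ip_interface(local_cidr).network
    office = ipaddress.ip_network(office_cidr)
    table = [
        Route(ipaddress.ip_network("0.0.0.0/0"), "lan", 20),  # default via local gateway
        Route(local, "lan", 10),    # on-link route for the LAN the laptop is plugged into
        Route(office, "vpn", 30),   # route for the office LAN through the tunnel
    ]
    host = Route(ipaddress.ip_network(f"{server_ip}/32"), "vpn", 1)
    return {
        "overlap": local.overlaps(office),
        # The thread reports the host route did not help when this is true.
        "gateway_collision": ipaddress.ip_address(server_ip)
        == ipaddress.ip_address(local_gw),
        "without_host_route": pick(table, server_ip).via,
        "with_host_route": pick(table + [host], server_ip).via,
        # Same form as the command quoted in the thread.
        "route_cmd": f"route -p add {server_ip} mask 255.255.255.255 {vpn_ip}",
    }


# The hypothetical from the thread: server at .101, PPP adapter assigned .11.
HOTEL = preflight("192.168.110.50/24", "192.168.110.2",
                  "192.168.110.0/24", "192.168.110.101", "192.168.110.11")
# The real site: server and hotel gateway are both 192.168.110.2.
ACTUAL = preflight("192.168.110.50/24", "192.168.110.2",
                   "192.168.110.0/24", "192.168.110.2", "192.168.110.11")
# Laptop behind a small NAT router on its default 192.168.1.x LAN.
LINKSYS = preflight("192.168.1.100/24", "192.168.1.1",
                    "192.168.110.0/24", "192.168.110.2", "192.168.110.11")

if __name__ == "__main__":
    for name, result in (("hotel", HOTEL), ("actual", ACTUAL), ("linksys", LINKSYS)):
        print(name, result)
```

Behind the NAT router the overlap disappears, so the server is reached through the tunnel with no host route at all.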

