Hi Tiago,

One thing about networking, *nothing is easy* :-)

While the fact that one end is PPPoE and other is PPPoA shouldn't be an issue, the fact that other sides are dial up is an issue, because one side definitely needs a dedicated address, IIRC. Check out www.microsoft.com/vpn and delve into the White Paper on gateway to gateway VPNs and also grab all the information you can get on demand dial connections.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder

-----Original Message-----
From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx]
Sent: Friday, February 21, 2003 8:44 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RES: RE: RES: RE: VPN router-to-router drop every ~3 minutes

http://www.ISAserver.org

Hmmm... Could be an idea!

As far as I know, I can do PPTP with these routers, but they must be configured using VPI, VCI and that stuff. I can't establish tunnels directly to an IP address. The only problem is that one router acts as a bridge (must be dialed, PPPoE), and the other is a router (PPPoA). I don't know if PPTP can be configured on these routers in this scenario.

Anyway, I'll try the Active/Passive VPN configuration before anything else.

Thanks a lot!

Tiago de Aviz
-----------------------
tiago@xxxxxxxxxxxxxxx
www.softsell.com.br
-----------------------

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Thursday, February 20, 2003 22:58
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RES: RE: VPN router-to-router drop every ~3 minutes

http://www.ISAserver.org

Hi Tiago,

Hmmm. It would be hard to blame the DSL lines if you don't see the same phenomenon between Win2k RRAS servers (without ISA Server on either end). I don't think it's the fragment filtering, as that shouldn't be an issue with PPTP links. The L2TP/IPSec won't work if the ISA Server external interface is behind a NAT. The passive/active is exactly what Steve was referring to.
If you have both of the sites connected via NAT routers, how about creating VPN gateways between the NAT routers and then create a VPN gateway link between the ISA Servers inside the tunnel created between the routers.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx]
Sent: Thursday, February 20, 2003 7:08 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RES: RE: VPN router-to-router drop every ~3 minutes

http://www.ISAserver.org

Thomas,

Well, "dirty" DSL lines are a possibility around here. However, this only happens between ISA Servers. For instance: if I establish a VPN with two RRAS servers without ISA server on one end, it stays up indefinitely. Could it be those IP fragment/options filters enabled?

About L2TP: would it work over these NAT that my DSL routers are doing?

The Passive/Active router is that thing that Steve Moffat explained in his e-mail?

Thanks for the help!

Tiago de Aviz
-----------------------
tiago@xxxxxxxxxxxxxxx
www.softsell.com.br
-----------------------

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Wednesday, February 19, 2003 22:16
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN router-to-router drop every ~3 minutes

http://www.ISAserver.org

Hi Tiago,

I've heard about this sort of thing from many people. Some possibilities:

1. Your DSL lines are "dirty" so that PPTP control channel somehow gets "corrupted" (not very scientific, but this is a hypothesis)
2. There's a problem with PPTP with gateway to gateway connections. The fix is to use L2TP/IPSec
3. When one of the routers loses its DSL link, both of them try to call each other at the same time.
Fix is to create a passive and an active router

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx]
Sent: Wednesday, February 19, 2003 9:14 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] VPN router-to-router drop every ~3 minutes

http://www.ISAserver.org

Hi folks!

I have two ISA servers that are connected this way:

Internal Network--ISA---DSL router----Internet----DSL router---ISA-Internal Network

Both DSL routers are set to forward all inbound traffic to the ISA Server's public NIC. BTW, they are both Alcatel Speed Touch Pro modems.

Well, here's what happens when I establish a router-to-router PPTP VPN between these two ISA's: I created the connections on RRAS, created credentials on both sides and I also created the static routes from one network to another. Everything works fine, traffic is routed, it's really fast, but.... it drops for no reason every 3 minutes or less. Here's the event that RRAS generates:

The user SOFTSELL\itatiaia connected on port VPN3-126 on 02/17/2003 at 05:30pm and disconnected on 02/17/2003 at 05:31pm. The user was active for 1 minutes 36 seconds. 0 bytes were sent and 0 bytes were received. The port speed was 10000000. The reason for disconnecting was user request.

Note that this happens even if I have traffic on the tunnel. Both servers have SP3 and ISA SP1 applied. I couldn't find any remote access policy that disconnects someone for any reason... everything is unset. Could it be inheriting these policies from somewhere else?

I tried to use that wizard from ISA server to create VPN's, but the public address is not bound to my public NIC, so it won't work if I import the settings on the other edge.

Any ideas?
Tiago de Aviz
---------------------
www.softsell.com.br
tiago@xxxxxxxxxxxxxxx
------------------------

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
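
An added example, not part of the original thread: a small Python parser for RRAS disconnect events in the layout quoted in the first message, which flags users whose sessions repeatedly end within three minutes with "user request". The function names, the thresholds, the second user SOFTSELL\branch2 and the "idle timeout" entry are constructed for illustration.

```python
import re
from datetime import datetime

# Layout of the RRAS event text quoted in the first message of the thread.
EVENT_RE = re.compile(
    r"The user (?P<user>\S+) connected on port (?P<port>\S+) on (?P<c>\S+ at \S+) "
    r"and disconnected on (?P<d>\S+ at \S+)\. "
    r"The user was active for (?P<min>\d+) minutes (?P<sec>\d+) seconds\. "
    r"(?P<sent>\d+) bytes were sent and (?P<recv>\d+) bytes were received\. "
    r".*?The reason for disconnecting was (?P<reason>[^.]+)\."
)
STAMP = "%m/%d/%Y at %I:%M%p"  # assumption: MM/DD/YYYY and a 12-hour clock

def parse_event(text):
    """Return the fields of one event as a dict, or None if the layout differs."""
    m = EVENT_RE.search(text)
    if m is None:
        return None
    return {
        "user": m["user"], "port": m["port"],
        "connected": datetime.strptime(m["c"], STAMP),
        "active_s": int(m["min"]) * 60 + int(m["sec"]),
        "bytes": int(m["sent"]) + int(m["recv"]),
        "reason": m["reason"].strip().lower(),
    }

def flapping_users(texts, max_active_s=180, min_sessions=3):
    """Count, per user, short sessions closed with 'user request'; keep repeat cases."""
    counts = {}
    for ev in filter(None, map(parse_event, texts)):
        if ev["active_s"] <= max_active_s and ev["reason"] == "user request":
            counts[ev["user"]] = counts.get(ev["user"], 0) + 1
    return {user: n for user, n in counts.items() if n >= min_sessions}

def event(user, port, start, end, mins, secs, nbytes, reason):
    """Build one event line in the quoted layout (used for the sample data)."""
    return (f"The user {user} connected on port {port} on 02/17/2003 at {start} and "
            f"disconnected on 02/17/2003 at {end}. The user was active for {mins} minutes "
            f"{secs} seconds. {nbytes} bytes were sent and {nbytes} bytes were received. "
            f"The port speed was 10000000. The reason for disconnecting was {reason}.")

SAMPLE = [
    # First entry reproduces the event quoted in the thread; the rest are constructed.
    event(r"SOFTSELL\itatiaia", "VPN3-126", "05:30pm", "05:31pm", 1, 36, 0, "user request"),
    event(r"SOFTSELL\itatiaia", "VPN3-125", "05:32pm", "05:34pm", 2, 51, 0, "user request"),
    event(r"SOFTSELL\itatiaia", "VPN3-126", "05:35pm", "05:37pm", 2, 10, 0, "user request"),
    event(r"SOFTSELL\branch2", "VPN3-124", "06:00pm", "08:00pm", 120, 4, 48122, "idle timeout"),
]

if __name__ == "__main__":
    print(flapping_users(SAMPLE))
```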