Dear Tom,

Thanks for your hint. Yup, there is a possibility of MTU breaking IPsec. Let me adjust the MTU and try to see if it could resolve the problem; I hope it brings me success tonight...

To put in a router is the last option before I enter into a dead corner. I would like to host a good connection with an ADSL router unless it is an enterprise one (of course very costly).

Thanks,
Roy

----- Original Message -----
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, April 12, 2005 6:54 PM
Subject: [isalist] Re: Site to Site VPN Connection Using L2TP/IPSec by Pre-shared Key

http://www.ISAserver.org

Hi Roy,

Maybe an MTU issue? How about putting a DSL router in front of the ISA firewall in the VM and let it do the PPPoE? That gets around the MTU problem.

HTH,
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
Sent: Tuesday, April 12, 2005 5:44 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Site to Site VPN Connection Using L2TP/IPSec by Pre-shared Key

Dear Tom,

I did a good site to site L2TP/IPSec VPN through VMware with PPPoE. Again, my problem is to set up such a connection through an ISA2K4 box as guest OS inside a VM to a remote physical ISA2K4 box, where the virtual ISA2K4's Internet connection is PPPoE through a bridged NIC connected to an ADSL modem!

The PPTP connection works fine for site to site, and IPSec Monitor shows a good SA for the L2TP connection. I am just wondering: PPTP uses the TCP protocol while L2TP uses UDP, so does the bridged NIC interrupt UDP communication for L2TP!? Any idea, please?

Thanks,
Roy

----- Original Message -----
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, April 12, 2005 6:01 PM
Subject: [isalist] Re: Site to Site VPN Connection Using L2TP/IPSec by Pre-shared Key

Hi Roy,

I can't say about the PPPoE issue in the VM, but I've used VMware VMs for years with L2TP/IPSec connections using the VMware bridged NIC with no problems. Can you set up an L2TP/IPSec site to site VPN between two ISA firewalls without using PPPoE in your VMware lab?

Thanks!
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
Sent: Tuesday, April 12, 2005 12:35 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Site to Site VPN Connection Using L2TP/IPSec by Pre-shared Key

Dear Shinder-San, Harrison-sama,

Following the below discussion thread, I would say that I forgot to tell one thing which might be key for the captioned issue. The ISA2K4 box is installed in a guest machine of a VMware host; it hosts an Internet connection through PPPoE by a virtual NIC bridged to the host's NIC (this NIC connects to the ADSL modem physically).

As I reported earlier, I could set up a PPTP site to site VPN between this ISA2K4 box and the other one, but failed with L2TP. I started to suspect whether or not the UDP connection was interrupted between the host physical NIC and the virtual NIC, though the host physical NIC's TCP/IP protocol is disabled. If it is really so, can I have your advice on how to resolve this problem!

Many thanks for your advice in advance.

Roy Tsao

Dear Shinder-Sama,

I got your point. Finally, I could be aware why I can't create a site to site VPN by either pre-shared key or certificate, and the problem comes from one end's ISA2K4 WAN connection being through ADSL by PPPoE (dial-up).

When I check the event log at this ISA2K4 box, it indicates that the PPoe-4 port can't be opened, as it has been opened up already. I presume that's the reason why the VPN ports under Routing and Remote Access are all closed and can't accept any in/out call.

There is some article describing a site to site L2TP VPN connection even when both ends are ADSL connections, while the writer shows a sample process under virtual server environments; that is not an exact site to site VPN through an ADSL connection.

For your reference, the NIC connected to the ADSL modem is disabled, even the TCP/IP setting, and only PPPoE works for dial-up. I can create an L2TP VPN client inside the LAN and connect to the remote site's ISA2K4 VPN server. When I tried to manually activate the VPN connection under Routing and Remote Access service at the ISA2K4 server, the IPSec SA is established, and there is no answer from the remote side after 40 seconds; this means L2TP can't find its own session!

Anybody here have any solution for this????!!!!!!

Hi Roy,

I thought it was Shinder-san? I get confused about those things :)

Anyhow, are you trying to implement an L2TP/IPSec site to site VPN using a pre-shared key or computer certificates? You can't do both. So, if you want to use a pre-shared key, don't install computer certs. If you want to use computer certificates, then don't configure a pre-shared key on the VPN gateway endpoints.

HTH,
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
Sent: Thursday, March 31, 2005 10:08 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Site to Site VPN Connection Using L2TP/IPSec by Pre-shared Key

Dear Tom-san,

Can I have your kind suggestion!

Thanks,
Roy Tsao

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx