Hi, thanks for your help. I followed your instructions and by manually setting it up it does work one way. However, you still can't VPN into the ISA server that had the error message.

-----Original Message-----
From: Friese, Casey [mailto:cfriese@xxxxxxxxxxxxx]
Sent: 19 December 2002 15:07
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN....

http://www.ISAserver.org

Let's do this the long way....

Open RRAS on the ISA server and create a new dial-on-demand interface.
Name the interface whatever you want...I'll use ISA1_ISA2 - we're configuring ISA1 at the moment.
Type the IP address of ISA2 as the destination.
Set up the connection as Persistent (OPTIONAL).
Set the security under Advanced Settings to MS CHAP and MS CHAP ver. 2 and require encryption - disconnect if server declines. (OPTIONAL - just make sure it matches on both servers)

On ISA2 do the same steps, only put the IP address of ISA1 as the destination.

Now, click on Remote Access Policies and create a new policy named "Allow access if dial-in permission is enabled" or whatever you want. Set Grant Remote Access permissions. Specify day and time restrictions for use but leave everything allowed. Do this on both servers.

Now, still in RRAS on both ISAs, click Static Routes under IP Routing and create a new static route for each "Local" segment behind the ISAs - Network behind ISA 2 is 10.168.0.0 so in RRAS of ISA1 I will create a static route for 10.168.0.0 mask 255.255.0.0 and set the interface to be ISA1_ISA2 and check the box to "Use this route to initiate...." Do the reverse for ISA2 in RRAS.

Now, open the ISA management console on ISA1 and click IP Packet Filters under Access Policy. We're going to create 2 packet filters:

1. Allow PPTP protocol packets (client) for VPN Connection: ISA1_ISA2 (Name of Filter)
   For Filter type, set to Predefined PPTP Call.
   For local computer, set to the IP address of the ext. interface of ISA1.
   For remote computer, set to the IP address of the ext. interface of ISA2.

2. Allow PPTP protocol packets (server) for VPN Connection: ISA1_ISA2 (Name of Filter)
   For Filter type, set to Predefined PPTP Receive.
   For local computer, set to the IP address of the ext. interface of ISA1.
   For remote computer, set to the IP address of the ext. interface of ISA2.

This will get you set up with PPTP; if you want IPSec, we'll go down that road after you get this working.

Hope I didn't miss anything.

-----Original Message-----
From: Ian Roberts [mailto:Ian@xxxxxxxxxxxxxx]
Sent: Thursday, December 19, 2002 9:31 AM
To: [ISAserver.org Discussion List]
Subject: RE: [isalist] RE: VPN....

In RRAS it's set to grant remote access permission. Are there any other settings I should check?

Many thanks for your help.

-----Original Message-----
From: Friese, Casey [mailto:cfriese@xxxxxxxxxxxxx]
Sent: Thu 19/12/2002 14:11
To: [ISAserver.org Discussion List]
Cc:
Subject: [isalist] RE: VPN....

This has nothing to do with the ISA piece of the equation but rather it has to do with how you have RRAS configured. Check your RRAS dial-in policies on the machine that is to accept the connection and also verify that the account used by the dialing machine has dial-in permissions on the box that is accepting the connection.

-----Original Message-----
From: Ian Roberts [mailto:ian@xxxxxxxxxxxxxx]
Sent: Thursday, December 19, 2002 7:57 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] VPN....

I'm trying to create a VPN connection between 2 ISA servers. On one it goes through okay but on the other one I get the message:

"The wizard cannot create the virtual private network (VPN) connection. An action to allow dial-in permissions failed."

Nothing on TechNet for the error message. The ISA server with the message has an ISDN connection to the internet.

Many thanks.

List Sponsored by Aspelle
Aspelle's Microsoft-centric, Aspelle Everywhere, leverages ISA server and the Internet to quickly and cost-effectively manage and deliver secure, client-less access to all corporate applications (Web, Unix, Windows and legacy systems), for all users.
More info at http://www.aspelle.com/info
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: cfriese@xxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
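
Added example, not part of the original thread: a small checker that compares the manually entered settings on both gateways against the steps listed in the thread (peer destination, access policy, static route bound to the demand-dial interface, the two PPTP packet filters, matching security settings). The dictionary layout, the function names and all addresses except 10.168.0.0/16 are assumptions made for the example; the values are constructed and would be transcribed by hand from RRAS and the ISA console.

```python
from ipaddress import ip_network

def make_gateway(name, ext_ip, lan, peer_name, peer_ip, peer_lan):
    """Build one gateway record exactly as the thread's steps prescribe."""
    iface = f"{name}_{peer_name}"
    return {"name": name, "ext_ip": ext_ip, "lan": lan, "grant_remote_access": True,
            "demand_dial": {"name": iface, "destination": peer_ip,
                            "auth": {"MS-CHAP", "MS-CHAP v2"}, "require_encryption": True},
            "static_routes": [{"dest": peer_lan, "interface": iface}],
            "packet_filters": [{"type": t, "local": ext_ip, "remote": peer_ip}
                               for t in ("PPTP Call", "PPTP Receive")]}

def check_side(local, peer):
    """Findings for one gateway, judged against what its peer expects."""
    out, dd = [], local["demand_dial"]
    if dd["destination"] != peer["ext_ip"]:
        out.append(f"{local['name']}: demand-dial destination is not the peer's external IP")
    if not local["grant_remote_access"]:
        out.append(f"{local['name']}: remote access policy does not grant access")
    peer_lan = ip_network(peer["lan"])
    if not any(peer_lan.subnet_of(ip_network(r["dest"])) and r["interface"] == dd["name"]
               for r in local["static_routes"]):
        out.append(f"{local['name']}: no static route to {peer_lan} via {dd['name']}")
    for ftype in ("PPTP Call", "PPTP Receive"):
        if not any(f["type"] == ftype and f["local"] == local["ext_ip"]
                   and f["remote"] == peer["ext_ip"] for f in local["packet_filters"]):
            out.append(f"{local['name']}: missing {ftype} filter for the peer")
    return out

def check_pair(a, b):
    """Check each side, then the settings that must match on both servers."""
    out = check_side(a, b) + check_side(b, a)
    for key in ("auth", "require_encryption"):
        if a["demand_dial"][key] != b["demand_dial"][key]:
            out.append(f"{key} differs between {a['name']} and {b['name']}")
    return out

# Constructed sample: documentation addresses; 10.167.0.0/16 for ISA1's LAN is assumed.
ISA1 = make_gateway("ISA1", "192.0.2.1", "10.167.0.0/16", "ISA2", "198.51.100.1", "10.168.0.0/16")
ISA2 = make_gateway("ISA2", "198.51.100.1", "10.168.0.0/16", "ISA1", "192.0.2.1", "10.167.0.0/16")
# Constructed faults on ISA2 only, to show how a one-sided mismatch is reported.
ISA2["packet_filters"] = [f for f in ISA2["packet_filters"] if f["type"] != "PPTP Receive"]
ISA2["demand_dial"]["auth"] = {"MS-CHAP v2"}

if __name__ == "__main__":
    for finding in check_pair(ISA1, ISA2):
        print(finding)
```
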