RE: VPN Progress - One Question

Hi Glenn,
 
No no no no, no no no! You do NOT need to manually create an IPSec
policy to create an L2TP/IPSec VPN connection. The L2TP/IPSec policy is
automatically created for you, and the IPSec Policy Agent is
automatically installed and started. No special certificate is required,
just install a machine certificate, as described in my articles on
the gateway to gateway L2TP/IPSec config over at
www.isaserver.org/shinder and in ISA Server and Beyond. 
 
RE: Local and remote Wizards. The Local Wizard is run at the main office
and that is where the .vpc file is created. The remote Wizard is run at the
remote office. Make sure to never select the option for bidirectional
dialup. Only allow the remote office to dial up the local office.
 
Have fun! You're learning a lot about ISA and VPN. If you get really
interested in Win2k RRAS VPNs, check out the great resources on it over
at www.microsoft.com/vpn
 
HTH,
Tom
 
Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 
 

        -----Original Message-----
        From: Glenn Maks [mailto:gmaks@xxxxxxxxx] 
        Sent: Thursday, March 06, 2003 7:30 AM
        To: [ISAserver.org Discussion List]
        Subject: [isalist] RE: VPN Progress - One Question
        
        
        http://www.ISAserver.org
        
        
        Good Morning Tom, My external interface has only 1 IP address
assignment, I will verify the fragment filtering and yes, the cert is a
machine certificate. I started playing with L2TP implementation a week
ago when I started the evaluation of ISA and RRAS, in the process I have
found more useful published Microsoft documents that address these
specific issues, I found them by doing a Google search on the event
error I was receiving, "Error 20111" after reading even more
publications I decided to start over again and I am happy to say, I
think I am finally gaining some ground on this project regarding L2TP
implementation. I discovered that I had to define an IPSec policy and
enable it for both ISA servers, in addition, create the right kind of
certificate. I installed the Certification service on the
        ROOT ISA server, the ISA server that runs the Local Wizard to
create the vpc file. Then requesting the right kind of certificate and
defining and enabling an IPSec policy. I am getting closer and today
should be the day for success, "I hope"  Tom, thank you for your valued
input and your patience with all my VPN questions.
         
        Glenn
         
         

                -----Original Message-----
                From: Thomas W Shinder
[mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
                Sent: Wednesday, March 05, 2003 8:17 PM
                To: [ISAserver.org Discussion List]
                Subject: [isalist] RE: VPN Progress - One Question
                
                
                
                
                Hi Glenn,
                 
                How many IP addresses are bound to the external
interface?
                 
                Is fragment filtering disabled?
                 
                Have you confirmed that the machine has a machine
certificate? If so, how did you carry out the confirmation procedure?
                 
                Thanks!
                Tom

                Thomas W Shinder 
                www.isaserver.org/shinder 
                ISA Server and Beyond: http://tinyurl.com/1jq1 
                Configuring ISA Server: http://tinyurl.com/1llp 

                        -----Original Message-----
                        From: Glenn Maks [mailto:gmaks@xxxxxxxxx] 
                        Sent: Wednesday, March 05, 2003 7:38 AM
                        To: [ISAserver.org Discussion List]
                        Subject: [isalist] VPN Progress - One Question
                        Importance: High
                        
                        
                        
                        
                          
                        In the process of evaluating ISA I built 2 test
servers to look at the VPN support ISA offers with RRAS as the
underlying service.
                        I successfully created a PPTP tunnel between
them which allowed me to request and install a Certificate on both ISA
servers from
                        an internal private Cert server, this all went
well. I then defined an L2TP tunnel using the Local and Remote wizards
and definition file
                        it created, verified the setting in RRAS and it
all looks good, watching the RRAS service I can see a connection attempt
but I get this
                        error from the Remote ISA server.
                         
                        Error Message:
                        An Error occurred during the connection of the
Interface.
                        The L2TP connection attempt failed because
security negotiation timed out.
                         
                        I searched everywhere but found nothing that
would help understand this error. Apologies for posting what seems to be
one VPN question after another, but I have received valuable assistance
from helpful individuals in this discussion forum and I do appreciate
                        all the positive input.
                         
                        Thank you very much
                        Glenn
                         
                         
                         
        
------------------------------------------------------
                        List Archives:
http://www.webelists.com/cgi/lyris.pl?enter=isalist
                        ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
                        ISA Server FAQ:
http://www.isaserver.org/pages/larticle.asp?type=FAQ
        
------------------------------------------------------
                        Exchange Server Resource Site:
http://www.msexchange.org/
                        Windows Security Resource Site:
http://www.windowsecurity.com/
                        Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
        
------------------------------------------------------
                        You are currently subscribed to this
ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
                        To unsubscribe send a blank email to
$subst('Email.Unsub') 
