RE: L2TP with IPSec Tunnels

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 13 Mar 2003 19:25:52 -0600

Hi Glenn,
 
Great! It'll be very interesting to see what the problem was. It's
probably something very simple and we'll slap our collective foreheads
when you share the answer :-)
 
Thanks!
Tom

Thomas W Shinder 
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1 
Configuring ISA Server: http://tinyurl.com/1llp 

        -----Original Message-----
        From: Glenn Maks [mailto:gmaks@xxxxxxxxx] 
        Sent: Thursday, March 13, 2003 7:30 AM
        To: [ISAserver.org Discussion List]
        Subject: [isalist] RE: L2TP with IPSec Tunnels
        
        
        http://www.ISAserver.org
        
        
        Thank you Tom. I am in a unique position at my company in that I
        have an MSDN agreement, so I decided to burn a call and log a ticket
        with the ISA support group from Microsoft. I plan on posting my
        findings to the discussion group so other people building an L2TP
        tunnel won't go through the pain that I have been dealing with.
        Regarding your question, I have only one IP address on my external NIC.
         
        Glenn
         
         

                -----Original Message-----
                From: Thomas W Shinder
[mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
                Sent: Wednesday, March 12, 2003 8:11 PM
                To: [ISAserver.org Discussion List]
                Subject: [isalist] RE: L2TP with IPSec Tunnels
                
                
                Hi Glenn,
                 
                It might be that you have multiple IP addresses bound to
                the external interface and the packet filters aren't applied
                to the right IP addresses. Might be time to break out Network
                Monitor to determine what the problem is.
                 
                You do NOT need to enable any IPSec policies.
                 
                HTH,
                Tom

                Thomas W Shinder 
                www.isaserver.org/shinder 
                ISA Server and Beyond: http://tinyurl.com/1jq1 
                Configuring ISA Server: http://tinyurl.com/1llp 

                        -----Original Message-----
                        From: Glenn Maks [mailto:gmaks@xxxxxxxxx] 
                        Sent: Wednesday, March 12, 2003 9:15 AM
                        To: [ISAserver.org Discussion List]
                        Subject: [isalist] RE: L2TP with IPSec Tunnels
                        
                        
                        Fair enough, and I do believe you, Tom. I can see
                        the three policies available using the IPSec snap-in.
                        According to what I read, the documentation suggests
                        using the "Server Security" policy. I have two
                        questions. First, do I need to ENABLE this policy, or
                        is it used automatically behind the scenes? Second,
                        could you provide any input as to the nature of the
                        event error that is logged and that I am receiving,
                        event 20111, which states that the negotiation timed
                        out when the calling server attempts a connect? I see
                        no activity when I use the IPSec Monitor. I know I
                        must be close to getting this to work, but I need to
                        resolve this last remaining issue that seems to
                        prevent a successful connection.
                         
                        Thank you hugely for all your advice and assistance,
                        Tom. For what it is worth, you have proven to be an
                        invaluable resource.

                                -----Original Message-----
                                From: Thomas W Shinder
[mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
                                Sent: Wednesday, March 12, 2003 9:44 AM
                                To: [ISAserver.org Discussion List]
                                Subject: [isalist] RE: L2TP with IPSec
Tunnels
                                
                                
                                Hi Glenn,
                                 
                                The number of L2TP/IPsec tunnels (gateway to
                                gateway and VPN Server) are TNTC (TNTC is a
                                term we used in urinalysis: "too numerous to
                                count").
                                 
                                You don't need to create an IPSec policy.
                                 
                                http://support.microsoft.com/?kbid=248750
                                 
                                HTH,
                                Tom
                                 
                                Thomas W Shinder
                                www.isaserver.org/shinder
                                ISA Server and Beyond: http://tinyurl.com/1jq1
                                Configuring ISA Server: http://tinyurl.com/1llp
                                
                                 
                                 

                                -----Original Message-----
                                From: Glenn Maks
[mailto:gmaks@xxxxxxxxx] 
                                Sent: Wednesday, March 12, 2003 7:32 AM
                                To: [ISAserver.org Discussion List]
                                Subject: [isalist] L2TP with IPSec
Tunnels
                                Importance: High
                                
                                
                                Another L2TP tunnel question that I would like
                                to post for feedback. The last few weeks I have
                                been evaluating ISA and RRAS service on the
                                topic of VPN tunnels. It seems straightforward
                                and easy to establish a PPTP tunnel, but L2TP
                                seems a bit more challenging. The prerequisites
                                and requirements are in place, and I have
                                successfully issued the correct Machine
                                Certificate, but the calling server times out,
                                or at least it seems to. Using diagnostic tools
                                like policy auditing and Netdiag I can see that
                                everything seems to be in order, but the tunnel
                                just won't connect. Interestingly enough, when
                                I use IPSec Security Monitor I see virtually no
                                activity? In addition, I noticed that even
                                though the IPSec security policy is defined
                                ("Secure Server"), I still have to manually
                                enable it? I thought perhaps the ISA tunnel
                                wizards would do this? The event that is logged
                                is as follows:
                                "A demand dial connection on the remote
                                interface was successfully initiated but failed
                                to complete successfully because of the
                                following, The L2TP connection attempted failed
                                because of security negotiation timed out". The
                                actual event code is 20111.
                                Has anyone successfully established an L2TP
                                tunnel using Microsoft RRAS and the ISA tunnel
                                wizards? I welcome any feedback and suggestions.
                                 
                                Thank you all for your valued input
                                 
                                Glenn
                                 
                                 
        
                                ------------------------------------------------------
                                List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
                                ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
                                ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
                                ------------------------------------------------------
                                Exchange Server Resource Site: http://www.msexchange.org/
                                Windows Security Resource Site: http://www.windowsecurity.com/
                                Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
                                ------------------------------------------------------
                                You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
                                To unsubscribe send a blank email to $subst('Email.Unsub')

        