Hi David,

I like the pure IPSec tunnel approach. It just has two drawbacks that prevent me from implementing it more often:

--Each Gateway must have a static IP address
--The tunnel does not appear in the RRAS console and so monitoring it is a bit awkward

Otherwise, I think it's definitely the way to go!

Thanks!
Tom
www.isaserver.org/shinder
Thomas W Shinder, M.D., MCSE, MCT

-----Original Message-----
From: David Haam [mailto:DavidH@xxxxxxxxxxxx]
Sent: Tuesday, August 28, 2001 12:09 PM
To: [ISAserver.org Discussion List]
Subject: RE: [isalist] RE: IPSEC/L2TP VPN on ISA Server

Just a couple of things to keep in mind for your scenario.

* with a "site-to-site" VPN, you might want to use straight IPSec without L2TP (L2TP buys you advantages in ease of implementation/configuration if you have client-to-site VPNs).
* NAT is not supported on the ends of the IPSec tunnel. However, as long as you're terminating the tunnel (e.g. ISA server at each end with real IPs), you'll be fine.
* the PKI (Certs) side of encryption is probably the toughest part of IPSec, you can do a shared-key IPSec tunnel, but I would only suggest that for testing/short-term until your PKI is in place.

-----Original Message-----
From: Thomas W. Shinder
Sent: Tue 8/28/2001 9:58 AM
To: [ISAserver.org Discussion List]
Cc:
Subject: [isalist] RE: IPSEC/L2TP VPN on ISA Server

http://www.ISAserver.org

Hi Nick,

We didn't go into the intricacies of VPN, because that's for a future book :-)

L2TP/IPSec tunnels are another ballgame completely. PPTP is plug and play. L2TP/IPSec requires some planning.

However, check out Q240262 if you don't want to break your brain on Certificate Server :-)

HTH,
Tom
www.isaserver.org/shinder
Thomas W Shinder, M.D., MCSE, MCT

-----Original Message-----
From: Nicholas Palmer [mailto:NICK@xxxxxxxxxxx]
Sent: Tuesday, August 28, 2001 11:10 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] IPSEC/L2TP VPN on ISA Server

Hi all,

I've got a question about setting up a Server to Server VPN. I followed the example in the back of Tom's book to set up a VPN between two different Servers (both with ISA), and everything seems to work OK. Well, it works OK when I use PPTP as the Authentication protocol. If I try to use IPSEC it fails to Authenticate. I've read somewhere in Tom's book about an IPSEC driver that needs to be installed, but I've also seen that you can't do IPSEC if you are doing NAT, which ISA does, right? So what is the answer here?

Thanks in advance,
Nick.
____________________
Nicholas Palmer
KCI Computing, Inc.
(nick@xxxxxxxxxxx)