Re: Site to Site VPN Connection Using L2TP/IPSec by Pre-shared Key

  • From: "Roy Tsao" <roy_tsao@xxxxxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Wed, 13 Apr 2005 02:47:26 -0600

Dear Shinder-sama,

Unfortunately, adjusting the MTU value does not work for the L2TP connection.
The result is the same:
  - IPsec SA is established
  - L2TP remote end (PPPoE) does not answer the call

Can you help me by running a test at your side to verify this problem?
It is not complicated, no need to host two ISA servers for the test, i.e.:
  - set up the ISA Server connected to the internet by direct PPPoE dial-up
  - configure the ISA server as a VPN server to accept L2TP clients
  - set up a VPN client dial-up interface on an internal client,
    either physical or virtual
  - from that client, call either the ISA server's LAN or WAN IP
You can see the result, which is the same as site to site, please!

Thanks,

Roy Tsao
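The MTU question raised in this thread, as an added example that is not part of the original posts: a small overhead calculator for L2TP/IPsec (ESP transport mode) carried over a PPPoE link, showing why a default 1500-byte inner packet no longer fits the 1492-byte PPPoE MTU and which inner MTU does fit. The 3DES/HMAC-SHA1-96 sizes, the 8-byte L2TP data header and the optional NAT-T UDP encapsulation are assumptions, not values taken from the thread.

```python
# Added example (not from the list thread): byte-overhead calculator for
# L2TP/IPsec in ESP transport mode carried over a PPPoE link, to show why a
# default 1500-byte inner packet fragments when the PPPoE link MTU is 1492.
# Cipher/ICV sizes are assumptions for a 3DES-CBC + HMAC-SHA1-96 SA.

ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8          # 6-byte PPPoE header + 2-byte PPP protocol id
PPPOE_LINK_MTU = ETHERNET_MTU - PPPOE_OVERHEAD   # 1492

OUTER_IP = 20               # outer IPv4 header (no options)
NAT_T_UDP = 8               # UDP 4500 encapsulation, only when NAT-T is in use
ESP_HEADER = 8              # SPI + sequence number
UDP_1701 = 8                # L2TP rides on UDP port 1701
L2TP_HEADER = 8             # flags/version, length, tunnel id, session id (assumed)
PPP_HEADER = 2              # PPP protocol field in front of the inner IP packet
ESP_TRAILER = 2             # pad length + next header


def esp_padding(plaintext_len: int, block: int) -> int:
    """ESP pads (plaintext + 2-byte trailer) up to a multiple of the cipher block."""
    return (-(plaintext_len + ESP_TRAILER)) % block


def outer_length(inner_ip_len: int, *, block: int = 8, iv: int = 8,
                 icv: int = 12, nat_t: bool = False) -> int:
    """Bytes handed to the PPPoE link (PPPoE/Ethernet framing excluded)
    for one inner IP packet of inner_ip_len bytes."""
    plaintext = UDP_1701 + L2TP_HEADER + PPP_HEADER + inner_ip_len
    pad = esp_padding(plaintext, block)
    encrypted = iv + plaintext + pad + ESP_TRAILER
    return OUTER_IP + (NAT_T_UDP if nat_t else 0) + ESP_HEADER + encrypted + icv


def fragments(inner_ip_len: int, link_mtu: int = PPPOE_LINK_MTU, **sa) -> bool:
    """True if the encapsulated packet exceeds the link MTU (IP fragmentation)."""
    return outer_length(inner_ip_len, **sa) > link_mtu


def max_inner_mtu(link_mtu: int = PPPOE_LINK_MTU, **sa) -> int:
    """Largest inner IP packet that still fits one link-layer frame; stepped
    down from link_mtu because ESP padding makes the relation non-linear."""
    size = link_mtu
    while size > 0 and fragments(size, link_mtu, **sa):
        size -= 1
    return size


if __name__ == "__main__":
    for n in (1500, 1400, max_inner_mtu()):
        print(f"inner {n:4d} -> outer {outer_length(n):4d} "
              f"{'FRAGMENTS' if fragments(n) else 'fits'} on {PPPOE_LINK_MTU}")
```

With these assumed sizes a 1500-byte inner packet becomes 1568 bytes on the wire, so the inner (tunnel) interface needs an MTU of 1420 or less, and 1412 if NAT-T is in play.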

----- Original Message ----- 
From: "Roy Tsao" <roy_tsao@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, April 12, 2005 8:06 PM
Subject: [isalist] Re: Site to Site VPN Connection Using L2TP/IPSec by
Pre-shared Key


> http://www.ISAserver.org
> 
> 
> Dear Tom,
> 
> Thanks for your hint. Yup, there is a possibility of the MTU breaking IPsec,
> let me adjust the MTU and try to see if it could resolve the problem,
> I hope it brings me success tonight...
> 
> To put in a router is the last option before I enter into a dead corner,
> I would like to host a good connection with an ADSL router unless it
> is an enterprise one (of course very costly)
> 
> Thanks,
> 
> Roy
> 
> 
> 
> ----- Original Message ----- 
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Tuesday, April 12, 2005 6:54 PM
> Subject: [isalist] Re: Site to Site VPN Connection Using L2TP/IPSec by
> Pre-shared Key
> 
> 
> Hi Roy,
> 
> Maybe an MTU issue? How about putting a DSL router in front of the ISA
> firewall in the VM and letting it do the PPPoE? That gets around the MTU
> problem.
> 
> HTH, 
> 
> 
> Tom
> www.isaserver.org/shinder
> Tom and Deb Shinder's Configuring ISA Server 2004
> http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
> 
> -----Original Message-----
> From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx] 
> Sent: Tuesday, April 12, 2005 5:44 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: Site to Site VPN Connection Using L2TP/IPSec by
> Pre-shared Key
> 
> Dear Tom,
> 
> I did a good site to site L2TP/IPSec VPN through VMware with PPPoE.
> 
> Again, my problem is to set up such a connection through an ISA2K4 box
> as guest OS inside a VM to a remote physical ISA2K4 box; that virtual
> ISA2K4's Internet connection is PPPoE through a bridged NIC connected
> to the ADSL modem!
> The PPTP connection works fine for site to site, and IPSec Monitor shows
> a good SA for the L2TP connection. I am just wondering, since PPTP uses
> the TCP protocol while L2TP uses UDP, whether the bridged NIC interrupts
> UDP communication for L2TP!?
> 
> Any idea, please?
> 
> Thanks,
> 
> Roy 
> 
> ----- Original Message ----- 
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Tuesday, April 12, 2005 6:01 PM
> Subject: [isalist] Re: Site to Site VPN Connection Using L2TP/IPSec by
> Pre-shared Key
> 
> 
> Hi Roy,
> 
> I can't say about the PPPoE issue in the VM, but I've used VMware VMs
> for years with L2TP/IPSec connections using the VMware bridged NIC with
> no problems. Can you set up an L2TP/IPSec site to site VPN between two
> ISA firewalls without using PPPoE in your VMware lab?
> 
> Thanks! 
> 
> 
> Tom
> www.isaserver.org/shinder
> Tom and Deb Shinder's Configuring ISA Server 2004
> http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
> 
> -----Original Message-----
> From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx] 
> Sent: Tuesday, April 12, 2005 12:35 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: Site to Site VPN Connection Using L2TP/IPSec by
> Pre-shared Key
> 
> Dear Shinder-san, Harrison-sama,
> 
> Following the below discussion thread, I would say that I forgot to tell
> one thing which might be key for the captioned issue. The ISA2K4 box is
> installed in a guest machine of a VMware host; it hosts an internet
> connection through PPPoE by a virtual NIC bridged to the host's NIC
> (this NIC connects to the ADSL modem physically).
> As I reported earlier, I could set up a PPTP site to site VPN between this
> ISA2K4 box and the other one, but failed in L2TP. I started to suspect
> whether or not the UDP connection was interrupted between the host physical
> NIC and the virtual NIC, though the host physical NIC's TCP/IP protocol is
> disabled.
> If it is really so, can I have your advice on how to resolve this problem?
> 
> Many thanks for your advice in advance.
> 
> Roy Tsao
> 
> Dear Shinder-sama,
> 
> I got your point. Finally, I could become aware why I can't create a site to
> site VPN by either pre-shared key or certificate: the problem comes from one
> end's ISA2K4 WAN connection being through ADSL by PPPoE (dial-up). When I
> check the event log at this ISA2K4 box, it indicates that the PPoe-4 port
> can't be opened, it has been opened up already; I presume that's the
> reason why the VPN ports under Routing and Remote Access are all closed and
> can't accept any in/out call.
> There is some article saying site to site L2TP VPN connections work even
> when both ends are ADSL connections, while the writer shows a sample process
> under virtual server environments, which is not an exact site to site VPN
> through an ADSL connection.
> For your reference, the NIC connected to the ADSL modem is disabled even
> in the TCP/IP setting, and only PPPoE works for dial-up.
> I can create an L2TP VPN client inside the LAN and connect to the remote
> site's ISA2K4 VPN server. When I tried to manually activate the VPN
> connection under the Routing and Remote Access service at the ISA2K4 server,
> the IPSec SA is established, and there is no answer from the remote side
> after 40 seconds; this means L2TP can't find its own session!
> 
> Anybody here have any solution for this?!
> 
> Hi Roy,
> 
> I thought it was Shinder-san? I get confused about those things :)
> 
> Anyhow, are you trying to implement an L2TP/IPSec site to site VPN using
> a pre-shared key or computer certificates? You can't do both. So, if you
> want to use a pre-shared key, don't install computer certs. If you want
> to use computer certificates, then don't configure a pre-shared key on
> the VPN gateway endpoints.
> 
> HTH, 
> 
> 
> Tom
> www.isaserver.org/shinder
> Tom and Deb Shinder's Configuring ISA Server 2004
> http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
> 
> -----Original Message-----
> From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx] 
> Sent: Thursday, March 31, 2005 10:08 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: Site to Site VPN Connection Using L2TP/IPSec by
> Pre-shared Key
> 
> Dear Tom-san,
> 
> Can I have any kind suggestion from you?
> 
> Thanks,
> 
> Roy Tsao
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 

