Dear Shinder-sama,

Unfortunately, adjusting the MTU value does not work for the L2TP connection. The result is the same:

- IPsec SA is established
- L2TP remote end (PPPoE) does not answer the call

Can you help me by running a test at your side to verify this problem? It is not complicated; there is no need to host two ISA servers for the test, i.e.:

- set up the ISA Server connected to the Internet by direct PPPoE dial-up
- configure the ISA server as a VPN server to accept L2TP clients
- set up a VPN client dial-up interface on an internal client, either physical or virtual
- from that client, call the ISA server's LAN or WAN IP

You can see the result, which is the same as site to site, please!

Thanks,

Roy Tsao

----- Original Message -----
From: "Roy Tsao" <roy_tsao@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, April 12, 2005 8:06 PM
Subject: [isalist] Re: Site to Site VPN Connection Using L2TP/IPSec by Pre-shared Key

> http://www.ISAserver.org
>
> Dear Tom,
>
> Thanks for your hint. Yup, there is a possibility of MTU breaking IPsec,
> let me adjust the MTU and try to see if it could resolve the problem,
> I hope it brings me a success tonight...
>
> To put a router is the last option before I enter into a dead corner,
> I would like to host a good connection with an ADSL router unless it
> is an enterprise one (of course very costly)
>
> Thanks,
>
> Roy
>
> ----- Original Message -----
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Tuesday, April 12, 2005 6:54 PM
> Subject: [isalist] Re: Site to Site VPN Connection Using L2TP/IPSec by Pre-shared Key
>
> Hi Roy,
>
> Maybe a MTU issue? How about putting a DSL router in front of the ISA
> firewall in the VM and let it do the PPPoE? That gets around the MTU
> problem.
>
> HTH,
>
> Tom
> www.isaserver.org/shinder
> Tom and Deb Shinder's Configuring ISA Server 2004
> http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
> -----Original Message-----
> From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> Sent: Tuesday, April 12, 2005 5:44 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: Site to Site VPN Connection Using L2TP/IPSec by Pre-shared Key
>
> Dear Tom,
>
> I did a good site to site L2TP/IPSec VPN through VMware with PPPoE.
>
> Again, my problem is to set up such a connection through an ISA2K4 box
> as guest OS inside a VM to a remote physical ISA2K4 box; that virtual
> ISA2K4's Internet connection is PPPoE through a bridged NIC connected
> to the ADSL modem!
> The PPTP connection works fine for site to site, and IPSec Monitor shows
> a good SA for the L2TP connection. I just wonder: PPTP uses TCP protocol
> while L2TP uses UDP, the bridged NIC interrupts UDP communication for
> L2TP!?
>
> Any idea, please?
>
> Thanks,
>
> Roy
>
> ----- Original Message -----
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Tuesday, April 12, 2005 6:01 PM
> Subject: [isalist] Re: Site to Site VPN Connection Using L2TP/IPSec by Pre-shared Key
>
> Hi Roy,
>
> I can't say about the PPPoE issue in the VM, but I've used VMware VMs
> for years with L2TP/IPSec connections using the VMware bridged NIC with
> no problems. Can you set up an L2TP/IPSec site to site VPN between two
> ISA firewalls without using PPPoE in your VMware lab?
>
> Thanks!
>
> Tom
> www.isaserver.org/shinder
> Tom and Deb Shinder's Configuring ISA Server 2004
> http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
> -----Original Message-----
> From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> Sent: Tuesday, April 12, 2005 12:35 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: Site to Site VPN Connection Using L2TP/IPSec by Pre-shared Key
>
> Dear Shinder-San, Harrison-sama,
>
> Following the below discussion thread, I would say that I forgot to tell
> one thing which might be key for the captioned issue. The ISA2K4 box is
> installed in the guest machine of a VMware host; it hosts an Internet
> connection through PPPoE by a virtual NIC bridged to the host's NIC
> (this NIC connects to the ADSL modem physically).
> As I reported earlier, I could set up a PPTP site to site VPN between this
> ISA2K4 box and the other one, but failed in L2TP. I started to suspect
> whether or not the UDP connection was interrupted between the host physical
> NIC and the virtual NIC, though the host physical NIC's TCP/IP protocol is
> disabled.
> If it is really so, can I have your advice on how to resolve this problem!
>
> Many thanks for your advice in advance.
>
> Roy Tsao
>
>
> Dear Shinder-Sama,
>
> I got your point. Finally, I could be aware why I can't create a site to
> site VPN by either pre-shared key or certificate, and the problem comes
> from one end's ISA2K4 WAN connection being through ADSL by PPPoE (dial-up).
> When I check the event log at this ISA2K4 box, it indicates that the PPoe-4
> port can't be opened, it has been opened up already. I presume that's the
> reason why the VPN ports under Routing and Remote Access are all closed and
> can't accept any in/out call.
> There is some article saying site to site L2TP VPN connection even when both
> ends are ADSL connections, while the writer shows a sample process under
> virtual server environments, that is not an exact site to site VPN through
> ADSL connection.
> For your reference, the NIC connected to the ADSL modem is disabled, even
> the TCP/IP setting, and only PPPoE works for dial-up.
> I can create an L2TP VPN client inside the LAN and connect to the remote
> site's ISA2K4 VPN server. When I tried to manually activate the VPN
> connection under Routing and Remote Access service at the ISA2K4 server,
> the IPSec SA is established, and there is no answer from the remote side
> after 40 seconds; this means L2TP can't find its own session!
>
> Anybody here have any solution for this????!!!!!!
>
>
> Hi Roy,
>
> I thought it was Shinder-san? I get confused about those things :)
>
> Anyhow, are you trying to implement an L2TP/IPSec site to site VPN using
> a pre-shared key or computer certificates? You can't do both. So, if you
> want to use a pre-shared key, don't install computer certs. If you want
> to use computer certificates, then don't configure a pre-shared key on
> the VPN gateway endpoints.
>
> HTH,
>
> Tom
> www.isaserver.org/shinder
> Tom and Deb Shinder's Configuring ISA Server 2004
> http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
> -----Original Message-----
> From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> Sent: Thursday, March 31, 2005 10:08 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: Site to Site VPN Connection Using L2TP/IPSec by Pre-shared Key
>
> Dear Tom-san,
>
> Can I have any kind suggestion from you!
>
> Thanks,
>
> Roy Tsao
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx