RE: VPN....

  • From: "Ian Roberts" <Ian@xxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 19 Dec 2002 19:51:24 -0000

Hi, thanks for your help. I followed your instructions and by manually
setting it up it does work one way. However you still can't VPN into the
ISA server that had the error message.

        -----Original Message-----
        From: Friese, Casey [mailto:cfriese@xxxxxxxxxxxxx] 
        Sent: 19 December 2002 15:07
        To: [ISAserver.org Discussion List]
        Subject: [isalist] RE: VPN....
        
        
        http://www.ISAserver.org
        
        
        Let's do this the long way....
         
        Open RRAS on the ISA server and create a new dial-on-demand
        interface.  Name the interface whatever you want... I'll use
        ISA1_ISA2 - we're configuring ISA1 at the moment.

        Type the IP address of ISA2 as the destination.
        Set up the connection as Persistent (OPTIONAL).
        Set the security under Advanced Settings to MS CHAP and MS CHAP
        ver. 2 and require encryption - disconnect if server declines.
        (OPTIONAL - just make sure it matches on both servers)

        On ISA2 do the same steps, only put the IP address of ISA1 as
        the destination.

        Now, click on Remote Access Policies and create a new policy
        named "Allow access if dial-in permission is enabled" or whatever
        you want.  Set Grant Remote Access permissions.  Specify day and
        time restrictions for use but leave everything allowed.  Do this
        on both servers.

        Now, still in RRAS on both ISAs, click Static Routes under IP
        Routing and create a new static route for each "Local" segment
        behind the ISAs - Network behind ISA 2 is 10.168.0.0 so in RRAS
        of ISA1 I will create a static route for 10.168.0.0 mask
        255.255.0.0 and set the interface to be ISA1_ISA2 and check the
        box to "Use this route to initiate...."  Do the reverse for ISA2
        in RRAS.

        Now, open the ISA management console on ISA1 and click IP Packet
        Filters under Access Policy.  We're going to create 2 packet
        filters:

        1. Allow PPTP protocol packets (client) for VPN Connection:
           ISA1_ISA2 (Name of Filter)
           For Filter type, set to Predefined PPTP Call.  For local
           computer, set to the IP address of the ext. interface of ISA1.
           For remote computer, set to the IP address of the ext.
           interface of ISA2.

        2. Allow PPTP protocol packets (server) for VPN Connection:
           ISA1_ISA2 (Name of Filter)
           For Filter type, set to Predefined PPTP Receive.  For local
           computer, set to the IP address of the ext. interface of ISA1.
           For remote computer, set to the IP address of the ext.
           interface of ISA2.

        This will get you set up with PPTP; if you want IPSec, we'll go
        down that road after you get this working.  Hope I didn't miss
        anything.
         

                -----Original Message-----
                From: Ian Roberts [mailto:Ian@xxxxxxxxxxxxxx] 
                Sent: Thursday, December 19, 2002 9:31 AM
                To: [ISAserver.org Discussion List]
                Subject: RE: [isalist] RE: VPN....
                
                
                In RRAS it's set to grant remote access permission. Are
                there any other settings I should check? Many thanks for
                your help.

                        -----Original Message----- 
                        From: Friese, Casey [mailto:cfriese@xxxxxxxxxxxxx]
                        Sent: Thu 19/12/2002 14:11 
                        To: [ISAserver.org Discussion List] 
                        Cc: 
                        Subject: [isalist] RE: VPN....
                        
                        This has nothing to do with the ISA piece of the
                        equation but rather it has to do with how you have
                        RRAS configured. Check your RRAS dial-in policies
                        on the machine that is to accept the connection
                        and also verify that the account used by the
                        dialing machine has dial-in permissions on the box
                        that is accepting the connection.
                        
                        -----Original Message-----
                        From: Ian Roberts [mailto:ian@xxxxxxxxxxxxxx]
                        Sent: Thursday, December 19, 2002 7:57 AM
                        To: [ISAserver.org Discussion List]
                        Subject: [isalist] VPN....
                        
                        I'm trying to create a VPN connection between 2
                        ISA servers. On one it goes through okay but on
                        the other one I get the message:

                        "The wizard cannot create the virtual private
                        network (VPN) connection. An action to allow
                        dial-in permissions failed."

                        Nothing on TechNet for the error message. The ISA
                        server with the message has an ISDN connection to
                        the internet. Many thanks.
                        
                        List Sponsored by Aspelle
                        Aspelle's Microsoft-centric, Aspelle Everywhere,
leverages ISA server
                        and the Internet to quickly and cost-effectively
manage and deliver
                        secure, client-less access to all corporate
applications (Web, Unix,
                        Windows and legacy systems), for all users. More
info at
                        http://www.aspelle.com/info
                        
        
------------------------------------------------------
                        List Archives:
http://www.webelists.com/cgi/lyris.pl?enter=isalist
                        ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
                        ISA Server FAQ:
http://www.isaserver.org/pages/larticle.asp?type=FAQ
        
------------------------------------------------------
                        Exchange Server Resource Site:
http://www.msexchange.org/ Windows
                        Security Resource Site:
http://www.windowsecurity.com/ Windows 2000/NT
                        Fax Solutions: http://www.ntfaxfaq.com
        
------------------------------------------------------
                        You are currently subscribed to this
ISAserver.org Discussion List as:
                        cfriese@xxxxxxxxxxxxx To unsubscribe send a
blank email to
                        $subst('Email.Unsub')
                        


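The manual setup quoted above has to be mirrored on both servers, so it can be checked as a pair. The following is an added example, not part of the original thread: the inventory layout and `make_server` helper are hypothetical, the external IPs and the 10.167.0.0 network are constructed, and only 10.168.0.0/255.255.0.0 and the interface name ISA1_ISA2 come from the thread.

```python
# Added example: consistency check for the mirrored two-server PPTP setup.
# The dict layout is a hand-written inventory (assumption), not an ISA/RRAS export.
FILTER_TYPES = {"PPTP Call", "PPTP Receive"}

def make_server(name, ext_ip, net, peer_ip, peer_net, iface,
                filters=("PPTP Call", "PPTP Receive")):
    return {
        "name": name, "ext_ip": ext_ip, "local_net": net, "local_mask": "255.255.0.0",
        "grant_remote_access": True,
        "demand_dial": {"name": iface, "destination": peer_ip,
                        "auth": {"MS-CHAP", "MS-CHAP v2"}, "require_encryption": True},
        "static_routes": [{"net": peer_net, "mask": "255.255.0.0", "interface": iface}],
        "packet_filters": [{"type": t, "local": ext_ip, "remote": peer_ip} for t in filters],
    }

def check_side(local, remote):
    """Findings for `local`'s half of the link to `remote`."""
    out, name, dd = [], local["name"], local["demand_dial"]
    if dd["destination"] != remote["ext_ip"]:
        out.append(f"{name}: demand-dial destination is not {remote['name']}'s external IP")
    if not local["grant_remote_access"]:
        out.append(f"{name}: remote access policy does not grant permission")
    want = (remote["local_net"], remote["local_mask"], dd["name"])
    if not any((r["net"], r["mask"], r["interface"]) == want for r in local["static_routes"]):
        out.append(f"{name}: no static route to {remote['local_net']} via {dd['name']}")
    have = {f["type"] for f in local["packet_filters"]
            if f["local"] == local["ext_ip"] and f["remote"] == remote["ext_ip"]}
    for missing in sorted(FILTER_TYPES - have):
        out.append(f"{name}: missing '{missing}' packet filter for {remote['ext_ip']}")
    return out

def check_pair(a, b):
    """Check both halves, plus the 'must match on both servers' security settings."""
    out = check_side(a, b) + check_side(b, a)
    da, db = a["demand_dial"], b["demand_dial"]
    if (da["auth"], da["require_encryption"]) != (db["auth"], db["require_encryption"]):
        out.append("security settings differ between the two servers")
    return out

# Constructed sample: ISA2 was given only the PPTP Call filter.
ISA1 = make_server("ISA1", "192.0.2.1", "10.167.0.0", "198.51.100.1", "10.168.0.0", "ISA1_ISA2")
ISA2 = make_server("ISA2", "198.51.100.1", "10.168.0.0", "192.0.2.1", "10.167.0.0",
                   "ISA2_ISA1", filters=("PPTP Call",))

if __name__ == "__main__":
    for finding in check_pair(ISA1, ISA2):
        print(finding)
```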