RE: VPN Progress - One Question

  • From: Glenn Maks <gmaks@xxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 6 Mar 2003 09:39:33 -0500

Thanks Tom, I will have a whack at it and if I am successful will post my
findings ... 
 
Cheers
 
   Glenn
 
 

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Thursday, March 06, 2003 8:37 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN Progress - One Question


http://www.ISAserver.org


Hi Glenn,
 
No no no no, no no no! You do NOT need to manually create an IPSec policy to
create an L2TP/IPSec VPN connection. The L2TP/IPSec policy is automatically
created for you, and the IPSec Policy Agent is automatically installed and
started. No special certificate is required, just install a machine
certificate, as described in my articles on the gateway to gateway
L2TP/IPSec config over at www.isaserver.org/shinder
<http://www.isaserver.org/shinder>  and in ISA Server and Beyond. 
 
RE: Local and remote Wizards. The Local Wizard is run at the main office and
that is where the .vpc file is created. The remote Wizard is run at the remote
office. Make sure to never select the option for bidirectional dialup. Only
allow the remote office to dial up the local office.
 
Have fun! You're learning a lot about ISA and VPN. If you get really
interested in Win2k RRAS VPNs, check out the great resources on it over at
www.microsoft.com/vpn <http://www.microsoft.com/vpn> 
 
HTH,
Tom
 
Thomas W Shinder
www.isaserver.org/shinder <http://www.isaserver.org/shinder>
ISA Server and Beyond: http://tinyurl.com/1jq1 <http://tinyurl.com/1jq1>
Configuring ISA Server: http://tinyurl.com/1llp <http://tinyurl.com/1llp>

 
 

-----Original Message-----
From: Glenn Maks [mailto:gmaks@xxxxxxxxx] 
Sent: Thursday, March 06, 2003 7:30 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN Progress - One Question




Good Morning Tom, My external interface has only 1 IP address assignment. I
will verify the fragment filtering and yes, the cert is a machine
certificate. I started playing with L2TP implementation a week ago when I
started the evaluation of ISA and RRAS. In the process I have found more
useful published Microsoft documents that address these specific issues; I
found them by doing a Google search on the event error I was receiving,
"Error 20111". After reading even more publications I decided to start over
again and I am happy to say, I think I am finally gaining some ground on
this project regarding L2TP implementation. I discovered that I had to
define an IPSec policy and enable it for both ISA servers, in addition,
create the right kind of certificate. I installed the Certification service
on the ROOT ISA server, the ISA server that runs the Local Wizard to create
the vpc file. Then requesting the right kind of certificate and defining and
enabling an IPSec policy. I am getting closer and today should be the day for
success, "I hope". Tom, thank you for your valued input and your patience
with all my VPN questions.
 
Glenn
 
 

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, March 05, 2003 8:17 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN Progress - One Question




Hi Glenn,
 
How many IP addresses are bound to the external interface?
 
Is fragment filtering disabled?
 
Have you confirmed that the machine has a machine certificate? If so, how did
you carry out the confirmation procedure?
 
Thanks!
Tom

Thomas W Shinder 
www.isaserver.org/shinder <http://www.isaserver.org/shinder>  
ISA Server and Beyond: http://tinyurl.com/1jq1 <http://tinyurl.com/1jq1>  
Configuring ISA Server: http://tinyurl.com/1llp <http://tinyurl.com/1llp>  

-----Original Message-----
From: Glenn Maks [mailto:gmaks@xxxxxxxxx] 
Sent: Wednesday, March 05, 2003 7:38 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] VPN Progress - One Question
Importance: High




  
In the process of evaluating ISA I built 2 test servers to look at the VPN
support ISA offers with RRAS as the underlying service.
I successfully created a PPTP tunnel between them which allowed me to
request and install a Certificate on both ISA servers from
an internal private Cert server; this all went well. I then defined an L2TP
tunnel using the Local and Remote wizards and the definition file
it created, verified the setting in RRAS and it all looks good. Watching the
RRAS service I can see a connection attempt but I get this
error from the Remote ISA server.
 
Error Message:
An Error occurred during the connection of the Interface.
The L2TP connection attempt failed because security negotiation timed out.
 
I searched everywhere but found nothing that would help understand this
error. Apologies for posting what seems to be one VPN question after
another, but I have received valuable assistance from helpful individuals in
this discussion forum and I do appreciate all the positive input.
 
Thank you very much
Glenn
 
 
 
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub') 
