Thanks Tom,

I will have a whack at it and if I am successful will post my findings ...

Cheers
Glenn

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Thursday, March 06, 2003 8:37 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN Progress - One Question

http://www.ISAserver.org

Hi Glenn,

No no no no, no no no! You do NOT need to manually create an IPSec policy to create an L2TP/IPSec VPN connection. The L2TP/IPSec policy is automatically created for you, and the IPSec Policy Agent is automatically installed and started. No special certificate is required, just install a machine certificate, as described in my articles on the gateway to gateway L2TP/IPSec config over at www.isaserver.org/shinder <http://www.isaserver.org/shinder> and in ISA Server and Beyond.

RE: Local and remote Wizards. The Local Wizard is run at the main office and that is where the .vpc file is created. The remote Wizard is run at the remote office. Make sure to never select the option for bidirectional dialup. Only allow the remote office to dial up the local office.

Have fun! You're learning a lot about ISA and VPN. If you get really interested in Win2k RRAS VPNs, check out the great resources on it over at www.microsoft.com/vpn <http://www.microsoft.com/vpn>

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder <http://www.isaserver.org/shinder>
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Glenn Maks [mailto:gmaks@xxxxxxxxx]
Sent: Thursday, March 06, 2003 7:30 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN Progress - One Question

Good Morning Tom,

My external interface has only 1 IP address assignment, I will verify the fragment filtering and yes, the cert is a machine certificate.
I started playing with L2TP implementation a week ago when I started the evaluation of ISA and RRAS. In the process I have found more useful published Microsoft documents that address these specific issues. I found them by doing a Google search on the event error I was receiving, "Error 20111". After reading even more publications I decided to start over again and I am happy to say, I think I am finally gaining some ground on this project regarding L2TP implementation.

I discovered that I had to define an IPSec policy and enable it for both ISA servers, in addition, create the right kind of certificate. I installed the Certification service on the ROOT ISA server, the ISA server that runs the Local Wizard to create the vpc file. Then requesting the right kind of certificate and defining and enabling an IPSec policy. I am getting closer and today should be the day for success, "I hope"

Tom, thank you for your valued input and your patience with all my VPN questions.

Glenn

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Wednesday, March 05, 2003 8:17 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN Progress - One Question

Hi Glenn,

How many IP addresses are bound to the external interface? Is fragment filtering disabled? Have you confirmed that the machine has a machine certificate? If so, how did you carry out the confirmation procedure?

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder <http://www.isaserver.org/shinder>
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Glenn Maks [mailto:gmaks@xxxxxxxxx]
Sent: Wednesday, March 05, 2003 7:38 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] VPN Progress - One Question
Importance: High

In the process of evaluating ISA I built 2 test servers to look at the VPN support ISA offers with RRAS as the underlying service. I successfully created a PPTP tunnel between them which allowed me to request and install a Certificate on both ISA servers from an internal private Cert server, this all went well.

I then defined an L2TP tunnel using the Local and Remote wizards and definition file it created, verified the setting in RRAS and it all looks good. Watching the RRAS service I can see a connection attempt but I get this error from the Remote ISA server.

Error Message: An Error occurred during the connection of the Interface. The L2TP connection attempt failed because security negotiation timed out.

I searched everywhere but found nothing that would help understand this error. Apologies for posting what seems to be one VPN question after another, but I have received valuable assistance from helpful individuals in this discussion forum and I do appreciate all the positive input.
Thank you very much
Glenn

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')