RE: VPN router-to-router drop every ~3 minutes

  • From: "Steve Moffat" <steve@xxxxxxxxxxxxxxx>
  • To: "Isa List" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 19 Feb 2003 15:44:37 -0000

Here's a snippet from the doc

There are numerous important components to defining these site-to-site links.  
It is imperative to recognize that only one of the VPN peers initiates the VPN 
connection.  The remote VPN peer simply recognizes the connection, and 
initiates the appropriate initialization of the local interface when the peer 
supplies a username (under login credentials) that matches the name of the 
local interface.

ACTIVE VPN:

            Router Name:  SEA_to_ORD
            Remote IP Address: 205.178.180.125
            Dial-Out Credentials (Username): SEA_to_ORD
            Dial-Out Credentials (Password): <anything - preferably complex>
            Dial-Out Credentials (Domain): SEATTLEVPN
            Dial-In Credentials: <blank!>

During the creation of the interface, Windows 2000 will prompt for dial-in 
credentials.  Since this interface is the active dialer, these credentials are 
not needed.  Instead, dial-out credentials should be specified.  Once this 
interface is configured, select the properties of the interface.  Change the 
type of interface to persistent, and set the redial attempts to 10000.

PASSIVE VPN:

            Router Name:  SEA_to_ORD
            Remote IP Address: <blank!>
            Dial-In Credentials (Username): SEA_to_ORD
            Dial-Out Credentials (Domain): <blank!> (enter anything at this 
point, because you won't finish the wizard until you do. Then right click the 
connector and select credentials and clear them.)

During the creation of this passive interface, dial-in credentials must be 
established.  This may be performed by selecting the "add account so remote 
router can dial in" option during configuration.  After the interface is 
configured, select the properties of the interface. Change the interface to 
demand-dial, and set the disconnection time to never.

When the ACTIVE VPN is initialized, a connection to the remote VPN is 
established.  Upon connection, the dial-out credentials are presented to the 
remote machine.  Upon receiving the credentials, the PASSIVE VPN recognizes 
that the name of the local RRAS interface matches the username of the 
credentials. Thus, it immediately associates the VPN interface to the 
connection - and routes packets appropriately.

Add static routes at both ends, or use RIP.

Cheers

Steve


-----Original Message-----
From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx] 
Sent: Wednesday, February 19, 2003 11:14 AM
To: Isa List
Subject: [isalist] VPN router-to-router drop every ~3 minutes

Hi folks!

I have two ISA servers that are connected this way:

Internal Network--ISA---DSL router----Internet----DSL router---ISA-Internal 
Network

Both DSL routers are set to forward all inbound traffic to the ISA Server's 
public NIC. BTW, they are both Alcatel Speed Touch Pro modems.

Well, here's what happens when I establish a router-to-router PPTP VPN between 
these two ISAs: I created the connections on RRAS, created credentials on both 
sides and I also created the static routes from one network to another. 
Everything works fine, traffic is routed, it's really fast, but... it drops 
for no reason every 3 minutes or less.

Here's the event that RRAS generates:

The user SOFTSELL\itatiaia connected on port VPN3-126 on 02/17/2003 at 05:30pm 
and disconnected on 02/17/2003 at 05:31pm.  The user was active for 1 minutes 
36 seconds.  0 bytes were sent and 0 bytes were received. The port speed was 
10000000.  The reason for disconnecting was user request.

Note that this happens even if I have traffic on the tunnel. 

Both servers have SP3 and ISA SP1 applied. I couldn't find any remote access 
policy that disconnects someone for any reason... everything is unset. Could it 
be inheriting these policies from somewhere else? I tried to use that wizard 
from ISA server to create VPNs, but the public address is not bound to my 
public NIC, so it won't work if I import the settings on the other edge. 

Any ideas?

Tiago de Aviz
---------------------
www.softsell.com.br
tiago@xxxxxxxxxxxxxxx
------------------------
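
An added example, not part of the thread: it parses the RRAS connect/disconnect event text quoted above and checks for the pattern the poster describes (short sessions ended as "user request" at a fixed cadence), so the drops can be told apart from traffic-related disconnects. The regex assumes the exact event wording shown; the second and third sample events are constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime
EVENT_RE = re.compile(  # wording of the RRAS connect/disconnect event quoted in the post
    r"The user (?P<user>\S+) connected on port \S+ on (?P<cd>\d{2}/\d{2}/\d{4}) at "
    r"(?P<ct>\d{1,2}:\d{2}[AaPp][Mm]) and disconnected on \d{2}/\d{2}/\d{4} at "
    r"\d{1,2}:\d{2}[AaPp][Mm]\.\s+The user was active for (?P<mins>\d+) minutes "
    r"(?P<secs>\d+) seconds\.\s+(?P<sent>\d+) bytes were sent and (?P<recv>\d+) bytes "
    r"were received\.\s+The port speed was \d+\.\s+The reason for disconnecting was "
    r"(?P<reason>[^.]+)\.")

@dataclass
class RasSession:
    user: str
    connected: datetime
    active_seconds: int
    bytes_sent: int
    bytes_received: int
    reason: str

def parse_rras_event(text: str) -> RasSession:
    """Parse one event; whitespace is normalised first because the text wraps in the log."""
    m = EVENT_RE.search(" ".join(text.split()))
    if m is None:
        raise ValueError("not an RRAS connect/disconnect event")
    when = datetime.strptime(f"{m['cd']} {m['ct']}", "%m/%d/%Y %I:%M%p")
    return RasSession(m["user"], when, int(m["mins"]) * 60 + int(m["secs"]),
                      int(m["sent"]), int(m["recv"]), m["reason"].strip())

def reconnect_intervals(sessions):
    """Seconds between successive connects; a steady value points at a timer, not traffic."""
    by_time = sorted(sessions, key=lambda s: s.connected)
    return [int((b.connected - a.connected).total_seconds())
            for a, b in zip(by_time, by_time[1:])]

def short_user_request_drops(sessions, max_active=180):  # the symptom described in the post
    return [s for s in sessions if s.reason == "user request" and s.active_seconds <= max_active]

# First event is the one quoted in the post; the next two are constructed follow-ups ~3 min apart.
SAMPLE_EVENTS = [
    "The user SOFTSELL\\itatiaia connected on port VPN3-126 on 02/17/2003 at 05:30pm and disconnected "
    "on 02/17/2003 at 05:31pm.  The user was active for 1 minutes 36 seconds.  0 bytes were sent and "
    "0 bytes were received. The port speed was 10000000.  The reason for disconnecting was user request.",
    "The user SOFTSELL\\itatiaia connected on port VPN3-126 on 02/17/2003 at 05:33pm and disconnected "
    "on 02/17/2003 at 05:35pm. The user was active for 1 minutes 40 seconds. 4096 bytes were sent and "
    "2048 bytes were received. The port speed was 10000000. The reason for disconnecting was user request.",
    "The user SOFTSELL\\itatiaia connected on port VPN3-126 on 02/17/2003 at 05:36pm and disconnected "
    "on 02/17/2003 at 05:38pm. The user was active for 1 minutes 29 seconds. 512 bytes were sent and "
    "512 bytes were received. The port speed was 10000000. The reason for disconnecting was user request.",
]
```

Feeding a day of these events through `reconnect_intervals` makes a timer-driven drop obvious (a flat run of ~180 s), while `short_user_request_drops` isolates the sessions worth correlating with the remote access policy and the interface's disconnect settings.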