SBS 2003 to ISA 2006 pptp site to site vpn connection

Hi..



I'm trying to create a site to site VPN connection between a machine with
ISA 2006 and a machine with SBS2003 SP2



So I created a remote site in ISA with the details o fthe remote location,
and created the user with the same name as the network.. The network has the
same name on both servers, so I don't think the username will be a issue...



In SBS I enabled RRAS, and created a new demand dial interface with ISA 2006
Public IP address as destination server.. I also added the username and pass
information..



Now the strange thing is once I setup everything, I try to connect from the
SBS2003 site to the ISA site, but not a single packet with ISA2006's IP is
sent.. I tested with wireshark.. and I have no firewalls in this server.. at
least when I try to ping the ISA2006 server I can see the outgoing packets,
but nothing when trying to enable the site to site VPN connection I just
setup...



any ideas??

Does the DoD interface in RRAS actually connect? Error out? what?

You need to differenciate between the Tunnel not "going up" -vs- traffic
simply not flowing through the Tunnel after it is up. They are two different
things.

Traffic not goint through the existing Tunnle I can probably figure out.
The Tunnel not "going up" at all I might have trouble with.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/downlo...7/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/e...epartners.mspx
-----------------------------------------------------

"averied" <(E-Mail Removed)> wrote in message
news:0D6832F2-AFCC-477D-9295-(E-Mail Removed)...
> Hi..
>
>
>
> I'm trying to create a site to site VPN connection between a machine with
> ISA 2006 and a machine with SBS2003 SP2
>
>
>
> So I created a remote site in ISA with the details o fthe remote location,
> and created the user with the same name as the network.. The network has
> the
> same name on both servers, so I don't think the username will be a
> issue...
>
>
>
> In SBS I enabled RRAS, and created a new demand dial interface with ISA
> 2006
> Public IP address as destination server.. I also added the username and
> pass
> information..
>
>
>
> Now the strange thing is once I setup everything, I try to connect from
> the
> SBS2003 site to the ISA site, but not a single packet with ISA2006's IP is
> sent.. I tested with wireshark.. and I have no firewalls in this server..
> at
> least when I try to ping the ISA2006 server I can see the outgoing
> packets,
> but nothing when trying to enable the site to site VPN connection I just
> setup...
>
>
>
> any ideas??
>

I agree with Philip. This is tricky to set up. If you are using RRAS at
both ends, you have to configure both servers manually and you know where
you are. If you are using ISA at both ends the wizard gives you the config
for the second server. If you use the ISA set up at one end, how do you know
what to configure at the RRAS end?

"Phillip Windell" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Does the DoD interface in RRAS actually connect? Error out? what?
>
> You need to differenciate between the Tunnel not "going up" -vs- traffic
> simply not flowing through the Tunnel after it is up. They are two
> different things.
>
> Traffic not goint through the existing Tunnle I can probably figure out.
> The Tunnel not "going up" at all I might have trouble with.
>
> --
> Phillip Windell
> www.wandtv.com
>
> The views expressed, are my own and not those of my employer, or
> Microsoft, or anyone else associated with me, including my cats.
> -----------------------------------------------------
> Understanding the ISA 2004 Access Rule Processing
> http://www.isaserver.org/articles/IS...cessRules.html
>
> Troubleshooting Client Authentication on Access Rules in ISA Server 2004
> http://download.microsoft.com/downlo...7/ts_rules.doc
>
> Microsoft Internet Security & Acceleration Server: Partners
> http://www.microsoft.com/isaserver/partners/default.asp
>
> Microsoft ISA Server Partners: Partner Hardware Solutions
> http://www.microsoft.com/forefront/e...epartners.mspx
> -----------------------------------------------------
>
> "averied" <(E-Mail Removed)> wrote in message
> news:0D6832F2-AFCC-477D-9295-(E-Mail Removed)...
>> Hi..
>>
>>
>>
>> I'm trying to create a site to site VPN connection between a machine with
>> ISA 2006 and a machine with SBS2003 SP2
>>
>>
>>
>> So I created a remote site in ISA with the details o fthe remote
>> location,
>> and created the user with the same name as the network.. The network has
>> the
>> same name on both servers, so I don't think the username will be a
>> issue...
>>
>>
>>
>> In SBS I enabled RRAS, and created a new demand dial interface with ISA
>> 2006
>> Public IP address as destination server.. I also added the username and
>> pass
>> information..
>>
>>
>>
>> Now the strange thing is once I setup everything, I try to connect from
>> the
>> SBS2003 site to the ISA site, but not a single packet with ISA2006's IP
>> is
>> sent.. I tested with wireshark.. and I have no firewalls in this server..
>> at
>> least when I try to ping the ISA2006 server I can see the outgoing
>> packets,
>> but nothing when trying to enable the site to site VPN connection I just
>> setup...
>>
>>
>>
>> any ideas??
>>
>
>

"Bill Grant" <not.available@online> wrote in message
news:(E-Mail Removed)...
> I agree with Philip. This is tricky to set up. If you are using RRAS at
> both ends, you have to configure both servers manually and you know where
> you are. If you are using ISA at both ends the wizard gives you the config
> for the second server. If you use the ISA set up at one end, how do you
> know what to configure at the RRAS end?

I think ISA still does it similar "under the hood" so on the RRAS box you
just treat the situation as if the ISA was really an RRAS box. ISA2000 and
2004 actually used RRAS to perform that task. ISA2006 has the abilities
built into itself but I think it follows the same principles underneath
everything.

After my last post I tried to set up a "model" of what he is doing using an
ISA2004 on one end and an ISA2006 on the other end. I could not get it to
work [yet],...it's embarrassing,..so don't tell anyone :-) The hard part is
figuring out what component or at what level along the way it "doesn't work"
whenever it "doesn't work". Maybe I'll mess with it more this after noon or
at home tonight. That's pretty bad when a former ISA-MVP can't get the S2S
VPN up, so we'll have to keep that quiet :-)

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/downlo...7/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/e...epartners.mspx
-----------------------------------------------------

"Phillip Windell" <(E-Mail Removed)> wrote in message
news:%23%23$(E-Mail Removed)...
> "Bill Grant" <not.available@online> wrote in message
> news:(E-Mail Removed)...
>> I agree with Philip. This is tricky to set up. If you are using RRAS at
>> both ends, you have to configure both servers manually and you know where
>> you are. If you are using ISA at both ends the wizard gives you the
>> config for the second server. If you use the ISA set up at one end, how
>> do you know what to configure at the RRAS end?
>
> I think ISA still does it similar "under the hood" so on the RRAS box you
> just treat the situation as if the ISA was really an RRAS box. ISA2000
> and 2004 actually used RRAS to perform that task. ISA2006 has the
> abilities built into itself but I think it follows the same principles
> underneath everything.
>
> After my last post I tried to set up a "model" of what he is doing using
> an ISA2004 on one end and an ISA2006 on the other end. I could not get it
> to work [yet],...it's embarrassing,..so don't tell anyone :-) The hard
> part is figuring out what component or at what level along the way it
> "doesn't work" whenever it "doesn't work". Maybe I'll mess with it more
> this after noon or at home tonight. That's pretty bad when a former
> ISA-MVP can't get the S2S VPN up, so we'll have to keep that quiet :-)
>
> --
> Phillip Windell
> www.wandtv.com
>
> The views expressed, are my own and not those of my employer, or
> Microsoft, or anyone else associated with me, including my cats.
> -----------------------------------------------------
> Understanding the ISA 2004 Access Rule Processing
> http://www.isaserver.org/articles/IS...cessRules.html
>
> Troubleshooting Client Authentication on Access Rules in ISA Server 2004
> http://download.microsoft.com/downlo...7/ts_rules.doc
>
> Microsoft Internet Security & Acceleration Server: Partners
> http://www.microsoft.com/isaserver/partners/default.asp
>
> Microsoft ISA Server Partners: Partner Hardware Solutions
> http://www.microsoft.com/forefront/e...epartners.mspx
> -----------------------------------------------------
>
>

I think the tricky part setting up the RRAS side would be to figure out
what name to use to initiate the connection. You can configure the
demand-dial interface at the RRAS end assign the necessary static route so
that traffic for the "other" site will go through the VPN when it is up.
(You link the route to the dd interface through the new static route wizard
in RRAS). But all of that is useless if it doesn't connect to the correct
interface at the other end.

In a RRAS to RRAS connection you actually use the name of the
demand-dial interface on the answering router as the username to initiate
the connection. That ensures that the connection binds to the correct dd
interface and that the static route back to the calling router's subnet is
activated. If you use a password which doesn't match the dd interface name
you just connect as a dialup type client and the routing doesn't work
(because you only get a host route back to the calling machine, not a subnet
route for the machines behind the calling router).