Configure VPN site-to-site between ISA 2004 and ISA 2006

Today I will show you how to set up a site-to-site VPN between ISA 2004 and ISA 2006. This blog post was motivated by a small configuration detail on ISA 2004 that most guides don't talk about.
My lab was configured like this:
  • ISA2004 with SP3
    • Internal NIC:
    • External NIC:

  • ISA2006 with SP1
    • Internal NIC:
    • External NIC:

The goal is to establish a site-to-site VPN between both firewalls for testing purposes.

Configuring VPN on ISA 2006

The protocol we will use to create this VPN is L2TP/IPSec. Let's start by configuring the VPN on ISA 2006 using the nice VPN wizard.

Expand your ISA server node, click the Virtual Private Networks (VPN) node and choose the Remote Sites tab. In the right panel, click the Tasks tab and click Create VPN Site-to-Site Connection.

Choose the name for the remote network. In our case, the name of the remote network will be ISA2004. Click Next.

As said before, the protocol we will use for the VPN connection is Layer Two Tunneling Protocol over IPSec (L2TP/IPSec). I always recommend using this protocol together with certificates for the best security.

When you click Next, a warning message will appear:

Microsoft Internet Security and Acceleration Server 2006
To enable connectivity, a user account matching the network name must be available.

To access the local site, the remote site needs a user account with dial-in permissions recognized by the local site. The user account must have the same name as the network you are creating with this wizard. If the user account already exists, the network name you specified must match the user account name. Click Help for details.

When creating a VPN using ISA firewall, you'll have to create an account on the remote site with the same name as the VPN network and allow dial-in permission. In our case the remote account name will be ISA2004.

After that, specify the remote site VPN server address or IP address. I prefer to use IP address, so it will be

The next step is to choose whether this VPN server will initiate connections or not. This time ISA 2006 will initiate connections.

On the L2TP/IPSec Outgoing Authentication page, we will use pre-shared key authentication, since this is a lab and security is not much of a concern here.

Next step is to configure the remote network address range, for our example is

Accept the defaults on the Site-to-Site Network Rule page.

Select All outbound traffic on the Site-to-Site Network Access Rule page. It is worth mentioning again that security is not a concern here; in the real world, you should allow only the required protocols.

Review the VPN Site-to-Site Network Wizard summary and click Finish.

Configuring VPN on ISA 2004

Okay! Our ISA 2006 firewall is configured to establish a tunnel with our ISA 2004. But first we also have to configure ISA 2004 to establish a tunnel with ISA 2006.

The steps are basically the same for the ISA 2004 version, so I won't reproduce them step by step.

Choose the name for the remote network. In our case, the name of the remote network will be ISA2006. Click Next.

Once you get to the Remote Authentication page of the VPN Site-to-Site wizard, you have to choose whether the ISA 2004 VPN server will initiate the connection. One of the VPN servers must initiate the tunnel connection, and we configured ISA 2006 to initiate it.

In this case, ISA 2006 will be responsible for starting the VPN tunnel.

Provide the information needed and follow the next steps until you complete the wizard.

For ISA 2004, you have to complete two more steps before restarting the server: configure Network Rules and Access Rules. On ISA 2006, this is included in the VPN wizard.

Test the solution

Now we're ready to connect both servers. To start the VPN tunnel, send a ping request, for example, to the ISA 2004 remote network.

When I did that, the connection could not be established because of the following error:

Description: The user username, attempting to connect on port, was disconnected because of the following reason:
A Remote Access Client attempted to connect over a port that was reserved for Routers only.

Wow! What's that? Now you start to double-check all the settings and see that everything is fine.

What if you set the ISA 2004 to start the VPN tunnel instead of ISA 2006? The VPN can connect now!!

What's wrong with the ISA 2004 firewall? Well, the solution for this problem is covered in Microsoft KB262357.

This KB is intended for Microsoft Routing and Remote Access. But we are using ISA firewall, and ISA overwrites the RRAS configuration from time to time, so we have to use the ISA MMC to enable this setting. How?

ISA firewall 2004 treats the connecting VPN server as if it were a remote access client. By default, ISA 2004 and ISA 2006 are configured to enable only the PPTP protocol for remote access client VPN.

The solution here is to enable L2TP/IPSec for remote access clients on the destination VPN server, ISA 2004.

Follow these steps to enable it: expand your ISA server node, click the Virtual Private Networks (VPN) node and choose the VPN Clients tab. In the right panel, click Tasks and then Configure VPN Client Access.

On the VPN Clients Properties, click on the Protocols tab and select Enable L2TP/IPSec.


Today we learned how to configure a site-to-site VPN connection between ISA 2004 and ISA 2006, setting the ISA 2006 firewall as the connection initiator. We also saw that ISA 2004 treats the connecting VPN server as a normal VPN remote access client, so the protocol used for the site-to-site connection also needs to be enabled for remote access clients.



Paulo Oliveira.



One Response to Configure VPN site-to-site between ISA 2004 and ISA 2006

  1. Sokkhiang says:

    Your site is good. I am looking for topic like u had posted. Really helps!
    Thank you
