D-Link Forums
		The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: weweird on February 22, 2010, 09:19:35 AM
		
			
			- 
Hello.
 I have an ISA Server 2006 at the main office and a DFL-210 at the branch office.
 I need to connect the branch office to the main office in a site-to-site scheme.
 But I have one small nuance: at the branch office I can't get a public IP address.
 So I can't use IPsec tunnel mode.
 
 But I can't find any solution, step-by-step instruction or how-to for using an L2TP over IPsec CLIENT on the DFL-210.
 
 What I've already done: created a site-to-site network on ISA,
 on the DFL-210 created IPsec in transport mode
 (http://xmages.net/upload/4dd5fca2.png)(http://xmages.net/upload/9f07be5c.png)
 and an L2TP client
 (http://xmages.net/upload/84f20a8a.png)
 ticked "Automatically add a route for this interface using the given remote network."
 and "Add route for remote network"
 
 
 The SA is successfully established, but only when I ping from the DFL-210 to UDP port 1701 of ISA.
 
 The L2TP client stays in state:
 
 Type: Single client tunnel
 Sessions: 1
 Tunnel status: Connecting
 Session status: Establishing
 
 And in ISA Monitoring there is no connection to port 1701 (except the UDP ping).
 
 
 I need help because I don't know where to look now...
 And sorry for my bad English.
 
 
- 
You don't need an SA per port, leave it at the default.
 
 I have never personally set up this config (it is kind of backwards to how most people use this device) so while I see nothing (else) immediately wrong I would take a careful look at your logs and make sure you use all the clues your devices are going to give you.
- 
Hi Fatman.
 If I set the SA to "Per net" or "Per host", I get "Quick Mode failed":
 
 2010-02-22 21:53:28: IkeSnoop: Received IKE packet from xxx.xxx.xxx.xxx:500
 Exchange type  : Informational
 ISAKMP Version : 1.0
 Flags          : E (encryption)
 Cookies        : 0xcd41f1c17c942c60 -> 0xb3c791fbba607238
 Message ID     : 0xf6a4a00a
 Packet length  : 64 bytes
 # payloads     : 2
 Payloads:
 HASH (Hash)
 Payload data length : 16 bytes
 N (Notification)
 Payload data length : 12 bytes
 Protocol ID  : ESP
 Notification : Invalid ID information
 
Do you know whether L2TP over IPsec is generally possible at all?
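The IkeSnoop record quoted above can be read mechanically. The following Python example is added here and is not from the forum, D-Link or Microsoft: it parses such a record into its header fields and payloads, then maps the "Invalid ID information" notification to its IKEv1 meaning (the responder rejected the Quick Mode ID payloads, i.e. the proposed network/host/port selectors did not match its policy). The peer address 203.0.113.10 is a placeholder, since the post masks it.

```python
import re
# Constructed sample: the IkeSnoop record quoted in the post, re-typed with a
# documentation address in place of the masked peer (xxx.xxx.xxx.xxx).
SAMPLE = """2010-02-22 21:53:28: IkeSnoop: Received IKE packet from 203.0.113.10:500
Exchange type  : Informational
ISAKMP Version : 1.0
Flags          : E (encryption)
Cookies        : 0xcd41f1c17c942c60 -> 0xb3c791fbba607238
Message ID     : 0xf6a4a00a
Packet length  : 64 bytes
# payloads     : 2
Payloads:
HASH (Hash)
Payload data length : 16 bytes
N (Notification)
Payload data length : 12 bytes
Protocol ID  : ESP
Notification : Invalid ID information
"""

HEADER = re.compile(r"^(\S+ \S+): IkeSnoop: Received IKE packet from ([^:]+):(\d+)$")
PAYLOAD = re.compile(r"^([A-Z]+) \((\w+)\)$")  # e.g. "N (Notification)"

def parse_ikesnoop(text):
    """Parse one IkeSnoop record: header fields at top level, payloads as a list."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    m = HEADER.match(lines[0])
    if not m:
        raise ValueError("not an IkeSnoop record: %r" % lines[0])
    rec = {"timestamp": m.group(1), "peer": m.group(2), "port": int(m.group(3)), "payloads": []}
    current = rec  # key/value lines go here until a payload header switches the target
    for ln in lines[1:]:
        if ln == "Payloads:":
            continue
        pm = PAYLOAD.match(ln)
        if pm:
            current = {"type": pm.group(1), "name": pm.group(2)}
            rec["payloads"].append(current)
            continue
        key, _, val = ln.partition(":")  # split on the first colon only; values may contain "->"
        current[key.strip()] = val.strip()
    return rec

def diagnose(rec):
    """Translate the IKEv1 notification into the Quick Mode problem it signals."""
    for p in rec["payloads"]:
        if p["type"] == "N" and p.get("Notification") == "Invalid ID information":
            return "peer %s rejected the Quick Mode ID payloads: local selectors do not match its policy" % rec["peer"]
    return "no IKE error notification in this record"
```

Run over the record in the thread, `diagnose(parse_ikesnoop(SAMPLE))` points at the selector mismatch between the DFL-210's per-net/per-host SA and the ISA side's any-to-1701 filter rather than at a key or proposal problem.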
 
- 
				No reason it shouldn't be, but as I said this is the first time I have seen it used in this direction.
 
Does either side use custom IPsec IDs? Have you tried custom IPsec IDs?
- 
Yes, I tried - no luck.
 In ISA's Quick Mode policy filters
 there is a filter that allows only port "any" to "1701". So I think a "per port" SA is the only way to make it work...
- 
				That should not be what that means.