Author Topic: [IPSEC] L2TP site-to-site with Microsoft ISA  (Read 8822 times)

weweird

  • Level 1 Member
  • *
  • Posts: 3
[IPSEC] L2TP site-to-site with Microsoft ISA
« on: February 22, 2010, 09:19:35 AM »

Hello.
I have an ISA Server 2006 at the main office and a DFL-210 at the branch office.
I need to connect the branch office to the main office in a site-to-site scheme.
But I have one small nuance: at the branch office I can't get a public IP address.
So I can't use IPsec tunnel mode.

But I can't find any solution, step-by-step instruction or how-to for using an L2TP over IPsec CLIENT on the DFL-210.

What I've already done: created a site-to-site network on ISA,
on the DFL-210 created IPsec in transport mode

and an L2TP client

ticked "Automatically add a route for this interface using the given remote network."
and "Add route for remote network"

The SA is successfully established, but only when I ping from the DFL-210 to UDP port 1701 of ISA;

the L2TP client stays in the state

Type :   Single client tunnel
Sessions :   1
Tunnel status :   Connecting
Session status :   Establishing

And in ISA Monitoring there is no connection to port 1701 (except the UDP ping).

I need help because I don't know where to look now...
And sorry for my bad English.


Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: [IPSEC] L2TP site-to-site with Microsoft ISA
« Reply #1 on: February 22, 2010, 10:09:43 AM »

You don't need an SA per port, leave it at the default.

I have never personally set up this config (it is kind of backwards to how most people use this device) so while I see nothing (else) immediately wrong I would take a careful look at your logs and make sure you use all the clues your devices are going to give you.
non progredi est regredi

weweird

  • Level 1 Member
  • *
  • Posts: 3
Re: [IPSEC] L2TP site-to-site with Microsoft ISA
« Reply #2 on: February 22, 2010, 11:36:49 AM »

Hi Fatman.
If I set the SA to "Per net" or "Per host" I get "Quick Mode failed":

2010-02-22 21:53:28: IkeSnoop: Received IKE packet from xxx.xxx.xxx.xxx:500
Exchange type  : Informational
ISAKMP Version : 1.0
Flags          : E (encryption)
Cookies        : 0xcd41f1c17c942c60 -> 0xb3c791fbba607238
Message ID     : 0xf6a4a00a
Packet length  : 64 bytes
# payloads     : 2
Payloads:
  HASH (Hash)
    Payload data length : 16 bytes
  N (Notification)
    Payload data length : 12 bytes
    Protocol ID  : ESP
    Notification : Invalid ID information

Do you know whether L2TP over IPsec is generally possible?
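The IkeSnoop block quoted above can be checked mechanically rather than read by eye. The following is an added example, not code from the thread or from D-Link; it assumes the field layout shown in the post and uses a placeholder peer address in its constructed sample.

```python
import re

# Constructed sample in the DFL-210 IkeSnoop layout quoted above (peer address is a placeholder).
SAMPLE_LOG = """\
2010-02-22 21:53:28: IkeSnoop: Received IKE packet from 203.0.113.10:500
Exchange type  : Informational
Flags          : E (encryption)
Cookies        : 0xcd41f1c17c942c60 -> 0xb3c791fbba607238
# payloads     : 2
Payloads:
  HASH (Hash)
    Payload data length : 16 bytes
  N (Notification)
    Payload data length : 12 bytes
    Protocol ID  : ESP
    Notification : Invalid ID information
"""

HEADER = re.compile(r"^(\S+ \S+): IkeSnoop: (Received|Sent) IKE packet (?:from|to) (\S+):(\d+)$")

def parse_ikesnoop(text):
    # One IkeSnoop block -> header fields, top-level "Key : value" pairs, and a payload list.
    lines = text.splitlines()
    m = HEADER.match(lines[0])
    if not m:
        raise ValueError("not an IkeSnoop header: %r" % lines[0])
    pkt = {"time": m.group(1), "direction": m.group(2), "peer": m.group(3),
           "port": int(m.group(4)), "fields": {}, "payloads": []}
    for line in lines[1:]:
        indent, body = len(line) - len(line.lstrip()), line.strip()
        if not body or body == "Payloads:":
            continue
        if indent == 0 and ":" in body:          # e.g. "Exchange type  : Informational"
            k, v = (s.strip() for s in body.split(":", 1))
            pkt["fields"][k] = v
        elif indent == 2:                        # payload header, e.g. "N (Notification)"
            pkt["payloads"].append({"type": body.split()[0], "attrs": {}})
        elif indent == 4 and pkt["payloads"]:    # attribute of the payload just opened
            k, v = (s.strip() for s in body.split(":", 1))
            pkt["payloads"][-1]["attrs"][k] = v
    return pkt

def diagnose(pkt):
    # The ISAKMP INVALID-ID-INFORMATION notify means the peer rejected the Phase 2 (Quick Mode)
    # identity payloads, i.e. the two sides disagree on the IPsec IDs / protected networks.
    for p in pkt["payloads"]:
        a = p["attrs"]
        if p["type"] == "N" and a.get("Notification") == "Invalid ID information":
            return (f"{pkt['peer']} rejected Quick Mode IDs for {a.get('Protocol ID', '?')}: "
                    "compare local/remote network and per-port/per-net SA settings on both peers")
    return None
```

Run `diagnose(parse_ikesnoop(SAMPLE_LOG))` on a captured block to get the hint, or `None` when no such notify is present.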

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: [IPSEC] L2TP site-to-site with Microsoft ISA
« Reply #3 on: February 22, 2010, 12:38:09 PM »

No reason it shouldn't be, but as I said this is the first time I have seen it used in this direction.

Does either side use custom IPsec IDs?  Have you tried custom IPsec IDs?
non progredi est regredi

weweird

  • Level 1 Member
  • *
  • Posts: 3
Re: [IPSEC] L2TP site-to-site with Microsoft ISA
« Reply #4 on: February 22, 2010, 01:07:02 PM »

Yes, I tried - no luck.
In ISA's Quick Mode policy filters
there is a filter that allows only port "any" to "1701". So I think a "per port" SA is the only way to make it work...

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: [IPSEC] L2TP site-to-site with Microsoft ISA
« Reply #5 on: February 22, 2010, 03:39:06 PM »

That should not be what that means.
non progredi est regredi