VPN Issue


This is maddening! LoL

Client has a VLAN configuration with 12 Vnodes numbering from 10.1.1 to 10.1.12. This client needs to set up a VPN that creates a tunnel between their SOHO3 on site to a SW Pro 1260 at the central office.

In the "perfect" solution - I would have a WAN IP handed off via a switch on the T-1 side and I would negotiate the VPN directly. But this client has me going through their ISA server, which is handling 4 other VPNs, and login designates which pre-designated VPN you are granted by the IIS server's ISA assignments. The problem that is created is that the Pro or the SOHO can "not" log in since they are a point-to-point VPN creation and no logging can be configured.

The other issue is that ALL VPNs use ports 500 and 4500 respectively with protocol 17 setting up 50/51 to act as the negotiating incoming and outgoing.

We have tried setting up the IIS server to accept the VPN request and included the internal "WAN" IP to respond as appropriate - but because of the hops the IKE is timing out on authentication. We moved the WAN IP down the chain so that the SOHO was in the first VPN assignments of 10.1.1 but the timing is still an issue. We have released ALL restrictions thinking that the firewall settings were interfering with the authentication exchange.

We have forwarded requests from the destination to the source-assigned WAN - no go. We are looking at scripting to see if that will set up the VPN.

We attempted to have the IP addressing in the forwarding accept the incoming destination packet to forward to the internal WAN assignment, as well as having the outgoing request hop to the external with the internal WAN included in the packet sends.

So far nothing is working - which is in main part "I think" because of the additional VPN configurations that are used to log in to the appropriate internal links.

The thing is, that I can log in and have immediate access to my router - but the hardware association doesn't allow for login options.
Using 3DES/SHA1 with shared key authentication. No certificate is being handed off (although that would be done if I was using a GVPN).

I think what is the real issue here is that the shared client is using 3 other VPNs that are login-associated. I don't have that luxury. Authentication on my equipment is using IKE with a preshared key. Phase 1 is the 3DES/SHA1 and Phase 2 is Strong Encryption and Authentication (ESP, 3DES, HMAC, SHA1).

The consensus is that if the other VPNs were done away with and just a straight-through handshake was needed - there would be no issue. Unfortunately, I have to deal with the opposing VPNs!

Can anyone here help us out with this issue?
Last edited by Spawn; 4th August 2006, 16:03.
Dell Registered Partner
Acronis Fulfillment Partner
Netgear Powershift Partner
GFi Authorized Reseller
Check Point Partner
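The post describes IKE timing out on a preshared-key tunnel that has to cross an intermediate firewall/NAT device, and lists the traffic involved: UDP/500 (IKE), UDP/4500 (IKE NAT-T and ESP-in-UDP), and IP protocols 50 (ESP) and 51 (AH). A quick way to tell whether the intermediate device is what is breaking the tunnel is to classify its packet log by IPsec component and see which component is being dropped. The script below is an added example, not code from the post or from any SonicWALL or ISA product; the log format and the sample lines are constructed for illustration, and the diagnosis rules only encode the standard IKE/ESP facts above.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# IP protocol numbers and UDP ports an IPsec site-to-site tunnel depends on.
IP_PROTO_UDP, IP_PROTO_ESP, IP_PROTO_AH = 17, 50, 51
IKE_PORT, NAT_T_PORT = 500, 4500

# Constructed firewall log lines in a hypothetical one-line-per-packet format
# (not taken from the post). Each line carries the verdict, IP protocol number,
# endpoints and, for UDP/TCP, the ports. The addresses are documentation ranges.
SAMPLE_LOG = """\
2006-08-04 15:58:01 ACCEPT proto=17 src=10.1.1.5 dst=203.0.113.5 sport=500 dport=500
2006-08-04 15:58:03 ACCEPT proto=17 src=203.0.113.5 dst=10.1.1.5 sport=500 dport=500
2006-08-04 15:58:05 DROP proto=50 src=10.1.1.5 dst=203.0.113.5
2006-08-04 15:58:07 DROP proto=50 src=203.0.113.5 dst=10.1.1.5
2006-08-04 15:58:09 ACCEPT proto=6 src=10.1.1.7 dst=203.0.113.9 sport=51234 dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<verdict>ACCEPT|DROP) proto=(?P<proto>\d+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)(?: sport=(?P<sport>\d+) dport=(?P<dport>\d+))?$"
)


def classify(proto: int, dport: Optional[int]) -> str:
    """Map one packet to the IPsec component it belongs to, or 'other'."""
    if proto == IP_PROTO_UDP and dport == IKE_PORT:
        return "IKE"      # ISAKMP: phase 1 and phase 2 negotiation
    if proto == IP_PROTO_UDP and dport == NAT_T_PORT:
        return "NAT-T"    # IKE and ESP wrapped in UDP when a NAT sits in the path
    if proto == IP_PROTO_ESP:
        return "ESP"      # the encrypted tunnel traffic itself (IP protocol 50)
    if proto == IP_PROTO_AH:
        return "AH"       # authentication header (IP protocol 51)
    return "other"


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the constructed log format; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        dport = int(d["dport"]) if d["dport"] else None
        entries.append({
            "verdict": d["verdict"],
            "component": classify(int(d["proto"]), dport),
            "src": d["src"],
            "dst": d["dst"],
        })
    return entries


def summarize(entries: List[Dict[str, str]]) -> Dict[str, Dict[str, int]]:
    """Count ACCEPT and DROP verdicts per IPsec component."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: {"ACCEPT": 0, "DROP": 0})
    for e in entries:
        counts[e["component"]][e["verdict"]] += 1
    return dict(counts)


def diagnose(summary: Dict[str, Dict[str, int]]) -> List[str]:
    """Turn the per-component counts into findings about why a tunnel might fail."""
    def get(name: str) -> Dict[str, int]:
        return summary.get(name, {"ACCEPT": 0, "DROP": 0})

    ike, natt, esp = get("IKE"), get("NAT-T"), get("ESP")
    findings = []
    if ike["DROP"] and not ike["ACCEPT"] and not natt["ACCEPT"]:
        findings.append("IKE (UDP/500) is being dropped: phase 1 cannot complete and will time out")
    if esp["DROP"] and not natt["ACCEPT"]:
        findings.append("ESP (IP protocol 50) is being dropped and nothing passes on UDP/4500: "
                        "the tunnel can negotiate but carries no traffic; allow protocol 50 "
                        "or let NAT-T (UDP/4500) through")
    if not findings:
        findings.append("no IPsec component is being dropped in this log")
    return findings


if __name__ == "__main__":
    for finding in diagnose(summarize(parse_log(SAMPLE_LOG))):
        print(finding)
```

Run against the constructed sample, the script reports that IKE passes in both directions while ESP is dropped, which is the case where a preshared-key tunnel looks like it negotiates but no data crosses it. The opposite pattern, IKE dropped with no UDP/4500 traffic accepted, is the one that matches the "IKE is timing out on authentication" symptom described above.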