Lets us assume that you
have three different locations, LocationA,
LocationB and LocationC. LocationA,
LocationB and LocationC are protected using
ISA 2006 Firewalls Standard Edition. Each
location has one Internet connection.
You
would like to connect all the locations
togheter.
So you think on using site-to-site
VPN connections. You have opted for L2TP/IPsec
connections.
There is a site-to-site VPN
connection between LocationA and
LocationB.
There is a site-to-site
VPN connection between LocationA and
LocationC.
There is a site-to-site
VPN connection between LocationB and
LocationC.
So every location has two
site-to-site VPN connections.
Bellow is the
network diagram.
SiteA IP address
range: 192.168.10.0/24
SiteB IP
address range: 192.168.40.0/24
SiteC
IP address range: 192.168.50.0/24
It is not a
full mesh topology because if, say, the
site-to-site VPN connection between
LocationA and LocationB is
down, traffic will not be directed from
LocationA to LocationB through
LocationC. But since you have only one
Internet connection, there is no
redundant path if your Internet connections goes
down. Also if the site-to-site VPN connection
between LocationA and
LocationB is down and there is an ISA
problem then, very likely that the other
site-to-site VPN connection between
LocationA and LocationC will
be down too. If you really want redundancy then
you need multiple machines and Internet
connections to achieve it.
Figure1: The Network Diagram
So let’s proceed.
First the ISA
machine from LocationA.
As said
before we need to create two site-to-site VPN
connections using L2TP/IPsec.
ISA can play
the role of the Calling Gateway or the Answering
Gateway. Suppose that a client from
SiteB wants to connect to a computer
from SiteA. Since the tunnel is not up
yet, when ISAB at the SiteB
will receive the client request will try to
initiate the connection. In this way
ISAB is acting as the Calling Gateway.
Obviuosly ISAA(domain member) will be
the Answering Gateway. Remember that L2TP/IPsec
requires two level of authentication:
machine(through IKE) and user(PPP
authentication). So we need to configure
ISAB with a user name and password that
are available at the ISAA location,
user which has “Dial-in” permissions
set to allowed. Even more, the user name must
match the remote site name from
ISAA.
Using the site-to-site wizard
we are going to create on ISAA the
connection to ISAB, We'll name it
Branch.
Figure2:
Site-to-site wizard on ISAA adding the
connection to
ISAB
Choose
L2TP/IPsec:
Figure3: Choosing
L2TP/IPsec
We receive the user
warning that I have told you about:
Figure4: User account warning
Enter the remote site address(it
can be an IP address or a FQDN):
Figure5: The Remote site VPN
server
You can configure
ISAA to act as the Calling Gateway for
this connection(at least one side must be
configured to do so). We’ll name the user Main.
If you want that only ISAB to initiate
the connection to ISAA uncheck the
checkbox:
Figure6: Allow
ISAA to act as the Calling Gateway
Next we need to specify the
outgoing authentication method for IKE when
ISAA is acting as the Calling Gateway.
Make sure you use certificates and not
pre-shared key in a production environment.
Right now I’m going to use a pre-shared
key.
Figure7: IKE
authentication when ISAA acts as the
Calling Gateway
If you did
not enable “VPN Client Access” and
there specified for example a pre-shared key you
will be prompted by ISA to define an
authentication method for incoming
connections.
Figure8: Enable VPN Client
Access
Figure9: Incoming
connections Authentication method
If ISAA is the Answering
Gateway and you are using pre-shared keys make
sure you add a pre-shared key.
I know is
weird, but actually the Calling Gateway is
"acting" like a "VPN client" and therefore if
you use pre-shared keys on the Answering Gateway
for VPN clients too, then everybody(Calling
Gateways and VPN clients) will use the same
pre-shared key. Keep in mind that there are
separate System Policies enabled for you by
ISA(when you click “Enable VPN Client
Access” or define a site-to-site VPN) for
VPN clients and site-to-site connections so you
do not need to create any access rules or
whatever.
Figure10: System Policy
VPN client access enabled(PPTP and
L2TP/IPsec)
Figure11: System Policy
VPN site-to-site enabled
Add
the remote site IP address range:
Figure12: Remote
site IP address range
Next create a network rule
between the new remote site and your Internal
Network(a route relationship):
Figure13: The network
relationship
And the access
rules for allowing communications between Branch
and Internal and vice-versa. Right now I have
defined an allow all rule.
Figure14: The access
rule
And then click
“Finish”.
So by now you should have
the System Policies enabled, the access rules
and the network relationship(route)
defined:
Figure15: Access rule
between Branch and Internal and vice-versa
Figure16: Network rule
between Branch and Internal
Now
head onto RRAS and make sure you uncheck the
“Register this connection’s addresses in DNS” on
the “Branch” interface:
Figure17: Uncheck the
“Register this connection’s addresses in
DNS”
If you have on
ISAA another network, say, a DMZ on a
ISA DMZ interface and you want to allow the
remote site users to access this network too
then you need to define a network rule between
the DMZ and the remote site, have the proper
access rules and make sure that when you create
the site-to-site connection on ISAB to
specify the IP addresses ranges of this DMZ
network into the remote site IP address ranges
too.
Now we will repeat the above steps for
creating the site-to-site connection to
ISAC.
We’ll name it Branch2:
Figure18: The
site-to-site connection from ISAA to
ISAC
Choose again
L2TP/IPsec and enter the server address:
Figure19: The Remote site VPN
server
For avoiding confusion
let’s call the user Main1.
Figure20: User name
when ISAA is acting as the Calling
Gateway for
ISAC
Configure the
outgoing authentication method for IKE(I have
used the pre-shared key 12345qwert).
Define the remote site range: 192.168.50.0/24,
the access rules and network rule(route
relationship).
Figure21: Branch2 remote site on
ISAA
Don’t forget
about the RRAS setting and uncheck the
“Register this connection’s addresses in
DNS” for “Branch2”
interface.
And we need to define two users
Branch(matching ISAB remote site name
from ISAA) and Branch2(matching
ISAC remote site name from
ISAA) in order to enable ISAA
to act as the Answering Gateway for the two
site-to-site connections. As said before they
will be used by ISAB and ISAC.
Since ISAA is a domain member we are
going to define the users in Active
Directory.
Figure22: The users
Don’t forget to set their
“Dial-in” permission(you can use
“Control access through Remote Access
Policy” but let’s keep it simple right
now):
Figure23: Branch user
“Dial-in” permission
Figure24: Branch2 user
“Dial-in” permission
And we are done with
ISAA.
Let’s move to ISAB
now.
First we define the site-to-site
connection with ISAA.
We'll name it
Main(the user name we defined on ISAA
in the wizard):
Figure25: Main remote site on
ISAB
Choose L2TP/IPsec.
Enter ISAA address:
Figure26: The Remote
site VPN server
The user name
will be Branch since this is how on
ISAA is named the remote site.
Figure27: The user on
ISAB required for ISAB to act
as the Calling Gateway
Next,
if ISAA is configured to accept
incoming connections using pre-shared keys for
IKE authentication make sure you fill the
correct pre-shared key on ISAB(outgoing
authentication):
Figure28: Outgoing
Authentication on
ISAB
And probably you
will be prompted for authentication for incoming
connections(use the pre-shared key with which
ISAA is configured to initialize
connections):
Figure29: Incoming
Authentication
OK. I will use
everywhere the same pre-shared key. Remember if
ISAA acts as the Answering Gateway and
ISAB and ISAC as the Calling
Gateways, ISAB and ISAC will
use the same pre-shared key for outgoing
authentication.
The IP address range is
192.168.10.0/24. Create the network rule(route
relationship) and access rules.
Figure30: Remote site Main on
ISAB
Figure31: Access
rules
Figure32: Network
rule
Don’t
forget about the RRAS setting and uncheck the
“Register this connection’s addresses in DNS”
for the “Main” interface.
Since
ISAB is not yet joined to the domain(it
will be after the site-to-site connection is up)
we will define two local users called Main and,
say, ToBranch2 with their “Dial-in”
permissions set to allowed.
Figure33: ISAB local
users
And now we are going to
create the site-to-site VPN connection from
ISAB to ISAC. Well call it
ToBranch2.
Figure34: The
site-to-site VPN connection from ISAB
to ISAC
Choose
L2TP/IPsec. The ISAC address,
192.168.22.241.
The username, say,
ToBranch.
Figure35: The user
used by ISAB when acting as the Calling
Gateway to ISAC
The
outgoing authentication. Both ISAA and
ISAB use the same pre-shared key when
acting as the Calling Gateway to
ISAC.
Figure36: The outgoing
authentication to ISAC
The IP address range 192.168.50.0/24, then
the network rule(route relationship) and the
access rules.
Don’t forget about the RRAS
setting and uncheck the “Register this
connection’s addresses in DNS” for
“ToBranch2” interface.
And
ISAB is good to go.
Let’s try to get
the tunnel up from ISAB to
ISAA. We are going to use a computer
from ISAB Internal Network, so
ISAB will act as the Calling Gateway
and ISAA as the Answering Gateway. So
ping from 192.168.40.2 to 192.168.10.2(a
computer from ISAA’s Internal
Network):
Oops!
My tunnel was already
up!
Anyway you should see the replies coming.
If not, make sure you have followed the steps
correctly.
Figure37: LocationA and
LocationB connected
Moving to
ISAC now.
The site-to-site
connection to ISAA. We’ll name it Main1
as the user define on ISAA in the
wizard.
Figure38: The
site-to-site VPN connection from ISAC
to ISAA
Select the
L2TP/IPsec connection. The remote server address
is 192.168.22.234.
The user name is Branch2,
like the remote site defined on
ISAA.
Figure39: The user used
by ISAC to act as the Calling Gateway
against ISAA
The
outgoing authentication.
Figure40: The outgoing
authentication
If you are
prompted for incoming authentication you must
match it with one configured on ISAA(for
outgoing):
Figure41: The incoming
authentication
The IP address
range is 192.168.10.0/24. Configure the network
rule(route relationship) and the access
rules.
Don’t forget about the RRAS setting
and uncheck the “Register this connection’s
addresses in DNS” for “Main1”
interface.
Figure42: Main1 remote
site
Next, the site-to-site VPN
from ISAC to ISAB.
We’ll
name it ToBranch(like the user define on
ISAB in the wizard).
Figure43: ToBranch
remote site on
ISAC
Choose L2TP/IPsec.
The remote server address is
192.168.22.240.
The username is ToBranch2
like the remote site name on
ISAB.
Figure44: The user used
by ISAC when acting as the Calling
Gateway to ISAB
The
outgoing authentication method. Both
ISAA and ISAC use the same
pre-shared key when acting as the Calling
Gateway to ISAB.
Figure45: The outgoing
authentication
The address
range is192.168.40.0/24. Configure the network
rule(route relationship) and the access
rules.
Figure46: ToBranch remote
site on ISAC
Don’t forget
about the RRAS setting and uncheck the
“Register this connection’s addresses in
DNS” for “ToBranch” interface.
And let’s
add two local users(ISAC is not a
domain member yet), Main1 and ToBranch with the
“Dial-in” permission set to allow.
Figure47: ISAC
local users
Now let’s bring up
the tunnel from ISAB to ISAC. Run a ping command
from 192.168.40.2 to 192.168.50.10(a host
located on ISAC Internal Network)
Figure48: LocationB and
LocationC connected
And the
tunnel from ISAC to ISAA. Another ping from
192.168.50.10 to 192.168.10.2.
Figure49: LocationC and
Location A connected
And now we
have connected all three locations through a
partial mesh.
And
another quick test from 192.168.10.2 to
192.168.40.2 and 192.168.50.10:
Figure50:LocationA
connected to LocationB and LocationC
You
can now proceed and join ISAB and
ISAC to the domain if you want.
Actually if you could, it was better to prepare
ISAB and ISAC on LocationA.
Install additional domain controllers on
LocationB and LocationC and so on.
Remember to use
certificates for IKE authentication. Use
pre-shared keys only for testing. You can go and
configure EAP-TLS for user authentication
instead of ms-chapv2.
That’s it!
If
you want a related article to ISA Enterprise
Edition please refer to the below article:
http://www.microsoft.com/technet/isa/2004/plan/vpn_deployment_ee.mspx
