
Outbound VPN SBS ISA


vkode78

Technical User
Nov 22, 2004

My network Setup :

SBC DSL - Linksys Router - SBS external NIC - SBS internal NIC

ISA Firewall
INBOUND PPTP VPN works fine.

I want to let local XP computer connect using Netscreen Remote VPN client to a remote VPN server. Netscreen client is IPSec based.

I have setup protocol definitions in ISA firewall for UDP 500 and UDP 4500 outbound. And created a rule that allows these two protocols.

But no VPN connection. The Administrator on the other end does not see any connection from my side in his logs. I don't see anything in my logs either. So I am guessing it has something to do with ISA setup - in particular I have to set up that XP workstation as a SecureNAT client.

How do I do this?
Here is my IPConfig /all on the server and the XP workstation:

SBS server
Ethernet adapter Server Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetX
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.16.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.16.2
Primary WINS Server . . . . . . . : 192.168.16.2

Ethernet adapter Network Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetX
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.16.2
NetBIOS over Tcpip. . . . . . . . : Disabled


XP workstation:

Network Connection
Physical Address. . . . . . . . . :
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.16.23
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.16.2
DHCP Server . . . . . . . . . . . : 192.168.16.2
DNS Servers . . . . . . . . . . . : 192.168.16.2
Primary WINS Server . . . . . . . : 192.168.16.2
Lease Obtained. . . . . . . . . . : Thursday, March 31, 2005 5:04:33 PM
Lease Expires . . . . . . . . . . : Friday, April 08, 2005 5:04:33 PM

What should the Gateway be for the XP to make it a Secure NAT client - 192.168.16.2 or 192.168.1.100 ?
Also, do I need to make any changes in ISA to make this a SecureNAT client?

Thanks
Kode
 
My Local Network
DSL -> Linksys BEFSR41 - SBS 2003 External Nic - SBS 2003 Internal Nic ( does DHCP for LAN) - Win XP workstation
I use ISA as Firewall

Remote VPN Server
Netscreen x25

My XP workstation is using Netscreen Remote to connect to the Netscreen X25. It is IPSec based.

Here is the Log:
14:35:48.218 Interface added: 192.168.16.23/255.255.255.0 on LAN "Intel(R) PRO/100 VE Network Connection".
14:41:31.718
14:41:32.859 RequestLocalAddress failure: C24BF02
14:41:32.859 My Connections\company - Initiating IKE Phase 1 (IP ADDR=12.36.191.2)
14:41:32.875 My Connections\company - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID, VID)
14:41:32.953 My Connections\company - Received message from wrong IP Address = c0a81002
14:41:36.953 My Connections\company - RECEIVED>>> ISAKMP OAK AG *(HASH, NAT-D, NAT-D, NOTIFY:STATUS_INITIAL_CONTACT)
14:41:36.984 My Connections\company - Established IKE SA
14:41:36.984 MY COOKIE b2 1d 72 d4 f5 f2 2d 7b
14:41:36.984 HIS COOKIE d4 15 80 df 2 3f 1a d1
14:41:37.000 My Connections\company - Initiating IKE Phase 2 with Client IDs (message id: BA73E63A)
14:41:37.000 Initiator = IP ADDR=192.168.16.23, prot = 0 port = 0
14:41:37.000 Responder = IP SUBNET/MASK=10.10.1.0/255.255.255.0, prot = 0 port = 0
14:41:37.000 My Connections\company - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, KE, ID, ID)
14:41:37.062 My Connections\company - RECEIVED>>> ISAKMP OAK QM *(HASH)
14:41:37.078 My Connections\company - Loading IPSec SA (Message ID = BA73E63A OUTBOUND SPI = D2961D8E INBOUND SPI = 7CA77B9B)
14:41:37.078
14:41:37.109 My Connections\company - RECEIVED ISAKMP OAK INFO *(HASH, DEL)

So, it looks like the tunnel is established. But I can not ping the remote network clients or access the SQL server that I want to connect to.

Looks like I am connected But NO traffic.
I looked in the Linksys router logs
It has outbound logs for UDP 500 and nothing else.
I have enabled IPsec Pass Through on the server.

Does any one of you know if Netscreen is NAT-T? Because I would think I should see traffic on UDP port 4500 (encapsulating ESP IP 50 over UDP ports).

I am stumped as to why there is no traffic. That is what the Admin on the remote site says: he sees the tunnel established but no traffic.

1) Could it be that the Router is not really doing IPsec Pass Through?

2) Even if the router doesn't do IPsec Pass Through, I would think if the VPN router and VPN client both support NAT-T, that should be fine, right? Then I should see UDP traffic on port 4500?

I would appreciate it if someone would post any suggestions on how to troubleshoot this. I could try to take the Linksys router out and connect the external NIC of SBS to the DSL modem directly, but it's a pain to change the settings back and forth, and I want to do it only if that will solve the issue.

Thanks for your help
Kode
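The following is an added triage script, not part of the original post and not Netscreen or ISA tooling. It parses the client log quoted above to separate "IKE negotiated" from "data path open": it records Phase 1, the NAT-D payloads (NAT traversal negotiated), the Phase 2 selectors and SPIs, and whether an ISAKMP DELETE arrived right after the IPsec SA was loaded; it also decodes the hex address in the "wrong IP Address" line and compares it with the workstation's default gateway from the ipconfig in the first post. The ISA internal address is taken from that ipconfig; the set of flows seen at the perimeter is constructed from the statement that the Linksys logged only outbound UDP 500.

```python
"""Triage the IKE client log and perimeter flows from this thread (added example)."""
from __future__ import annotations

import re
import socket
from dataclasses import dataclass, field

# Excerpt of the Netscreen Remote client log as posted above (raw string keeps the backslashes).
CLIENT_LOG = r"""
14:41:32.859 RequestLocalAddress failure: C24BF02
14:41:32.859 My Connections\company - Initiating IKE Phase 1 (IP ADDR=12.36.191.2)
14:41:32.875 My Connections\company - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID, VID)
14:41:32.953 My Connections\company - Received message from wrong IP Address = c0a81002
14:41:36.953 My Connections\company - RECEIVED>>> ISAKMP OAK AG *(HASH, NAT-D, NAT-D, NOTIFY:STATUS_INITIAL_CONTACT)
14:41:36.984 My Connections\company - Established IKE SA
14:41:37.000 My Connections\company - Initiating IKE Phase 2 with Client IDs (message id: BA73E63A)
14:41:37.000 Initiator = IP ADDR=192.168.16.23, prot = 0 port = 0
14:41:37.000 Responder = IP SUBNET/MASK=10.10.1.0/255.255.255.0, prot = 0 port = 0
14:41:37.078 My Connections\company - Loading IPSec SA (Message ID = BA73E63A OUTBOUND SPI = D2961D8E INBOUND SPI = 7CA77B9B)
14:41:37.109 My Connections\company - RECEIVED ISAKMP OAK INFO *(HASH, DEL)
"""

# From the ipconfig in the first post: the XP box's default gateway is the ISA internal NIC.
ISA_INTERNAL_IP = "192.168.16.2"
# Constructed from the post: the Linksys logged outbound UDP 500 and nothing else.
OBSERVED_FLOWS = {("udp", 500)}


@dataclass
class IkeSession:
    peer: str = ""
    phase1_established: bool = False
    nat_d_seen: bool = False            # NAT-D payloads => NAT traversal negotiated
    unexpected_sources: list[str] = field(default_factory=list)
    initiator_id: str = ""
    responder_id: str = ""
    outbound_spi: str = ""
    inbound_spi: str = ""
    delete_after_sa: bool = False       # peer tore the SA down right after it was loaded


def hex_to_ip(hex_word: str) -> str:
    """Decode the client's hex-printed IPv4 address (c0a81002 -> 192.168.16.2)."""
    return socket.inet_ntoa(int(hex_word, 16).to_bytes(4, "big"))


def parse_client_log(text: str) -> IkeSession:
    s = IkeSession()
    for line in text.splitlines():
        if m := re.search(r"Initiating IKE Phase 1 \(IP ADDR=([\d.]+)\)", line):
            s.peer = m.group(1)
        elif m := re.search(r"wrong IP Address = ([0-9a-fA-F]{8})", line):
            s.unexpected_sources.append(hex_to_ip(m.group(1)))
        elif "NAT-D" in line:
            s.nat_d_seen = True
        elif "Established IKE SA" in line:
            s.phase1_established = True
        elif m := re.search(r"Initiator = (.+?), prot", line):
            s.initiator_id = m.group(1)
        elif m := re.search(r"Responder = (.+?), prot", line):
            s.responder_id = m.group(1)
        elif m := re.search(r"OUTBOUND SPI = (\w+) INBOUND SPI = (\w+)", line):
            s.outbound_spi, s.inbound_spi = m.groups()
        elif "INFO" in line and "DEL" in line and s.outbound_spi:
            s.delete_after_sa = True
    return s


def diagnose(s: IkeSession, flows: set[tuple[str, int]], gateway: str) -> list[tuple[str, str]]:
    """Return (code, message) findings; codes are stable so they can be asserted on."""
    out: list[tuple[str, str]] = []
    if not s.phase1_established:
        return [("NO_PHASE1", f"IKE Phase 1 with {s.peer or '?'} never completed; check UDP 500 outbound.")]
    for src in s.unexpected_sources:
        msg = f"IKE reply seen from unexpected source {src}"
        if src == gateway:
            msg += " (the workstation's default gateway, i.e. the ISA internal NIC)"
        out.append(("UNEXPECTED_SOURCE", msg))
    if s.outbound_spi:
        out.append(("SA_NEGOTIATED", f"IPsec SA {s.initiator_id} -> {s.responder_id}: "
                                     f"out SPI {s.outbound_spi}, in SPI {s.inbound_spi}"))
    if s.delete_after_sa:
        out.append(("DELETE_AFTER_SA", "ISAKMP DELETE received right after the SA was loaded; "
                                       "the peer tore the tunnel down, so no data could flow."))
    # Data path: NAT-D exchanged and a client on a private address => ESP-in-UDP on 4500 (RFC 3948);
    # without NAT-T, raw ESP (IP protocol 50) has to pass the perimeter instead.
    if s.nat_d_seen and ("udp", 4500) not in flows:
        out.append(("NO_UDP4500", "NAT traversal negotiated but no UDP 4500 flow seen at the perimeter."))
    elif not s.nat_d_seen and ("esp", 50) not in flows:
        out.append(("NO_ESP", "No NAT traversal; raw ESP (protocol 50) required but not seen."))
    return out


if __name__ == "__main__":
    for code, msg in diagnose(parse_client_log(CLIENT_LOG), OBSERVED_FLOWS, ISA_INTERNAL_IP):
        print(f"{code:18} {msg}")
```

Run it against the log and it reports the SA being negotiated, the DELETE that followed, the reply from 192.168.16.2, and the missing UDP 4500 flow; which of those is the root cause still has to be confirmed on the ISA and Netscreen side, the script only orders the evidence.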
 