A few weeks ago I had to setup my first IPSec tunnel between ISA 2004 and a non-Windows device, in this case a Draytek Vigor 2800, to create a site-to-site VPN. I had a few things that I hit on the Draytek which stumped me for a little bit (although probably could’ve been resolved much more quickly had I been more familiar with a Draytek Vigor I fear).
First thing I did was to head into the ISA console and setup an IPSec tunnel, using almost all of the defaults (this is important as the settings for the Draytek must match the ISA/Windows defaults). If you’re not familiar with ISA, then the process is roughly as follows;
- Under VPN and then Remote Sites, hit "Add a remote site network" under tasks.
- Select IPSec tunnel, bung in the external IP of the draytek for the "Remote VPN gateway IP address" and selected the external IP for the local gateway (what you'd probably refer to as the end points if you were doing this in anything else), add the authentication (either PSK or cert. - in this example I'll use a PSK, although you might want to think about using a certificate once you've tested it with a PSK), added the remote address subnet and then pretty much followed the defaults.
- Apply this and then head to Configuration > Networks, Network Rules. Create a new Network Rule from our internal subnet into the remote network to route, not NAT.
- Apply this, and then head to the Firewall Policy and created a couple of rules to allow the traffic we wanted the remote subnet and the internal to send and receive. Apply again and you're done.
The Vigor then needs to be configured, to match the ISA server;
- Head to VPN and Remote Access > Remote Access Control, and enabled the IPSec VPN Service (this is what had caught me out - some how I'd managed to miss this completely!).
- Under IPSec General Setup, untick Medium (AH), tick all the items next to High (ESP).
- Next go to VPN and Remote Access > LAN to LAN. Select the first free profile (probably 1) and set it up as follows:
- Common Settings Set the Profile Name to anything you like, its just a name - I used the same name that I gave the network in ISA. Tick "Enable this profile" and select both for Call Direction.
- Dial-Out Settings Select IPSec tunnel, set the "Server IP/Host Name for VPN" to the external IP of your ISA server (or whatever you selected in your IPSec tunnel setup in ISA). Set the IKE Pre-Shared Key to the same as in ISA, or if you used a certificate set the Digital Signature. Under IPSec Security Method set "High (ESP) 3DES with Authentication". Click advanced to open a new window and check "Main mode", set IKE phase 1 proposal to 3DES_SHA1_G2, IKE phase 2 proposal to 3DES_SHA1/DES_MD5, IKE phase 1 key lifetime to 28800, IKE phase 2 key lifetime to 3600 and enable PFS and click ok.
- TCP/IP Network Settings Set the WAN IP and the Remote Gateway IP to 0.0.0.0. Set the Remote Network IP to your internal subnet host address, and the Remote Network Mask to your internal subnet mask (by internal I mean the subnet protected by ISA). Disable RIP (unless you want to use it), and set the NAT operation to Private IP. We didn't need to set this as the default route, this is obviously your own design decision.
You should now be good to go, and your Vigor and ISA box will negotiate and encrypt all traffic that travels between the 2 subnets, as it should. To check on the Vigor you can head to connection management and check out whether or not the tunnel is currently up, and that it’s encrypted.
There are various reasons for opting for an IPSec tunnel, however the major one is that it’s one of the easier tunnels that can be created, and are secure. You could of course opt for a site-to-site PPTP, or L2TP/IPSec, VPN. However these come with their own complications and security issues.
If the Vigor 2800 is anything to go by, I’d say that the Draytek routers are a nice bit of kit which work well for SOHO deployments, although there are a number of things in the GUI which really started to cheese me off after a while. There’s no denying that they’re not as flexible as other solutions, but they’re no where near as simple as other routers which you could use. I’m still not entirely convinced that they’re the perfect solution, although Chris has fallen in love with them, but at the end of the day for this sort of job you’re rarely going to be touching them once they’re up and working, so the cost savings over an equivilent Cisco box may pay off at the end of the day.