A few weeks ago I had to set up my first IPSec tunnel between ISA 2004 and a non-Windows device, in this case a Draytek Vigor 2800, to create a site-to-site VPN. There were a few things I hit on the Draytek which stumped me for a little while (although they probably could have been resolved much more quickly had I been more familiar with a Draytek Vigor, I fear).
The first thing I did was to head into the ISA console and set up an IPSec tunnel, using almost all of the defaults (this is important, as the settings on the Draytek must match the ISA/Windows defaults). If you're not familiar with ISA, the process is roughly as follows:
The Vigor then needs to be configured to match the ISA server:
Set the Profile Name to anything you like; it's just a name. I used the same name that I gave the network in ISA. Tick "Enable this profile" and select Both for Call Direction.

Dial-Out Settings
Select IPSec Tunnel and set "Server IP/Host Name for VPN" to the external IP of your ISA server (or whatever address you chose in the IPSec tunnel setup in ISA). Set the IKE Pre-Shared Key to the same value as in ISA, or if you used a certificate, select Digital Signature. Under IPSec Security Method choose "High (ESP) 3DES with Authentication". Click Advanced to open a new window and check "Main mode", set the IKE phase 1 proposal to 3DES_SHA1_G2, the IKE phase 2 proposal to 3DES_SHA1/DES_MD5, the IKE phase 1 key lifetime to 28800 (seconds), the IKE phase 2 key lifetime to 3600, enable PFS and click OK. The cipher, hash, DH group and PFS setting have to agree with the ISA side in each phase; a mismatch in any one of them is the usual reason phase 1 or phase 2 never completes, and it shows up as the tunnel simply failing to come up rather than as a helpful error. Note that 3DES_SHA1/DES_MD5 also offers single DES with MD5 as a second choice; the tunnel will only end up on that weaker pair if the ISA side is configured to accept it, so leave the ISA defaults alone.

TCP/IP Network Settings
Set the WAN IP and the Remote Gateway IP to 0.0.0.0. Set the Remote Network IP to the network address of your internal subnet and the Remote Network Mask to its subnet mask (by internal I mean the subnet protected by ISA). Disable RIP (unless you want to use it), and set the NAT operation to Private IP. We didn't need to set this as the default route, but that is obviously your own design decision.
You should now be good to go, and your Vigor and ISA box will negotiate the tunnel and encrypt all traffic that travels between the two subnets, as it should. To check on the Vigor, head to Connection Management and see whether the tunnel is currently up and which encryption was negotiated. On the ISA side, the Windows IP Security Monitor snap-in lists the main mode and quick mode security associations, which is the quickest way to tell whether a failure is in phase 1 or phase 2.
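Most of the time the tunnel refuses to come up because one field on one side is off. The script below is an added illustration (not code from Draytek, Microsoft, or this post) that models the two ends as described above and applies a simplified IKEv1 rule: the responder accepts the first proposal offered by the initiator that it also supports, separately for phase 1 and phase 2. The PFS DH group (2, to match ISA's group 2), the pre-shared key value, and the "3DES_SHA1_G1" wrong choice in the last scenario are assumptions made for the example; the lifetime and weak-algorithm handling are checks a practitioner would want, not a claim about either product's exact behaviour.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Single DES and MD5 are the weak transforms the Vigor proposal strings can still offer.
WEAK = {"des", "md5"}


@dataclass(frozen=True)
class Proposal:
    enc: str            # e.g. "3des"
    integ: str          # e.g. "sha1"
    dh: Optional[int]   # DH group in phase 1; PFS group in phase 2 (None = no PFS)

    def label(self) -> str:
        return f"{self.enc.upper()}_{self.integ.upper()}" + (f"_G{self.dh}" if self.dh else "")

    def is_weak(self) -> bool:
        return self.enc in WEAK or self.integ in WEAK


@dataclass
class Peer:
    name: str
    psk: str
    main_mode: bool
    phase1: List[Proposal]
    phase1_lifetime: int      # seconds
    phase2: List[Proposal]
    phase2_lifetime: int      # seconds


def parse_vigor(text: str, pfs_group: Optional[int] = None) -> List[Proposal]:
    """Turn Vigor GUI strings such as '3DES_SHA1_G2' or '3DES_SHA1/DES_MD5' into
    Proposal objects. Phase 2 strings carry no _Gn suffix, so the PFS group (if any)
    comes from the pfs_group argument."""
    out = []
    for item in text.lower().split("/"):
        parts = item.split("_")
        dh = int(parts[2][1:]) if len(parts) > 2 else pfs_group
        out.append(Proposal(parts[0], parts[1], dh))
    return out


def negotiate(initiator: Peer, responder: Peer) -> Tuple[Proposal, Proposal, List[str]]:
    """Pick, for each phase, the first initiator proposal the responder also has.
    Returns (phase1, phase2, warnings); raises ValueError with the reason when
    no agreement is possible (simplified IKEv1 behaviour, an assumption here)."""
    warnings: List[str] = []
    if initiator.psk != responder.psk:
        raise ValueError("phase 1: pre-shared keys differ")
    if initiator.main_mode != responder.main_mode:
        raise ValueError("phase 1: exchange mode mismatch (main vs aggressive)")
    p1 = next((p for p in initiator.phase1 if p in responder.phase1), None)
    if p1 is None:
        raise ValueError("phase 1: no common proposal (cipher, hash or DH group differs)")
    p2 = next((p for p in initiator.phase2 if p in responder.phase2), None)
    if p2 is None:
        raise ValueError("phase 2: no common proposal (cipher, hash or PFS setting differs)")
    for phase, a, b in (("phase 1", initiator.phase1_lifetime, responder.phase1_lifetime),
                        ("phase 2", initiator.phase2_lifetime, responder.phase2_lifetime)):
        if a != b:
            warnings.append(f"{phase}: lifetimes differ ({a}s vs {b}s); rekeying follows the shorter")
    for lbl in sorted({p.label() for p in initiator.phase2 + responder.phase2 if p.is_weak()}):
        warnings.append(f"phase 2: weak fallback {lbl} is on offer")
    if p1.is_weak() or p2.is_weak():
        warnings.append(f"WEAK: tunnel would come up on {p1.label()} / {p2.label()}")
    return p1, p2, warnings


def post_settings(vigor_pfs_group: Optional[int] = 2, psk: str = "example-psk") -> Tuple[Peer, Peer]:
    """The two ends as described in the post (Vigor first, then ISA). The PFS group
    of 2 and the PSK value are assumptions for this example."""
    isa = Peer("ISA 2004", psk, True,
               [Proposal("3des", "sha1", 2)], 28800,
               [Proposal("3des", "sha1", 2)], 3600)
    vigor = Peer("Vigor 2800", psk, True,
                 parse_vigor("3DES_SHA1_G2"), 28800,
                 parse_vigor("3DES_SHA1/DES_MD5", pfs_group=vigor_pfs_group), 3600)
    return vigor, isa


def scenarios() -> Dict[str, object]:
    """The working configuration plus two common slips; returns scenario -> outcome."""
    results: Dict[str, object] = {}
    vigor, isa = post_settings()
    p1, p2, warns = negotiate(vigor, isa)
    results["as described"] = f"{p1.label()} / {p2.label()}"
    results["warnings"] = warns
    for name, vigor, isa in (
        ("pfs off on vigor", *post_settings(vigor_pfs_group=None)),   # ISA still requires PFS
        ("dh group 1 on vigor", *post_settings()),                    # wrong phase 1 choice (hypothetical)
    ):
        if name.startswith("dh"):
            vigor.phase1 = parse_vigor("3DES_SHA1_G1")
        try:
            negotiate(vigor, isa)
            results[name] = "tunnel up"
        except ValueError as e:
            results[name] = str(e)
    return results


if __name__ == "__main__":
    for key, value in scenarios().items():
        print(f"{key}: {value}")
```

The "as described" case agrees on 3DES/SHA1 with group 2 in both phases and only warns that DES_MD5 is sitting in the Vigor's phase 2 list; the two broken cases show why it pays to know which phase failed before touching anything else.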
There are various reasons for opting for an IPSec tunnel, but the major one is that it is one of the easier tunnels to create and it is secure. You could of course opt for a site-to-site PPTP or L2TP/IPSec VPN instead, but these come with their own complications and security issues; PPTP in particular rests on MS-CHAPv2, whose weaknesses have been public for years.
If the Vigor 2800 is anything to go by, I'd say that the Draytek routers are a nice bit of kit which work well for SOHO deployments, although there are a number of things in the GUI which really started to cheese me off after a while. There's no denying that they're not as flexible as other solutions, but they're nowhere near as simple as other routers which you could use. I'm still not entirely convinced that they're the perfect solution, although Chris has fallen in love with them, but at the end of the day for this sort of job you're rarely going to be touching them once they're up and working, so the cost savings over an equivalent Cisco box may pay off in the end.