VPN Interoperability
SonicOS 3.1 Enhanced and Microsoft ISA Server 2004
Introduction
This Tech Note details the steps required to create a working IKE IPSec VPN tunnel between SonicWALL SonicOS Enhanced 3.1 and Microsoft Internet Security and Acceleration (ISA) Server 2004 Standard Edition.
Recommended Versions
• SonicWALL security appliance running SonicOS Enhanced 3.1.0.4
• Microsoft ISA Server 2004 Standard Edition with ISA Server 2004 SP1
• Microsoft Windows Server 2003 with SP1
Caveats
Both the Microsoft ISA Server 2004 and the underlying Microsoft Windows 2003 Server have had all service packs applied.
Sample Network Diagram
Configuration Tasklist
On the SonicWALL security appliance:
• Create new network objects and groups
• Create new VPN Policy for the MS ISA Server 2004
• Specify Destination Network, IKE Phase 1 and Phase 2 properties
On the MS ISA Server 2004:
• Create VPN site-to-site network
• Configure IPSec settings
• Create Access Rules
• Create Network Rules
Testing:
• Verify that traffic flows through the tunnel
• Verify that applications function properly through the tunnel
• Verify that the tunnel can reestablish if either side is disconnected
• Verify that the network map and documentation match the running configuration
Before You Begin
If you have not already done so, set up a management system connecting to the SonicWALL security appliance’s internal LAN interface. The SonicWALL security appliance should already be configured for Internet access; if not, do this before completing any further steps. The Microsoft ISA Server 2004 server is also assumed to be properly configured for Internet access.
SonicWALL Setup
Log into the SonicWALL security appliance’s Management GUI using a current Web browser.
The address objects will be created first, and then a group will be created to contain the address objects. From the left-navigation bar, click on ‘Network’ and then ‘Address Objects’; this will bring up the ‘Network > Address Objects’ page. In the ‘Address Objects’ section, click on ‘Add’ to create the address objects for the networks connected to the Microsoft ISA Server 2004 Standard Edition and the SonicWALL security appliance. The first address object is for the LAN behind the Microsoft ISA Server 2004 Standard Edition.
• The ‘Name:’ is “ISA_LAN”
• The ‘Zone Assignment:’ is “VPN”
• The ‘Type:’ is “Network”
• The ‘Network:’ is “192.168.50.0”
• The ‘Netmask:’ is “255.255.255.0”
Click ‘OK’ to finish.
From the navigation bar on the left, click on ‘VPN’; this will bring up the ‘VPN > Settings’ page. In the ‘VPN Global Settings’ section, make sure the ‘Enable VPN’ radio button is selected. In the ‘VPN Policies’ section, click on ‘Add’ to create the new VPN policy for the MS ISA Server 2004.
The ‘VPN Policy’ window will then appear. On the ‘General’ tab page:
• Select “IKE using Preshared Secret” from the ‘IPSec Keying Mode:’ dropdown box.
• Enter a ‘Name:’ for the VPN policy. In this example, “MS ISA 2004”.
• Enter the IP address of the MS ISA 2004 Server in the ‘IPSec Primary Gateway Name or Address:’ field. In this example, “10.0.0.1”.
• Enter the preshared secret in the ‘Shared Secret:’ field. In this example, “hardtoguess”.
Next select the ‘Network’ tab.
In the ‘Local Networks’ section, select the radio button next to ‘Choose local network from list’ and select “LAN Primary Subnet” from the drop-down box.
In the ‘Destination Networks’ section, select the radio button next to ‘Choose destination network from list’ and select “ISA_LAN” from the dropdown box.
Next select the ‘Proposals’ tab. The default values should be used.
For the ‘IKE (Phase 1) Proposal’ section:
• ‘Exchange:’ is “Main Mode”
• ‘DH Group’ is “Group 2”
• ‘Encryption’ is “3DES”
• ‘Authentication’ is “SHA1”
• ‘Life Time (seconds)’ is “28800”
For the ‘IPSec (Phase 2) Proposal’ section:
• ‘Protocol’ is “ESP”
• ‘Encryption’ is “3DES”
• ‘Authentication’ is “SHA1”
• ‘DH Group’ is “Group 2”
• ‘Life Time (seconds)’ is “28800”
Do not enable Perfect Forward Security. Click ‘OK’ to finish.
This completes the setup on the SonicWALL security appliance.
Microsoft Internet Security and Acceleration (ISA) Server 2004 Standard Edition Setup
This Tech Note assumes that the Microsoft ISA Server 2004 is already installed and functional. From the ISA Server Management Console, select Virtual Private Networks (VPN). Under Remote Site Tasks, select Add Remote Site Network.
This will bring up the New Site-to-Site Network Wizard. Under Network name, enter the Network name, in this example, snwl. Then click Next >.
For the Network Type, select VPN Site-To-Site Network. Then click Next >.
For the VPN Protocol, select IP Security protocol (IPSec) tunnel mode. Then click Next >.
For the Remote VPN gateway IP Address, enter 10.0.0.2. And for the Local VPN gateway IP address, select 10.0.0.1 (External) from the pull down menu. Then click Next >.
For IPSec Authentication, select Use pre-shared key for authentication and enter hardtoguess for the secret. Then click Next >.
In the Network Addresses section, click the Add button. Then specify the network behind the SonicWALL security appliance.
Enter the network behind the SonicWALL security appliance in the IP Address Range Properties dialog box. Enter 192.168.168.0 for the Starting address and 192.168.168.255 for the Ending address. Click OK to continue.
Now verify the address range in the Network Addresses section, then click the Next > button to continue.
This completes the New Network Wizard. Click Finish to go on to the next step.
On the Remote Sites tab of the Virtual Private Networks (VPN) section of the management console, right click on the newly created network, snwl. This will bring up the snwl properties page. Click on the IPSec Settings button to modify the IPSec Settings.
On the IPSec configuration page, verify that the Phase I properties match the SonicWALL Phase 1 proposal, and then select the Phase II tab. De-select Use Perfect Forward Security, and then click OK to continue.
Now that the VPN Policy has been created, create the Access Rules to allow traffic to and from the snwl vpn network. This is done in the Firewall Policy section. From the ISA Server Management Console, select Firewall Policy.
In the Firewall Policy Tasks section, select Create New Access Rule.
This brings up the New Access Rule Wizard. Enter the Access Rule name, for this example, to snwl. Then click Next > to continue.
On the Rule Action page, select Allow and click Next > to continue.
On the Protocols page, select All outbound traffic and click Next > to continue.
On the Access Rule Sources page, click Add to select the source network. On the Add Network Entities page, select Internal and click Add, then Close. This will bring you back to the Access Rule Sources page.
On the Access Rule Sources page, verify the Internal network has been selected. Click Next > to continue.
On the Access Rule Destinations page, click Add to select the destination network. On the Add Network Entities page, select snwl and click Add, then Close. This will bring you back to the Access Rule Destinations page.
On the Access Rule Destinations page, verify the snwl network has been selected. Click Next > to continue.
On the User Sets page, verify All Users is selected. Click Next > to finish the New Access Rule Wizard.
This completes the New Access Rule Wizard. Click Finish to go on to the next step.
Now we must create another access rule for the VPN traffic from the snwl network. To do this we will repeat the New Access Rule Wizard. Enter the Access Rule name, for this example, from snwl. Then click Next > to continue.
On the Rule Action page, select Allow and click Next > to continue.
On the Protocols page, select All outbound traffic and click Next > to continue.
On the Access Rule Sources page, click Add to select the source network. On the Add Network Entities page, select snwl and click Add, then Close. This will bring you back to the Access Rule Sources page.
On the Access Rule Sources page, verify the snwl network has been selected. Click Next > to continue.
On the Access Rule Destinations page, click Add to select the destination network. On the Add Network Entities page, select Internal and click Add, then Close. This will bring you back to the Access Rule Destinations page.
On the Access Rule Destinations page, verify the Internal network has been selected. Click Next > to continue.
On the User Sets page, verify All Users is selected. Click Next > to finish the New Access Rule Wizard.
This completes the New Access Rule Wizard. Access rules now exist for traffic to and from the snwl network. Click Finish to go on to the next step.
After each change, the configuration must be updated on the server. This is accomplished with the Apply button.
Now that the VPN Policy and the Access Rules have been created, only one step is remaining. The Network Routes must now be created. To create the network routes, go to the Networks section of the ISA Management console.
From the Networks section of the ISA Management console, select the Create New Network Rule.
This brings up the New Network Rule Wizard. Enter the Network Rule name, for this example, to snwl. Then click Next > to continue.
On the Network Traffic Sources page, click Add to select the source network. On the Add Network Entities page, select Internal and click Add, then Close. This will bring you back to the Network Traffic Sources page.
On the Network Traffic Sources page, verify the Internal network has been selected. Click Next > to continue.
On the Network Traffic Destinations page, click Add to select the destination network. On the Add Network Entities page, select snwl and click Add, then Close. This will bring you back to the Network Traffic Destinations page.
On the Network Traffic Destinations page, verify the snwl network has been selected. Click Next > to continue.
On the Network Relationship page, select Route. Click Next > to continue.
This completes the New Network Rule Wizard. Click Finish to go on to the next step.
Now we must create another network rule for the VPN traffic from the snwl network. To do this we will repeat the New Network Rule Wizard. Enter the Network Rule name, for this example, from snwl. Then click Next > to continue.
On the Network Traffic Sources page, click Add to select the source network. On the Add Network Entities page, select snwl and click Add, then Close. This will bring you back to the Network Traffic Sources page.
On the Network Traffic Sources page, verify the snwl network has been selected. Click Next > to continue.
On the Network Traffic Destinations page, click Add to select the destination network. On the Add Network Entities page, select Internal and click Add, then Close. This will bring you back to the Network Traffic Destinations page.
On the Network Traffic Destinations page, verify the Internal network has been selected. Click Next > to continue.
On the Network Relationship page, select Route. Click Next > to continue.
This completes the New Network Rule Wizard. Routes now exist for traffic to and from the snwl network.
The configuration must be updated on the server. This is accomplished with the Apply button.
This completes the setup on the Microsoft ISA 2004 server.
Testing
• From the management consoles of both the SonicWALL security appliance and MS ISA Server 2004, verify the active VPN tunnels.
• Pass traffic between all subnets to verify tunnel operation.
• Optional, if the environment allows downtime: reboot both the SonicWALL security appliance and MS ISA Server 2004 and verify that the tunnels reestablish; verify again that traffic is flowing.
Troubleshooting
• Create a diagram of the network. Include all network information and security association parameters. Include desired traffic flows. Be as specific as possible. When the diagram is complete, compare it with the configuration of each device. Verify that the configuration of each device is consistent with the diagram. This exercise should rule out most common configuration errors. The diagram is also good for documentation.
• Verify all IPSec Security Association parameters match. Verify the Security policy parameters match. Verify that the VPN destination network parameters match. Verify the objects created match. This may sound repetitive, but one error can cause the configuration to not work.
• Verify the network routes. Verify the ARP tables on each device are correct.
• Verify that the new policy has been applied on the MS ISA Server 2004.
• Check the log files on both the SonicWALL security appliance and MS ISA Server 2004. Verify the logging services are set to log all events. Most errors can be caught with a careful inspection of both log files. If the log files are large it can be difficult to find the pertinent information; in this situation it can be helpful to clear the log file and repeat the testing. If in a production network, back up the log files first.
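The "verify the parameters match" checks above, and the Phase I/Phase II comparison asked for in the ISA IPSec Settings step, can be done mechanically once both sides' settings are written down. The script below is an added example, not SonicWALL or Microsoft code: the two dictionaries are hand-built from the values in this note (neither device is queried), the value 192.168.168.0/24 for the SonicWALL "LAN Primary Subnet" is assumed from the range entered on the ISA side, and the ISA Phase I/II values are filled in to mirror the SonicWALL proposals rather than taken from ISA's shipped defaults. It reports every gateway, shared-secret, protected-network and proposal mismatch, including Perfect Forward Secrecy left enabled on one side.

```python
import copy
import hmac
import ipaddress

# Constructed from the SonicWALL side of the note: the "MS ISA 2004" policy
# under VPN > Settings with its Proposals tab values. "LAN Primary Subnet"
# is ASSUMED to be 192.168.168.0/24 (the range the note enters on the ISA side).
SONICWALL_POLICY = {
    "local_gateway": "10.0.0.2",
    "peer_gateway": "10.0.0.1",
    "shared_secret": "hardtoguess",
    "local_networks": ["192.168.168.0/24"],
    "remote_networks": ["192.168.50.0/24"],       # address object ISA_LAN
    "phase1": {"exchange": "main", "dh_group": 2, "encryption": "3des",
               "authentication": "sha1", "lifetime": 28800},
    "phase2": {"protocol": "esp", "encryption": "3des",
               "authentication": "sha1", "lifetime": 28800, "pfs": False},
}

# Constructed from the ISA side: remote site network "snwl" (IPSec tunnel mode)
# plus ISA's Internal network. Ranges are start/end pairs because that is how
# the ISA wizard takes them. Phase I/II values mirror the SonicWALL proposals.
ISA_REMOTE_SITE = {
    "name": "snwl",
    "local_gateway": "10.0.0.1",
    "remote_gateway": "10.0.0.2",
    "preshared_key": "hardtoguess",
    "remote_ranges": [("192.168.168.0", "192.168.168.255")],
    "internal_ranges": [("192.168.50.0", "192.168.50.255")],
    "phase1": {"exchange": "main", "dh_group": 2, "encryption": "3des",
               "authentication": "sha1", "lifetime": 28800},
    "phase2": {"protocol": "esp", "encryption": "3des",
               "authentication": "sha1", "lifetime": 28800, "pfs": False},
}


def ranges_to_networks(ranges):
    """Convert ISA start/end address ranges into the set of CIDR blocks they cover."""
    nets = set()
    for start, end in ranges:
        nets.update(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return nets


def check_tunnel(sonicwall, isa):
    """Return a list of mismatches between the two sides; empty means they agree."""
    findings = []

    # Gateways must cross-reference: each side's peer is the other's local address.
    if sonicwall["peer_gateway"] != isa["local_gateway"]:
        findings.append(f"SonicWALL peer gateway {sonicwall['peer_gateway']} "
                        f"!= ISA local gateway {isa['local_gateway']}")
    if sonicwall["local_gateway"] != isa["remote_gateway"]:
        findings.append(f"SonicWALL local gateway {sonicwall['local_gateway']} "
                        f"!= ISA remote gateway {isa['remote_gateway']}")

    # Pre-shared key: compare in constant time; the value itself is never printed.
    if not hmac.compare_digest(sonicwall["shared_secret"].encode(),
                               isa["preshared_key"].encode()):
        findings.append("pre-shared key differs between the two sides")

    # Protected networks are mirror images: SonicWALL local == ISA remote site,
    # SonicWALL destination (ISA_LAN) == ISA Internal.
    sw_local = {ipaddress.ip_network(n) for n in sonicwall["local_networks"]}
    sw_remote = {ipaddress.ip_network(n) for n in sonicwall["remote_networks"]}
    if sw_local != ranges_to_networks(isa["remote_ranges"]):
        findings.append(f"SonicWALL local networks {sorted(map(str, sw_local))} "
                        f"do not match ISA remote site ranges {isa['remote_ranges']}")
    if sw_remote != ranges_to_networks(isa["internal_ranges"]):
        findings.append(f"SonicWALL destination networks {sorted(map(str, sw_remote))} "
                        f"do not match ISA Internal ranges {isa['internal_ranges']}")

    # Proposals: every Phase 1 / Phase 2 parameter must agree, PFS included.
    for phase in ("phase1", "phase2"):
        for key in sorted(set(sonicwall[phase]) | set(isa[phase])):
            a, b = sonicwall[phase].get(key), isa[phase].get(key)
            if a != b:
                findings.append(f"{phase} {key}: SonicWALL={a} ISA={b}")
    return findings


def pfs_left_enabled(isa):
    """Copy of an ISA remote site where the 'Use Perfect Forward Secrecy' box was
    not de-selected, the mistake the IPSec Settings step of this note guards against."""
    broken = copy.deepcopy(isa)
    broken["phase2"]["pfs"] = True
    return broken


if __name__ == "__main__":
    for label, isa_cfg in (("as documented", ISA_REMOTE_SITE),
                           ("PFS left enabled on ISA", pfs_left_enabled(ISA_REMOTE_SITE))):
        result = check_tunnel(SONICWALL_POLICY, isa_cfg)
        print(f"{label}: {'OK' if not result else 'MISMATCH'}")
        for line in result:
            print("  -", line)
```

Run it before touching the log files: a clean run narrows the problem to routing, ARP or an unapplied ISA configuration, while any finding points at the exact field to correct on one device.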
Created: May 12, 2005
Updated: May 16, 2005
Version 1.2