An interesting article by Adrian Dimcev covers some limitations of IPsec tunnel mode support for site-to-site VPNs with ISA 2006 firewalls and VPN gateways. Adrian points out several issues with the IPsec tunnel mode implementation and with connectivity to third-party VPN gateways:
- Lack of support for Diffie-Hellman MODP Group 5 (the stronger Group 14 is supported)
- Lack of support for AES (this will be included with TMG)
- A limitation in how networks are configured that makes certain scenarios difficult to support (such as a single IP address defining the Local Site Network)
- Certificate checks limited to confirming the issuing CA of the certificate
- ISA IPsec tunnel mode does not support compression
- Lack of support for overlapping subnets in site-to-site VPN scenarios
Check out Adrian’s full explanations of these issues over at:
HTH,
Tom
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com
PROWESS CONSULTING | Microsoft Forefront Security Specialist
Email: [email protected]
MVP — Forefront Edge Security (ISA/TMG/IAG)