Creating IPSec Tunnel Mode Site to Site VPNs with ISA Server 2004 Firewalls



By Thomas W Shinder M.D.


One of the things that drove many of us crazy about ISA Server 2000 firewalls was the lack of support for IPSec tunnel mode site to site VPN links. This was a major problem for many ISA firewall administrators and would-be ISA firewall administrators who wanted to bring ISA into the corporate network by placing one at a branch office. These firewall admins figured if they could bring the ISA firewall into the branch office, they would be able to show off its strong application layer filtering and user/group based authentication, and then they’d be able to bring the ISA firewalls into the Main office.



Lack of support for IPSec tunnel mode site to site links prevented branch office ISA firewalls from connecting to most third party VPN servers (sometimes referred to as “concentrators”). While ISA Server 2000 supported industry standard PPTP and L2TP/IPSec site to site VPN connections, third party VPN server and gateway vendors capitalized on Microsoft’s support for industry standards and created their own proprietary IPSec site to site VPN networking schemes. Unfortunately, this locked Microsoft out of many shops that could have otherwise benefited from ISA firewalls at the branch office.



The good news is that ISA Server 2004 corrects this problem and fully supports site to site links using IPSec tunnel mode with third party firewalls. Microsoft has tested this functionality with multiple popular firewall vendors. This is good news to ISA firewall fans, as it means you can easily bring the ISA Server 2004 firewall into the branch office and demonstrate its superior firewall features and functionality. You can later bring the ISA Server 2004 firewall and VPN server into the main office and use a higher security VPN site to site protocol, such as L2TP/IPSec with EAP/TLS authentication.


You heard that right. IPSec tunnel mode is not a high security solution – it’s a compatibility solution. The third party IPSec tunnel mode site to site VPN methods are not as secure as industry standard L2TP/IPSec site to site links. That’s why you want to get that ISA Server 2004 firewall into the branch office, and then, after it’s proven itself, introduce ISA Server 2004 firewall/VPN gateways into the main office to bolster security for your site to site links.


IPSec tunnel mode is susceptible to man in the middle attacks. IPSec wasn’t designed to handle PPP-like functions which are part of the virtual network connection establishment process. In order to handle Point to Point Protocol (PPP) functions, such as log on credential confirmation and encrypted session management, IPSec tunnels use IKE aggressive mode and functions like XAUTH/MODCFG which are susceptible to well-known man in the middle attacks.


Another problem with IPSec tunnel mode is that it isn’t represented as a logical networking interface over which packets can be routed; routes cannot be assigned to use the IPSec tunnel mode link and routing protocols do not operate over IPSec tunnels. Instead, cryptic and difficult to manage and audit IPSec policies are used for route decisions. These significant limitations provide compelling reasons why you should use IPSec tunnel mode only for downlevel compatibility with third-party VPN servers and gateways.


Now that I’ve weaned you away from IPSec tunnel mode site to site links, I’m going to show you how to configure two ISA Server 2004 firewalls as VPN gateways using IPSec tunnel mode for the site to site link. This is for demonstration purposes only. If you have the pleasure of using ISA Server 2004 firewalls at the main and branch offices, you should always use L2TP/IPSec as your VPN protocol joining the networks.


The figure below shows the topology of the network used in this example.



We will cover in detail the following procedures required to create an IPSec tunnel mode site to site link connecting two networks that use ISA Server 2004 firewalls on each side:



  • Create the Remote Site Network at the Main Office
  • Create the Network Rule at the Main Office
  • Create the Access Rules at the Main Office
  • Create the Remote Site Network at the Branch Office
  • Create the Network Rule at the Branch Office
  • Create the Access Rules at the Branch Office

    Create the Remote Site Network at the Main Office


    The first step is to create a Remote Site Network representing the network at the Branch office. The Main office ISA Server 2004 firewall will use the Branch office Remote Site Network in routing and Access Rules.


    Perform the following steps to create the Remote Site Network at the Main office:



    1. At the Main office ISA Server 2004 firewall machine, open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name. Click on the Virtual Private Networks (VPN) node.
    2. In the Details pane, click the Remote Sites tab. Click the Tasks tab in the Task Pane. Click the Add Remote Site Network link.
    3. On the Welcome to the New Network Wizard page, enter a name for the Remote Site Network in the Network name text box. In this example, we will call the Remote Site Network Branch. Click Next.
    4. On the VPN Protocol page, select the IP Security protocol (IPSec) tunnel mode option and click Next.
    5. On the Connection Settings page, enter the IP address of the Remote Site VPN gateway in the Remote VPN gateway IP address text box. In this example, the Remote Site VPN gateway address is 192.168.1.71, so we will enter that value into the text box. Select the IP address on the external interface of the Main office ISA firewall in the Local VPN gateway IP address list. In this example, the external address is 192.168.1.70, so we will select that option. Click Next.
    6. On the IPSec Authentication page, select the Use pre-shared key for authentication option. Enter a pre-shared key in the text box. This should be a complex value with mixed-case letters, numbers and non-alphanumeric characters. Note that you also have the option to use a computer certificate. We will cover that option in a future article, but I figure that most people will use a pre-shared key to simplify deployment. Note that pre-shared keys are a low security option; that is why L2TP/IPSec is always preferred to IPSec tunnel mode. In this example we’ll enter 123 for the pre-shared key for demonstration purposes only. Click Next.
    7. On the Network Addresses page, click the Add button. Enter the range of addresses included in the Remote Site Network. In this example, the Branch office uses IP addresses 10.0.1.0-10.0.1.255, so we will enter those values into the Starting address and Ending address text boxes on the IP Address Range Properties dialog box and click OK. In addition, we will enter the IP address on the external interface of the Remote Site Network’s firewall so that Web Proxy clients will be able to access the network. In this example, the external IP address of the Remote Site Network’s firewall is 192.168.1.71, so we will enter that value in both the Starting address and Ending address text boxes on the IP Address Range Properties dialog box and click OK. Click Next.
    8. Click Finish on the Completing the New Network Wizard page.

    Create the Network Rule at the Main Office


    The ISA Server 2004 firewall needs to know the routing relationship you want to use between the Main and Remote office sites. You can choose either a route or a NAT relationship. In general, the NAT relationship is considered more secure while the route relationship is considered more accessible. The route relationship is more accessible because not all network applications work properly when using a NAT relationship.


    Perform the following steps to create the Network Rule that determines the routing relationship between the Main and Branch offices:



    1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then expand the Configuration node. Click on the Networks node.
    2. In the Details pane, click the Network Rules tab. In the Task Pane, click the Tasks tab. Click the Create a New Network Rule link.
    3. On the Welcome to the New Network Rule Wizard page, enter a name for the rule in the Network rule name text box. In this example we will call the rule MainBranch. Click Next.
    4. On the Network Traffic Sources page, click the Add button. In the Add Network Entities dialog box, click the Networks folder and then double click the Internal network. Click Close. Click Next on the Network Traffic Sources page.
    5. On the Network Traffic Destinations page, click the Add button. In the Add Network Entities dialog box, click the Networks folder and then double click on the Branch network. Click Close. Click Next on the Network Traffic Destinations page.
    6. On the Network Relationship page, select the Route option. Click Next.
    7. Click Finish on the Completing the New Network Rule Wizard page.

    Create the Access Rules at the Main Office


    The Access Rules control what traffic moves between the Main and Branch office sites. If there are no Access Rules, then no traffic will move between the sites, regardless of the fact that you have created a Remote Site Network and Network Rule. In this current example, we will allow all traffic to move from the Main office to the Branch office, and all traffic to move from the Branch office to the Main office. In a production network you would lock down the traffic that can move between the sites and institute strong user/group based access controls. I’ll cover how you can use user/group based access control in a later article on site to site VPN networking.


    Note that this strong user/group based access control is not available with other popular firewalls that are currently considered industry leaders!


    Perform the following steps to create the Access Rules allowing traffic between the Main office and the Branch office:



    1. In the Microsoft Internet Security and Acceleration Server 2004 management console, click on the Firewall Policy node in the left pane. Click the Tasks tab in the Task Pane and then click the Create New Access Rule link.
    2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example we will name the rule Main to Branch. Click Next.
    3. On the Rule Action page, select the Allow option and click Next.
    4. On the Protocols page, select the All outbound protocols option in the This rule applies to list and click Next.
    5. On the Access Rule Sources page, click Add. In the Add Network Entities dialog box, click the Networks folder and then double click on the Internal network. Click Close. Click Next on the Access Rule Sources page.
    6. On the Access Rule Destinations page, click Add. In the Add Network Entities dialog box, click the Networks folder and then double click on the Branch network. Click Close. Click Next on the Access Rule Destinations page.
    7. On the User Sets page, use the default selection, All Users, and click Next.
    8. Click Finish on the Completing the New Access Rule Wizard page.

    We need to create another rule that allows traffic from the Remote Site Network (the branch office in this example) to the Main office. Instead of going through the New Access Rule Wizard again, I’ll show you a trick that can speed up creating a new Access Rule:



    1. Right click the Main to Branch rule and click Copy. Right click the rule again and click Paste.
    2. Right click the Main to Branch (1) rule and click Properties.
    3. In the Main to Branch (1) Properties dialog box, click the General tab and enter the name Branch to Main in the Name text box.
    4. Click the From tab. Click the Internal network and click Remove. Click Add. In the Add Network Entities dialog box, click the Networks folder and double click Branch. Click Close.
    5. Click the To tab. Click the Branch network and click Remove. Click Add. In the Add Network Entities dialog box, click the Networks folder and double click Internal. Click Close.
    6. Click Apply and then click OK.
    7. Click Apply to save the changes and update the firewall policy.


    Create the Remote Site Network at the Branch Office


    We now need to mirror the settings we created at the Main office. All the procedures are the same, except we reverse the settings to support communications from the Branch office to the Main office.


    Perform the following steps to create the Remote Site Network at the Branch office:



    1. At the Branch office ISA Server 2004 firewall machine, open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name. Click on the Virtual Private Networks (VPN) node.
    2. In the Details pane, click the Remote Sites tab. Click the Tasks tab in the Task Pane. Click the Add Remote Site Network link.
    3. On the Welcome to the New Network Wizard page, enter a name for the Remote Site Network in the Network name text box. In this example, we will call the Remote Site Network Main. Click Next.
    4. On the VPN Protocol page, select the IP Security protocol (IPSec) tunnel mode option and click Next.
    5. On the Connection Settings page, enter the IP address of the Remote Site VPN gateway in the Remote VPN gateway IP address text box. In this example, the Remote Site VPN gateway address is 192.168.1.70, so we will enter that value into the text box. Select the IP address on the external interface of the Branch office ISA firewall in the Local VPN gateway IP address list. In this example, the external address is 192.168.1.71, so we will select that option. Click Next.
    6. On the IPSec Authentication page, select the Use pre-shared key for authentication option. Enter a pre-shared key in the text box. This should be a complex value with mixed-case letters, numbers and non-alphanumeric characters. Note that you also have the option to use a computer certificate. We will cover that option in a future article, but I figure that most people will use a pre-shared key to simplify deployment. Note that pre-shared keys are a low security option; that is why L2TP/IPSec is always preferred to IPSec tunnel mode. In this example we’ll enter 123 for the pre-shared key for demonstration purposes only. Click Next.
    7. On the Network Addresses page, click the Add button. Enter the range of addresses included in the Remote Site Network. In this example, the Main office uses IP addresses 10.0.0.0-10.0.0.255, so we will enter those values into the Starting address and Ending address text boxes on the IP Address Range Properties dialog box and click OK. In addition, we will enter the IP address on the external interface of the Remote Site Network’s firewall so that Web Proxy clients will be able to access the network. In this example, the external IP address of the Remote Site Network’s firewall is 192.168.1.70, so we will enter that value in both the Starting address and Ending address text boxes on the IP Address Range Properties dialog box and click OK. Click Next.
    8. Click Finish on the Completing the New Network Wizard page.

    Create the Network Rule at the Branch Office


    Perform the following steps to create the Network Rule that determines the routing relationship between the Main and Branch offices:



    1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then expand the Configuration node. Click on the Networks node.
    2. In the Details pane, click the Network Rules tab. In the Task Pane, click the Tasks tab. Click the Create a New Network Rule link.
    3. On the Welcome to the New Network Rule Wizard page, enter a name for the rule in the Network rule name text box. In this example we will call the rule BranchMain. Click Next.
    4. On the Network Traffic Sources page, click the Add button. In the Add Network Entities dialog box, click the Networks folder and then double click the Internal network. Click Close. Click Next on the Network Traffic Sources page.
    5. On the Network Traffic Destinations page, click the Add button. In the Add Network Entities dialog box, click the Networks folder and then double click on the Main network. Click Close. Click Next on the Network Traffic Destinations page.
    6. On the Network Relationship page, select the Route option. Click Next.
    7. Click Finish on the Completing the New Network Rule Wizard page.

    Create the Access Rules at the Branch Office


    Perform the following steps to create the Access Rules controlling traffic between the branch office and the main office:



    1. In the Microsoft Internet Security and Acceleration Server 2004 management console, click on the Firewall Policy node in the left pane. Click the Tasks tab in the Task Pane and then click the Create New Access Rule link.
    2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example we will name the rule Branch to Main. Click Next.
    3. On the Rule Action page, select the Allow option and click Next.
    4. On the Protocols page, select the All outbound protocols option in the This rule applies to list and click Next.
    5. On the Access Rule Sources page, click Add. In the Add Network Entities dialog box, click the Networks folder and then double click on the Internal network. Click Close. Click Next on the Access Rule Sources page.
    6. On the Access Rule Destinations page, click Add. In the Add Network Entities dialog box, click the Networks folder and then double click on the Main network. Click Close. Click Next on the Access Rule Destinations page.
    7. On the User Sets page, use the default selection, All Users, and click Next.
    8. Click Finish on the Completing the New Access Rule Wizard page.

    We need to create another rule that allows traffic from the Remote Site Network (the Main office in this example) to the Branch office. Perform the following steps to create the rule:



    1. Right click the Branch to Main rule and click Copy. Right click the rule again and click Paste.
    2. Right click the Branch to Main (1) rule and click Properties.
    3. In the Branch to Main (1) Properties dialog box, click the General tab and enter the name Main to Branch in the Name text box.
    4. Click the From tab. Click the Internal network and click Remove. Click Add. In the Add Network Entities dialog box, click the Networks folder and double click Main. Click Close.
    5. Click the To tab. Click the Main network and click Remove. Click Add. In the Add Network Entities dialog box, click the Networks folder and double click Internal. Click Close.
    6. Click Apply and then click OK.
    7. Click Apply to save the changes and update the firewall policy.
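    As an added example (not code from the article or from ISA Server), the following Python models the two mirrored site configurations built above as data and checks the points the article makes: the pre-shared key should be complex (the 20-character floor is my assumption), the remote gateway's external address must be included in the Remote Site Network, and an Access Rule is needed in each direction or nothing crosses the link. The Site class and the check names are my own; the addresses, names and the key 123 are the article's example values.

```python
# Added example (not from the article or from ISA Server): consistency
# checks over the two mirrored ISA Server 2004 IPSec tunnel mode site
# configurations described above; the data model and checks are mine.
import ipaddress, string
from dataclasses import dataclass

@dataclass
class Site:
    name: str            # site name, as used for the other side's Remote Site Network
    local_gateway: str   # Local VPN gateway IP address (external interface)
    internal: str        # this site's Internal network as "start-end"
    remote_name: str     # name given here to the Remote Site Network
    remote_gateway: str  # Remote VPN gateway IP address entered in the wizard
    remote_ranges: list  # Network Addresses entered for the Remote Site Network
    psk: str             # pre-shared key
    access_rules: list   # (from, to) pairs of allow rules, e.g. ("Internal", "Branch")

def parse_range(text):
    start, end = text.split("-")
    return ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)

def overlaps(a, b):
    (a0, a1), (b0, b1) = parse_range(a), parse_range(b)
    return a0 <= b1 and b0 <= a1

def psk_is_complex(key, min_len=20):  # length floor is an assumption
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return len(key) >= min_len and all(any(c in cls for c in key) for cls in classes)

def check_site(s):
    f = []
    if not psk_is_complex(s.psk):
        f.append(f"{s.name}: pre-shared key is not complex")
    if any(overlaps(s.internal, r) for r in s.remote_ranges):
        f.append(f"{s.name}: Remote Site Network overlaps the Internal network")
    gw = ipaddress.IPv4Address(s.remote_gateway)
    if not any(lo <= gw <= hi for lo, hi in map(parse_range, s.remote_ranges)):
        f.append(f"{s.name}: remote gateway {gw} missing from Remote Site Network addresses")
    for src, dst in (("Internal", s.remote_name), (s.remote_name, "Internal")):
        if (src, dst) not in s.access_rules:  # no rule in a direction means no traffic
            f.append(f"{s.name}: no Access Rule from {src} to {dst}")
    return f

def check_pair(a, b):
    f = check_site(a) + check_site(b)
    if a.remote_gateway != b.local_gateway or b.remote_gateway != a.local_gateway:
        f.append("gateway addresses are not mirrored between the sites")
    if a.psk != b.psk:
        f.append("pre-shared keys differ, so IKE authentication will fail")
    return f

# Constructed input: the addresses, names and key used in the article.
MAIN = Site("Main", "192.168.1.70", "10.0.0.0-10.0.0.255", "Branch", "192.168.1.71",
            ["10.0.1.0-10.0.1.255", "192.168.1.71-192.168.1.71"], "123",
            [("Internal", "Branch"), ("Branch", "Internal")])
BRANCH = Site("Branch", "192.168.1.71", "10.0.1.0-10.0.1.255", "Main", "192.168.1.70",
              ["10.0.0.0-10.0.0.255", "192.168.1.70-192.168.1.70"], "123",
              [("Internal", "Main"), ("Main", "Internal")])
```

Running check_pair(MAIN, BRANCH) on the article's values reports only that the key 123 is not complex on each side; dropping the gateway address from a Remote Site Network or omitting the copied reverse rule produces the corresponding finding.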


    Summary


    In this article we went over the procedures required to create a site to site VPN link between two ISA Server 2004 firewalls using IPSec tunnel mode. We also discussed the security issues with IPSec tunnel mode and why you should never use IPSec tunnel mode connections for site to site links unless you must do so in order to connect to third party VPN servers. In future articles we’ll discuss procedures required for configuring site to site links using IPSec tunnel mode with third party vendor firewalls and how to use strong user/group based access control to limit what users can access over the link.


    I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=30;t=000025 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom
