Establishing an IPSec site-to-site tunnel between an ISA 2004 Firewall and a D-Link DI-804HV IPSec VPN Router
Well, I worked this weekend with a D-Link DI-804HV VPN router to connect branch offices with an ISA firewall thru IPSec site-to-site tunnels. This D-Link router is a very cheap equipment to put on your remote locations, and very easy to configure as well. It can also function as a poor man’s firewall and it also allows inbound PPTP and L2TP/IPSec remote access VPN connections if you want to access your remote office from the comfort of your home!
Here’s our scenario:
The ISA Part:
First of all, you have to make sure your Internal network address set includes the whole network. This is important because IPSec policies must match on both sides or else the tunnel won’t be established.
Get your Internal network’s properties and check if it matches with the screenshot below:
The Internal network range must span your whole subnet.
Now the rest is really easy!
Create a new Remote site Network:
Name your rule…
Select IPSec Tunnel mode…
Now put the External IP that the D-Link router will have, and select which External IP address you want to use for this IPSec tunnel on your ISA firewall.
We’ll have to use pre-shared keys because the D-Link only offers us this 😉
Only use IPSec tunnel mode when you require backwards compatibility with third party VPN devices that require it for site to site VPNs. When available, always use L2TP/IPSec for site to site VPN connections. --Tom
On the next screen, add this address range:
So it stays like this:
And we’re set here!
Now we have to create a new network rule:
Supply the name for this rule…
Add the Branch Office network as the source of the traffic, so it stays like this…
Now add the internal network object as the destination of this traffic, so it stays like this…
And now, set it to route the traffic that is coming from your Branch Office network to your Internal Network.
And finish the wizard. Now we have to create an Access Policy allowing the Branch Office to send traffic down here 😉
Supply a name for your access rule…
Let’s allow it to come…
Yeah, I’m allowing all traffic for now. You may want to filter specific protocols so it doesn’t occupy your precious VPN bandwidth.
Add your Branch Office network as the source of the traffic, so it stays like this…
And now add your internal network as the source of the traffic, so it stays like this…
As the destination of the traffic that is coming from your branch office.
Yes, I’m also letting everyone in. You may want to filter that, of course.
And we’re done on the ISA firewall part! Now let’s head down to the D-Link.
The D-Link VPN Router Piece
The D-link comes configured with a preconfigured IP. All you have to do to configure it is plug your PC behind it and get a DHCP address, and access http://192.168.0.1 , default user admin with no password.
Here, I’ve already clicked on the tools tab and then on the firmware button, because I found a firmware update for this device at D-Link’s site. I like to keep things up-to-date.
After you supply the password, it’ll throw you at the default page. On this screenshot I’ve already clicked the LAN button to change the IP address of the router itself. Once you change its IP address, it’ll automatically change the DHCP scope, too! Very clever…
Well, this router will support almost anything you plug on to the WAN interface. It can do Dynamic DNS Updates for PPPoE DSL’s, it can use a modem as a primary interface or as a backup solution thru its built-in serial interface. Be careful with the MTU if you’re using DSL modems! If you find that pages are taking a long time do open, try decreasing it.
One good way to find out if your MTU is too high is ping somewhere with a big packet. For an example:
Ping www.google.com –f –l 1500
This’ll ping the google folks with a 1500-byte packet. If you don’t get any responses, try decreasing the packet size until you receive responses.
Well, let’s get down to business. Click the Home tab and then click VPN.
Enable VPN and give a name for your tunnel. This VPN router supports up to 50 simultaneous tunnels! When you click more, it’ll show you this:
Now set your Internal Network, netmask, remote subnet and remote gateway (ISA’s external IP Address) as shown. Type the same pre-shared you typed on the ISA firewall.
Hey! We have a typo on pre-shared there! 😉
Now let’s edit the IKE Proposal:
Well, these are the default settings ISA 2004 generates when we finish the Wizard. There’s a secret to fill this page: First type the proposal name, change menus as indicated, set the life time and apply. Then, add the proposal ID 1 followed by the Proposal ID 2 by clicking on the "Add to" button, and apply it again.
Now click back, and edit the IPSec Proposal index.
Same thing as before. Add the IPsec Proposals, add them to the index, and click back.
You can now start a ping against a host on your HQ network! If you’re lucky enough, you’ll get it!
"Resposta de" means "answer from" 😉
And if you click on the VPN Status button on the main VPN screen, you’ll see:
Well, this concludes our tutorial! If you run into trouble, remember: IPSec can’t pass thru NAT conversions, and the local and remote network subnets must be same on both sides. I’ve bumped into that one a good couple of times.
In case of doubt, e-mail me! [email protected]