Dr. Tom Shinder's Configuring ISA Server 2004 [Electronic resources]

Thomas W. Shinder; Debra Littlejohn Shinder


Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the 'Ask the Author' form. You will also gain access to thousands of other FAQs at ITFAQnet.com.

Q: I want to create a site-to-site VPN between my branch offices and main office networks. Do I need to change the IP address scheme on any of these networks?

A: It depends on your current IP addressing scheme. The ISA firewalls connecting the main office to the branch offices act as VPN routers, and routers route between different network IDs. So, if any of your branch offices uses addresses on the same network ID as the main office, or as any of the other branch offices, you will need to change the IP addressing scheme in that office so that all networks joined by the site-to-site VPN links are on different network IDs.
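As an added example (not from the book), the following script checks an address plan for exactly this collision before the site-to-site links are built: every network ID behind one office's ISA firewall is compared against every network ID behind every other office, and any overlap (identical or nested network IDs) is reported. The office names and address ranges are constructed sample data.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed sample address plan: each office lists the network IDs behind
# its ISA firewall. "Branch-B" deliberately reuses the main office's
# 10.0.1.0/24, and "Branch-C" uses a /16 that swallows several other offices.
SITE_NETWORKS = {
    "Main": ["10.0.1.0/24", "10.0.2.0/24"],
    "Branch-A": ["10.1.0.0/24"],
    "Branch-B": ["10.0.1.0/24"],
    "Branch-C": ["10.0.0.0/16"],
}


def find_overlaps(sites):
    """Return a sorted list of (site1, net1, site2, net2) tuples for every
    pair of network IDs at *different* offices that overlap.

    The VPN routers can only route between distinct network IDs, so this
    list must be empty before the site-to-site links are configured.
    strict=True rejects entries with host bits set (e.g. 10.0.1.5/24),
    which usually means someone wrote a host address instead of a network ID.
    """
    parsed = [(site, ip_network(net, strict=True))
              for site, nets in sites.items() for net in nets]
    conflicts = []
    for (s1, n1), (s2, n2) in combinations(parsed, 2):
        if s1 != s2 and n1.overlaps(n2):
            conflicts.append((s1, str(n1), s2, str(n2)))
    return sorted(conflicts)


def plan_is_routable(sites):
    """True when no two offices share or nest network IDs."""
    return not find_overlaps(sites)


if __name__ == "__main__":
    for s1, n1, s2, n2 in find_overlaps(SITE_NETWORKS):
        print(f"conflict: {s1} {n1} overlaps {s2} {n2}")
```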

Q: I want to use a Voice over IP system (VoIP) for intraorganizational calls throughout our company's main and branch offices. I plan on using ISA firewall site-to-site VPNs to join the offices. Should I use a Route or NAT relationship between the networks connected via the site-to-site VPN links?

A: VoIP systems are legendary for not being NAT friendly because they often embed the client IP address in the application-layer data. If you plan on implementing VoIP, then definitely use Route Network Rules between all your networks joined by site-to-site links.

Q: I'm using EAP user certificate authentication with my ISA firewall remote access VPN server. However, whenever a user tries to connect to the VPN server, they immediately get disconnected. How can I fix this?

A: The most likely problem is that your ISA firewall is not a member of a domain. When using EAP user certificate authentication, the ISA firewall must be a member of the domain. Another situation where you might see this problem is when you use RADIUS authentication for VPN clients and enable User Mapping. If the ISA firewall is not a member of the domain, there is no Windows user database to map to, and so the VPN connection closes immediately after the connection request.

Q: My site-to-site VPN connections seem to disconnect frequently, and often, I need to reboot the server before they will reconnect. Is there anything I can do about this?

A: If you're using PPTP for your site-to-site VPN, you might consider using L2TP/IPSec. The L2TP/IPSec VPN connections have been reported to be more stable. Another option worth trying is to make sure that only one side of the site-to-site VPN link is configured as the calling VPN gateway and the other side is the answering VPN gateway. If both sides are configured as calling VPN gateways, there is the potential for a 'collision' if they try to call each other at the same time. If you're using a DSL connection, make sure there are no black hole routers in the path by testing and adjusting the MTU on the ISA firewall and clients. This is mostly a problem with PPPoE hobbyist accounts. It would be worth trying to get a business-class DSL connection to overcome the MTU issue.

Q: I installed a machine certificate on my ISA firewall so that I could use L2TP/IPSec for my remote access VPN client connections. However, the connections always fail. There are no problems when I try to connect using PPTP. What can I do to get L2TP/IPSec working?

A: One common reason for the L2TP/IPSec connection not working is that while the ISA firewall or the VPN clients have a computer certificate, the machine doesn't have the CA certificate of the root CA that issued the certificate in its Trusted Root Certification Authorities machine certificate store. Another reason why L2TP/IPSec might fail is that the machines were assigned user certificates instead of machine certificates. Machine certificates are stored in the machine certificate store and user certificates are stored in the user certificate store.

Q: I want to create a site-to-site VPN between my main office and branch office using ISA firewalls. We currently have third-party firewalls/VPN gateways at both the main and branch office, and they are using IPSec tunnel mode and pre-shared keys for the site-to-site link. Should I do the same thing when I replace these devices with ISA firewalls?

A: No. The highest level of security can be obtained by using L2TP/IPSec with EAP user certificate authentication for the PPP authentication sequence. We recommend that you only use IPSec tunnel mode for site-to-site VPN links when you want to support connections between the ISA firewall and downlevel VPN gateways.