ISA 2006 refuses VPN DHCP requests as spoofing
Posted
by Daniel
on Server Fault
See other posts from Server Fault
or by Daniel
Published on 2009-08-19T17:14:57Z
Indexed on
2010/04/30
5:07 UTC
Read the original article
Hit count: 694
I'm running ISA 2006 with PPTP VPN for my AD-controlled network. DHCP is located on the ISA server itself and authentication is done by RADIUS (NPS) located on the DC.
Right now my VPN clients can connect, access local DNS, and can ping ISA, the DC, and other clients.
Here's where it gets weird. I noticed that despite all this, ipconfig shows the following:
PPP adapter North Horizon VPN:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : North Horizon VPN
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.42.4.7(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 0.0.0.0
DNS Servers . . . . . . . . . . . : 10.42.1.10
NetBIOS over Tcpip. . . . . . . . : Enabled
So I went over and checked my ISA logs for both DHCP requests and replies, only to find out that my VPN clients are being denied because ISA thinks its a spoof. Here's some relevant information from the log (the VPN subnet is 10.42.4.0/24):
Client IP: 10.42.4.6
Destination: 255.255.255.255:67
Client Username: (blank)
Protocol: DHCP (request)
Action: Denied Connection
Rule: (blank)
Source Network: VPN Clients
Destination Network: Local Host
Result Code: 0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED
Network Interface: 10.42.4.11
---------------------------------------------------------
Original Client IP: 10.42.4.6
Destination: 10.42.1.1
Client Username: (valid user)
Protocol: PING
Action: Initiated Connection
Rule: Allow PING to ISA
Source Network: VPN Clients
Destination Network: Local Host
Result Code: 0x0 ERROR_SUCCESS
Network Interface: (blank)
I wasn't sure what this 10.42.4.11 network interface was - it certainly wasn't something I had setup - untill I saw it in Routing and Remote Access under IP Routing > General as an interface called "Internal" bound to the same IP address. I also noticed that since ISA takes blocks of 10 IP addresses from DHCP for VPN, it had reserved 10.42.4.2-11. I'm not sure if it means anything, though.
Thanks for your help.
© Server Fault or respective owner