Site to Site IPsec Tunnel Mode VPN Troubleshooting - Traffic cannot be routed from the ISA Server computer to the remote VPN site

As you might know, the ISA firewall supports site to site VPN connections with other ISA firewalls, as well as with third party firewalls, using the IPsec tunnel mode protocol. IPsec tunnel mode support was added so that the ISA firewall administrator can connect to non-ISA firewall VPN gateways. However, in your test environment, you might find that traffic isn't routed from one network to the other. Why?

Cause: The network adapter that listens for site-to-site VPN connections from the remote site network (usually the External network) does not have a default gateway configured.

Solution: To correct this error, define a default gateway that is not a local address for the network adapter that listens for site-to-site VPN connections. Note that ISA Server does not support multiple default gateways. Set a default gateway on only one of the network adapters associated with ISA Server networks, and do not configure more than one default gateway on that adapter.

Yep. Even if the external interfaces of both ends of the site to site IPsec tunnel mode connection are on the same network ID, you still need to have both ends configured with a default gateway.

HTH,

Tom

Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com

PROWESS CONSULTING documentation | integration | virtualization
Email: tshinder@isaserver.org
MVP — Forefront Edge Security (ISA/TMG/IAG)
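
The following check is an added example, not part of the original post and not an ISA Server tool. It audits the gateway rules described above on the ISA Server computer: exactly one adapter carries a default gateway, that adapter has only one, and the gateway is not a local address. It assumes Windows PowerShell 2.0 or later with WMI access.

```powershell
# Added example: audit default gateway settings on the ISA Server computer.
# Assumes Windows PowerShell 2.0+ (Get-WmiObject and the -join operator).
$adapters = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE")

# Every IP address bound to this computer; a gateway must not be one of them.
$localIPs = @($adapters | ForEach-Object { $_.IPAddress } | Where-Object { $_ })

$problems    = @()
$withGateway = @()

foreach ($a in $adapters) {
    # DefaultIPGateway is $null when the adapter has no gateway configured.
    $gateways = @($a.DefaultIPGateway | Where-Object { $_ })
    if ($gateways.Count -eq 0) { continue }

    $withGateway += $a

    if ($gateways.Count -gt 1) {
        $problems += "'$($a.Description)' has $($gateways.Count) default gateways: $($gateways -join ', ')"
    }
    foreach ($gw in $gateways) {
        if ($localIPs -contains $gw) {
            $problems += "'$($a.Description)' uses local address $gw as its default gateway"
        }
    }
}

if ($withGateway.Count -eq 0) {
    $problems += "No adapter has a default gateway; the adapter that listens for site-to-site VPN connections needs one"
}
elseif ($withGateway.Count -gt 1) {
    $names = @($withGateway | ForEach-Object { $_.Description })
    $problems += "Default gateways are set on $($withGateway.Count) adapters: $($names -join '; ')"
}

if ($problems.Count -eq 0) {
    # The script cannot tell which adapter is the External one, so report it
    # and let the administrator confirm it is the VPN-listening adapter.
    $gw = @($withGateway[0].DefaultIPGateway)[0]
    "OK: single default gateway $gw on '$($withGateway[0].Description)'"
}
else {
    $problems | ForEach-Object { "PROBLEM: $_" }
}
```

Run it on each end of the tunnel, since both ends need a default gateway even when their external interfaces share a network ID.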
