Configuring IPSec Site-to-Site Connections Between ISA Server 2004 and Third-Party Gateways

This document outlines virtual private network (VPN) site-to-site interoperability solutions for Microsoft Internet Security and Acceleration (ISA) Server 2004. Specifically, testing on Internet Protocol security (IPSec) tunnel mode (TM) connections is described. Site-to-site VPN is a common method to connect remote offices and business partners over the public Internet, and is becoming an important feature in the following scenarios:

  • Branch offices of large organizations that would like to deploy ISA Server.
  • Medium-sized organizations that would like to deploy ISA Server in the central office with less expensive third-party VPN solutions in branch offices.
  • Connection to an Extranet.

ISA Server combines firewall and VPN functionality within a single server product, and includes new site-to-site functionality based on IPSec tunnel mode protocol.

This document provides step-by-step instructions for the configuration of IPSec tunnels between the ISA Server computer and other industry leading IPSec compatible gateways including Cisco, CheckPoint, NetScreen, Sonicwall, and Linksys. The instructions for each gateway have been described in separate sections, allowing you to focus on the specific gateways to be configured as the IPSec tunnel peer with the ISA Server computer. Detailed statistics of the interoperability performance between the ISA Server computer and the individual gateways can be found at the end of this document in Appendix A.

Each scenario is addressed with a preshared secret solution and a certificate solution.

The exact versions or models of the third-party gateways are as follows:

  • Cisco Concentrator (Version 3.5.2, Cisco VPN 3005 Concentrator)
  • Checkpoint VPN-1 NG (Feature Pack 3, Microsoft Windows 2000 Server Service Pack 4)
  • NetScreen (Firmware version 4.0.0R9.0, NetScreen-25)
  • Linksys (Firmware version 1.40.4, BEFVP41)
  • Sonicwall (Firmware version, PRO 200)

The setup, configuration, and testing was performed based on the recommendations of the Virtual Private Networking Consortium (

This document assumes that you have an existing knowledge of IPSec terminology and technology. Explanations of IPSec concepts are not provided. For more general information, see the ISA Server product Help, or the document Site to Site VPN in ISA Server 2004 (