Dr. Tom's ISA Server 2004 Firewall Blog

October 2004 - Posts

ISA Firewall Site to Site VPN Quick Fix

If you've been trying to create a site to site VPN using the 2004 ISA firewall with a pre-shared key only, I feel your pain. You've probably seen that it doesn't work. The key is to not configure the pre-shared key in the Remote Site Wizard. Instead, leave the pre-shared key checkbox unchecked. Then click the VPN Clients tab in the Details pane, and click the Select Authentication Methods link on the Tasks tab in the Task Pane. On the Authentication tab in the Virtual Private Networks (VPN) dialog box, put a checkmark in the Allow custom IPSec policy for L2TP checkbox and enter the pre-shared key. Use the same procedure and the same key on all your VPN gateways. Keep in mind that both remote access VPN clients and VPN gateways will be able to use this key -- so if you can do anything about it, always try to use certificates instead of pre-shared keys. Remember, using pre-shared keys reduces the level of security provided by the ISA firewall to that of a lowly PIX packet filter!

HTH,
Tom
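The post's caveat is that the pre-shared key is shared by every gateway and every remote access client, while certificates are the stronger option. The following PowerShell audit is an added example, not code from the blog or from Microsoft: it reports whether a Windows VPN gateway is set up for pre-shared-key L2TP/IPSec and whether a machine certificate usable for IKE is already present. It reads the RasMan ProhibitIpSec registry value, which Windows uses to disable the automatic certificate-based L2TP filter; that the ISA checkbox in the post maps onto this same RRAS setting is an assumption made here, and the function names are made up for this example.

```powershell
# Added audit example (not the blog's or ISA Server's own code).
# ASSUMPTION: the "Allow custom IPSec policy for L2TP" checkbox is backed by the
# RasMan ProhibitIpSec value; the registry path itself is the documented RasMan location.
$rasManParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'

function Get-L2tpAuthMode {
    # ProhibitIpSec = 1: Windows no longer builds the automatic certificate-based
    # L2TP/IPSec policy, which is what a pre-shared-key configuration requires.
    $props = Get-ItemProperty -Path $rasManParams -Name 'ProhibitIpSec' -ErrorAction SilentlyContinue
    if ($null -ne $props -and $props.ProhibitIpSec -eq 1) { return 'PreSharedKey' }
    return 'Certificate'
}

function Get-IkeCapableMachineCerts {
    # IKE accepts a machine certificate carrying Server Authentication, Client
    # Authentication, or the IKE-intermediate EKU; require a private key and validity.
    $ekuIds = @('1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2', '1.3.6.1.5.5.8.2.2')
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $cert = $_
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $cert.HasPrivateKey -and $cert.NotAfter -gt (Get-Date) -and
        ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $ekuIds -contains $_.Value }))
    }
}

function Get-VpnGatewayAuthReport {
    # Summarise the finding in the terms of the post: PSK is the weaker setting,
    # and the report says whether a certificate is already available to switch to.
    $mode  = Get-L2tpAuthMode
    $certs = @(Get-IkeCapableMachineCerts)
    [pscustomobject]@{
        L2tpAuthMode        = $mode
        IkeCapableCertCount = $certs.Count
        Recommendation      = if ($mode -eq 'PreSharedKey' -and $certs.Count -gt 0) {
                                  'Machine certificate present; move this gateway from PSK to certificate authentication.'
                              } elseif ($mode -eq 'PreSharedKey') {
                                  'PSK in use and no IKE-capable machine certificate found; enrol one before switching.'
                              } else {
                                  'Certificate-based L2TP/IPSec in effect.'
                              }
    }
}

Get-VpnGatewayAuthReport | Format-List
```

Run it in an elevated PowerShell session on the gateway; the report lists the current L2TP authentication mode, how many usable machine certificates exist, and which of the post's two options the host is currently relying on.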

ISA Firewall Site to Site VPNs with Downlevel VPN Gateways

One of the things that drove us nuts with the 2000 ISA firewall was the problem of site to site VPNs. You could use PPTP or L2TP/IPSec to create a site to site VPN, but the problem was that most downlevel VPN gateways (PIX, SonicWALL, etc.) use the less secure IPSec tunnel mode. The new ISA firewall fixes this problem with its support for IPSec tunnel mode. The problem is that each vendor has its own proprietary approach to creating a site to site VPN. Don't worry! Microsoft has come to our rescue with a bevy of very cool docs that show you how to create site to site VPNs with a variety of downlevel VPN gateways -- PIX, Astaro, SmoothWall and more! Check it out at:

http://www.microsoft.com/isaserver/techinfo/guidance/2004/vpn.asp

HTH,

Tom