GBorsuk

asked on

Windows Server 2003 IPSEC vpn to cisco 1710 Router VPN connection

I am looking for a "how to" to connect a Cisco 1710 router with IPsec through a tunnel to a Windows Server 2003 behind a Linksys router that has put the server in a DMZ.
I have attempted the one that is located on the Cisco site, but am unable to get it to function properly.

Les Moore

I'm working on this very issue for a client today. I've set up a Win2k3 server, and I'm waiting on a PIX license upgrade, and I have another router (a Linksys) all set up in my lab. Perhaps I can get this to work...or at least figure out why it won't..
Is the Linksys doing NAT?
If so, you will need to set up NAT traversal (NAT-T) at both ends, and ensure the Linksys NATs UDP 4500 into the DMZ.
GBorsuk

ASKER

No, the Linksys is just a gateway. I have it set up to DMZ the server.
I'm not having any luck. I can get the tunnel to establish directly connected to the PIX outside interface, but not if I'm behind the Linksys, with the server set as the DMZ host.
Can't get ISAKMP to establish an SA at all...
SUCCESS! With XP laptop. Should be the same with the Win2k3 server.

PIX Config:

access-list no_nat permit ip 192.168.122.128 255.255.255.128 host 192.168.1.100
access-list 110 permit ip 192.168.122.128 255.255.255.128 host 192.168.1.100
ip address outside 21.21.21.21 255.255.255.0
ip address inside 192.168.122.252 255.255.255.128
ip address dmz1 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 access-list no_nat
route inside 0.0.0.0 0.0.0.0 192.168.122.132 1
route outside 192.168.1.0 255.255.255.0 21.21.21.22 1

sysopt connection permit-ipsec
sysopt ipsec pl-compatible
crypto ipsec transform-set TEST esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600

crypto map TEST 15 ipsec-isakmp
crypto map TEST 15 match address 110
crypto map TEST 15 set peer 21.21.21.22   <--- public IP address of Linksys
crypto map TEST 15 set transform-set TEST
crypto map TEST interface outside
isakmp enable outside
isakmp key ******** address 21.21.21.22 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption 3des
isakmp policy 15 hash md5
isakmp policy 15 group 2
isakmp policy 15 lifetime 86400

Follow the steps here exactly to create 2 filter lists:
http://support.microsoft.com/default.aspx?scid=kb;en-us;816514

In the NetA to NetB tunnel rule, the tunnel endpoint is the outside interface of the PIX.
In the NetB to NetA tunnel rule, the tunnel endpoint is your local private IP address.
GBorsuk

ASKER

Is the XP box right on the public net?

GBorsuk

ASKER

Can you do me a favor and give me the walk-through with the XP client and the rules? I have followed that doc at Microsoft and have had no luck with it..

What is the IPsec section in XP like? Did you use custom? What were the settings? This is where the Cisco docs and Microsoft differ. One says mirror rules, the other says not to.

George
>Is the XP box right on the public net?
No, it is behind a Linksys router, IP address 192.168.1.100

Disregard the Cisco docs, and use the step-by-step from Microsoft (uncheck the mirror).
I used this step-by-step for Windows2K:
http://support.microsoft.com/default.aspx?scid=kb;en-us;252735

NetA is the network ID of the Windows 2000 gateway internal network.
 192.168.1.0

W2KintIP is the IP address assigned to the Windows 2000 gateway internal network adapter.
 192.168.1.100

W2KextIP is the IP address assigned to the Windows 2000 gateway external network adapter.
 192.168.1.100

3rdExtIP is the IP address assigned to the third-party gateway external network adapter.
 21.21.21.21  <-- my PIX outside interface

3rdIntIP is the IP address assigned to the third-party gateway internal network adapter.

NetB is the network ID of the third-party gateway internal network.
  192.168.122.128/255.255.255.128

Start/Run/secpol.msc
Then step-by-step with the link...

GBorsuk

ASKER

Did you DMZ the Linksys?
Yes....    .100 is the DMZ host
GBorsuk

ASKER

Is there any way you can get me screenshots of the IPsec filter action in both rules? The MSFT doc is confusing, and I have done this now about 10 times and have not had it work.

George
GBorsuk

ASKER

Here is the router config I am using...

!
version 12.2
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname xxxx
!
logging buffered 4096 debugging
logging rate-limit console 10 except errors
enable secret xxxx
!
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
no ip domain-lookup
ip name-server 206.222.97.50
ip name-server 206.222.97.82
ip name-server 216.21.234.74
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
no ip dhcp-client network-discovery
!
crypto isakmp policy 1
 authentication pre-share
 hash sha
 group 2
 lifetime 28800
!
crypto isakmp policy 2
 authentication pre-share
 hash md5
 group 2
 lifetime 86400
!
crypto isakmp key mykey address yyy.yyy.63.82
!
!
crypto ipsec transform-set rtpset2 esp-3des esp-sha-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto map rtp 1 ipsec-isakmp
 set peer yyy.yyy.63.82
 set transform-set rtpset2
 match address 111
!
!
interface Ethernet0
 description Connection to Internet
 ip address xx.xxx.144.45 255.255.255.192
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 full-duplex
 no cdp enable
 crypto map rtp
!
interface FastEthernet0
 description Connection to Private Network
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 no ip route-cache
 ip policy route-map nonat
 no ip mroute-cache
 speed auto
 full-duplex
 no cdp enable
!
ip nat pool NAT xxx.xxx.144.45 xxx.xxx.144.45 netmask 255.255.255.192
ip nat inside source route-map nonat pool NAT overload
!
ip nat inside source static tcp 192.168.3.2 3389 xxx.xxx.144.45 3389 extendable
!
ip classless
ip route 192.168.1.0 255.255.255.0 216.144.45
ip route 0.0.0.0 0.0.0.0 xxx.xxx.144.1
no ip http server
!
!
!
access-list 111 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 122 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 122 permit ip 192.168.3.0 0.0.0.255 any
!
route-map nonat permit 10
  match ip address 122
!
no cdp run
!
!
line con 0
line aux 0
line vty 0 4
 access-class 2 in
 password xxxx
 login
line vty 5 15
 login
!
end


The Win 2003 server is 192.168.1.3.
I have a device at 192.168.3.2 which is just an XP client to try pings, behind the Cisco box. The Cisco 1710 is on the internet with a routable IP.

I will make a web page for you to see my IPsec screenshots on my Win 2003 server, to see what I am doing wrong.
The Win 2003 server is behind the Linksys and it has DMZ ported to the IP of 192.168.1.3. PPTP and PPP forwarding are enabled on the Linksys. Changing that does not seem to make any difference.
I will post a link to the page in a few min.

GBorsuk

ASKER

http://www.aginix.com/vpn/vpn.htm  That's the link for the images for my IPsec rules. Please look them over to see what I am missing.

When I ping from the Win 2003 server to the 192.168.3.x address space I get the negotiating message, and on the router when I issue show cry isa sa I get the following:
dst             src             state           conn-id    slot
xxx.xxx.144.45   yyy.yyy.63.82    MM_NO_STATE           1       0



ASKER CERTIFIED SOLUTION
Les Moore

This solution is only available to members.
GBorsuk

ASKER

The key is the same. I blanked it out before; they match the xyz123.

Extended IP access list 111
    permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255 (4 matches)
Extended IP access list 122
    deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255 (8 matches)
    permit ip 192.168.3.0 0.0.0.255 any (51 matches)

I also get a

01:09:58: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at yyy.yyy.63.82
GBorsuk

ASKER

Default gateway for 192.168.3.2 is 192.168.3.1 (the Cisco 1710) and its gateway is public xxx.xxx.144.45.

GBorsuk

ASKER

Got it! It was the 3DES in the crypto policy!

What is the best policy to set up and use? And what is the best transform set to use? I want to set it up to use only one set enterprise-wide.

Thanks for the help!
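The 3DES mismatch found above, as an added example (not from the thread): a small Python checker that parses the PIX "isakmp policy" lines and the IOS "crypto isakmp policy" blocks, fills in the defaults for attributes a policy leaves unstated (an assumption based on the documented IOS 12.2 / PIX 6.x defaults, "encryption des" among them), and reports which phase-1 policies can actually agree. The sample configs are constructed from the thread's PIX policy 10 and the 1710's policy 1 as posted, which has no encryption line.

```python
import re

# IOS/PIX defaults for attributes a policy leaves unstated (assumption: the
# documented defaults for the IOS 12.2 / PIX 6.x generation in the thread).
DEFAULTS = {"authentication": "rsa-sig", "encryption": "des",
            "hash": "sha", "group": "1", "lifetime": "86400"}
ATTR = r"(authentication|encryption|hash|group|lifetime)\s+(\S+)"

def parse_ios(cfg):
    # IOS style: 'crypto isakmp policy N' header, indented attributes, '!' ends the block
    policies, cur = {}, None
    for line in cfg.splitlines():
        head = re.match(r"crypto isakmp policy (\d+)", line)
        attr = re.match(r"\s+" + ATTR, line)
        if head:
            cur = policies.setdefault(head.group(1), dict(DEFAULTS))
        elif attr and cur is not None:
            cur[attr.group(1)] = attr.group(2)
        elif line.strip() == "!":
            cur = None
    return policies

def parse_pix(cfg):
    # PIX style: one 'isakmp policy N <attr> <value>' line per attribute
    policies = {}
    for line in cfg.splitlines():
        m = re.match(r"isakmp policy (\d+)\s+" + ATTR, line)
        if m:
            policies.setdefault(m.group(1), dict(DEFAULTS))[m.group(2)] = m.group(3)
    return policies

def matching_pairs(pix, ios):
    # Lifetime is negotiated down to the shorter value, so it is not a match criterion
    keys = ("authentication", "encryption", "hash", "group")
    return [(p, i) for p, pp in pix.items() for i, ip in ios.items()
            if all(pp[k] == ip[k] for k in keys)]

# Constructed samples: the thread's PIX policy 10 and the 1710's policy 1 as posted
PIX = """isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2"""
IOS_AS_POSTED = """crypto isakmp policy 1
 authentication pre-share
 hash sha
 group 2
!"""
IOS_FIXED = IOS_AS_POSTED.replace(" group 2\n", " encryption 3des\n group 2\n")
```

With the posted 1710 config the checker finds no agreeing pair, because policy 1 silently proposes DES; adding "encryption 3des" makes PIX policy 10 and IOS policy 1 match.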
GBorsuk

ASKER

Strange that I can't ping anything other than the server at the 192.168.1.x side.
There is a client at 192.168.1.34 that will not travel across the tunnel.

You did add the encryption to your policy, right?

Try adding this to your 1710, too:

crypto isakmp keepalive 30


Just for giggles, on your Linksys, in the port forwarding, go ahead and forward
port 500 udp and port 50 tcp to the server IP

GBorsuk

ASKER

Oh, the server has 2 NICs in it.
GBorsuk

ASKER

I cleared the IPsec passthrough, PPP passthrough and removed the DMZ. I have 500 and 50 forwarded to the server on the Linksys and it still works.
>What is the best policy to set up and use? And what is the best transform set to use? I want to set it up to use only one set enterprise-wide.
What you have is the best and easiest to work with most clients. 3DES/SHA, group 2.

I can't help you on the 2-NIC server thing to pass traffic from another host... I was only trying to get host to remote lan..
You've worn me out on this one so far!

Glad you're working, though!


GBorsuk

ASKER

I'm wondering if I put a route on the Linksys that points the 192.168.3.0 network to the interface 192.168.1.3, if it will work.

Will let you know.
GBorsuk

ASKER

When I turn off IPsec passthrough it prevents a new tunnel from forming, so that setting has to be on, and port forwarding of port 500 and 50.
GBorsuk

ASKER

And adding the static route on the Linksys to point 192.168.3.0 to 192.168.1.3 worked perfectly!

Thanks for all your help!

Wooo hooo!
GBorsuk

ASKER

One weird thing happening. When I let the tunnel sit for a while, if I try to connect from the 192.168.3.2 side to the 192.168.1.2 side the ping times out forever, until I ping from the 192.168.1.2 side; then it works. It's like initially the Cisco does not know where to route the packets to.

Any idea?
GBorsuk

ASKER

It gets stuck here

dst             src             state           conn-id    slot
yyy.yy.63.82    xxx.xxx.144.45   MM_KEY_EXCH           3       0
GBorsuk

ASKER

After issuing a clear crypto sa, everything gets rolling again. Weird
Remove this statement from the router:
>ip route 192.168.1.0 255.255.255.0 216.144.45

Let that traffic go out the default, because the gateway that you have is not local to the 1700.
GBorsuk

ASKER

Found it, you need to port forward 4500 from the Linksys to the server for IKE to work on the outside key exchange.

With all due respect, that was the first thing I said... !
Tim's right. That was part of the equation, as you have discovered. As long as the server is in the DMZ, then all traffic will be forwarded. Take it out of the DMZ and you need to specify UDP 4500.

We owe Tim some points for the assist..
GBorsuk

ASKER

You're right. Unfortunately I closed the question already; wish I could split the points.

Thanks Tim.
You can always post a new question "points for tim_holman" and reference this question in the body, like:
For your assistance in
https://www.experts-exchange.com/questions/21086711/Windows-Server-2003-IPSEC-vpn-to-cisco-1710-Router-VPN-connection.html#11766844


<8-}