ISA2004 to LinksysRV042 Site-to-Site VPN can't connect

Asked by dcadler in MS Forefront-ISA, Virtual Private Networking (VPN), IPSec Security Protocol

I have an SBS 2003 PE R2 with SP2 and ISA 2004 SP2 in the main office. I am trying to hook up branch office using a Linksys RV042 VPN Router.

I followed the instructions provided in the Microsoft Site-to-Site VPN in ISA 2004 (http://www.microsoft.com/technet/isa/2004/plan/sitetositevpn.mspx). Specifically, the IPSec Tunnel solution.

Main Office
ISA Server internal network IP: 192.168.2.0
ISA Server external IP 70.62.55.42 -->Connected directly to cable modem

Branch Office
RV042 LAN IP: 192.168.3.254
RV042 WAN1 IP: 12.109.87.87 -->Connected directly to Cisco 2600-->T1

In ISA, on the VPN node, I added a remote site network called BranchVPN
I set the VPN protocol to IPSec Tunnel
On the connection page...
   I set the Remote VPN gateway address to 12.109.87.87
   I set the Local VPN Gateway Address to 70.63.55.42

  On the Networks button I checked the External network box

On the Authentication page, I selected preshared key and entered a key value

On the Network Addresses page, I entered the range of 192.168.3.1 - 192.168.3.254

I saved and applied the new remote site network.

I created a new Network Rule as follows:
  Name: BranchVPN IPSEC Tunnel
  Source Networks: BranchVPN
  Destination Networks: Internal
  Network Relationship: Route

I saved and applied the Network Rule
 
Since I wanted the branch network to have full access to the main network, I only created an access rule. This was created as follows:
  Access Rule Name: BranchVPN Access  
  Action: Allow
  Protocols: All
  From: Internal and Local Host networks
  To: BranchVPN Network
  Users: All

I saved and applied the Access Rule

As I understand it, that is all I need on the ISA Server side.

I selected the BranchVPN from the VPN Node, Remote Sites tab and then selected the View IPSec Policy link and printed out the information.

Next, I configured the RV042 VPN Router. I followed the configuration settings from Linksys for a RV082 Interoperability Profile Gateway to Gateway VPN configuration. I couldn't find one for the RV042 but they had almost the same properties.

I set the Time
I went to the Network-->Setup page and set up the LAN setting.
  Device IP: 192.168.3.254 Subnet Mask: 255.255.255.0
  DMZ selected (although I am connecting to the Internet on the WAN1 Port. Linksys doc recommended DMZ)

I set up the WAN as follows
  Static IP
  WAN IP: 12.109.87.87
  Subnet Mask: 25.255.255.240
  Default Gateway: 12.109.87.81

I entered DNS and I also had to provide another WAN IP for the DMZ in order to save the settings

On the Firewall--> General page, I disabled Block WAN request and I left Multicast Pass-through disabled. The RV082 documentation talked about enabling Fragmented Packet Pass Through but the RV042 I am using didn't have that option.

On the VPN page, I selected Add New Tunnel and chose the RV082 to VPN device option.

I set up the VPN Tunnel matching the data I got from the ISA Server View IPSec Policy page for the VPN Remote Site Policy

  Tunnel name: BranchVPN
   Interface: WAN1
   Enabled: Checked

Local Group Setup
  Local Security Gateway type: IP Only
  IP Address 12.109.87.87
  Local Security Group Type: Subnet
  IP Address: 192.168.3.0
  Subnet Mask: 255.255.255.0

Remote Group Setup
  Remote Security Gateway Type: IP Only
  IP Address: 70.63.55.42
  Remote Security Group type: Subnet
  IP Address: 192.168.2.0
  Subnet Mask: 255.255.255.0

IPSec Setup
  Keying Mode: IKE with Preshared Key
  Phase 1 DH Group: Group 2
  Phase 1 Encryption: 3DES
  Phase 1 Authentication: SHA1
  Phase 1 SA Lifetime: 28800 seconds
  Perfect Forward Secrecy: Checked
  Phase 2 DH Group: Group 2
  Phase 2 Encryption: 3DES
  Phase 2 Authentication: SHA1
  Phase 2 SA Lifetime: 2600
  Preshared Key: Same as I used in the ISA setup

At this point, according to the documentation, everything should connect.

It doesn't.

When I go to the RV042 VPN page and click on the Test Connection button, it tries to connect and after a few seconds, it switches to "Waiting for connection..."

The log on the RV042 repeats a series of messages every time I click on the test button. The last entry in each group of messages is...

Received informational payload, type INVALID_ID_INFORMATION

It looks like it is getting through Phase 1 and stopping on Phase 2

On the ISA Server, I can go to the Monitoring node and select the Sessions tab and see the session from 12.109.87.87

There are no alerts on the alert tab and there are no errors in the event viewer.

I can not access anything across the link, obviously, since the RV042 just sits there saying "Waiting for Connection..."

Here is my oakley log.

 5-01: 15:19:25:175:338 Creating socket directly on MS base provider. Bypassing LSPs
 5-01: 15:19:25:175:338 Creating socket directly on MS base provider. Bypassing LSPs
 5-01: 15:19:25:175:338 Creating socket directly on MS base provider. Bypassing LSPs
 5-01: 15:19:25:175:338 Initialization OK
 5-01: 15:21:20:490:1a48
 5-01: 15:21:20:490:1a48 Receive: (get) SA = 0x00000000 from 12.109.87.87.500
 5-01: 15:21:20:490:1a48 ISAKMP Header: (V1.0), len = 100
 5-01: 15:21:20:490:1a48   I-COOKIE 0dddac6f7e7ceb03
 5-01: 15:21:20:490:1a48   R-COOKIE 0000000000000000
 5-01: 15:21:20:490:1a48   exchange: Oakley Main Mode
 5-01: 15:21:20:490:1a48   flags: 0
 5-01: 15:21:20:490:1a48   next payload: SA
 5-01: 15:21:20:490:1a48   message ID: 00000000
 5-01: 15:21:20:490:1a48 Filter to match: Src 12.109.87.87 Dst 70.63.55.42
 5-01: 15:21:20:490:1a48 MatchMMFilter failed 13013
 5-01: 15:21:20:490:1a48 Responding with new SA 0
 5-01: 15:21:20:490:1a48 HandleFirstPacketResponder failed 3601
 5-01: 15:21:30:600:1a48
 5-01: 15:21:30:600:1a48 Receive: (get) SA = 0x00000000 from 12.109.87.87.500
 5-01: 15:21:30:600:1a48 ISAKMP Header: (V1.0), len = 100
 5-01: 15:21:30:600:1a48   I-COOKIE 0dddac6f7e7ceb03
 5-01: 15:21:30:600:1a48   R-COOKIE 0000000000000000
 5-01: 15:21:30:600:1a48   exchange: Oakley Main Mode
 5-01: 15:21:30:600:1a48   flags: 0
 5-01: 15:21:30:600:1a48   next payload: SA
 5-01: 15:21:30:600:1a48   message ID: 00000000
 5-01: 15:21:30:600:1a48 Filter to match: Src 12.109.87.87 Dst 70.63.55.42
 5-01: 15:21:30:600:1a48 MatchMMFilter failed 13013
 5-01: 15:21:30:600:1a48 Responding with new SA 0
 5-01: 15:21:30:600:1a48 HandleFirstPacketResponder failed 3601
 5-01: 15:21:50:600:1a48
 5-01: 15:21:50:600:1a48 Receive: (get) SA = 0x00000000 from 12.109.87.87.500
 5-01: 15:21:50:600:1a48 ISAKMP Header: (V1.0), len = 100
 5-01: 15:21:50:600:1a48   I-COOKIE 0dddac6f7e7ceb03
 5-01: 15:21:50:600:1a48   R-COOKIE 0000000000000000
 5-01: 15:21:50:600:1a48   exchange: Oakley Main Mode
 5-01: 15:21:50:600:1a48   flags: 0
 5-01: 15:21:50:600:1a48   next payload: SA
 5-01: 15:21:50:600:1a48   message ID: 00000000
 5-01: 15:21:50:600:1a48 Filter to match: Src 12.109.87.87 Dst 70.63.55.42
 5-01: 15:21:50:600:1a48 MatchMMFilter failed 13013
 5-01: 15:21:50:600:1a48 Responding with new SA 0
 5-01: 15:21:50:600:1a48 HandleFirstPacketResponder failed 3601

Does anyone have any ideas or know what I am doing wrong?

Thanks in advance for any help you can provide.

Dave
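As an added example (not part of the original post, and not Microsoft or Linksys tooling), a small Python triage script for the Oakley log quoted above: it groups the ISA responder's log lines per received IKE packet, records the exchange type, the filter it tried to match and the failure codes, and reports how far the negotiation got. On these lines every attempt is a first Main Mode packet that fails at "MatchMMFilter failed 13013", so the responder is refusing the peer in Phase 1 before any Quick Mode exchange; the gateway check takes the local gateway addresses as an argument so the two values that appear in the post (70.62.55.42 and 70.63.55.42) can each be compared with the Dst the log shows.

```python
import re

# Oakley log lines copied from the question above; the 15:21:50 retry, identical
# apart from its timestamp, is left out. Nothing here is constructed.
OAKLEY_LOG = """\
 5-01: 15:21:20:490:1a48 Receive: (get) SA = 0x00000000 from 12.109.87.87.500
 5-01: 15:21:20:490:1a48   exchange: Oakley Main Mode
 5-01: 15:21:20:490:1a48 Filter to match: Src 12.109.87.87 Dst 70.63.55.42
 5-01: 15:21:20:490:1a48 MatchMMFilter failed 13013
 5-01: 15:21:20:490:1a48 HandleFirstPacketResponder failed 3601
 5-01: 15:21:30:600:1a48   exchange: Oakley Main Mode
 5-01: 15:21:30:600:1a48 Filter to match: Src 12.109.87.87 Dst 70.63.55.42
 5-01: 15:21:30:600:1a48 MatchMMFilter failed 13013
"""

LINE_RE = re.compile(r"^\s*(\d+-\d+: \d+:\d+:\d+:\d+:[0-9a-f]+)\s*(.*)$")
FILTER_RE = re.compile(r"Filter to match: Src (\S+) Dst (\S+)")
FAIL_RE = re.compile(r"^(\w+) failed (\d+)$")

def parse_attempts(log):
    """One record per IKE packet the responder logged, grouped by the timestamp/thread prefix."""
    groups = {}
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if m and m.group(2):
            groups.setdefault(m.group(1), []).append(m.group(2).strip())
    attempts = []
    for lines in groups.values():
        a = {"exchange": None, "src": None, "dst": None, "failures": []}
        for text in lines:
            if text.startswith("exchange:"):
                a["exchange"] = text.split(":", 1)[1].strip()
            elif (m := FILTER_RE.search(text)):
                a["src"], a["dst"] = m.groups()
            elif (m := FAIL_RE.match(text)):
                a["failures"].append((m.group(1), int(m.group(2))))
        attempts.append(a)
    return attempts

def diagnose(attempts):
    """How far the negotiation got, judged only from what the responder logged."""
    if any(a["exchange"] == "Oakley Quick Mode" for a in attempts):
        return "phase 2 (Quick Mode) reached"
    if attempts and all(("MatchMMFilter", 13013) in a["failures"] for a in attempts):
        return "phase 1 rejected at first Main Mode packet: no matching MM filter"
    return "phase 1 in progress or other failure"

def gateway_mismatches(attempts, local_gateways):
    """Filter destinations the responder saw that are not a locally configured gateway address."""
    return sorted({a["dst"] for a in attempts if a["dst"] and a["dst"] not in local_gateways})
```

Feed it the full log from the post (or a fresh one) and compare the reported Src/Dst pair with the Local and Remote VPN gateway addresses configured on both devices before looking at any Phase 2 setting.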

About this solution

Zones: MS Forefront-ISA, Virtual Private Networking (VPN), IPSec Security Protocol
Tags: isa, rv082
Solution Provided By: Computer101
Participating Experts: 3
Solution Grade: A