ISA 2004 IPSEC configuration

Hi all,

We are looking to create an IPSEC connection to a clients ISA 2004 using Global VPN client from either Sonicwall or Watchguards client. I have gone through the 5 steps to set this up but need some help.
I see in the logs that the VPN client tries to make the connection to the ISA Server using Ike but that it. On the client system it states message not received> Retransmitting!
Any thoughts.
Who is Participating?
Closed, 500 points refunded.
Community Support Moderator
replacement part #xm34
Keith AlabasterEnterprise ArchitectCommented:
Any help?
Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

PCLANTECHSAuthor Commented:

We did take a look at those links, and I personally have been doing remote (road warrior type or other) VPNs into routers, firewalls, etc. for three years.  Although I have successfully used other clients, I favor the Sentinel VPN client used by WatchGuard, Netgear, etc.. and which works beautifully for Linksys/Cisco, Netopia, Juniper and other hardware implementations.  Takes about twenty minutes or less to set up on both sides.

Now even the tutorials say to keep it simple, plain vanilla and use defaults, which we strive to do, unless its a gateway-to-gateway permanent connection with multiple proposals to ensure 24-7 connections.  Especially to make a base remote-to-server set before any customization.  As far as we know, setting up a remote PC or Mac IPSec VPN client entails:

1. Keep away from piggybacking IPSec on L2Tp (use UDP 500 as it was originally)
2. Stay away from certificates. (exclude any compromisable third-party as a rule of thumb)
3. Setting up an IKE policy on the server with helpful remote and local Identity handles.
4. Use Shared-Key, PFS, 3-DES/MD-5 or 3-DES/SHA-1 for encryption/authentication.
5. Setting up the VPN policy (or Tunnel, if you wish) to match & reference that IKE policy.
6. Match the PFS with Diffie-Hellman 1 or 2, 3-DES/MD-5 or SHA-1, correspondingly.
7. Match the remote Sentinel VPN Client with or without using a Virtual Adapter.
Note we also learned to remove VPN passthru and all redirects or triggers on UDP 500..

Now those steps are pretty darn simple.  Where is this described in ISA 2000 or 2004, both of which we have?  The links you sent seem hellbent on us using certificates and on using ISA-specific nomenclature for terms and technology that have been pretty standard for what, 20 years?  Rude awakening after easily setting up successful PPTP VPN remote-to-server sets on ISA.. but then again, PPTP security is a joke, comparatively.  Is there something inherently stupid about ISA and original IPSec?  How can it be hard to make an IKE, refer to it with a VPNPol/Tunnel, and then match with the dang remote client?.  Isn't there a 7-10 step way to fill in ISA and match the procedure enumerated above?
Keith AlabasterEnterprise ArchitectCommented:
Can you drop me an email at

I can use this to reply with my personal ftp address. From there you can pull the isa2004 vpn kit
Keith AlabasterEnterprise ArchitectCommented:
Thanks Brian. I have replied; hopefully you will have received the mail. I note you alrweady have the VPN kit. As you will have seen, using ISA for site-to-site vpn's is pretty much the way you desribe although the VPN IPSEC client to ISA VPN should be simpler.

I am just pulling down the Cisco 4.8 client and will see if I can replicate your problem here.

Keith AlabasterEnterprise ArchitectCommented:
Yes. I can replicate it with this client (fails on the stage 1 SA and retransmits last packet). monitoring shows all is cool and no calls on port 4500 which is strange.

have you seen this?
PCLANTECHSAuthor Commented:
Sorry to say that the ISA Server 2004 VPN Deployment Kit is miserable reading at best, and self-contradicting:

from Page 17-18 of 513 of the ISA S2KVPNDK:

"....Note that only PPTP and L2TP/IPSec are the only VPN protocols supported for remote access VPN clients. The  reason for this is that IPSec tunnel mode is less secure than L2TP/IPSec. IPSec tunnel mode is subject to a number of well-known exploits that can lead to man-in-the-middle attacks. In contrast, L2TP/IPSec required much strong authentication and key generation mechanisms, and therefore, is not open to the same attacks.  IPSec tunnel mode support greatly increases the VPN site-to-site compatibility for ISA Server 2004 and makes it possible to place an ISA Server 2004 firewall/VPN server at any branch of a main office and connect to a third-party VPN gateway. "

They basically omitted remote client support for IPSec tunnel mode, while politically glossing over Microsoft's own more laughable PPTP (even with MS-CHAP2, MPPE), which they do support, of course(?), despite the fact that it shouldn't even be close to IPSec tunnel mode.  ISA 2004, at least from my first 2 readings, is 50% marketing crap.  So there is absolutely no way to use IPSec tunnel mode from remote access VPN clients to ISA.  Very puzzling. Very Microsoft.
Keith AlabasterEnterprise ArchitectCommented:
I have to say that my reading of the text is the same as yours. The ipsec tunnel to anything as long as it is 'from' ISA rather than terminating on ISA was a bit of an eye opener. Not that my dismay helps you in the slightest of course.
Keith AlabasterEnterprise ArchitectCommented:
Yeah OK although I would prefer PAQ - refund..
Keith AlabasterEnterprise ArchitectCommented:
This may help others in a similar position.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.