Solved

ISA 2004 IPSec with 3Com

Posted on 2006-07-05
493 Views
Last Modified: 2013-11-16
I am getting desperate. I am unable to complete Phase I on a site-to-site IPSec VPN between an ISA 2004 and a 3Com CR870 router (the 3Com connects well with another 3Com using IPSec). When I initiate the connection from the 3Com, the ISA log files show an "IKE Client" and "Initiated Connection" with the Rule being "Allow VPN Client traffic to ISA Server". If I look at the 3Com log, it shows a Phase I attempt and is waiting for a response and finally aborts after approximately 30 seconds. Ethereal network software shows a single packet arriving at the ISA Server destined for port 500. ISA Server immediately responds with an ICMP message to the 3Com "Destination unreachable (port unreachable)". The ISA 2004 shows a VPN session with the 3Com under Sessions. Phase I never completes and I am at a loss to understand the ICMP message. Port software shows UDP Port 500 open with "UDP port 500 (isakmp service): LISTENING". ISA 2004 closes the Session after 90 seconds.

It appears that ISA 2004 receives the request but never responds. I checked to ensure that the 3Com had port 500 open, which it did.

In ISA 2004 firewall rules, I have all protocols open for the "Remote Site" firewall access rule. I have an inbound access rule and an outbound access rule (inbound from the "Remote Site" and outbound to the "Remote Site"), "Remote Site" being the network object identifying the remote site.

I am curious why the rule for the initial connection would be the VPN Client rule. I just turned off VPN Client Access and the rule "Allow VPN Site-to-Site traffic to ISA Server" appeared instead when I attempted another connection. But the end result was the same.

It appears that ISA 2004 receives the Phase I connection but never sends a response to the 3Com. It instead waits for a response from the 3Com and finally times out (which the 3Com also does). The session appears under Sessions and times out after 90 seconds.

The 3Com does not have different settings for Phase I and Phase II (just one group of settings). I select 3DES, SHA1, Diffie-Hellman Group 1 (768), Renegotiate after 28800 seconds and a pre-shared key. I have turned PFS (Perfect Forward Secrecy) both on and off for testing. I assume the 3DES, SHA1 and 28800 apply for both Phase I and Phase II.

It is an Edge firewall configuration. Internal addresses are 192.168.168.0 - 192.168.168.255. Address of remote site is 192.168.164.0 - 192.168.164.255.

Any thoughts?
Question by:guyguzman
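The symptom Guy describes (an ISAKMP packet reaches UDP/500 on the server, the server answers with ICMP "port unreachable", and Phase I never proceeds) is one of three distinct outcomes a capture can show for an IKE initiation, and telling them apart is the first diagnostic step. The following Python is an added example, not code from the thread, from ISA Server or from 3Com; it parses constructed packet-summary lines (the line format, the IP addresses 203.0.113.5 / 198.51.100.10 and the sample traces are all made up for illustration) and classifies each Phase I attempt as answered on UDP/500, rejected with ICMP port unreachable, or silently dropped, with a hint for each verdict.

```python
"""Classify IKE Phase I (ISAKMP, UDP/500) attempts from packet-summary lines.

Added example, not from the original thread. Input is a constructed,
space-separated summary resembling an analyzer export:
    <seconds> <src_ip> <dst_ip> <UDP|ICMP> <info...>
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

ISAKMP_PORT = 500


@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    proto: str
    info: str

    def is_isakmp_request(self) -> bool:
        return self.proto == "UDP" and f"dport={ISAKMP_PORT}" in self.info

    def is_isakmp_reply(self) -> bool:
        return self.proto == "UDP" and f"sport={ISAKMP_PORT}" in self.info

    def is_port_unreachable(self) -> bool:
        # ICMP type 3 (destination unreachable), code 3 (port unreachable)
        return self.proto == "ICMP" and "type=3 " in self.info and "code=3" in self.info


def parse_summary(text: str) -> List[Packet]:
    """Parse the constructed summary format; blank and '#' lines are skipped."""
    packets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, info = line.split(maxsplit=4)
        packets.append(Packet(float(ts), src, dst, proto, info))
    return packets


HINTS = {
    "responded": "Server answered on UDP/500: Phase I is exchanging; if it still "
                 "fails, compare the proposals (cipher, hash, DH group, lifetime, PSK).",
    "port-unreachable": "Server's IP stack rejected the datagram: nothing had UDP/500 "
                        "bound on that address when it arrived, or a rule rejects "
                        "instead of allowing. Verify the ISAKMP listener binding on the "
                        "external address and which rule the packet matched.",
    "silent-drop": "No reply at all within the window: the packet was dropped or "
                   "filtered before reaching a listener; check upstream filtering and NAT.",
    "no-attempt": "No ISAKMP packet from the peer reached the capture point.",
}


def classify_attempt(packets: List[Packet], idx: int, window: float) -> str:
    """Verdict for the ISAKMP request at packets[idx], based on the first
    server-to-peer packet seen within `window` seconds of it."""
    req = packets[idx]
    for p in packets[idx + 1:]:
        if p.ts - req.ts > window:
            break
        if p.src == req.dst and p.dst == req.src:
            if p.is_isakmp_reply():
                return "responded"
            if p.is_port_unreachable():
                return "port-unreachable"
    return "silent-drop"


def diagnose(text: str, peer: str, server: str, window: float = 2.0) -> Dict[str, object]:
    """Classify every peer->server ISAKMP attempt and report the dominant verdict."""
    packets = parse_summary(text)
    verdicts = [classify_attempt(packets, i, window)
                for i, p in enumerate(packets)
                if p.src == peer and p.dst == server and p.is_isakmp_request()]
    verdict = Counter(verdicts).most_common(1)[0][0] if verdicts else "no-attempt"
    return {"attempts": len(verdicts), "verdict": verdict, "hint": HINTS[verdict]}


# Constructed traces: the failing pattern from the question, and a healthy one.
FAILING_TRACE = """\
0.000 203.0.113.5 198.51.100.10 UDP sport=500 dport=500 ISAKMP Identity Protection (Main Mode)
0.001 198.51.100.10 203.0.113.5 ICMP type=3 code=3 Destination unreachable (port unreachable)
10.000 203.0.113.5 198.51.100.10 UDP sport=500 dport=500 ISAKMP Identity Protection (Main Mode)
10.001 198.51.100.10 203.0.113.5 ICMP type=3 code=3 Destination unreachable (port unreachable)
"""

HEALTHY_TRACE = """\
0.000 203.0.113.5 198.51.100.10 UDP sport=500 dport=500 ISAKMP Identity Protection (Main Mode)
0.050 198.51.100.10 203.0.113.5 UDP sport=500 dport=500 ISAKMP Identity Protection (Main Mode)
"""

if __name__ == "__main__":
    for name, trace in (("failing", FAILING_TRACE), ("healthy", HEALTHY_TRACE)):
        print(name, diagnose(trace, "203.0.113.5", "198.51.100.10"))
```

The window defaults to two seconds because the reply that matters arrives almost immediately; a reply outside it would be a new attempt, not a response. The "port-unreachable" verdict is the one in the question: an ICMP port unreachable is generated by the receiving host's own IP stack, so it says the datagram reached the server but was not accepted on that socket, which is a different problem from a packet that never arrives.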
Accepted Solution by: Keith Alabaster (LVL 51, earned 500 total points), ID: 17045909
Hello Guy,

To save me going through the whole scenario, can I ask you to quickly review this link? It's the ISA 2004 VPN Kit, or have you already scoped it out?
http://download.microsoft.com/download/3/7/b/37b0cbc4-e578-4082-a779-de4fbe876f06/isa2004se_vpnkit-rev%201%2004.doc
Author Comment by: guyguzman, ID: 17046398
Keith,

Somehow I managed to miss that document but I have now downloaded it and am going through it (a large document). Thanks for the link and I will let you know what happens.

Guy
Expert Comment by: Keith Alabaster (LVL 51), ID: 17048355
:)