Solved

ISA 2004 IPSec with 3Com

Posted on 2006-07-05
Last Modified: 2013-11-16
I am getting desperate. I am unable to complete Phase I on a site-to-site IPSec VPN between an ISA 2004 and a 3Com CR870 router (the 3Com connects well with another 3Com using IPSec). When I initiate the connection from the 3Com, the ISA logging file shows an "IKE Client" and "Initiated Connection" with the Rule being "Allow VPN Client traffic to ISA Server". If I look at the 3Com log, it shows a Phase I attempt and is waiting for a response and finally aborts after approximately 30 seconds. Ethereal network software shows a single packet arriving at the ISA Server destined for port 500. ISA Server immediately responds with an ICMP message to the 3Com "Destination unreachable (port unreachable)". The ISA 2004 shows a VPN session with the 3Com under Sessions. Phase I never completes and I am at a loss to understand the ICMP message. Port software shows UDP Port 500 open with "UDP port 500 (isakmp service): LISTENING". ISA 2004 closes the Session after 90 seconds.

It appears that ISA 2004 receives the request but never responds. I checked to ensure that the 3Com had port 500 open, which it did.

In ISA 2004 firewall rules, I have all protocols open for the "Remote Site" firewall access rule. I have an inbound access rule and an outbound access rule (inbound from the "Remote Site" and outbound to the "Remote Site"), "Remote Site" being the network object identifying the remote site.

I am curious why the rule for the initial connection would be the VPN Client rule. I just turned off VPN Client Access and the rule "Allow VPN Site-to-Site traffic to ISA Server" appeared instead when I attempted another connection. But the end result was the same.

It appears that ISA 2004 receives the Phase I connection but never sends a response to the 3Com. It instead waits for a response from the 3Com and finally times out (which the 3Com also does). The session appears under Sessions and times out after 90 seconds.

The 3Com does not have different settings for Phase I and Phase II (just one group of settings). I select 3DES, SHA1, Diffie-Hellman Group 1 (768), Renegotiate after 28800 seconds and a pre-shared key. I have turned PFS (Perfect Forward Secrecy) both on and off for testing. I assume the 3DES, SHA1 and 28800 apply for both Phase I and Phase II.

It is an Edge firewall configuration. Internal addresses are 192.168.168.0 - 192.168.168.255. Address of remote site is 192.168.164.0 - 192.168.164.255.

Any thoughts?
Question by:guyguzman
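The symptom described above (one ISAKMP datagram reaching UDP port 500 and the firewall answering with ICMP "port unreachable") can be triaged from a capture summary. The following Python script is an added example, not code from this thread or from either vendor; it classifies each IKE initiation as answered by ISAKMP, refused with port unreachable, or unanswered within a timeout. The summary line format and the addresses are constructed for the example.

```python
"""Classify IKE (UDP/500) initiations in a simplified capture summary.

Each constructed line is: time  src  dst  proto  info
(assumed format, loosely modelled on an Ethereal/tshark summary).
"""
import re

# Constructed sample capture (documentation addresses, not real hosts):
# attempt 1 is refused with ICMP port unreachable, attempt 2 gets an
# ISAKMP reply, attempt 3 from a second peer gets nothing at all.
SAMPLE_CAPTURE = """\
0.000  203.0.113.10  198.51.100.5  ISAKMP  Identity Protection (Main Mode) I
0.002  198.51.100.5  203.0.113.10  ICMP    Destination unreachable (Port unreachable)
31.000 203.0.113.10  198.51.100.5  ISAKMP  Identity Protection (Main Mode) I
31.010 198.51.100.5  203.0.113.10  ISAKMP  Identity Protection (Main Mode) R
60.000 203.0.113.11  198.51.100.5  ISAKMP  Identity Protection (Main Mode) I
"""

LINE_RE = re.compile(
    r"^(?P<t>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<info>.*)$")


def parse(text):
    """Turn summary lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({**m.groupdict(), "t": float(m.group("t"))})
    return events


def classify_ike_attempts(text, timeout=30.0):
    """Return (time, initiator, outcome) per ISAKMP initiation.

    'phase1_reply'     - the responder answered with ISAKMP (Phase I is proceeding)
    'port_unreachable' - responder sent ICMP 3/3: no service accepted the datagram
    'no_response'      - nothing came back within `timeout` seconds (dropped/filtered)
    """
    events = parse(text)
    results = []
    for i, ev in enumerate(events):
        if ev["proto"] != "ISAKMP" or not ev["info"].endswith(" I"):
            continue
        outcome = "no_response"
        for later in events[i + 1:]:
            if later["t"] - ev["t"] > timeout:
                break
            if later["src"] == ev["dst"] and later["dst"] == ev["src"]:
                if later["proto"] == "ISAKMP":
                    outcome = "phase1_reply"
                    break
                if later["proto"] == "ICMP" and "Port unreachable" in later["info"]:
                    outcome = "port_unreachable"
                    break
        results.append((ev["t"], ev["src"], outcome))
    return results
```

A "port_unreachable" verdict while a port scanner reports UDP 500 as listening points at the datagram not being handed to the IKE service (filtering or policy on the responder), rather than at the remote peer.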
5 Comments
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 17045909
Hello Guy,

To save me going through the whole scenario, can I ask you to quickly review this link? It's the ISA 2004 VPN Kit, or have you already scoped it out?
http://download.microsoft.com/download/3/7/b/37b0cbc4-e578-4082-a779-de4fbe876f06/isa2004se_vpnkit-rev%201%2004.doc

Author Comment

by:guyguzman
ID: 17046398
Keith,

Somehow I managed to miss that document but I have now downloaded it and am going through it (a large document). Thanks for the link and I will let you know what happens.

Guy
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17048355
:)
