Solved

ISA 2004 IPSec with 3Com

Posted on 2006-07-05
Last Modified: 2013-11-16
I am getting desperate. I am unable to complete Phase I on a site-to-site IPSec VPN between an ISA 2004 and a 3Com CR870 router (the 3Com connects well with another 3Com using IPSec). When I initiate the connection from the 3Com, the ISA log files show an "IKE Client" and "Initiated Connection" with the Rule being "Allow VPN Client traffic to ISA Server". If I look at the 3Com log, it shows a Phase I attempt and is waiting for a response and finally aborts after approximately 30 seconds. Ethereal network software shows a single packet arriving at the ISA Server destined for port 500. ISA Server immediately responds with an ICMP message to the 3Com "Destination unreachable (port unreachable)". The ISA 2004 shows a VPN session with the 3Com under Sessions. Phase I never completes and I am at a loss to understand the ICMP message. Port software shows UDP Port 500 open with "UDP port 500 (isakmp service): LISTENING". ISA 2004 closes the Session after 90 seconds.

It appears that ISA 2004 receives the request but never responds. I checked to ensure that the 3Com had port 500 open, which it did.

In ISA 2004 firewall rules, I have all protocols open for the "Remote Site" firewall access rule. I have an inbound access rule and an outbound access rule (inbound from the "Remote Site" and outbound to the "Remote Site"), "Remote Site" being the network object identifying the remote site.

I am curious why the rule for the initial connection would be the VPN Client rule. I just turned off VPN Client Access and the rule "Allow VPN Site-to-Site traffic to ISA Server" appeared instead when I attempted another connection. But the end result was the same.

It appears that ISA 2004 receives the Phase I connection but never sends a response to the 3Com. It instead waits for a response from the 3Com and finally times out (which the 3Com also does). The session appears under Sessions and times out after 90 seconds.

The 3Com does not have different settings for Phase I and Phase II (just one group of settings). I select 3DES, SHA1, Diffie-Hellman Group 1 (768), Renegotiate after 28800 seconds and a pre-shared key. I have turned PFS (Perfect Forward Secrecy) both on and off for testing. I assume the 3DES, SHA1 and 28800 apply for both Phase I and Phase II.

It is an Edge firewall configuration. Internal addresses are 192.168.168.0 - 192.168.168.255. Address of remote site is 192.168.164.0 - 192.168.164.255.

Any thoughts?
Question by:guyguzman
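The symptom above (an ISAKMP packet arriving on UDP 500, answered by ICMP port unreachable, with the initiator giving up after about 30 seconds) can be triaged from a packet-summary trace by correlating each IKE initiation with what the peer sent back. This is an added example, not part of the original question or of ISA 2004 or the 3Com firmware; it assumes constructed Ethereal-style one-line summaries and documentation-range addresses.

```python
import re
# Constructed Ethereal-style packet summaries mirroring the question's symptom (ISAKMP
# arrives on UDP 500, responder answers ICMP port unreachable); RFC 5737 addresses.
SAMPLE_TRACE = """\
0.000  203.0.113.10 -> 198.51.100.5  ISAKMP Identity Protection (Main Mode)
0.002  198.51.100.5 -> 203.0.113.10  ICMP Destination unreachable (Port unreachable)
31.000 203.0.113.10 -> 198.51.100.5  ISAKMP Identity Protection (Main Mode)
31.004 198.51.100.5 -> 203.0.113.10  ISAKMP Identity Protection (Main Mode)
60.000 203.0.113.10 -> 198.51.100.9  ISAKMP Identity Protection (Main Mode)
65.000 203.0.113.10 -> 198.51.100.9  ISAKMP Identity Protection (Main Mode)
"""
LINE_RE = re.compile(r"^(?P<t>\d+(?:\.\d+)?)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
                     r"(?P<proto>ISAKMP|ICMP)\s+(?P<info>.*)$")

def parse_trace(text):
    """Yield (time, src, dst, proto, info) per summary line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield float(m["t"]), m["src"], m["dst"], m["proto"], m["info"]

def classify_ike_attempts(text, timeout=30.0):
    """Correlate each IKE initiation with the peer's reaction.
    'answered': peer returned ISAKMP, so Phase 1 is at least being negotiated.
    'icmp_port_unreachable': peer's stack rejected UDP 500; nothing accepted the packet.
    'no_response': peer silent for `timeout` seconds (the 3Com's abort window above).
    """
    pending, results = {}, []  # pending: (initiator, responder) -> first-seen time

    def close(key, outcome, start):
        results.append({"initiator": key[0], "responder": key[1],
                        "start": start, "outcome": outcome})

    for t, src, dst, proto, info in parse_trace(text):
        if proto == "ISAKMP":
            if (dst, src) in pending:                  # responder talking back
                close((dst, src), "answered", pending.pop((dst, src)))
            elif (src, dst) in pending:                # initiator retransmitting
                if t - pending[(src, dst)] > timeout:  # earlier attempt already abandoned
                    close((src, dst), "no_response", pending.pop((src, dst)))
                    pending[(src, dst)] = t
            else:
                pending[(src, dst)] = t
        elif proto == "ICMP" and "unreachable" in info.lower() and (dst, src) in pending:
            close((dst, src), "icmp_port_unreachable", pending.pop((dst, src)))
    for key, start in pending.items():                 # still waiting when trace ended
        close(key, "no_response", start)
    return sorted(results, key=lambda r: r["start"])
```

An ICMP port unreachable from a host whose netstat shows UDP 500 listening points at the packet being refused before the IKE service saw it (policy or filter on the receiving side), which is a different investigation from a peer that is simply silent.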
LVL 51

Accepted Solution

by:
Keith Alabaster earned 2000 total points
ID: 17045909
Hello Guy,

To save me going through the whole scenario, can I ask you to quickly review this link? It's the ISA 2004 VPN Kit, or have you already scoped it out?
http://download.microsoft.com/download/3/7/b/37b0cbc4-e578-4082-a779-de4fbe876f06/isa2004se_vpnkit-rev%201%2004.doc
 

Author Comment

by:guyguzman
ID: 17046398
Keith,

Somehow I managed to miss that document but I have now downloaded it and am going through it (a large document). Thanks for the link and I will let you know what happens.

Guy
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17048355
:)