Issues establishing point-to-point VPN from SonicWall TZ180 to ISA 2004

Posted on 2007-11-29
Last Modified: 2012-05-05
We are setting up point-to-point VPN tunnels to remote offices using DSL lines with SonicWall TZ180s at the remote locations.  These are connecting to an ISA 2004 firewall running on a Windows 2003 server at our data center.  We have had 2 sites connect successfully, but I am stuck on the third.  Everything appears to be identically configured between the 3 sites, but I keep getting the following error message on the ISA server whenever the remote site tries to establish the tunnel:

IKE security association negotiation failed.
 Mode:
Data Protection Mode (Quick Mode)

 Filter:
Source IP Address 192.168.10.0
Source IP Address Mask 255.255.255.0
Destination IP Address 192.168.25.0
Destination IP Address Mask 255.255.255.0
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 216.75.59.2
IKE Peer Addr 99.164.27.153
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr

 Peer Identity:
Preshared key ID.
Peer IP Address: 99.164.27.153

  Failure Point:
Me

 Failure Reason:
No policy configured

 Extra Status:
Processed third (ID) payload
Responder.  Delta Time 0
 0x0 0x0

On the SonicWall we get the following matching error in the log:

12 11/29/2007 09:57:57.316 Received notify: INVALID_ID_INFO 216.75.59.2, dcmopxy01.mossy.com (admin) 99.164.27.153    
13 11/29/2007 09:57:57.283 IKE Initiator: Start Quick Mode (Phase 2). 99.164.27.153, 500 216.75.59.2, 500, dcmopxy01.mossy.com
Question by:sobergfell
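The two log excerpts above describe one exchange: the SonicWall (initiator) started Quick Mode, and the ISA responder answered with INVALID_ID_INFO after processing the ID payloads, which in IKEv1 Quick Mode carry the proposed traffic selectors; "No policy configured" on the ISA side means no IPsec filter matched the 192.168.10.0/24 <-> 192.168.25.0/24 pair for that peer. The script below is an added example, not part of the original post and not an ISA or SonicWall tool: it parses both excerpts, correlates them by peer address, and compares the proposed selectors against a table of expected site-to-site policies. The EXPECTED_POLICIES table, its peer addresses and subnets are constructed assumptions (the third site is given a mistyped remote subnet so the check reproduces the failure), and the ISA event text is abridged to the fields the parser uses.

```python
"""Correlate ISA 2004's 'IKE security association negotiation failed' event with the
SonicWall initiator log and check the Quick Mode selectors against the site-to-site
policies the ISA responder is expected to carry.  Log text is copied from the thread
(ISA event abridged); EXPECTED_POLICIES is a constructed stand-in for ISA's network rules."""
import ipaddress
import re
from dataclasses import dataclass

ISA_EVENT = """\
IKE security association negotiation failed.
 Mode:
Data Protection Mode (Quick Mode)
 Filter:
Source IP Address 192.168.10.0
Source IP Address Mask 255.255.255.0
Destination IP Address 192.168.25.0
Destination IP Address Mask 255.255.255.0
IKE Local Addr 216.75.59.2
IKE Peer Addr 99.164.27.153
 Peer Identity:
Preshared key ID.
Peer IP Address: 99.164.27.153
  Failure Point:
Me
 Failure Reason:
No policy configured
 Extra Status:
Processed third (ID) payload
Responder.  Delta Time 0
"""

SONICWALL_LOG = """\
12 11/29/2007 09:57:57.316 Received notify: INVALID_ID_INFO 216.75.59.2, dcmopxy01.mossy.com (admin) 99.164.27.153
13 11/29/2007 09:57:57.283 IKE Initiator: Start Quick Mode (Phase 2). 99.164.27.153, 500 216.75.59.2, 500, dcmopxy01.mossy.com
"""

# Constructed stand-in for ISA's network rules: remote peer IP -> (data-center net, remote-site net).
# The two working sites' peers and subnets are invented (documentation addresses); the third
# site deliberately carries a mistyped remote subnet so that diagnose() reports the mismatch.
EXPECTED_POLICIES = {
    "198.51.100.10": (ipaddress.IPv4Network("192.168.10.0/24"), ipaddress.IPv4Network("192.168.20.0/24")),
    "198.51.100.20": (ipaddress.IPv4Network("192.168.10.0/24"), ipaddress.IPv4Network("192.168.21.0/24")),
    "99.164.27.153": (ipaddress.IPv4Network("192.168.10.0/24"), ipaddress.IPv4Network("192.168.52.0/24")),
}


@dataclass
class QuickModeFailure:
    mode: str
    local_net: ipaddress.IPv4Network   # selectors as ISA logs them: its own side first
    remote_net: ipaddress.IPv4Network
    local_addr: str
    peer_addr: str
    reason: str


def _grab(pattern: str, text: str) -> str:
    """Return the first capture group of a multiline regex, or fail loudly."""
    m = re.search(pattern, text, re.MULTILINE)
    if not m:
        raise ValueError(f"field not found: {pattern}")
    return m.group(1).strip()


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(f"{addr}/{mask}")  # dotted masks are accepted here


def parse_isa_event(text: str) -> QuickModeFailure:
    """Pull the Phase 2 selectors, IKE endpoints and failure reason out of the ISA event."""
    return QuickModeFailure(
        mode=_grab(r"^Data Protection Mode \((.*?)\)$", text),
        local_net=_net(_grab(r"^Source IP Address (\S+)$", text),
                       _grab(r"^Source IP Address Mask (\S+)$", text)),
        remote_net=_net(_grab(r"^Destination IP Address (\S+)$", text),
                        _grab(r"^Destination IP Address Mask (\S+)$", text)),
        local_addr=_grab(r"^IKE Local Addr (\S+)$", text),
        peer_addr=_grab(r"^IKE Peer Addr (\S+)$", text),
        reason=_grab(r"^\s*Failure Reason:\s*\n(.+)$", text),
    )


def invalid_id_notify_sender(log: str):
    """IP address that sent INVALID_ID_INFO according to the SonicWall log, or None."""
    m = re.search(r"Received notify: INVALID_ID_INFO (\d+\.\d+\.\d+\.\d+)", log)
    return m.group(1) if m else None


def diagnose(failure: QuickModeFailure, notify_sender, policies: dict) -> list:
    """Explain a Quick Mode 'No policy configured' failure against the expected policy table."""
    if failure.mode != "Quick Mode":
        return [f"failure is in {failure.mode}, not Quick Mode: check PSK and peer ID type first"]
    findings = []
    if notify_sender and notify_sender != failure.local_addr:
        findings.append(f"INVALID_ID_INFO came from {notify_sender}, not from ISA at {failure.local_addr}")
    policy = policies.get(failure.peer_addr)
    if policy is None:
        findings.append(f"no site-to-site policy for peer {failure.peer_addr}")
        return findings
    if (failure.local_net, failure.remote_net) != policy:
        findings.append(
            f"selector mismatch for peer {failure.peer_addr}: peer proposed "
            f"{failure.local_net} <-> {failure.remote_net}, ISA rule has {policy[0]} <-> {policy[1]}")
    return findings


if __name__ == "__main__":
    failure = parse_isa_event(ISA_EVENT)
    for line in diagnose(failure, invalid_id_notify_sender(SONICWALL_LOG), EXPECTED_POLICIES):
        print(line)
```

Run as-is the script reports a selector mismatch for 99.164.27.153; replacing that entry with the subnets actually proposed returns no findings, which is the state a freshly recreated network object and network rule on the ISA side should produce.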
5 Comments
 

Expert Comment

by:from_exp
ID: 20376124
Looks like your SonicWall tries to use a different ID than ISA expects.
Please double check that your SonicWall router uses its IP address as ID.
 

Author Comment

by:sobergfell
ID: 20376320
I don't think that is the issue.  All the SonicWalls (including the 2 that are working) use their serial numbers as unique firewall identifiers.  Other than that, all units are ID'd by IP address.

I had SonicWall tech support verify the settings on the Sonicwall to make sure they were setup correctly.




Expert Comment

by:from_exp
ID: 20376761
Looking at the log you have provided, it seems that you misconfigured the policy for peer 99.164.27.153.

Author Comment

by:sobergfell
ID: 20376803
The ISA creates the IPsec policies based on the wizard used to create the network object and the network rules.  I suppose I could always just delete and recreate these objects.

Accepted Solution

by:from_exp (earned 500 total points)
ID: 20376881
Try to do that. Try to run the wizard again if necessary.
