?
Solved

Issues establishing point-to-point VPN from SonicWall TZ180 to ISA 2004

Posted on 2007-11-29
5
Medium Priority
?
2,087 Views
Last Modified: 2012-05-05
We are setting up Point-to-point VPN tunnels to remote offices using DSL lines with SonicWall TZ180s at the remote locations.  These are connecting to a ISA 2004 firewall running on a windows 2003 server at our data center.  We have had 2 successful sites connt but I am stuck on the third.  Everything appears to be identically configured between the 3 sites, but I keep getting the following ewrror mesage on the ISA server whenever the remote site tries to establish the tunnel:

IKE security association negotiation failed.
 Mode:
Data Protection Mode (Quick Mode)

 Filter:
Source IP Address 192.168.10.0
Source IP Address Mask 255.255.255.0
Destination IP Address 192.168.25.0
Destination IP Address Mask 255.255.255.0
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 216.75.59.2
IKE Peer Addr 99.164.27.153
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr

 Peer Identity:
Preshared key ID.
Peer IP Address: 99.164.27.153

  Failure Point:
Me

 Failure Reason:
No policy configured

 Extra Status:
Processed third (ID) payload
Responder.  Delta Time 0
 0x0 0x0

On the sonicwall we get the following matching error on the Log:

12 11/29/2007 09:57:57.316 Received notify: INVALID_ID_INFO 216.75.59.2, dcmopxy01.mossy.com (admin) 99.164.27.153    
13 11/29/2007 09:57:57.283 IKE Initiator: Start Quick Mode (Phase 2). 99.164.27.153, 500 216.75.59.2, 500, dcmopxy01.mossy.com
0
Comment
Question by:sobergfell
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 21

Expert Comment

by:from_exp
ID: 20376124
looks like your sonicwall tries to use different ID than ISA expects.
please double chech, that your sonicwall router uses IP address as ID
0
 

Author Comment

by:sobergfell
ID: 20376320
I don't think that is the issue.  All the SonicWalls ( including the 2 that are working ) use thier serial numbers as unique firewall identifiers.  Other than that all units are Id'd by IP address.

I had SonicWall tech support verify the settings on the Sonicwall to make sure they were setup correctly.



0
 
LVL 21

Expert Comment

by:from_exp
ID: 20376761
looking at the log you have provided, it seems that you miss configured policy for peer 99.164.27.153
0
 

Author Comment

by:sobergfell
ID: 20376803
The ISA creates the IPsec policies based on the wizard used to create the network object and the network rules.  I suppose I could always just delete and recreate these objects.
0
 
LVL 21

Accepted Solution

by:
from_exp earned 1000 total points
ID: 20376881
try to do that. try to run the wizard again if necessary
0

Featured Post

Four New Appliances. Same Industry-leading Speeds.

But don't take it from us.  The Firebox M370 is Miercom tested and Miercom approved, outperforming its competitors for stateless and stateful traffic throughput scenarios.  Learn more about the M370, M470, M570 and M670 and find the right solution for your organization today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Secure VPN Connection terminated locally by the Client.  Reason 442: Failed to enable Virtual Adapter. If you receive this error on Windows 8 or Windows 8.1 while trying to connect with the Cisco VPN Client then the solution is a simple registry f…
OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  By default the software is configured to allow open access to your network.  But what if you want to restrict users to on…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question