Solved

Point to Point VPN connection to ISA 2006 not connecting

Posted on 2008-06-12
10
432 Views
Last Modified: 2011-09-20
On one end I have ISA 2006 which is setup with a point to point VPN connection.  On the other end I have a Linksys BEFSX41.  I have set both ends up and gone over the settings litterally hundreds of times.  When watching from the Linksys it keeps ending in this...

2008-06-12 10:58:02 IKE[1] Rx << QM_I1 : <ISA External IP> HASH, SA, KE, NONCE, ID, ID
2008-06-12 10:58:02 IKE[1] **Check your Local/Remote Secure Group settings !

I have verified the Local/Remote group settings are correct, and even changed them from "subnets" to "ranges".  Always ends in the same thing.

Can anybody assist me with this?
0
Comment
Question by:MotleyWare
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 4
10 Comments
 
LVL 6

Expert Comment

by:Nyah247
ID: 21771125
There are several things it could be but do you happen to have the latest firmware on your Linksys?  Some of the earlier versions had some issues with IPSEC.  Be careful though...Make sure you don't paint yourself in a corner...  Read the Linksys documentation before applying an update to make sure your config will remain intact.
0
 
LVL 6

Expert Comment

by:Nyah247
ID: 21771181
Also...  Have you double-checked your local and remote accounts to make sure they have their remote capabilities enabled.  Its under the "Dial-In" tab > "Remote Access Permission" on your user properties within AD.
0
 

Author Comment

by:MotleyWare
ID: 21771677
I installed the latest firmware immediately after opening the box!

A point to point connection doesn't have "Dial-In" properties.  Point to point with IPSEC doesn't use a username.
0
Are You Headed to Black Hat USA 2017?

Getting ready for Black Hat next week? Kick things off with the WatchGuard Badge Challenge and test your puzzle and cipher skills. Do you have what it takes to earn our limited edition Firebox Badge? Get started today - https://crimsonthorn.net

 
LVL 6

Expert Comment

by:Nyah247
ID: 21771905
My duh moment...  Sorry.  Have you created an access rule on ISA allowing All Outbound Traffic from internal to remote site for All Users.  I know you had to do this on 2004 and am assuming on 2006 as well.  Anything coming in through the ISA event logs?  Is either server behind a NAT device?  This Technet article may also help:

http://technet.microsoft.com/en-us/library/bb794765(TechNet.10).aspx
0
 

Author Comment

by:MotleyWare
ID: 21772744
2006 does this for you automatically.

I do not see anything Denied in the ISA logs, and there is nothing in the windows event logs.

The Linksys is behind a cable modem, and the ISA server is behind a CISCO router for the T1.
0
 

Author Comment

by:MotleyWare
ID: 21779161
This issue appears to be something IPSEC related.  After enabling IPSEC logging, the event log shows this in the Security log.  Event ID 547.

Failure Point:
Me

Failure Reason:
No Policy Configured

The ISA best practices wizard will complain that the remote IP (Linksys IP) is not in the address list for the VPN connection.  However, if I put that address into the address list of the VPN connection, all communication between the hosts is blocked.  I really need help!

0
 

Author Comment

by:MotleyWare
ID: 21779174
To clarify the above post, last sentence....  I don't mean the VPN connection is created and then all traffic is blocked.  The VPN is NOT created, and something as simple as SMTP to the mail server is is blocked!
0
 
LVL 6

Expert Comment

by:Nyah247
ID: 21779357
So you have :

** MainSite should have RemoteSubnet on the addresses tab and your RemoteISA external IP

** RemoteSite should have RemoteSubnet on the addresses tab and you MainISA external IP

** Route not NAT from Internal to Remote Site

Check this out too:
http://www.isaserver.org/tutorials/Troubleshooting-IPSec-Tunnel-Mode-Scenarios.html
0
 

Author Comment

by:MotleyWare
ID: 21780861
The remote is not an ISA server, it is the Linksys.
0
 

Accepted Solution

by:
MotleyWare earned 0 total points
ID: 21803155
I have fixed this problem.  The issue is on the ISA end.  Most documents will tell you that the "Addresses" tab should contain a start range of "x.x.x.1" and an end range of "x.x.x.254".  This is wrong.  If you look at the "View Settings Summary" with those values, the ISA server creates all sorts of crazy subnets out of the remote local network addresses.

FIX:

Use Start Address of "x.x.x.0" and End Address of "x.x.x.255"

 Also... DO NOT put in the remote public (external) IP address into the "Addresses" tab as the ISA wizard and even the Best Practices tool will tell you.  It is not needed and will cause *ALL* communcations between the sites to be blocked.
0

Featured Post

ATEN's HDBaseT Presentation at InfoComm 2017

Hear ATEN Product Manager YT Liang review HDBaseT technology, highlighting ATEN’s latest solutions as they relate to real-world applications during her presentation at the HDBaseT booth at InfoComm 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For a while, I have wanted to connect my HTC Incredible to my corporate network to take advantage of the phone's powerful capabilities. I searched online and came up with varied answers from "it won't work" to super complicated statements that I did…
I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question