Solved

Point to Point VPN connection to ISA 2006 not connecting

Posted on 2008-06-12
10
424 Views
Last Modified: 2011-09-20
On one end I have ISA 2006 which is setup with a point to point VPN connection.  On the other end I have a Linksys BEFSX41.  I have set both ends up and gone over the settings litterally hundreds of times.  When watching from the Linksys it keeps ending in this...

2008-06-12 10:58:02 IKE[1] Rx << QM_I1 : <ISA External IP> HASH, SA, KE, NONCE, ID, ID
2008-06-12 10:58:02 IKE[1] **Check your Local/Remote Secure Group settings !

I have verified the Local/Remote group settings are correct, and even changed them from "subnets" to "ranges".  Always ends in the same thing.

Can anybody assist me with this?
0
Comment
Question by:MotleyWare
  • 6
  • 4
10 Comments
 
LVL 6

Expert Comment

by:Nyah247
ID: 21771125
There are several things it could be but do you happen to have the latest firmware on your Linksys?  Some of the earlier versions had some issues with IPSEC.  Be careful though...Make sure you don't paint yourself in a corner...  Read the Linksys documentation before applying an update to make sure your config will remain intact.
0
 
LVL 6

Expert Comment

by:Nyah247
ID: 21771181
Also...  Have you double-checked your local and remote accounts to make sure they have their remote capabilities enabled.  Its under the "Dial-In" tab > "Remote Access Permission" on your user properties within AD.
0
 

Author Comment

by:MotleyWare
ID: 21771677
I installed the latest firmware immediately after opening the box!

A point to point connection doesn't have "Dial-In" properties.  Point to point with IPSEC doesn't use a username.
0
 
LVL 6

Expert Comment

by:Nyah247
ID: 21771905
My duh moment...  Sorry.  Have you created an access rule on ISA allowing All Outbound Traffic from internal to remote site for All Users.  I know you had to do this on 2004 and am assuming on 2006 as well.  Anything coming in through the ISA event logs?  Is either server behind a NAT device?  This Technet article may also help:

http://technet.microsoft.com/en-us/library/bb794765(TechNet.10).aspx
0
 

Author Comment

by:MotleyWare
ID: 21772744
2006 does this for you automatically.

I do not see anything Denied in the ISA logs, and there is nothing in the windows event logs.

The Linksys is behind a cable modem, and the ISA server is behind a CISCO router for the T1.
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 

Author Comment

by:MotleyWare
ID: 21779161
This issue appears to be something IPSEC related.  After enabling IPSEC logging, the event log shows this in the Security log.  Event ID 547.

Failure Point:
Me

Failure Reason:
No Policy Configured

The ISA best practices wizard will complain that the remote IP (Linksys IP) is not in the address list for the VPN connection.  However, if I put that address into the address list of the VPN connection, all communication between the hosts is blocked.  I really need help!

0
 

Author Comment

by:MotleyWare
ID: 21779174
To clarify the above post, last sentence....  I don't mean the VPN connection is created and then all traffic is blocked.  The VPN is NOT created, and something as simple as SMTP to the mail server is is blocked!
0
 
LVL 6

Expert Comment

by:Nyah247
ID: 21779357
So you have :

** MainSite should have RemoteSubnet on the addresses tab and your RemoteISA external IP

** RemoteSite should have RemoteSubnet on the addresses tab and you MainISA external IP

** Route not NAT from Internal to Remote Site

Check this out too:
http://www.isaserver.org/tutorials/Troubleshooting-IPSec-Tunnel-Mode-Scenarios.html
0
 

Author Comment

by:MotleyWare
ID: 21780861
The remote is not an ISA server, it is the Linksys.
0
 

Accepted Solution

by:
MotleyWare earned 0 total points
ID: 21803155
I have fixed this problem.  The issue is on the ISA end.  Most documents will tell you that the "Addresses" tab should contain a start range of "x.x.x.1" and an end range of "x.x.x.254".  This is wrong.  If you look at the "View Settings Summary" with those values, the ISA server creates all sorts of crazy subnets out of the remote local network addresses.

FIX:

Use Start Address of "x.x.x.0" and End Address of "x.x.x.255"

 Also... DO NOT put in the remote public (external) IP address into the "Addresses" tab as the ISA wizard and even the Best Practices tool will tell you.  It is not needed and will cause *ALL* communcations between the sites to be blocked.
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Overview Often, we set up VPN appliances where the connected clients are on a separate subnet and the company will have alternate internet connections and do not use this particular device as the gateway for certain servers or clients. In this case…
Some of you may have heard that SonicWALL has finally released an app for iOS devices giving us long awaited connectivity for our iPhone's, iPod's, and iPad's. This guide is just a quick rundown on how to get up and running quickly using the app. …
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now