Solved

Point to Point VPN connection to ISA 2006 not connecting

Posted on 2008-06-12
Last Modified: 2011-09-20
On one end I have ISA 2006 which is setup with a point to point VPN connection.  On the other end I have a Linksys BEFSX41.  I have set both ends up and gone over the settings literally hundreds of times.  When watching from the Linksys it keeps ending in this...

2008-06-12 10:58:02 IKE[1] Rx << QM_I1 : <ISA External IP> HASH, SA, KE, NONCE, ID, ID
2008-06-12 10:58:02 IKE[1] **Check your Local/Remote Secure Group settings !

I have verified the Local/Remote group settings are correct, and even changed them from "subnets" to "ranges".  Always ends in the same thing.

Can anybody assist me with this?
Question by:MotleyWare
 
LVL 6

Expert Comment

by:Nyah247
ID: 21771125
There are several things it could be but do you happen to have the latest firmware on your Linksys?  Some of the earlier versions had some issues with IPSEC.  Be careful though...Make sure you don't paint yourself in a corner...  Read the Linksys documentation before applying an update to make sure your config will remain intact.
 
LVL 6

Expert Comment

by:Nyah247
ID: 21771181
Also... Have you double-checked your local and remote accounts to make sure they have their remote capabilities enabled?  It's under the "Dial-In" tab > "Remote Access Permission" on your user properties within AD.
 

Author Comment

by:MotleyWare
ID: 21771677
I installed the latest firmware immediately after opening the box!

A point to point connection doesn't have "Dial-In" properties.  Point to point with IPSEC doesn't use a username.
 
LVL 6

Expert Comment

by:Nyah247
ID: 21771905
My duh moment...  Sorry.  Have you created an access rule on ISA allowing All Outbound Traffic from internal to remote site for All Users?  I know you had to do this on 2004 and am assuming on 2006 as well.  Anything coming in through the ISA event logs?  Is either server behind a NAT device?  This Technet article may also help:

http://technet.microsoft.com/en-us/library/bb794765(TechNet.10).aspx
 

Author Comment

by:MotleyWare
ID: 21772744
2006 does this for you automatically.

I do not see anything Denied in the ISA logs, and there is nothing in the windows event logs.

The Linksys is behind a cable modem, and the ISA server is behind a CISCO router for the T1.

Author Comment

by:MotleyWare
ID: 21779161
This issue appears to be something IPSEC related.  After enabling IPSEC logging, the event log shows this in the Security log.  Event ID 547.

Failure Point:
Me

Failure Reason:
No Policy Configured

The ISA best practices wizard will complain that the remote IP (Linksys IP) is not in the address list for the VPN connection.  However, if I put that address into the address list of the VPN connection, all communication between the hosts is blocked.  I really need help!

 

Author Comment

by:MotleyWare
ID: 21779174
To clarify the above post, last sentence....  I don't mean the VPN connection is created and then all traffic is blocked.  The VPN is NOT created, and something as simple as SMTP to the mail server is blocked!
 
LVL 6

Expert Comment

by:Nyah247
ID: 21779357
So you have:

** MainSite should have RemoteSubnet on the addresses tab and your RemoteISA external IP

** RemoteSite should have RemoteSubnet on the addresses tab and your MainISA external IP

** Route not NAT from Internal to Remote Site

Check this out too:
http://www.isaserver.org/tutorials/Troubleshooting-IPSec-Tunnel-Mode-Scenarios.html
 

Author Comment

by:MotleyWare
ID: 21780861
The remote is not an ISA server, it is the Linksys.
 

Accepted Solution

by:
MotleyWare earned 0 total points
ID: 21803155
I have fixed this problem.  The issue is on the ISA end.  Most documents will tell you that the "Addresses" tab should contain a start range of "x.x.x.1" and an end range of "x.x.x.254".  This is wrong.  If you look at the "View Settings Summary" with those values, the ISA server creates all sorts of crazy subnets out of the remote local network addresses.

FIX:

Use Start Address of "x.x.x.0" and End Address of "x.x.x.255"

Also... DO NOT put the remote public (external) IP address into the "Addresses" tab, as the ISA wizard and even the Best Practices tool will tell you to.  It is not needed and will cause *ALL* communications between the sites to be blocked.
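Why the ".1 to .254" range produces the "crazy subnets" the accepted solution describes, as an added example that is not part of the thread: a site-to-site IPsec peer such as the Linksys proposes its Local/Remote Secure Group as one subnet plus mask, while a range that is not aligned to a power-of-two block can only be covered by a list of smaller CIDR prefixes, none of which equals that single subnet. The 10.0.0.x addresses below are constructed placeholders for the page's x.x.x, and the helper names are this example's own.

```python
import ipaddress


def range_to_prefixes(start, end):
    """Minimal list of CIDR prefixes that exactly covers start..end (inclusive).

    Greedy decomposition: at each step take the largest power-of-two block that
    starts aligned at the current address and does not run past the end.
    """
    cur = int(ipaddress.IPv4Address(start))
    last = int(ipaddress.IPv4Address(end))
    if cur > last:
        raise ValueError("start address must not exceed end address")
    prefixes = []
    while cur <= last:
        size = 1
        # grow the block while it stays aligned and still fits inside the range
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= last:
            size *= 2
        prefixlen = 32 - (size.bit_length() - 1)
        prefixes.append(f"{ipaddress.IPv4Address(cur)}/{prefixlen}")
        cur += size
    return prefixes


def stdlib_prefixes(start, end):
    """Same decomposition via the standard library, used as a cross-check."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(start), ipaddress.IPv4Address(end))]


def matches_peer_subnet(start, end, peer_subnet):
    """True when the range collapses to exactly the single subnet the peer
    (here the Linksys Secure Group, e.g. 10.0.0.0/24) would propose."""
    return range_to_prefixes(start, end) == [str(ipaddress.IPv4Network(peer_subnet))]


if __name__ == "__main__":
    # constructed sample ranges: the documented-but-wrong one and the fix
    for rng in (("10.0.0.1", "10.0.0.254"), ("10.0.0.0", "10.0.0.255")):
        prefixes = range_to_prefixes(*rng)
        print(f"{rng[0]} - {rng[1]}: {len(prefixes)} prefix(es) -> {prefixes}")
        print("  matches peer subnet 10.0.0.0/24:",
              matches_peer_subnet(*rng, "10.0.0.0/24"))
```

The .1 to .254 range splits into 14 prefixes (from a /32 up to two /26s and back down), which is what the ISA "View Settings Summary" shows; .0 to .255 yields the single /24 the peer expects.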
