Point to Point VPN connection to ISA 2006 not connecting

On one end I have ISA 2006 which is setup with a point to point VPN connection.  On the other end I have a Linksys BEFSX41.  I have set both ends up and gone over the settings litterally hundreds of times.  When watching from the Linksys it keeps ending in this...

2008-06-12 10:58:02 IKE[1] Rx << QM_I1 : <ISA External IP> HASH, SA, KE, NONCE, ID, ID
2008-06-12 10:58:02 IKE[1] **Check your Local/Remote Secure Group settings !

I have verified the Local/Remote group settings are correct, and even changed them from "subnets" to "ranges".  Always ends in the same thing.

Can anybody assist me with this?
MotleyWareAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
MotleyWareConnect With a Mentor Author Commented:
I have fixed this problem.  The issue is on the ISA end.  Most documents will tell you that the "Addresses" tab should contain a start range of "x.x.x.1" and an end range of "x.x.x.254".  This is wrong.  If you look at the "View Settings Summary" with those values, the ISA server creates all sorts of crazy subnets out of the remote local network addresses.

FIX:

Use Start Address of "x.x.x.0" and End Address of "x.x.x.255"

 Also... DO NOT put in the remote public (external) IP address into the "Addresses" tab as the ISA wizard and even the Best Practices tool will tell you.  It is not needed and will cause *ALL* communcations between the sites to be blocked.
0
 
Nyah247Commented:
There are several things it could be but do you happen to have the latest firmware on your Linksys?  Some of the earlier versions had some issues with IPSEC.  Be careful though...Make sure you don't paint yourself in a corner...  Read the Linksys documentation before applying an update to make sure your config will remain intact.
0
 
Nyah247Commented:
Also...  Have you double-checked your local and remote accounts to make sure they have their remote capabilities enabled.  Its under the "Dial-In" tab > "Remote Access Permission" on your user properties within AD.
0
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

 
MotleyWareAuthor Commented:
I installed the latest firmware immediately after opening the box!

A point to point connection doesn't have "Dial-In" properties.  Point to point with IPSEC doesn't use a username.
0
 
Nyah247Commented:
My duh moment...  Sorry.  Have you created an access rule on ISA allowing All Outbound Traffic from internal to remote site for All Users.  I know you had to do this on 2004 and am assuming on 2006 as well.  Anything coming in through the ISA event logs?  Is either server behind a NAT device?  This Technet article may also help:

http://technet.microsoft.com/en-us/library/bb794765(TechNet.10).aspx
0
 
MotleyWareAuthor Commented:
2006 does this for you automatically.

I do not see anything Denied in the ISA logs, and there is nothing in the windows event logs.

The Linksys is behind a cable modem, and the ISA server is behind a CISCO router for the T1.
0
 
MotleyWareAuthor Commented:
This issue appears to be something IPSEC related.  After enabling IPSEC logging, the event log shows this in the Security log.  Event ID 547.

Failure Point:
Me

Failure Reason:
No Policy Configured

The ISA best practices wizard will complain that the remote IP (Linksys IP) is not in the address list for the VPN connection.  However, if I put that address into the address list of the VPN connection, all communication between the hosts is blocked.  I really need help!

0
 
MotleyWareAuthor Commented:
To clarify the above post, last sentence....  I don't mean the VPN connection is created and then all traffic is blocked.  The VPN is NOT created, and something as simple as SMTP to the mail server is is blocked!
0
 
Nyah247Commented:
So you have :

** MainSite should have RemoteSubnet on the addresses tab and your RemoteISA external IP

** RemoteSite should have RemoteSubnet on the addresses tab and you MainISA external IP

** Route not NAT from Internal to Remote Site

Check this out too:
http://www.isaserver.org/tutorials/Troubleshooting-IPSec-Tunnel-Mode-Scenarios.html
0
 
MotleyWareAuthor Commented:
The remote is not an ISA server, it is the Linksys.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.