Solved

Point to Point VPN connection to ISA 2006 not connecting

Posted on 2008-06-12
Last Modified: 2011-09-20
On one end I have ISA 2006 which is set up with a point to point VPN connection.  On the other end I have a Linksys BEFSX41.  I have set both ends up and gone over the settings literally hundreds of times.  When watching from the Linksys it keeps ending in this...

2008-06-12 10:58:02 IKE[1] Rx << QM_I1 : <ISA External IP> HASH, SA, KE, NONCE, ID, ID
2008-06-12 10:58:02 IKE[1] **Check your Local/Remote Secure Group settings !

I have verified the Local/Remote group settings are correct, and even changed them from "subnets" to "ranges".  Always ends in the same thing.

Can anybody assist me with this?
Question by:MotleyWare

10 Comments
Expert Comment by:Nyah247
ID: 21771125
There are several things it could be, but do you happen to have the latest firmware on your Linksys?  Some of the earlier versions had some issues with IPSEC.  Be careful though... Make sure you don't paint yourself into a corner...  Read the Linksys documentation before applying an update to make sure your config will remain intact.
Expert Comment by:Nyah247
ID: 21771181
Also...  Have you double-checked your local and remote accounts to make sure they have their remote capabilities enabled?  It's under the "Dial-In" tab > "Remote Access Permission" on your user properties within AD.
Author Comment by:MotleyWare
ID: 21771677
I installed the latest firmware immediately after opening the box!

A point to point connection doesn't have "Dial-In" properties.  Point to point with IPSEC doesn't use a username.
Expert Comment by:Nyah247
ID: 21771905
My duh moment...  Sorry.  Have you created an access rule on ISA allowing All Outbound Traffic from internal to remote site for All Users?  I know you had to do this on 2004 and am assuming on 2006 as well.  Anything coming in through the ISA event logs?  Is either server behind a NAT device?  This Technet article may also help:

http://technet.microsoft.com/en-us/library/bb794765(TechNet.10).aspx
Author Comment by:MotleyWare
ID: 21772744
2006 does this for you automatically.

I do not see anything Denied in the ISA logs, and there is nothing in the windows event logs.

The Linksys is behind a cable modem, and the ISA server is behind a CISCO router for the T1.
Author Comment by:MotleyWare
ID: 21779161
This issue appears to be something IPSEC related.  After enabling IPSEC logging, the event log shows this in the Security log.  Event ID 547.

Failure Point:
Me

Failure Reason:
No Policy Configured

The ISA best practices wizard will complain that the remote IP (Linksys IP) is not in the address list for the VPN connection.  However, if I put that address into the address list of the VPN connection, all communication between the hosts is blocked.  I really need help!

Author Comment by:MotleyWare
ID: 21779174
To clarify the last sentence of the above post....  I don't mean the VPN connection is created and then all traffic is blocked.  The VPN is NOT created, and something as simple as SMTP to the mail server is blocked!
Expert Comment by:Nyah247
ID: 21779357
So you have:

** MainSite should have RemoteSubnet on the addresses tab and your RemoteISA external IP

** RemoteSite should have RemoteSubnet on the addresses tab and your MainISA external IP

** Route not NAT from Internal to Remote Site

Check this out too:
http://www.isaserver.org/tutorials/Troubleshooting-IPSec-Tunnel-Mode-Scenarios.html
Author Comment by:MotleyWare
ID: 21780861
The remote is not an ISA server, it is the Linksys.
Accepted Solution by:MotleyWare (earned 0 total points)
ID: 21803155
I have fixed this problem.  The issue is on the ISA end.  Most documents will tell you that the "Addresses" tab should contain a start range of "x.x.x.1" and an end range of "x.x.x.254".  This is wrong.  If you look at the "View Settings Summary" with those values, the ISA server creates all sorts of crazy subnets out of the remote local network addresses.

FIX:

Use Start Address of "x.x.x.0" and End Address of "x.x.x.255"

Also... DO NOT put the remote public (external) IP address into the "Addresses" tab as the ISA wizard and even the Best Practices tool will tell you.  It is not needed and will cause *ALL* communications between the sites to be blocked.
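The accepted solution says that an "Addresses" range of x.x.x.1 to x.x.x.254 makes ISA carve the remote network into "all sorts of crazy subnets", while x.x.x.0 to x.x.x.255 produces a single one. The script below is an added Python example (it is not from the thread, from Microsoft or from Linksys) that reproduces that expansion: a start/end range that is not aligned to a prefix boundary can only be expressed as many small CIDR blocks, and in tunnel-mode IPsec each of those becomes a separate traffic selector that the peer's single "Secure Group" subnet will not match, which is the most plausible reading of the Linksys "Check your Local/Remote Secure Group settings" message. It also shows why adding the peer's public address as an extra entry introduces a selector the peer never configured. The LAN 192.168.10.0/24 and the public address 203.0.113.5 are constructed sample values, not addresses from the thread.

```python
"""Expand ISA-style start/end address entries into the CIDR blocks they imply.

Added example, not code from the thread or from either vendor.  The
addresses used in __main__ (192.168.10.0/24, 203.0.113.5) are constructed.
"""
import ipaddress
from typing import List, Tuple

# One row of the "Addresses" tab: (start address, end address), both inclusive.
AddressEntry = Tuple[str, str]


def address_tab_subnets(entries: List[AddressEntry]) -> List[str]:
    """Return the minimal, sorted list of CIDR blocks covering every entry.

    This is what ISA's "View Settings Summary" shows: a range whose ends are
    not prefix-aligned (e.g. .1 to .254) is split into many small subnets,
    and each subnet becomes its own IPsec traffic selector (proxy ID).
    """
    blocks = []
    for start, end in entries:
        first = ipaddress.IPv4Address(start)
        last = ipaddress.IPv4Address(end)
        if last < first:
            raise ValueError(f"end address {end} precedes start address {start}")
        blocks.extend(ipaddress.summarize_address_range(first, last))
    # collapse_addresses merges adjacent same-size siblings, so a .0-.255
    # range comes back as exactly one /24.
    return [str(b) for b in ipaddress.collapse_addresses(blocks)]


def matches_peer(entries: List[AddressEntry], peer_subnet: str) -> bool:
    """True only if the address list collapses to exactly the peer's subnet.

    The remote device (the Linksys "Remote Secure Group") is configured with
    one subnet; if ISA proposes anything else, Quick Mode identities differ
    and the responder rejects the proposal instead of building the tunnel.
    """
    expected = str(ipaddress.ip_network(peer_subnet, strict=False))
    return address_tab_subnets(entries) == [expected]


def describe(entries: List[AddressEntry], peer_subnet: str) -> str:
    """Human-readable verdict for one Addresses-tab configuration."""
    subnets = address_tab_subnets(entries)
    if matches_peer(entries, peer_subnet):
        return f"OK: address list is exactly {subnets[0]}, matching the peer"
    return (f"MISMATCH: address list expands to {len(subnets)} selector(s) "
            f"{subnets}, but the peer expects only {peer_subnet}")


if __name__ == "__main__":
    peer = "192.168.10.0/24"            # constructed remote LAN
    peer_public = "203.0.113.5"         # constructed remote public address

    # 1. The range most documents recommend: .1 to .254 (fails)
    print(describe([("192.168.10.1", "192.168.10.254")], peer))
    # 2. The fix from the thread: .0 to .255 (single /24, works)
    print(describe([("192.168.10.0", "192.168.10.255")], peer))
    # 3. The fix plus the remote public IP the wizard suggests (fails again)
    print(describe([("192.168.10.0", "192.168.10.255"),
                    (peer_public, peer_public)], peer))
```

Running it prints a mismatch for the .1 to .254 range (14 separate selectors), an OK for .0 to .255, and a mismatch again once the /32 of the peer's public address is appended, which lines up with all three observations in the accepted answer.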