RE: IPCop site to site VPN with ISA 2004

  • From: Alexandre Gauthier <gauthiera@xxxxxxxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 15 Feb 2006 12:28:38 -0500

This might be a stab in the dark but I'd say it has to do with the specified
main mode policy not being found.

Okay, kidding apart, what is the IPCOP box using to establish IPSEC
connections? Kernel mode Racoon/IKE IPSEC or something like OpenSWAN? (And
can those even *talk* to ISA?)

-----Original Message-----
From: Danny [mailto:nocmonkey@xxxxxxxxx]
Sent: February 15, 2006 12:03
To: [ISAserver.org Discussion List]
Subject: [isalist] IPCop site to site VPN with ISA 2004

Hello,

My goal is to set up a site to site VPN (attempting IPSec) between
IPCop and Microsoft's ISA 2004.  I am not having any luck.  Has anyone
accomplished this goal?

The admin at the IPCop site has set up:

1) The same PSK
2) IP address of ISA server external (public) IP
3) The remote network 10.1.5.0/255.255.255.0
4) 3DES MD5 encryption

On the ISA server:

1) Site to Site IPSec VPN profile
2) The IP address of IPCop external (public) IP
3) The remote network 10.200.0.0/255.255.0.0 and external IPCop IP
4) 3DES MD5 encryption
5) Tried a Route and NAT configuration for Network Rules for remote network

The errors on the ISA server:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 547
Date: 2/15/2006
Time: 11:43:07 AM
User: NT AUTHORITY\NETWORK SERVICE
Computer: SRV01
Description:
IKE security association negotiation failed.
Mode:
Key Exchange Mode (Main Mode)

Filter:
Source IP Address 100.100.100.100
Source IP Address Mask 255.255.255.255
Destination IP Address 200.200.200.200
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 100.100.100.100
IKE Peer Addr 200.200.200.200
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr

Peer Identity:

  Failure Point:
Me

Failure Reason:
The specified main mode policy was not found.

Extra Status:
Sent first (SA) payload
Initiator.  Delta Time 0
0x0 0x0

----------------------------------------------------------------------------

Event Type: Error
Event Source: Microsoft Firewall
Event Category: None
Event ID: 21197
Date: 2/15/2006
Time: 11:37:16 AM
User: N/A
Computer: SRV01
Description:
ISA Server cannot locate a route to the ABC remote site. As a result,
a connection cannot be established. To establish the IPSec
site-to-site connection, you must update the routing table.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

I do not yet have the errors (if there are any) from the IPCop side.

When I try to ping from the ISA server, the replies first say timed
out and from there on: Negotiating IP Security.

Any suggestions?

Thanks,

...D
