RE: IPCop site to site VPN with ISA 2004

  • From: "Rob Moore" <RMoore@xxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 15 Feb 2006 13:06:57 -0500

I worked on that problem a bit myself and had no luck. I'd be real
interested in hearing if you get it going and what you had to do to
succeed. Sorry I can't be of much help, though.

I ended up using an IPCop box as an endpoint within my ISA2004 network,
and use static routes to send traffic out the IPCop to the sites that
are connected to the IPCop VPN.

Rob 

-----Original Message-----
From: Danny [mailto:nocmonkey@xxxxxxxxx] 
Sent: Wednesday, February 15, 2006 12:03 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] IPCop site to site VPN with ISA 2004

Hello,

My goal is to set up a site to site VPN (attempting IPSec) between IPCop
and Microsoft's ISA 2004.  I am not having any luck.  Has anyone
accomplished this goal?

The admin at the IPCop site has set up:

1) The same PSK
2) IP address of ISA server external (public) IP
3) The remote network 10.1.5.0/255.255.255.0
4) 3DES MD5 encryption

On the ISA server:

1) Site to Site IPSec VPN profile
2) The IP address of IPCop external (public) IP
3) The remote network 10.200.0.0/255.255.0.0 and external IPCop IP
4) 3DES MD5 encryption
5) Tried a Route and NAT configuration for Network Rules for remote
network

The errors on the ISA server:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 547
Date: 2/15/2006
Time: 11:43:07 AM
User: NT AUTHORITY\NETWORK SERVICE
Computer: SRV01
Description:
IKE security association negotiation failed.
Mode:
Key Exchange Mode (Main Mode)

Filter:
Source IP Address 100.100.100.100
Source IP Address Mask 255.255.255.255
Destination IP Address 200.200.200.200
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 100.100.100.100
IKE Peer Addr 200.200.200.200
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr

Peer Identity:

  Failure Point:
Me

Failure Reason:
The specified main mode policy was not found.

Extra Status:
Sent first (SA) payload
Initiator.  Delta Time 0
0x0 0x0

------------------------------------------------------------------------

Event Type: Error
Event Source: Microsoft Firewall
Event Category: None
Event ID: 21197
Date: 2/15/2006
Time: 11:37:16 AM
User: N/A
Computer: SRV01
Description:
ISA Server cannot locate a route to the ABC remote site. As a result, a
connection cannot be established. To establish the IPSec site-to-site
connection, you must update the routing table.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

I do not yet have the errors (if there are any) from the IPCop side.

When I try to ping from the ISA server, the replies first say timed out
and from there on: Negotiating IP Security.

Any suggestions?

Thanks,

...D
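
An added example, not part of either message and not ISA Server or IPCop code: a small parser that turns the Event ID 547 description quoted above into named fields for triage, whether the Filter values sit one per line or run together. The sample text is built from the post with its placeholder addresses; the function name and the section and label lists are assumptions drawn from this one event.

```python
import re

# Constructed sample: the Event ID 547 description as quoted in the post,
# with e-mail line wrapping in the Filter block; Extra Status is shortened.
SAMPLE_547 = """IKE security association negotiation failed.
Mode:
Key Exchange Mode (Main Mode)
Filter:
Source IP Address 100.100.100.100
Source IP Address Mask 255.255.255.255
Destination IP Address 200.200.200.200
Destination IP Address Mask 255.255.255.255 Protocol 0 Source Port 0
Destination Port 0 IKE Local Addr 100.100.100.100 IKE Peer Addr
200.200.200.200 IKE Source Port 500 IKE Destination Port 500 Peer
Private Addr
Peer Identity:
  Failure Point:
Me
Failure Reason:
The specified main mode policy was not found.
Extra Status:
Sent first (SA) payload
"""

# Assumption: section and label names are taken from this one event only.
SECTIONS = ("Mode", "Filter", "Peer Identity", "Failure Point",
            "Failure Reason", "Extra Status")
LABELS = ("Source IP Address Mask", "Source IP Address",
          "Destination IP Address Mask", "Destination IP Address",
          "Protocol", "IKE Source Port", "IKE Destination Port",
          "Source Port", "Destination Port", "IKE Local Addr",
          "IKE Peer Addr", "Peer Private Addr")
# Longest label first, so "Source IP Address Mask" wins over its prefix.
LABEL_RE = re.compile(r"\b(%s)\b" % "|".join(
    re.escape(l) for l in sorted(LABELS, key=len, reverse=True)))

def parse_ike_failure(text):
    """Return (sections, filter_fields) parsed from an event description."""
    raw, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith(":") and line[:-1] in SECTIONS:
            current = line[:-1]
            raw[current] = []
        elif current and line:
            raw[current].append(line)
    sections = {name: " ".join(vals) for name, vals in raw.items()}
    parts = LABEL_RE.split(sections.get("Filter", ""))[1:]
    fields = {parts[i]: parts[i + 1].strip() for i in range(0, len(parts), 2)}
    return sections, fields
```

Calling `parse_ike_failure(SAMPLE_547)` returns the section texts and the Filter fields as two dictionaries, so a batch of exported events can be grouped by `Failure Point` and `Failure Reason`.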
