IPCop site to site VPN with ISA 2004

  • From: Danny <nocmonkey@xxxxxxxxx>
  • To: ipcop-user@xxxxxxxxxxxxxxxxxxxxx, "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 15 Feb 2006 12:03:19 -0500

Hello,

My goal is to set up a site to site VPN (attempting IPSec) between
IPCop and Microsoft's ISA 2004.  I am not having any luck.  Has anyone
accomplished this goal?

The admin at the IPCop site has set up:

1) The same PSK
2) IP address of ISA server external (public) IP
3) The remote network 10.1.5.0/255.255.255.0
4) 3DES MD5 encryption

On the ISA server:

1) Site to Site IPSec VPN profile
2) The IP address of IPCop external (public) IP
3) The remote network 10.200.0.0/255.255.0.0 and external IPCop IP
4) 3DES MD5 encryption
5) Tried a Route and NAT configuration for Network Rules for remote network

The errors on the ISA server:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 547
Date: 2/15/2006
Time: 11:43:07 AM
User: NT AUTHORITY\NETWORK SERVICE
Computer: SRV01
Description:
IKE security association negotiation failed.
Mode:
Key Exchange Mode (Main Mode)

Filter:
Source IP Address 100.100.100.100
Source IP Address Mask 255.255.255.255
Destination IP Address 200.200.200.200
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 100.100.100.100
IKE Peer Addr 200.200.200.200
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr

Peer Identity:

  Failure Point:
Me

Failure Reason:
The specified main mode policy was not found.

Extra Status:
Sent first (SA) payload
Initiator.  Delta Time 0
0x0 0x0

-------------------------------------------------------------------------------------------------------------------

Event Type: Error
Event Source: Microsoft Firewall
Event Category: None
Event ID: 21197
Date: 2/15/2006
Time: 11:37:16 AM
User: N/A
Computer: SRV01
Description:
ISA Server cannot locate a route to the ABC remote site. As a result,
a connection cannot be established. To establish the IPSec
site-to-site connection, you must update the routing table.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

I do not yet have the errors (if there are any) from the IPCop side.

When I try to ping from the ISA server, the replies first say timed
out and from there on: Negotiating IP Security.

Any suggestions?

Thanks,

...D
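
Added example (not part of the original post): a small parser that reduces an Event ID 547 description like the one quoted above to the fields worth comparing against the peer's log. The names parse_547 and triage are hypothetical, the sample is abridged from the post, and reading "Failure Point: Me" as the machine that logged the event is an assumption.

```python
import re
# Constructed sample: abridged from the Event ID 547 description quoted in the post.
SAMPLE_547 = """IKE security association negotiation failed.
Mode:
Key Exchange Mode (Main Mode)
Filter:
IKE Local Addr 100.100.100.100
IKE Peer Addr 200.200.200.200
Peer Private Addr
Peer Identity:
  Failure Point:
Me
Failure Reason:
The specified main mode policy was not found.
Extra Status:
Sent first (SA) payload
Initiator.  Delta Time 0
"""

def parse_547(text):
    """Split the description into 'Label:' sections, then key/value the Filter rows."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"([A-Za-z ]+):", line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif line and current:
            sections[current].append(line)
    filt = {}
    for line in sections.get("Filter", []):
        m = re.fullmatch(r"(.+?)\s+([\d.]+)", line)  # trailing number/address is the value
        filt[m.group(1) if m else line] = m.group(2) if m else None
    return sections, filt

def triage(text):
    """Reduce one event to the fields to line up with the other gateway's log."""
    sections, filt = parse_547(text)
    first = lambda name: (sections.get(name) or [None])[0]
    status = " ".join(sections.get("Extra Status", []))
    return {
        "mode": first("Mode"),
        "local": filt.get("IKE Local Addr"), "peer": filt.get("IKE Peer Addr"),
        # Assumption: "Me" means the failure was raised on the logging machine.
        "failed_locally": first("Failure Point") == "Me",
        "reason": first("Failure Reason"),
        "initiator": "Initiator" in status,
    }
```

For the event in the post, the result shows a Main Mode failure raised locally while acting as initiator, with no peer identity recorded.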