Welcome to ISAserver.org

Configuration error

Configuration error - 14.May2007 7:37:01 AM   
Laura_II

 

Hi

I enabled the VPN of my ISA Server 2006 SE following these links:

http://www.isaserver.org/tutorials/ISA-Firewall-Configure-Granular-Access-Controls-VPN-Part1.html

and

http://www.isaserver.org/tutorials/ISA-Firewall-Configure-Granular-Access-Controls-VPN-Part2.html

It seems so easy, but... this error message appears:

"The VPN configuration could not be completed because the IPsec pre-shared key defined for the server could not be written. The IPsec services may be unavailable."

Can somebody help me?
Post #: 1
RE: Configuration error - 14.May2007 9:26:07 AM   
justmee

 

Hi Laura,
Are IPSec Services running?
Make sure you did not stop them through a "hardening operation".
Best regards!

(in reply to Laura_II)
Post #: 2
RE: Configuration error - 14.May2007 11:17:35 AM   
Laura_II

 

Hi justmee, you're right!

I had hardened my server and I didn't remember it!

I fixed it, but... my client still can't connect to my VPN server, the error is 800: unable to establish connection.

I have configured one access rule:

Allow all outbound traffic from VPN clients to Internal, All users

Is it right?



(in reply to justmee)
Post #: 3
RE: Configuration error - 15.May2007 3:26:35 AM   
justmee

 

quote:

Allow all outbound traffic from VPN clients to Internal, All users

Is it right?

Maybe, but where is that granular control?
Anyway, before creating any rules you first need to be able to connect to ISA's VPN server. You don't need any access rule for the VPN clients for that. They will connect because you have enabled VPN Client Access (and thus some system policies), but they can't go anywhere; that is where you need the access rule, to allow them to access some resources.
I suppose that the other services are running. Check this page:
http://www.microsoft.com/technet/isa/2004/plan/hardeningwindows.mspx
When testing L2TP/IPsec, it is good to begin the test with the VPN client connected directly to ISA's external interface (or the interface from where VPN clients will initiate connections) and with pre-shared keys + MS-CHAPv2. If everything is fine, then move to machine certificates + EAP. If this is working fine too, then you can go and test NAT-T if there are any NAT devices along the way.
A step-by-step approach eliminates the problems one by one.
So from where are you connecting?
Are the packets reaching ISA's interface?
If so, what do ISA's logs say?
If they do but you don't find enough information in those logs, can you take a Wireshark trace on ISA's side to see how IKE negotiations are performed?
For NAT-T, make sure you add to your registry: "AssumeUDPEncapsulationContextOnSendRule"
http://support.microsoft.com/kb/818043

(in reply to Laura_II)
Post #: 4
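
One way to answer "are the packets reaching ISA's interface?" from a capture taken on the server side, as an added example that is not part of the original post. The capture summary format, the addresses and the function names are assumptions made for illustration; the port and protocol values are the standard ones for PPTP and L2TP/IPsec.

```python
import ipaddress

SERVER = "203.0.113.10"  # assumption: external address of the VPN server

# Inbound flows each VPN type needs at the server (standard port/protocol values).
REQUIRED = {
    "PPTP": [("tcp", 1723), ("gre", None)],
    "L2TP/IPsec": [("udp", 500), ("esp", None)],
    "L2TP/IPsec with NAT-T": [("udp", 500), ("udp", 4500)],
}

def parse(lines):
    """Return the set of (proto, dport) flows addressed to SERVER."""
    seen = set()
    for line in lines:
        parts = line.split()
        if line.lstrip().startswith("#") or len(parts) != 4:
            continue  # comment or malformed row
        src, dst, proto, dport = parts
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
        except ValueError:
            continue  # not a packet row
        if dst == SERVER:
            seen.add((proto.lower(), int(dport) if dport.isdigit() else None))
    return seen

def diagnose(lines):
    """Map each VPN type to the required inbound flows that never arrived."""
    seen = parse(lines)
    return {vpn: [f for f in flows if f not in seen]
            for vpn, flows in REQUIRED.items()}

# Constructed capture summary: "src dst proto dport" ("-" where there is no port).
SAMPLE = """\
# client 198.51.100.7: IKE and NAT-T arrive, PPTP attempts never do
198.51.100.7 203.0.113.10 udp 500
198.51.100.7 203.0.113.10 udp 4500
203.0.113.10 198.51.100.7 udp 500
198.51.100.7 203.0.113.10 tcp 443
""".splitlines()

if __name__ == "__main__":
    for vpn, missing in diagnose(SAMPLE).items():
        print(f"{vpn}: {'all required flows seen' if not missing else missing}")
```

A VPN type whose required flows are all missing at the server points to filtering upstream of the firewall rather than to its own rules or logs.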
RE: Configuration error - 15.May2007 4:35:36 AM   
Laura_II

 

Hi justmee

My IPS had not opened the 1723 TCP port for PPTP (I had requested it), that's all.

Thanks for your answers!


(in reply to justmee)
Post #: 5
RE: Configuration error - 15.May2007 7:53:44 AM   
justmee

 

Hi Laura,
Good to hear it is working.
Since you are using PPTP, I hope you have selected EAP and not MS-CHAP v2 as the authentication method, thus avoiding the high probability of your users' credentials being compromised.

(in reply to Laura_II)
Post #: 6
