Ping produces "Negotiating IP Security" in IPSEC site to site

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 General ] >> General >> Ping produces "Negotiating IP Security" in IPSEC site to site Page: [1]
Login
Message << Older Topic   Newer Topic >>
Ping produces "Negotiating IP Security" in IP... - 30.Sep.2006 2:48:52 AM   
jincollingo
Well, I followed Tom's article on setting up IPSEC between two ISA servers: http://www.isaserver.org/tutorials/2004ipsectunnelmode.html
When I ping from either end I get:

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Documents and Settings\Administrator>ping 192.168.168.1 -t
Pinging 192.168.168.1 with 32 bytes of data:
Request timed out.
Negotiating IP Security.
Negotiating IP Security.
Negotiating IP Security.
Negotiating IP Security.
Negotiating IP Security.
Negotiating IP Security.
Negotiating IP Security.
Negotiating IP Security.
Negotiating IP Security.

It never responds.  I need some help here trying to track down what is going wrong. 

Thanks,
Jerry
Post #: 1
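The status lines in Jerry's `ping -t` output are the only visible signal of what the IPsec stack is doing: Windows ping prints "Negotiating IP Security." when the probe is held back because the IKE security association for that destination has not been established yet. The following added example (not code from the thread or from ISA Server) parses such ping output and gives a verdict on whether the tunnel ever came up; the sample output is constructed to mirror the post above.

```python
import re
from collections import Counter

# Constructed sample, modelled on the output quoted in the post: one plain
# timeout, then the probes that wait on an IKE negotiation that never finishes.
SAMPLE_PING_OUTPUT = """\
Pinging 192.168.168.1 with 32 bytes of data:
Request timed out.
Negotiating IP Security.
Negotiating IP Security.
Negotiating IP Security.
Negotiating IP Security.
"""

# A successful echo reply as Windows ping prints it (time=40ms or time<1ms).
REPLY_RE = re.compile(r"^Reply from (\S+): bytes=\d+ time[=<](\d+)ms TTL=\d+")


def classify_line(line):
    """Map one line of Windows ping output to a probe outcome, or None for chatter."""
    line = line.strip()
    if REPLY_RE.match(line):
        return "reply"
    if line == "Request timed out.":
        return "timeout"
    if line == "Negotiating IP Security.":
        # Printed while the IPsec policy matches the destination but IKE has
        # not yet produced a security association for it.
        return "negotiating"
    if line.startswith("Destination host unreachable"):
        return "unreachable"
    return None


def summarize_ping(output):
    """Count probe outcomes and state whether the IPsec tunnel ever passed traffic."""
    counts = Counter(c for c in map(classify_line, output.splitlines()) if c)
    total = sum(counts.values())
    if total == 0:
        verdict = "no probes parsed"
    elif counts["reply"]:
        verdict = "tunnel passes traffic: %d of %d probes answered" % (counts["reply"], total)
    elif counts["negotiating"]:
        verdict = ("IKE negotiation never completed: %d probes stalled on IPsec; "
                   "verify both endpoints can reach each other's IKE traffic "
                   "through the NAT devices" % counts["negotiating"])
    else:
        verdict = "no IPsec negotiation observed: ordinary timeouts, check routing first"
    return {"counts": dict(counts), "verdict": verdict}
```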
RE: Ping produces "Negotiating IP Security" i... - 30.Sep.2006 11:50:39 AM   
spouseele
Hi Jerry,

if it is a VPN connection between two ISA boxes you are far better off using L2TP/IPSec instead of IPSec tunnel mode. On the other hand, if you have to interface with a third party VPN box you very likely have no other option but using IPSec tunnel mode.

Please, tell us something more about your *exact* network setup.

In the meantime I suggest you check out:
- http://www.isaserver.org/tutorials/enable-ESP-Null-Encryption-ISA-2004-site-to-site-VPN-scenario.html
- http://blogs.isaserver.org/pouseele/2006/09/22/an-ipsec-tunnel-mode-connection-is-not-implemented-as-a-routable-interface-on-a-windows-based-server/
- http://blogs.isaserver.org/pouseele/2006/09/08/when-using-an-ipsec-tunnel-mode-site-to-site-vpn-you-are-noticing-frequent-isa-2004-error-messages-0xc0040014-fwx_e_fwe_spoofing_packet_dropped/
- http://blogs.isaserver.org/pouseele/2006/09/08/a-new-ipsec-quick-mode-security-association-is-negotiated-every-5-minutes-when-you-use-an-ipsec-tunnel-mode-connection-on-a-windows-2003-sp1-based-server/

HTH,
Stefaan

(in reply to jincollingo)
Post #: 2
RE: Ping produces "Negotiating IP Security" i... - 30.Sep.2006 3:24:36 PM   
jincollingo
Thanks again for the reply Stefaan.  I understand that between 2 ISA servers the preferred method is L2TP, but for now I am simply testing to see if I can just get 2 ISA servers to talk to each other and it seemed simple enough to follow Tom's article.  I will certainly try the L2TP later.

Here is my setup:

         Main                                               Remote
ISA2004 -------- Linksys ----- Internet ----- SMC --------- ISA2004
10.10.10.2       10.10.10.1                   10.1.10.1     10.1.10.10     ---> External interface addresses
192.168.168.1                                               10.1.11.1      ---> Internal interface addresses
Basically, there is a NATting device in front of the ISA server in each office.  They are set with a DMZ of the ISA server's external address, meaning all traffic is forwarded from the Linksys or SMC device to the ISA server's external NIC.

If something looks wrong with my setup, please let me know.  In the meantime I will look over the articles you provided.

Thanks,
Jerry

(in reply to spouseele)
Post #: 3
RE: Ping produces "Negotiating IP Security" i... - 30.Sep.2006 6:01:00 PM   
spouseele
Hi Jerry,

hmm... both VPN endpoints are behind a NAT device! From an IPSec point of view that's a complex scenario, and it is not recommended by Microsoft (http://support.microsoft.com/kb/885348/). I haven't yet tested such a scenario where both the IPSec initiator *and* responder are behind a NAT device, but I can confirm that if only the IPSec initiator *or* the IPSec responder is behind a NAT device it works well.

The problem with IPSec tunnel mode is that it is very hard to debug the tunnel setup and negotiation. I wish there were some good documentation on how to read and interpret the IKE logging!

BTW --- you might check out http://www.isaserver.org/tutorials/Troubleshooting-IPSec-Tunnel-Mode-Scenarios.html. The author Clint is a moderator on this board (http://forums.isaserver.org/showprofile.aspx?memid=59) and he has very good knowledge of IPSec (he used to work in Microsoft PSS). So, maybe you can ping him to get his attention.

HTH,
Stefaan

< Message edited by spouseele -- 30.Sep.2006 11:43:03 PM >

(in reply to jincollingo)
Post #: 4