Welcome to ISAserver.org
Site-to-Site wrong subnet for IKE
Site-to-Site wrong subnet for IKE - 10.Jan.2007 12:25:37 PM
rebelpeon
Posts: 13
Joined: 9.May2006
Status: offline
I'm having some problems attempting to add a new remote network to an existing Site-to-Site network between an ISA 2006 Std and Nortel Contivity 1740. The ISA configuration settings are listed at the bottom of this email. The Network that is not working is the "Company A" one. Basically, originally I had the networks 1.1.1.1/32, 130.197.123.180/32, and 170.248.97.200/32 as the remote networks. That worked great. I have since added the 130.197.123.198/32 address to the network. All of the original networks work fine, but the new address has problems with the tunnel.

On the Nortel side, when I'm attempting to hit the 130.197.123.180/32 address from a machine with the IP 10.254.95.194, the following is posted in the logs and everything works fine:

01/10/2007 10:51:22 0 Security [11] Session: network IPSEC[10.254.95.192-255.255.255.224] attempting login
01/10/2007 10:51:22 0 Security [11] Session: network IPSEC[10.254.95.192-255.255.255.224] logged in from gateway [1.1.1.2]
01/10/2007 10:51:22 0 Security [12] Session: IPSEC[1.1.1.2]:574983 physical addresses: remote 1.1.1.2 local 1.1.1.1
01/10/2007 10:51:22 0 Security [12] Session: IPSEC[-]:575009 physical addresses: remote 1.1.1.2 local 1.1.1.1
01/10/2007 10:51:22 0 Outbound ESP from 1.1.1.1 to 1.1.1.2 SPI 0x4c7c13c6 [03] ESP encap session SPI 0xc6137c4c bound to s/w on cpu 0
01/10/2007 10:51:22 0 Inbound ESP from 1.1.1.2 to 1.1.1.1 SPI 0x00260032 [03] ESP decap session SPI 0x32002600 bound to s/w on cpu 0
01/10/2007 10:51:22 0 Branch Office [00] 53e75b8 BranchOfficeCtxtCls::RegisterTunnel: rem[10.254.95.192-255.255.255.224]@[1.1.1.2] loc[130.197.123.180-255.255.255.255] overwriting tunnel context [0] with [4e338a8]

However, when I attempt to hit the 130.197.123.198/32 address from the same machine (IP of 10.254.95.194), the Nortel displays the following and I'm unable to connect:

01/10/2007 09:44:45 0 Security [11] Session: network IPSEC[10.254.64.0-255.255.224.0] attempting login
01/10/2007 09:44:45 0 tIsakmp [34] Failed Remote Network Login: Username=: Date/Time=01/10/2007 09:44:45
01/10/2007 09:44:45 0 ISAKMP [13] invalid id! quickmode.cpp:line 2532
01/10/2007 09:44:45 0 ISAKMP [13] Invalid ID information in message from 1.1.1.2

I can see where ISA *may* be getting the 10.254.64.0 network, but if you look in the settings below, it "shouldn't" be. The network rule for the Company A network is to route between the Company A network (1.1.1.1/32, 130.197.123.180/32, 130.197.123.198/32, and 170.248.97.200/32) and the 10.254.95.192/27 VLAN, and according to the summary below, the only routable network is 10.254.95.192/27 for this VPN. Not that it matters, but the only Firewall rule that allows traffic is between the Company A network and the 10.254.95.192/27 VLAN too.

What I don't understand is why hitting one of the IPs successfully negotiates the keys, while hitting the other does not, since they are the same VPN and are contained in the same rules (network and firewall). I have tried to recreate the VPN multiple times with it including one and both remote network IPs. Neither case seems to work. Any help would be greatly appreciated! Thanks!

Setup in ISA 2006:

Local settings:
Local Tunnel Endpoint: 1.1.1.2
Remote Tunnel Endpoint: 1.1.1.1
To allow HTTP proxy or NAT traffic to the remote site, the remote site configuration must contain the local site tunnel end-point IP address.

IKE Phase I Parameters:
Mode: Main mode
Encryption: 3DES
Integrity: SHA1
Diffie-Hellman group: Group 2 (1024 bit)
Authentication Method: Pre-shared secret (****)
Security Association Lifetime: 28800 seconds

IKE Phase II Parameters:
Mode: ESP tunnel mode
Encryption: 3DES
Integrity: SHA1
Perfect Forward Secrecy: OFF
Diffie-Hellman group: Group 2 (1024 bit)
Time Rekeying: ON
Security Association Lifetime: 3600 seconds
Kbyte Rekeying: OFF

Remote Network 'Company A' IP Subnets:
Subnet: 1.1.1.1/255.255.255.255
Subnet: 130.197.123.180/255.255.255.255
Subnet: 130.197.123.198/255.255.255.255
Subnet: 170.248.97.200/255.255.255.255

Local Network 'Internal' IP Subnets:
Subnet: 10.254.9.0/255.255.255.0
Subnet: 10.254.26.0/255.255.255.0
Subnet: 10.254.24.0/255.255.254.0
Subnet: 10.254.20.0/255.255.252.0
Subnet: 10.254.64.0/255.255.224.0

Local Network 'Mumbai' IP Subnets:
Subnet: 10.190.108.128/255.255.255.192
Subnet: 203.190.152.9/255.255.255.255

Local Network 'User' IP Subnets:
Subnet: 192.168.2.0/255.255.255.0

Routable Local IP Addresses:
Subnet: 10.254.95.192/255.255.255.224

Remote Settings:
Local Tunnel Endpoint: 1.1.1.1
Remote Tunnel Endpoint: 1.1.1.2

IKE Phase I Parameters:
Mode: Main mode
Encryption: 3DES
Integrity: SHA1
Diffie-Hellman group: Group 2 (1024 bit)
Authentication Method: Pre-shared secret (*****)
Security Association Lifetime: 28800 seconds

IKE Phase II Parameters:
Mode: ESP tunnel mode
Encryption: 3DES
Integrity: SHA1
Perfect Forward Secrecy: OFF
Diffie-Hellman group: Group 2 (1024 bit)
Time Rekeying: ON
Security Association Lifetime: 3600 seconds
Kbyte Rekeying: OFF

Site-to-Site Network IP Subnets:
Subnet: 10.254.95.192/255.255.255.224
< Message edited by rebelpeon -- 10.Jan.2007 6:20:35 PM >
RE: Site-to-Site wrong subnet for IKE - 10.Jan.2007 2:14:23 PM
rebelpeon
Posts: 13
Joined: 9.May2006
Status: offline
I know it is not good to respond to yourself, but I believe I’ve found the problem. In the IPSec Security Monitor, there is no Quick Mode Specific Filter for the source of 10.254.95.192/27 to 130.197.123.198 (and vice versa). This is causing the next best Filter to be used, which is for 10.254.64.0/255.255.242.0. There is a filter for 10.254.95.192/27 to 130.197.123.180 though (and vice versa). Obviously ISA should be creating these, but it doesn’t seem to be. Does anyone know where I can manually create them, or force ISA to create them?
RE: Site-to-Site wrong subnet for IKE - 10.Jan.2007 7:28:39 PM
rebelpeon
Posts: 13
Joined: 9.May2006
Status: offline
This has been fixed. Basically, you can add the required IPSec policies in by hand via the command line. It's not pretty, but can be done.

netsh ipsec dynamic add rule srcaddr=10.254.95.192 dstaddr=130.197.123.198 mmpolicy="ISA Server Company A MM Policy" qmpolicy="ISA Server Company A QM Policy" mirrored=no srcmask=255.255.255.224 tunneldstaddress=1.1.1.1 kerberos=no psk=***

However, I still have no idea why ISA wasn't updating it automatically like it should. Perhaps a bug?
RE: Site-to-Site wrong subnet for IKE - 12.Jan.2007 4:25:50 PM
aswatogor
Posts: 14
Joined: 22.Nov.2002
From: toronto
Status: offline
Just curious, rebel: does ISA overwrite your custom policies the next time you apply changes? Does ISA play well with your policies?
RE: Site-to-Site wrong subnet for IKE - 12.Jan.2007 9:12:12 PM
rebelpeon
Posts: 13
Joined: 9.May2006
Status: offline
Honestly, I have no idea yet. I'm not only worried about that, but also about restarting the machine. I will test those two things next week and post a follow-up.
RE: Site-to-Site wrong subnet for IKE - 15.Jan.2007 3:03:19 PM
rebelpeon
Posts: 13
Joined: 9.May2006
Status: offline
Ugh. So editing the ISA configuration doesn't seem to affect the IPsec policies that I've manually added (thankfully). I specifically edited that rule too. However, a restart blows away my manually entered policies. Does anyone know how to make this persistent (other than running a script on startup)? There isn't a "persistent" switch on the command line. Otherwise, I think I'm going to have to talk to MS support.
RE: Site-to-Site wrong subnet for IKE - 16.Jan.2007 2:37:16 PM
aswatogor
Posts: 14
Joined: 22.Nov.2002
From: toronto
Status: offline
Can you post updates to this forum? I am having similar issues with IPSec policies. I'm finding problems with 2006 that I never had with 2004. I am hoping that manual IPSec policies will solve it. I will let you know how my tests go.

Thanks, Aaron
RE: Site-to-Site wrong subnet for IKE - 1.Jul.2007 9:53:23 AM
compumedic
Posts: 2
Joined: 1.Jul.2007
Status: offline
I am having a similar problem where a quick mode filter pair is automatically generated by ISA 2006 that my 3rd party firewall doesn't accept. LAN inside ISA firewall is 192.168.34.0 subnet and LAN inside 3rd party firewall is 192.168.27.0 subnet. For purposes of this post, let's say public IP on ISA external adapter is 71.71.71.71.

When I force tunnel up on 3rd party firewall, the tunnel is connected but within a minute or so drops. Cannot get tunnel to come up from ISA side. In quick mode message exchange, 3rd party firewall is rejecting tunnel creation because instead of correct subnets being presented back from ISA, ISA is presenting its public IP address 71.71.71.71 with 255.255.255.255 subnet mask instead of its LAN subnet of 192.168.34.0, with 255.255.255.0 mask. Using IP Security Monitor on ISA, I have confirmed in Generic Filters and Specific Filters that the public IP with remote 3rd party LAN subnet and its reverse pair are in the list ahead of and in addition to the ISA LAN - 3rd party LAN subnet filter pair. I have tried to remove the QM filter that seems to be incorrect with netsh but cannot seem to get this to work.

Wondering if this problem is related to other posts along these same lines and if there is a bug in the ISA 2006 automatic quick mode filter generation process? Is there a way to manually override ISA from creating QM filters to prevent creation of the incorrect QM filter pair? That would allow manual creation of a correct pair and hopefully provide a workaround to the QM negotiation problem.
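Added example (not code from this thread, from ISA Server or from Microsoft): a short Python model of the IPsec quick-mode filter selection that both rebelpeon's posts (the missing specific filter for 130.197.123.198 and the netsh rule that replaced it) and compumedic's post (the 71.71.71.71/32 selector the third-party firewall rejects) turn on. It assumes the driver applies the most specific matching filter (longest source plus destination prefix); it models the broad Internal filter for 10.254.64.0/19 with a constructed any-destination selector, since the thread does not show that filter's destination; it assumes the inbound rule of a tunnel pair names the local endpoint as tunneldstaddress; and PEER_EP and <PSK> are placeholders for values the posts do not give. Run against the thread's addresses it reproduces the Nortel log (traffic to .198 is offered under the 10.254.64.0/19 selector because no more specific filter matches), lists the missing filter pair, prints the two netsh lines for it, and for compumedic's case lists the local selectors the peer's remote-network definition has to cover, which per the configuration summary in the first post includes the ISA tunnel endpoint itself whenever proxy or NAT traffic is to cross the tunnel.

```python
# Added example (not code from the thread, ISA Server or Microsoft): a small
# model of how the Windows IPsec driver chooses a quick-mode (QM) specific
# filter for a packet, replayed against the addresses the posters gave.
# Assumptions: the most specific matching filter (longest source+destination
# prefixes) wins; the broad "Internal" filter for 10.254.64.0/19 is modelled
# with an any-destination selector (constructed, the thread does not show its
# destination); the inbound rule of a tunnel pair carries the LOCAL endpoint
# as tunneldstaddress; PEER_EP and <PSK> are placeholders.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Network = ipaddress.IPv4Network


def net(text: str) -> IPv4Network:
    return ipaddress.ip_network(text, strict=False)


@dataclass(frozen=True)
class QmFilter:
    src: IPv4Network   # local traffic selector ISA offers in QM
    dst: IPv4Network   # remote traffic selector
    tunnel_dst: str    # remote tunnel endpoint this filter belongs to

    def matches(self, s: ipaddress.IPv4Address, d: ipaddress.IPv4Address) -> bool:
        return s in self.src and d in self.dst

    @property
    def weight(self) -> int:
        # longer prefixes = more specific = higher filter weight
        return self.src.prefixlen + self.dst.prefixlen


def select_filter(filters: List[QmFilter], src_ip: str, dst_ip: str) -> Optional[QmFilter]:
    """Filter the driver would apply to src_ip -> dst_ip, or None if nothing matches."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [f for f in filters if f.matches(s, d)]
    return max(hits, key=lambda f: f.weight) if hits else None


def missing_specific_filters(filters: List[QmFilter], local: str,
                             remotes: List[str]) -> List[Tuple[IPv4Network, IPv4Network]]:
    """rebelpeon's IP Security Monitor check: each local/remote subnet pair of the
    site-to-site network needs its own outbound specific filter."""
    present = {(f.src, f.dst) for f in filters}
    return [(net(local), net(r)) for r in remotes if (net(local), net(r)) not in present]


def netsh_commands(local: str, remote: str, local_ep: str, remote_ep: str,
                   site: str) -> List[str]:
    """The two 'netsh ipsec dynamic add rule' lines (one per direction) for one
    pair, in the form rebelpeon posted. The dynamic context changes the driver's
    runtime state only, so these must be re-applied after a restart."""
    l, r = net(local), net(remote)
    tail = (f'mmpolicy="ISA Server {site} MM Policy" qmpolicy="ISA Server {site} QM Policy" '
            f"mirrored=no kerberos=no psk=<PSK>")
    outbound = (f"netsh ipsec dynamic add rule srcaddr={l.network_address} srcmask={l.netmask} "
                f"dstaddr={r.network_address} dstmask={r.netmask} tunneldstaddress={remote_ep} {tail}")
    inbound = (f"netsh ipsec dynamic add rule srcaddr={r.network_address} srcmask={r.netmask} "
               f"dstaddr={l.network_address} dstmask={l.netmask} tunneldstaddress={local_ep} {tail}")
    return [outbound, inbound]


def offered_local_selectors(filters: List[QmFilter], tunnel_dst: str) -> List[IPv4Network]:
    """compumedic's case: every local selector ISA can present for one tunnel,
    including the /32 for its own external IP that it adds for proxied/NAT traffic."""
    sel = {f.src for f in filters if f.tunnel_dst == tunnel_dst}
    return sorted(sel, key=lambda n: (int(n.network_address), n.prefixlen))


def peer_gaps(offered: List[IPv4Network], peer_remote_networks: List[str]) -> List[IPv4Network]:
    """Offered selectors the peer's remote-network list does not cover (the ones it rejects)."""
    accepted = [net(p) for p in peer_remote_networks]
    return [o for o in offered if not any(o.subnet_of(a) for a in accepted)]


# Constructed SPD for rebelpeon's ISA: specific filters exist for the three
# original remote hosts but not for the newly added 130.197.123.198/32.
RP_LOCAL, RP_LOCAL_EP, RP_REMOTE_EP = "10.254.95.192/27", "1.1.1.2", "1.1.1.1"
RP_REMOTES = ["1.1.1.1/32", "130.197.123.180/32", "130.197.123.198/32", "170.248.97.200/32"]
RP_FILTERS = [QmFilter(net(RP_LOCAL), net(r), RP_REMOTE_EP)
              for r in RP_REMOTES if r != "130.197.123.198/32"]
RP_FILTERS.append(QmFilter(net("10.254.64.0/19"), net("0.0.0.0/0"), RP_REMOTE_EP))  # constructed broad filter

# Constructed SPD for compumedic's ISA (third-party endpoint not given: placeholder).
CM_FILTERS = [
    QmFilter(net("71.71.71.71/32"), net("192.168.27.0/24"), "PEER_EP"),
    QmFilter(net("192.168.34.0/24"), net("192.168.27.0/24"), "PEER_EP"),
]

if __name__ == "__main__":
    for dst in ("130.197.123.180", "130.197.123.198"):
        f = select_filter(RP_FILTERS, "10.254.95.194", dst)
        print(f"10.254.95.194 -> {dst}: offers selector {f.src}")
    for local, remote in missing_specific_filters(RP_FILTERS, RP_LOCAL, RP_REMOTES):
        print("\n".join(netsh_commands(str(local), str(remote), RP_LOCAL_EP, RP_REMOTE_EP, "Company A")))
    offered = offered_local_selectors(CM_FILTERS, "PEER_EP")
    print("peer must accept:", offered, "gaps:", peer_gaps(offered, ["192.168.34.0/24"]))
```

Because netsh ipsec dynamic acts on the driver's runtime state rather than on a stored policy, rules added this way disappear on restart, which matches what rebelpeon reported; the lines netsh_commands emits are what a startup script would have to replay, and missing_specific_filters is the check to run after every ISA configuration change to confirm nothing was dropped.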