Site to Site IPSEC - ISA to IOS
Site to Site IPSEC - ISA to IOS - 30.Oct.2005 9:38:00 AM
Guest
Hi everyone,
After a late night, I've finally got Cisco IOS talking to ISA 2004. I've labbed it on 2 servers. With the first server I didn't have too many issues. The 2nd server (production) seems to have a weird issue.
When I ping from the ISA 2004 to the remote subnet, the packet source is "local host" but uses the ISA external IP and gets dropped by the VPN.
In the DOS window, in the ping bit, it says "negotiating IP security", but all the pings time out. Can anyone explain how to force the source IP of the packets for VPN traffic?
Cheers Peter
RE: Site to Site IPSEC - ISA to IOS - 30.Oct.2005 12:43:00 PM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
You can't control the source IP, unfortunately. You'll have to add ISA's external IP into the crypto ACL on the other device.
RE: Site to Site IPSEC - ISA to IOS - 30.Oct.2005 8:51:00 PM
Guest
ClintD, this doesn't sound right? I've never seen configs with the crypto peer included in the ACL?
The whole problem seems weird, ISA monitoring shows the outgoing ping as "LOCAL host to IPSecTunnel" - so that bit looks ok.
Strangely when this packet goes out the cisco end doesn't like it arriving with the wrong IP and the tunnel appears to be torn down.
On both servers that I tested I found that after 5 mins or so the IOS-ISA tunnel would die and not always come back up. I'm hoping the registry fix to adjust the timeout fixes this. Both ends are configured for 3600 secs for rekeying phase II, but the ISA end seems to prematurely want to rekey.
Cheers Peter.
RE: Site to Site IPSEC - ISA to IOS - 31.Oct.2005 12:05:00 AM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
You're right about it being weird to add the ISA external IP into the CryptoACL, but the problem is that when PINGing the remote subnet, Windows checks the routing table and since it doesn't have a route for this network, it uses its default route, but since the default route is using the external NIC, Windows uses that NIC as the source IP of the traffic. This only occurs when traffic is sourced from ISA.
ISA automatically builds a Quick Mode filter for ISA to Remote Site and another for Remote Site to ISA. The problem is that the IOS probably doesn't have a match for this Quick Mode offer and QM fails to complete. Adding ISA's external IP into the ACL allows QM to find a match and complete.
I'll readily admit I'm not a pro with Cisco and the way to configure the crypto ACLs, but I'll give you a little history as to why I think it's true and necessary.
Once upon a time, I worked in MS PSS and authored most of the IPSec Tunnel Mode interoperability guides up on http://www.microsoft.com/isaserver/techinfo/guidance/2004/vpn.mspx. When I was creating the ISA to PIX guide, I had this same problem - communicating from ISA to the remote subnet. I had just bought my baby PIX 501 for learning and bought a support contract with it. I opened up a case with Cisco TAC and they told me that adding the ISA external IP was necessary in this scenario - I've heard of bad experiences with TAC before, but my guy was pretty sharp, or at least sharper than me, which isn't saying much.
Err...anyways, once he gave me the commands to enter (these are seen at the bottom of the PIX-ISA guide at http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/ipsecvpn.mspx), then traffic from ISA worked correctly.
Take all of this with a grain of salt, but this is how it went down.
Of particular note, this will also be necessary for HTTP traffic going across the tunnel, like to an internet web server on the far side of the tunnel. What happens is that when the client sends its HTTP request, it gets processed by the Web Proxy component of ISA - ISA is now the originator of the traffic (it's a proxy) and therefore sources the HTTP traffic from its external interface.
As for the 5 minutes, it sounds like the Windows IPSec reaper process is kicking in: Windows IPSec deletes any unused SAs every 5 minutes via the reaper. Since the traffic isn't going through the tunnel, Windows tears it down. As for it not coming back up, I don't have an immediate answer for that, but there might be some "hold down" process that I'm unaware of.
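As an added illustration of ClintD's explanation (not code from the thread, from ISA or from Cisco), this Python model checks the Quick Mode selectors ISA offers against a PIX-style crypto ACL, before and after the host entry for ISA's external IP. All addresses are constructed, and the "covered when mirrored" test is an approximation of how the Cisco side matches a QM proposal.

```python
import ipaddress

# Constructed topology, not the thread's real addresses: the ISA 2004 Internal
# network, the ISA host's external IP, and the LAN behind the Cisco (IOS/PIX).
ISA_INTERNAL = ipaddress.ip_network("172.25.10.0/24")
ISA_EXTERNAL = ipaddress.ip_address("192.168.55.100")
CISCO_LAN = ipaddress.ip_network("172.25.3.0/24")


def parse_crypto_acl(lines):
    """Parse 'permit ip <src> <dst>' entries in PIX subnet-mask syntax (A.B.C.D
    M.M.M.M or 'host X'); source is the Cisco-local range, destination the ISA side."""
    entries = []
    for line in lines:
        tok = line.split()
        if "permit" not in tok or tok[tok.index("permit") + 1:][:1] != ["ip"]:
            continue
        i, nets = tok.index("permit") + 2, []
        while i < len(tok):
            if tok[i] == "host":
                nets.append(ipaddress.ip_network(tok[i + 1] + "/32"))
            else:
                nets.append(ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False))
            i += 2
        entries.append((nets[0], nets[1]))
    return entries


def isa_quick_mode_selectors():
    """QM filters ISA offers: Internal<->Remote, plus ExternalHost<->Remote for
    packets the ISA host itself originates (ping, Web Proxy); those leave with
    the external IP as source because the default route points out that NIC."""
    ext_host = ipaddress.ip_network(f"{ISA_EXTERNAL}/32")
    return [(ISA_INTERNAL, CISCO_LAN), (ext_host, CISCO_LAN)]


def unmatched_selectors(acl_lines):
    """ISA selectors that no crypto ACL entry covers when mirrored (Cisco src must
    contain ISA's dst, Cisco dst must contain ISA's src). Each fails Quick Mode."""
    acl = parse_crypto_acl(acl_lines)
    return [(src, dst) for src, dst in isa_quick_mode_selectors()
            if not any(dst.subnet_of(a_src) and src.subnet_of(a_dst)
                       for a_src, a_dst in acl)]


# Crypto ACL as the guide shows it, then with the host entry for ISA's external IP.
ACL_BEFORE = ["access-list outside_cryptomap_20 permit ip "
              "172.25.3.0 255.255.255.0 172.25.10.0 255.255.255.0"]
ACL_AFTER = ACL_BEFORE + ["access-list outside_cryptomap_20 permit ip "
                          "172.25.3.0 255.255.255.0 host 192.168.55.100"]
```

With ACL_BEFORE the ExternalHost<->LAN selector is left unmatched, which is the ping and Web Proxy case the thread describes; with ACL_AFTER every selector finds an entry.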
RE: Site to Site IPSEC - ISA to IOS - 31.Oct.2005 6:26:00 AM
Guest
Thanks for your help Clint. I did what you said and added the external IP of the ISA box to my ACL that matches the remote subnet. This works fine. I was concerned about my NAT rules conflicting.
E.g. before the tunnel is up, I guessed that traffic FROM the Cisco internal interface would need to be NATted to get to the ISA external interface. However I've now realised, since the ISA ext IP is part of the crypto set, the router uses its external IP to bring the tunnel up. Tracerts to the ISA ext IP show only 2 hops.
I guess now I can't have any traffic to that ISA server site that doesn't go down the IPsec tunnel. Hopefully IPsec will be stable enough not to need unencrypted plain internet to the EXT ISA IP.
I checked that doco you provided but the crypto ACLs didn't seem to have the 192.168.55.100 which I thought is the remote peer?
access-list inside_outbound_nat0_acl line 1 permit ip 172.25.3.0 255.255.255.0 172.25.10.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.25.3.0 255.255.255.0 172.25.10.0 255.255.255.0
Thanks again for your help.
RE: Site to Site IPSEC - ISA to IOS - 31.Oct.2005 6:56:00 AM
Guest
SA idle timeout info
More details here: http://support.microsoft.com/default.aspx?scid=kb;en-us;257225
The settings for the IPsec driver are located in the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec
You can modify the values of the following entries:
SAIdleTime
This REG_DWORD entry configures the Security Association Idle Timer. The default value is 300 seconds. You can specify a value of 300 to 3600 seconds.
RE: Site to Site IPSEC - ISA to IOS - 31.Oct.2005 8:46:00 AM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Ugh... you're right. Now that I re-read the article and check my topology diagram, I think I left those commands out of the doc. Crikey...
It's too late now to correct it - it was hard enough getting an edit done when I worked there - I can't imagine how long it would take now that I've moved on from there.
RE: Site to Site IPSEC - ISA to IOS - 2.Jan.2006 11:19:09 AM
mustafa
Posts: 9
Joined: 21.Nov.2003
Hi, in my case everything went right at first, then the tunnel started to behave in a strange way: it is trying to establish the SA with a different subnet mask than what is included in the allowed network, which causes the tunnel to drop. Please see the event below from the ISA server.
Event ID: 547
IKE security association negotiation failed.
Mode: Data Protection Mode (Quick Mode)
Filter:
Source IP Address 192.168.6.0
Source IP Address Mask 255.255.254.0
Destination IP Address 192.168.13.0
Destination IP Address Mask 255.255.255.0
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr <my isa external IP>
IKE Peer Addr <my router (cisco 2811) external IP>
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr
Peer Identity: Preshared key ID.
Peer IP Address: <my router (cisco 2811) external IP>
Failure Point: Me
Failure Reason: IKE SA deleted before establishment completed
Extra Status: Processed third (ID) payload Initiator.
Delta Time 63
0x0 0x0
For more information, see Help and Support Center at
As you can see, the Source IP Address Mask is 255.255.254.0, which should be 255.255.255.0. Please help.
RE: Site to Site IPSEC - ISA to IOS - 2.Jan.2006 8:58:47 PM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
What are the addresses in the Internal Network object? ISA builds its Filter List based directly off of the addresses in this Network.
RE: Site to Site IPSEC - ISA to IOS - 3.Jan.2006 2:23:27 PM
mustafa
Posts: 9
Joined: 21.Nov.2003
The addresses are 192.168.0.0/24 and 192.168.6.0/24. I checked my internal network setting and it is correct.
RE: Site to Site IPSEC - ISA to IOS - 3.Jan.2006 3:14:03 PM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Can you run a 'c:\netsh ipsec dynamic show qmfilter all' and post the results?
RE: Site to Site IPSEC - ISA to IOS - 9.Jan.2006 12:55:02 PM
aeropostale
Posts: 65
Joined: 19.Jul.2005
From: Lake of Zurich, Switzerland
Hi all, I had the same issue with IPsec stuff; the netmask was wrong. The reason was that it takes the wrong subnet mask when in the remote management (ISA System Policy) a subnet exists with, for example, 172.16.0.0/16; then the Networks in ISA get in trouble. Verify that the settings in the remote management are correct. Aero P.
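An added check, not from the thread or from ISA, that reads an Event ID 547 message like mustafa's and compares the offered source selector with the configured Internal network ranges, which is the comparison ClintD's 'netsh ipsec dynamic show qmfilter all' request and aeropostale's note are driving at. The event text is a constructed copy of the posted one with placeholder (RFC 5737) peer addresses.

```python
import ipaddress
import re

# Constructed Event ID 547 text modelled on the one posted in the thread; the IKE
# peer addresses are RFC 5737 documentation addresses, not real ones.
EVENT_547 = (
    "IKE security association negotiation failed. Mode: Data Protection Mode "
    "(Quick Mode) Filter: Source IP Address 192.168.6.0 Source IP Address Mask "
    "255.255.254.0 Destination IP Address 192.168.13.0 Destination IP Address "
    "Mask 255.255.255.0 Protocol 0 Source Port 0 Destination Port 0 IKE Local "
    "Addr 203.0.113.10 IKE Peer Addr 198.51.100.7 IKE Source Port 500 "
    "Failure Reason: IKE SA deleted before establishment completed"
)
# The Internal network ranges as configured on ISA (from the thread).
INTERNAL_NETWORKS = [ipaddress.ip_network("192.168.0.0/24"),
                     ipaddress.ip_network("192.168.6.0/24")]

FIELD = re.compile(r"(Source|Destination) IP Address( Mask)? (\d+(?:\.\d+){3})")


def parse_qm_filter(text):
    """Return (src_net, dst_net) of the Quick Mode selector named in the event."""
    f = {m.group(1).lower() + ("_mask" if m.group(2) else ""): m.group(3)
         for m in FIELD.finditer(text)}
    src = ipaddress.ip_network(f"{f['source']}/{f['source_mask']}", strict=False)
    dst = ipaddress.ip_network(f"{f['destination']}/{f['destination_mask']}", strict=False)
    return src, dst


def check_event(text, internal_networks):
    """Explain why the offered selector will not match a crypto ACL built from
    the Internal network ranges; an empty list means the selector looks right."""
    src, _dst = parse_qm_filter(text)
    if src in internal_networks:
        return []
    wider = [str(n) for n in internal_networks if n.subnet_of(src)]
    if wider:
        # A supernet of a configured range points at some other address range ISA
        # treats as local (e.g. a Remote Management computer set) being merged in.
        return [f"source {src} is wider than configured {', '.join(wider)}; "
                "check other address ranges ISA treats as local"]
    return [f"source {src} matches none of the Internal network ranges"]
```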
RE: Site to Site IPSEC - ISA to IOS - 24.Jan.2006 3:16:18 AM
danek
Posts: 1
Joined: 22.Aug.2005
quote:
ORIGINAL: Guest
Thanks for your help Clint. I did what you said and added the external IP of the ISA box to my ACL that matches the remote subnet. This works fine. I was concerned about my NAT rules conflicting. E.g. before the tunnel is up, I guessed that traffic FROM the Cisco internal interface would need to be NATted to get to the ISA external interface. However I've now realised, since the ISA ext IP is part of the crypto set, the router uses its external IP to bring the tunnel up. Tracerts to the ISA ext IP show only 2 hops. I guess now I can't have any traffic to that ISA server site that doesn't go down the IPsec tunnel. Hopefully IPsec will be stable enough not to need unencrypted plain internet to the EXT ISA IP. I checked that doco you provided but the crypto ACLs didn't seem to have the 192.168.55.100 which I thought is the remote peer?
access-list inside_outbound_nat0_acl line 1 permit ip 172.25.3.0 255.255.255.0 172.25.10.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.25.3.0 255.255.255.0 172.25.10.0 255.255.255.0
Thanks again for your help.
Hello. Can you post your Cisco config ("sh run")? I want to build site to site ISA 2004 and Cisco, but have a problem with IPsec on Cisco. Pleeeeease.