Strange ESP frame - NATed? - resolved

Strange ESP frame - NATed? - resolved - 11.Dec.2007 4:02:34 PM   
test541
I'm trying to build a site-to-site IPsec pre-shared-key tunnel between a Cisco router and ISA 2006 Std.
The external ISA interface is connected to an Ethernet segment with the Cisco router and a hardware firewall to the internet. The external interface has two IP addresses: a "normal" one for most of the traffic/publications and a secondary one for the VPN tunnel.
I've defined a tunnel to the remote site behind the Cisco in the ISA console. Everything created by the wizard looks good; there's also a rule for routing to the remote site (3rd network rule), and the 5th rule is the "normal" NAT from the LAN internal network.

When the IPsec negotiation starts to create the tunnel, the first ISAKMP packets are exchanged with the Cisco - that is OK. But after that, when the negotiation uses ESP packets, there is a problem. Every ESP frame sent to the Cisco is addressed, at OSI layer 2, to the MAC address of the external gateway. The IP address in the packet is correct - the Cisco router IP - but the MAC is the internet gateway's.
It looks like ISA does NAT on the ESP packets instead of routing them.
In oakley.log I can see a negotiation timeout - not strange when the ESP packets are lost for the Cisco remote end.

Even if the routing tunnel rule is in second place (first is local host to protected networks - the default rule), it does not help.
In the rule, the source and destination are both the remote site network and the internal network.

**************************
Resolved by adding static routes for the remote network in the ISA routing table.
It's strange that I had to modify the routing table - when ISA knows the IP it should build the frame based on IP addressing from the connected network and then look into the routing table.

< Message edited by test541 -- 12.Dec.2007 6:54:08 AM >
Post #: 1
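To illustrate the routing side of the resolution above, here is an added example (not from this thread, and not ISA's own code) that models a longest-prefix-match route lookup followed by the ARP step that picks the Ethernet frame's destination MAC. All addresses, the ARP cache and the route tables are constructed placeholders; it shows how, without a route for the remote network, traffic to it is handed to the default gateway's MAC, and how a static route via the Cisco changes that.

```python
import ipaddress

# Constructed sample addressing (documentation ranges, not the thread's real values):
# external segment 203.0.113.0/24, internet gateway (PIX) .1, Cisco router .2;
# the remote site behind the Cisco is 10.20.0.0/16.
ARP_TABLE = {                           # hypothetical ARP cache of the ISA external NIC
    "203.0.113.1": "00:00:5e:00:53:01",  # internet gateway
    "203.0.113.2": "00:00:5e:00:53:02",  # Cisco VPN peer
}

BASE_ROUTES = [                          # what the ISA box had before the fix
    ("0.0.0.0/0", "203.0.113.1"),        # default route via the internet gateway
    ("203.0.113.0/24", "on-link"),       # connected external segment
    ("192.168.1.0/24", "on-link"),       # connected internal LAN
]
STATIC_ROUTE = ("10.20.0.0/16", "203.0.113.2")  # the fix: remote net via the Cisco


def select_route(routes, dst):
    """Longest-prefix match: return (network, next_hop) for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best


def next_hop(routes, dst):
    """IP the packet is handed to: the destination itself if on-link, else the gateway."""
    match = select_route(routes, dst)
    if match is None:
        return None
    _net, gateway = match
    return dst if gateway == "on-link" else gateway


def frame_dst_mac(routes, dst, arp=ARP_TABLE):
    """Destination MAC of the Ethernet frame, after ARP resolution of the next hop."""
    hop = next_hop(routes, dst)
    return arp.get(hop) if hop else None


if __name__ == "__main__":
    remote_host = "10.20.5.7"  # a host on the remote site behind the Cisco
    fixed = BASE_ROUTES + [STATIC_ROUTE]
    print("before fix:", next_hop(BASE_ROUTES, remote_host), frame_dst_mac(BASE_ROUTES, remote_host))
    print("after fix: ", next_hop(fixed, remote_host), frame_dst_mac(fixed, remote_host))
```

Before the static route, the only match for the remote network is the default route, so the frame goes to the internet gateway's MAC; with it, the frame goes to the Cisco's MAC.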
RE: Strange ESP frame - NATed? - resolved - 12.Dec.2007 11:16:23 AM   
test541
After moving the Cisco router to public addressing (in front of the external gateway), the VPN tunnel can be established only from the ISA side.
When the Cisco tries to establish the tunnel it fails; communication is done on UDP port 4500 because the external gateway (PIX) does static translation.
All ACLs on the PIX are OK, also the "nat traversal" command and "isakmp enable".
Oakley.log says "negotiation timeout".
Debug on the Cisco (isakmp and ipsec) did not help me :-(

What to check next?

(in reply to test541)
Post #: 2