Troubleshooting VPN Access Between ISA 2006 and Netopia Router

Troubleshooting VPN Access Between ISA 2006 and Netopia ... - 29.Jun.2008 5:56:14 PM
bhavin78

 

I am trying to make a VPN connection (IPSec) between ISA 2006 and a Netopia router. Please check the logs below and let me know how to fix the VPN connection problem.

Here's the error from error log:
Event ID 541 IKE security association established
Event ID 547 IKE security association negotiation failed.
 
IKE security association negotiation failed.
Mode:
Data Protection Mode (Quick Mode)
Filter:
Source IP Address 192.168.100.0
Source IP Address Mask 255.255.255.0
Destination IP Address xxx.x.214.4
Destination IP Address Mask 255.255.255.252
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr xx.xx.1.130
IKE Peer Addr xx.xx.85.182
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr
Peer Identity:
Preshared key ID.
Peer IP Address: xx.xx.85.182
Failure Point:
Me
 Failure Reason:
Failed to obtain new SPI for the inbound SA from Ipsec driver.  The most common cause for this is that the driver does not have the correct filter.  Check your policy to verify the filters.
Extra Status:
Processed third (ID) payload
Initiator(Internal).  Delta Time 3
0x0 0x0
Failure Reason:
No policy configured
 Failure Reason:
IKE SA deleted before establishment completed

Oakley Logs
6-29: 17:52:08:148:f20 Receive: (get) SA = 0x0245f0e0 from xx.xx.85.182.500
6-29: 17:52:08:148:f20 ISAKMP Header: (V1.0), len = 156
6-29: 17:52:08:148:f20   I-COOKIE ddeda93c615b1c63
6-29: 17:52:08:148:f20   R-COOKIE 125ae345bb965bbb
6-29: 17:52:08:148:f20   exchange: Oakley Quick Mode
6-29: 17:52:08:148:f20   flags: 1 ( encrypted )
6-29: 17:52:08:148:f20   next payload: HASH
6-29: 17:52:08:148:f20   message ID: 2dd43ec9
6-29: 17:52:08:148:f20 Dropping Centry processing because SA status set.  SA 0245F0E0 Centry 01A7ADA8 Status 3601
Post #: 1
RE: Troubleshooting VPN Access Between ISA 2006 and Neto... - 21.Oct.2008 10:08:49 AM
DatDamnZotz

 

bhavin78,
 
I had the same issue.  Phase one completes and phase 2 never establishes.
 
I have a Netopia 3347-02 with the standard Qwest firmware, using the defaults:
 
How I figured it out was looking at the oaklog and seeing it was requesting both a time and size.
 
 
In ISA Phase I:
 
Encrypt: 3DES
Integrity: sha1
DH Group 2
New key every: 28000
 
Phase II:
Encrypt: 3DES
Integrity: sha1
Gen key every: 1200000 kb
Gen key every: 28798 seconds
Checked Use perfect secrecy PFS: Group 2
 
In your case Phase 1 is never completing; check your Encryption, Integrity, DH and seconds.
 
I had to reset my Netopia back to defaults, and change ISA to match.
 

(in reply to bhavin78)
Post #: 2
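
An added example (not part of either post, and not Microsoft's tooling): a small Python triage of Oakley log lines in the format quoted in the first post, reporting which IKE phase each dropped exchange belonged to. The sample input is constructed from those quoted lines; reading the last prefix field as a thread ID and pairing a drop with the latest packet received on the same SA handle are assumptions.

```python
import re

# Constructed sample: the Oakley log lines quoted in the first post (addresses masked as posted).
SAMPLE = """\
6-29: 17:52:08:148:f20 Receive: (get) SA = 0x0245f0e0 from xx.xx.85.182.500
6-29: 17:52:08:148:f20 ISAKMP Header: (V1.0), len = 156
6-29: 17:52:08:148:f20   I-COOKIE ddeda93c615b1c63
6-29: 17:52:08:148:f20   R-COOKIE 125ae345bb965bbb
6-29: 17:52:08:148:f20   exchange: Oakley Quick Mode
6-29: 17:52:08:148:f20   flags: 1 ( encrypted )
6-29: 17:52:08:148:f20   next payload: HASH
6-29: 17:52:08:148:f20   message ID: 2dd43ec9
6-29: 17:52:08:148:f20 Dropping Centry processing because SA status set.  SA 0245F0E0 Centry 01A7ADA8 Status 3601
"""

# Prefix is "M-DD: HH:MM:SS:mmm:<hex>"; reading <hex> as a thread ID is an assumption.
# \d* tolerates a date whose first digit was lost when the log was pasted.
LINE = re.compile(r"^\d*-\d+: [\d:]+:([0-9a-f]+) (.*)$")
RECV = re.compile(r"^Receive: .*SA = 0x([0-9a-fA-F]+) from (\S+)")
FIELD = re.compile(r"^\s+(I-COOKIE|R-COOKIE|exchange:|message ID:) *(.+)$")
DROP = re.compile(r"^Dropping .*SA ([0-9A-Fa-f]+) .*Status (\d+)")
# IKEv1: Main Mode negotiates the Phase 1 (IKE) SA, Quick Mode the Phase 2 (IPsec) SAs.
PHASE = {"Oakley Main Mode": "Phase 1", "Oakley Quick Mode": "Phase 2"}

def parse(text):
    """Return one dict per received ISAKMP packet, with any drop status attached."""
    packets, by_sa = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        msg = m.group(2)
        if r := RECV.match(msg):
            pkt = {"sa": int(r.group(1), 16), "peer": r.group(2), "thread": m.group(1)}
            packets.append(pkt)
            by_sa[pkt["sa"]] = pkt          # latest packet seen on this SA handle
        elif (f := FIELD.match(msg)) and packets:
            packets[-1][f.group(1).rstrip(":")] = f.group(2).strip()
        elif d := DROP.match(msg):
            pkt = by_sa.get(int(d.group(1), 16))   # handles differ only in case and 0x
            if pkt:
                pkt["drop_status"] = d.group(2)
    return packets

def triage(text):
    """List (phase, message ID, peer, status) for every dropped exchange."""
    return [(PHASE.get(p.get("exchange"), "unknown"), p.get("message ID"),
             p["peer"], p["drop_status"]) for p in parse(text) if "drop_status" in p]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```
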
RE: Troubleshooting VPN Access Between ISA 2006 and Neto... - 21.Oct.2008 10:52:59 AM
bhavin78

 

Thanks for the reply. I will look into what you suggested.

(in reply to DatDamnZotz)
Post #: 3
