Welcome to ISAserver.org

cisco again...

All Forums >> [ISA Server 2004 General ] >> ISA 2004 SBS >> cisco again... Page: [1]
cisco again... - 23.Jan.2006 2:51:15 PM   
Cobos

 

Posts: 13
Joined: 29.Jan.2005
From: Belgium
Hi

This gives me nightmares. An SBS 2003 Premium network with ISA 2004, 4 clients. 2 of those 4 clients have to make a VPN connection to another network to get some business info. They have to use the Cisco client. So I started playing with ISA; every time they get disconnected after 10-15 minutes, no matter what I do...

Rules: Allow all to "IP of that VPN connection" from "Internal" to "External" for all users

then:
Allow IKE Client, IPsec ESP, IPsec NAT-T, port 10000 UDP send and receive, port 4500 UDP send and receive.

But still they get disconnected.

What i think is that they don't have Nat traversal enabled on their vpn servers. But can't find that out, that company just don't want to give support, unless for 25 /hour and just want to sell their site to site vpn solution. But that's not an option for my client.

This is what the Cisco client gives me:

13     14:28:23.305  01/23/06  Sev=Warning/3      IKE/0xE3000065
Could not find an IKE SA for 192.168.16.9.  KEY_REQ aborted.

14     14:28:23.305  01/23/06  Sev=Warning/2      IKE/0xE3000099
Failed to initiate P2 rekey: Error dectected (Initiate:176)

15     14:28:23.305  01/23/06  Sev=Warning/2      IKE/0xE3000099
Unable to initiate QM (IKE_MAIN:458)

Maybe somebody has experience with it?
Post #: 1
RE: cisco again... - 23.Jan.2006 7:52:26 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Hi Cobos,

did you already check out my article http://www.isaserver.org/articles/IPSec_Passthrough.html? Don't forget to read the related topics too, especially http://forums.isaserver.org/m_130199300/tm.htm for the Cisco stuff.

HTH,
Stefaan

(in reply to Cobos)
Post #: 2
RE: cisco again... - 23.Jan.2006 11:13:24 PM   
Cobos

 

Posts: 13
Joined: 29.Jan.2005
From: Belgium
Hi

Thanks for the reply. Yes, I read them all.

Thing is, they get connected, but after +/- 10 minutes they get disconnected.

Could it be that the VPN servers aren't NAT traversal enabled? That's the only thing I can think of.


(in reply to spouseele)
Post #: 3
RE: cisco again... - 23.Jan.2006 11:53:27 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Hi Cobos, 

you said that they get connected. Does that mean that the Main and Quick mode SAs are correctly set up (check the Cisco client log and status for that), and that they can effectively work for about 10 minutes?

If that's the case, it could not be a NAT-T problem, because the Main and Quick mode SAs wouldn't be established in the first place. With NAT-T you should see communications on UDP port 4500, or whatever UDP port the Cisco NAT-T is using. Also, every 20 seconds you should see a NAT-keepalive packet from the client to the VPN server.

HTH,
Stefaan

(in reply to Cobos)
Post #: 4
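The check described in the post above (NAT-T shows up as traffic on UDP 4500, and the client sends a NAT-keepalive every 20 seconds) can be done mechanically on a packet capture. The following is an added example, not code from the original thread or from Cisco or Microsoft. It classifies packets by the wire formats of RFC 3947/3948 (the published versions of the NAT-T draft cited later in this thread): IKE on UDP/500, IKE on UDP/4500 prefixed with a four-byte zero "non-ESP marker", ESP-in-UDP on UDP/4500 (non-zero SPI first), the one-byte 0xFF NAT-keepalive, and plain ESP (IP protocol 50). UDP/10000 is treated as Cisco's vendor-specific "IPsec over UDP" without decoding it; that mapping, the packet record layout and the sample capture are all assumptions constructed for the example.

```python
# Added example (not from the original thread): classify IPsec/NAT-T packets
# between a VPN client and server and check the NAT-keepalive cadence.
#   UDP/500   raw ISAKMP header                     -> "ike"
#   UDP/4500  4 zero bytes (non-ESP marker) + ISAKMP -> "natt-ike"
#   UDP/4500  ESP header, non-zero 4-byte SPI        -> "natt-esp"
#   UDP/4500  single 0xFF byte                       -> "natt-keepalive"
#   IP proto 50                                      -> "esp"
#   UDP/10000 Cisco "IPsec over UDP"; payload not decoded (assumption) -> "cisco-udp"
from dataclasses import dataclass
from typing import Dict, List, Tuple

ESP_PROTO, UDP_PROTO = 50, 17
IKE_PORT, NATT_PORT, CISCO_UDP_PORT = 500, 4500, 10000
KEEPALIVE_INTERVAL = 20.0  # seconds, as stated in the thread


@dataclass
class Packet:
    ts: float        # seconds since start of capture
    proto: int       # IP protocol number
    sport: int
    dport: int
    payload: bytes   # UDP payload (empty for plain ESP)


def classify(pkt: Packet) -> str:
    """Name the IPsec/NAT-T role of one packet; 'other' if none applies."""
    if pkt.proto == ESP_PROTO:
        return "esp"
    if pkt.proto != UDP_PROTO:
        return "other"
    ports = {pkt.sport, pkt.dport}   # either side may use the well-known port
    if IKE_PORT in ports:
        return "ike"
    if CISCO_UDP_PORT in ports:
        return "cisco-udp"
    if NATT_PORT in ports:
        p = pkt.payload
        if p == b"\xff":
            return "natt-keepalive"
        if len(p) >= 4 and p[:4] == b"\x00\x00\x00\x00":
            return "natt-ike"
        if len(p) >= 8:              # SPI (4) + sequence number (4) at minimum
            return "natt-esp"
        return "natt-unknown"
    return "other"


def summarize(packets: List[Packet]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for pkt in packets:
        kind = classify(pkt)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def natt_in_use(packets: List[Packet]) -> bool:
    """True once IKE has floated to UDP/4500 or ESP is UDP-encapsulated."""
    c = summarize(packets)
    return c.get("natt-ike", 0) > 0 or c.get("natt-esp", 0) > 0


def keepalive_gaps(packets: List[Packet], tolerance: float = 2.0) -> Tuple[List[float], List[float]]:
    """Return (gaps between consecutive keepalives, gaps longer than 20 s + tolerance)."""
    ts = sorted(p.ts for p in packets if classify(p) == "natt-keepalive")
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    late = [g for g in gaps if g > KEEPALIVE_INTERVAL + tolerance]
    return gaps, late


def isakmp_header(exchange_type: int, length: int = 28) -> bytes:
    """Constructed 28-byte ISAKMP header: I-SPI, R-SPI, next payload, version 1.0,
    exchange type (2 = Main Mode, 32 = Quick Mode), flags, message id, length."""
    return (b"\x11" * 8 + b"\x22" * 8
            + bytes([0x01, 0x10, exchange_type, 0x00])
            + b"\x00\x00\x00\x00" + length.to_bytes(4, "big"))


# Hand-constructed capture (not real traffic): Main Mode on 500, float to 4500
# for Quick Mode, one ESP-in-UDP data packet, then keepalives. The last keepalive
# comes 45 s after the previous one, the kind of gap that lets a NAT mapping expire.
SAMPLE = [
    Packet(0.0, UDP_PROTO, IKE_PORT, IKE_PORT, isakmp_header(2)),
    Packet(0.1, UDP_PROTO, IKE_PORT, IKE_PORT, isakmp_header(2)),
    Packet(1.0, UDP_PROTO, NATT_PORT, NATT_PORT, b"\x00" * 4 + isakmp_header(32)),
    Packet(1.1, UDP_PROTO, NATT_PORT, NATT_PORT, b"\x00" * 4 + isakmp_header(32)),
    Packet(2.0, UDP_PROTO, NATT_PORT, NATT_PORT, b"\x12\x34\x56\x78" + b"\x00\x00\x00\x01" + b"\xaa" * 32),
    Packet(20.0, UDP_PROTO, NATT_PORT, NATT_PORT, b"\xff"),
    Packet(40.0, UDP_PROTO, NATT_PORT, NATT_PORT, b"\xff"),
    Packet(60.0, UDP_PROTO, NATT_PORT, NATT_PORT, b"\xff"),
    Packet(105.0, UDP_PROTO, NATT_PORT, NATT_PORT, b"\xff"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print("NAT-T negotiated:", natt_in_use(SAMPLE))
    print("keepalive gaps / late:", keepalive_gaps(SAMPLE))
```

On a real capture, feed the classifier the protocol, ports and UDP payload of each packet taken from the capture tool of your choice; if `natt_in_use` stays false while Main and Quick mode complete on UDP/500 and ESP flows as IP protocol 50, the peers did not negotiate NAT-T at all, and a firewall that only passes UDP/4500 will not help.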
RE: cisco again... - 24.Jan.2006 12:26:06 PM   
Cobos

 

Posts: 13
Joined: 29.Jan.2005
From: Belgium
Hi

Got in touch with the VPN administrator and he said that the option NAT-T isn't enabled.

So I mailed him and asked if he could turn this on; I hope he does. Otherwise it's my word against his...

They can work perfectly for 10 minutes. Every x time I see some traffic on port 4500.

Going to wait now until I have an answer...

Oh... just received a mail: they have to check for any security problems that it could give and what the impact would be...

Can anybody give me a pointer so I can see for myself, and when they contact me I know what to talk about?

Thanks for everything; going to post the results here.

(in reply to spouseele)
Post #: 5
RE: cisco again... - 24.Jan.2006 8:59:11 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Hi Cobos, 

for the full security considerations in using NAT-T, check out http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-07.txt, section '8. Security Considerations'. The major difference is of course that you can't use IP addresses for authentication purposes, because NAT always breaks that. Personally I don't find this a real problem, because authentication on the basis of IP addresses is a bad security practice in any case!

Now, you said "Otherwise it's my word against his...". I don't understand that! Whether NAT-T is negotiated or not, and whether the VPN connection is effectively established, you can see that in the Cisco logging and the status screen at the client! So it sounds like you never checked that out!

HTH,
Stefaan

(in reply to Cobos)
Post #: 6
RE: cisco again... - 30.Jan.2006 3:47:39 PM   
Cobos

 

Posts: 13
Joined: 29.Jan.2005
From: Belgium
Hi

Friday everything worked fine with NAT-T off.

Now I get a mail from that company that all the other customers who have a site-to-site connection couldn't connect anymore.

So they're going to turn it off again. I mean, come on, that's forcing somebody to use something they want.

I can't really believe it, but hey, how to begin the discussion, right?

(in reply to spouseele)
Post #: 7
