ElPolloDiablo -> Problem with ISA/Netscreen site-to-site (29.May2006 10:52:36 AM)
Hi, I must establish a site-to-site VPN between one of my subnets in a DMZ and a remote 3rd party subnet. On my side I use an ISA 2004 SP2 server; on the 3rd party site there's a Netscreen firewall that I don't control at all.

Remote LAN (in one DMZ among many I suppose) : 10.1.0.0/24
|
Netscreen LAN
|
Netscreen WAN : 3rd party public IP
|
|
ISA 2004 WAN : my public IP
|
|____________________________________________________________________
|                                    |                        |
ISA 2004 "internal" : 10.2.0.0/24    DMZ1 : 192.168.1.0/24    DMZ2 : 192.168.2.0/24

In this case DMZ2 is the subnet that I must connect to the subnet behind the remote Netscreen; DMZ1 is used with another site-to-site VPN to a Cisco Pix (and a 172.x.x.x subnet) that works just fine.

The problem is I can't even complete phase 1. We've checked both sides' parameters a dozen times and we can't find the source of the problem, and I don't know the first thing about Netscreen firewalls, and neither does the 3rd party about ISA 2004, which surely doesn't help.

On my end the oakley.log gives this:

5-29: 09:59:07:939:36c Receive: (get) SA = 0x00000000 from remote_public_ip.500
5-29: 09:59:07:939:36c ISAKMP Header: (V1.0), len = 156
5-29: 09:59:07:939:36c I-COOKIE 0271ef181ae341cd
5-29: 09:59:07:939:36c R-COOKIE 0000000000000000
5-29: 09:59:07:939:36c exchange: Oakley Main Mode
5-29: 09:59:07:939:36c flags: 0
5-29: 09:59:07:939:36c next payload: SA
5-29: 09:59:07:939:36c message ID: 00000000
5-29: 09:59:07:939:36c Filter to match: Src remote_public_ip Dst my_public_ip
5-29: 09:59:07:939:36c MM PolicyName: ISA Server 3rd party VPN MM Policy
5-29: 09:59:07:939:36c MMPolicy dwFlags 0 SoftSAExpireTime 28800
5-29: 09:59:07:939:36c MMOffer[0] LifetimeSec 28800 QMLimit 0 DHGroup 2
5-29: 09:59:07:939:36c MMOffer[0] Encrypt: Triple DES CBC Hash: SHA
5-29: 09:59:07:939:36c Auth[0]:PresharedKey KeyLen 48
5-29: 09:59:07:939:36c Responding with new SA 100958
5-29: 09:59:07:939:36c processing payload SA
5-29: 09:59:07:939:36c Received Phase 1 Transform 1
5-29: 09:59:07:939:36c Encryption Alg Triple DES CBC(5)
5-29: 09:59:07:939:36c Hash Alg SHA(2)
5-29: 09:59:07:939:36c Oakley Group 2
5-29: 09:59:07:939:36c Auth Method Clé pré-partagée(1)
5-29: 09:59:07:939:36c Life type in Seconds
5-29: 09:59:07:939:36c Life duration of 28800
5-29: 09:59:07:939:36c Phase 1 SA accepted: transform=1
5-29: 09:59:07:952:36c SA - Oakley proposal accepted
5-29: 09:59:07:952:36c processing payload VENDOR ID
5-29: 09:59:07:952:36c processing payload VENDOR ID
5-29: 09:59:07:952:36c processing payload VENDOR ID
5-29: 09:59:07:952:36c ClearFragList
5-29: 09:59:07:952:36c constructing ISAKMP Header
5-29: 09:59:07:952:36c constructing SA (ISAKMP)
5-29: 09:59:07:952:36c Constructing Vendor MS NT5 ISAKMPOAKLEY
5-29: 09:59:07:952:36c Constructing Vendor FRAGMENTATION
5-29: 09:59:07:952:36c Constructing Vendor draft-ietf-ipsec-nat-t-ike-02
5-29: 09:59:07:952:36c
5-29: 09:59:07:952:36c Sending: SA = 0x00100958 to remote_public_ip:Type 2.500
5-29: 09:59:07:952:36c ISAKMP Header: (V1.0), len = 148
5-29: 09:59:07:952:36c I-COOKIE 0271ef181ae341cd
5-29: 09:59:07:952:36c R-COOKIE 66d039ae27265c07
5-29: 09:59:07:952:36c exchange: Oakley Main Mode
5-29: 09:59:07:952:36c flags: 0
5-29: 09:59:07:952:36c next payload: SA
5-29: 09:59:07:952:36c message ID: 00000000
5-29: 09:59:07:952:36c Ports S:f401 D:f401
5-29: 09:59:07:993:36c
5-29: 09:59:07:993:36c Receive: (get) SA = 0x00100958 from remote_public_ip.500
5-29: 09:59:07:993:36c ISAKMP Header: (V1.0), len = 184
5-29: 09:59:07:993:36c I-COOKIE 0271ef181ae341cd
5-29: 09:59:07:993:36c R-COOKIE 66d039ae27265c07
5-29: 09:59:07:993:36c exchange: Oakley Main Mode
5-29: 09:59:07:993:36c flags: 0
5-29: 09:59:07:993:36c next payload: KE
5-29: 09:59:07:993:36c message ID: 00000000
5-29: 09:59:07:993:36c processing payload KE
5-29: 09:59:08:34:36c processing payload NONCE
5-29: 09:59:08:34:36c ClearFragList
5-29: 09:59:08:34:36c constructing ISAKMP Header
5-29: 09:59:08:34:36c constructing KE
5-29: 09:59:08:34:36c constructing NONCE (ISAKMP)
5-29: 09:59:08:34:36c
5-29: 09:59:08:34:36c Sending: SA = 0x00100958 to remote_public_ip:Type 2.500
5-29: 09:59:08:34:36c ISAKMP Header: (V1.0), len = 184
5-29: 09:59:08:34:36c I-COOKIE 0271ef181ae341cd
5-29: 09:59:08:34:36c R-COOKIE 66d039ae27265c07
5-29: 09:59:08:34:36c exchange: Oakley Main Mode
5-29: 09:59:08:34:36c flags: 0
5-29: 09:59:08:34:36c next payload: KE
5-29: 09:59:08:34:36c message ID: 00000000
5-29: 09:59:08:34:36c Ports S:f401 D:f401
5-29: 09:59:08:47:36c
5-29: 09:59:08:47:36c Receive: (get) SA = 0x00100958 from remote_public_ip.500
5-29: 09:59:08:47:36c ISAKMP Header: (V1.0), len = 68
5-29: 09:59:08:47:36c I-COOKIE 0271ef181ae341cd
5-29: 09:59:08:47:36c R-COOKIE 66d039ae27265c07
5-29: 09:59:08:47:36c exchange: Oakley Main Mode
5-29: 09:59:08:47:36c flags: 1 ( encrypted )
5-29: 09:59:08:47:36c next payload: ID
5-29: 09:59:08:47:36c message ID: 00000000
5-29: 09:59:08:47:36c invalid payload received
5-29: 09:59:08:75:36c ID de la clé pré-partagée. Adresse IP de l'homologue : remote_public_ip
5-29: 09:59:08:75:36c Adresse IP sourcemy_public_ip Masque d'adresse IP source 255.255.255.255 Adresse IP de destination remote_public_ip Masque d'adresse IP de destination 255.255.255.255 Protocole 0 Port source 0 Port de destination 0 Adresse locale IKE my_public_ip Adresse homologue IKE remote_public_ip Port source IKE 500 Port de destination IKE 500 Adr privée homologue
5-29: 09:59:08:75:36c GetPacket failed 3613
5-29: 09:59:09:162:dc retransmit: sa = 00100958 centry 00000000 , count = 1
5-29: 09:59:09:162:dc
5-29: 09:59:09:162:dc Sending: SA = 0x00100958 to remote_public_ip:Type 2.500
5-29: 09:59:09:162:dc ISAKMP Header: (V1.0), len = 184
5-29: 09:59:09:162:dc I-COOKIE 0271ef181ae341cd
5-29: 09:59:09:162:dc R-COOKIE 66d039ae27265c07
5-29: 09:59:09:162:dc exchange: Oakley Main Mode
5-29: 09:59:09:162:dc flags: 0
5-29: 09:59:09:162:dc next payload: KE
5-29: 09:59:09:162:dc message ID: 00000000
5-29: 09:59:09:162:dc Ports S:f401 D:f401
5-29: 09:59:10:903:dc retransmit: sa = 00100958 centry 00000000 , count = 2
5-29: 09:59:10:903:dc
5-29: 09:59:10:903:dc Sending: SA = 0x00100958 to remote_public_ip:Type 2.500
5-29: 09:59:10:903:dc ISAKMP Header: (V1.0), len = 184
5-29: 09:59:10:903:dc I-COOKIE 0271ef181ae341cd
5-29: 09:59:10:903:dc R-COOKIE 66d039ae27265c07
5-29: 09:59:10:903:dc exchange: Oakley Main Mode
5-29: 09:59:10:903:dc flags: 0
5-29: 09:59:10:903:dc next payload: KE
5-29: 09:59:10:903:dc message ID: 00000000
5-29: 09:59:10:903:dc Ports S:f401 D:f401
5-29: 09:59:11:351:36c
5-29: 09:59:11:351:36c Receive: (get) SA = 0x00100958 from remote_public_ip.500
5-29: 09:59:11:351:36c ISAKMP Header: (V1.0), len = 68
5-29: 09:59:11:351:36c I-COOKIE 0271ef181ae341cd
5-29: 09:59:11:351:36c R-COOKIE 66d039ae27265c07
5-29: 09:59:11:351:36c exchange: Oakley Main Mode
5-29: 09:59:11:351:36c flags: 1 ( encrypted )
5-29: 09:59:11:351:36c next payload: ID
5-29: 09:59:11:351:36c message ID: 00000000
5-29: 09:59:11:351:36c invalid payload received
5-29: 09:59:11:351:36c GetPacket failed 3613
5-29: 09:59:14:383:dc retransmit: sa = 00100958 centry 00000000 , count = 3

The Netscreen logs that the 3rd party gave me look like this:

## 15:08:25 : IKE<my_public_ip4 > Create sa: 3rd_party_public_ip->my_public_ip4
## 15:08:25 : IKE<0.0.0.0 > getProfileFromP1Proposal->
## 15:08:25 : IKE<0.0.0.0 > xauthstatus is 0
## 15:08:25 : IKE<0.0.0.0 > find profile[0]=<00000005 00000002 00000001 00000002> for p1 proosal (id 5)
## 15:08:25 : IKE<0.0.0.0 > init p1sa by peer, pidt = 0x0
## 15:08:25 : IKE<0.0.0.0 > peer change peer identity for p1 sa, pidt = 0x0
## 15:08:25 : IKE<0.0.0.0 > create peer identity 0863005fb0
## 15:08:25 : IKE<my_public_ip4 > Phase 2 task added
## 15:08:25 : IKE<my_public_ip4 > Phase 1: Initiated negotiation in main mode. <3rd_party_public_ip => my_public_ip4>
## 15:08:25 : IKE<my_public_ip4 > Construct ISAKMP header.
## 15:08:25 : IKE<my_public_ip4 > Msg header built (next payload #1)
## 15:08:25 : IKE<my_public_ip4 > Construct [SA] for ISAKMP
## 15:08:25 : IKE<my_public_ip4 > auth(1)<PRESHRD>, encr(5)<3DES>, hash(2)<SHA>, group(2)
## 15:08:25 : IKE<my_public_ip4 > xauth: disabled
## 15:08:25 : IKE<my_public_ip4 > lifetime/lifesize (28800/0)
## 15:08:25 : IKE<my_public_ip4 > Construct NetScreen [VID]
## 15:08:25 : IKE<my_public_ip4 > Construct custom [VID]
## 15:08:25 : IKE<my_public_ip4 > Xmit : [SA] [VID] [VID]
## 15:08:25 : IKE<my_public_ip4 > send_request to peer
## 15:08:25 : IKE<my_public_ip4 > Send Phase 1 packet (len=136)
## 15:08:25 : IKE<my_public_ip4 > ike packet, len 176, action 0
## 15:08:25 : IKE<0.0.0.0 > coach. sock 2048
## 15:08:25 : IKE<my_public_ip4 > ****** Recv packet if <ethernet1/1> of vsys <Root> ******
## 15:08:25 : IKE<my_public_ip4 > Catcher: get 148 bytes. src port 500
## 15:08:25 : IKE<my_public_ip4 > SA: (Root, local 3rd_party_public_ip, state 0/0001, i):
## 15:08:25 : IKE<my_public_ip4 > ISAKMP msg: len 148, nxp 1[SA], exch 2[MM], flag 00
## 15:08:25 : IKE<my_public_ip4 > Recv : [SA] [VID] [VID] [VID]
## 15:08:25 : IKE<my_public_ip4 > extract payload (120):
## 15:08:25 : IKE<my_public_ip4 > MM in state OAK_MM_NO_STATE.
## 15:08:25 : IKE<my_public_ip4 > Process [VID]:
## 15:08:25 : IKE<my_public_ip4 > Vendor ID:
## 15:08:25 : 1e 2b 51 69 05 99 1c 7d 7c 96 fc bf b5 87 e4 61
## 15:08:25 : 00 00 00 04
## 15:08:25 : IKE<my_public_ip4 > receive unknown vendor ID payload
## 15:08:25 : IKE<my_public_ip4 > Process [VID]:
## 15:08:25 : IKE<my_public_ip4 > Vendor ID:
## 15:08:25 : 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
## 15:08:25 : IKE<my_public_ip4 > rcv non-NAT-Traversal VID payload.
## 15:08:25 : IKE<my_public_ip4 > Process [VID]:
## 15:08:25 : IKE<my_public_ip4 > Vendor ID:
## 15:08:25 : 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
## 15:08:25 : IKE<my_public_ip4 > rcv non-NAT-Traversal VID payload.
## 15:08:25 : IKE<my_public_ip4 > Process [SA]:
## 15:08:25 : IKE<my_public_ip4 > Proposal received:
## 15:08:25 : IKE<my_public_ip4 > auth(1)<PRESHRD>, encr(5)<3DES>, hash(2)<SHA>, group(2)
## 15:08:25 : IKE<my_public_ip4 > xauth: disabled
## 15:08:25 : IKE<my_public_ip4 > Phase 1 proposal [0] selected.
## 15:08:25 : IKE<my_public_ip4 > SA Life Type = seconds
## 15:08:25 : IKE<my_public_ip4 > SA lifetime (TLV) = 28800
## 15:08:25 : IKE<0.0.0.0 > dh group 2
## 15:08:25 : IKE<my_public_ip4 > DH_BG_consume OK. p1 resp
## 15:08:25 : IKE<my_public_ip4 > Phase 1 MM Initiator constructing 3rd message.
## 15:08:25 : IKE<my_public_ip4 > Construct ISAKMP header.
## 15:08:25 : IKE<my_public_ip4 > Msg header built (next payload #4)
## 15:08:25 : IKE<my_public_ip4 > Construct [KE] for ISAKMP
## 15:08:25 : IKE<my_public_ip4 > Construct [NONCE]
## 15:08:25 : IKE<my_public_ip4 > Xmit : [KE] [NONCE]
## 15:08:25 : IKE<my_public_ip4 > send_request to peer
## 15:08:25 : IKE<my_public_ip4 > Send Phase 1 packet (len=184)
## 15:08:25 : IKE<my_public_ip4 > IKE msg done: PKI state<0> IKE state<1/0007>
## 15:08:25 : IKE<my_public_ip4 > ike packet, len 212, action 0
## 15:08:25 : IKE<0.0.0.0 > coach. sock 2048
## 15:08:25 : IKE<my_public_ip4 > ****** Recv packet if <ethernet1/1> of vsys <Root> ******
## 15:08:25 : IKE<my_public_ip4 > Catcher: get 184 bytes. src port 500
## 15:08:25 : IKE<my_public_ip4 > SA: (Root, local 3rd_party_public_ip, state 1/0007, i):
## 15:08:25 : IKE<my_public_ip4 > ISAKMP msg: len 184, nxp 4[KE], exch 2[MM], flag 00
## 15:08:25 : IKE<my_public_ip4 > Recv : [KE] [NONCE]
## 15:08:25 : IKE<my_public_ip4 > extract payload (156):
## 15:08:25 : IKE<my_public_ip4 > MM in state OAK_MM_SA_SETUP.
## 15:08:25 : IKE<my_public_ip4 > Process [KE]:
## 15:08:25 : IKE<my_public_ip4 > processing ISA_KE in phase 1.
## 15:08:25 : IKE<0.0.0.0 > pka_job_enqueue, cmd 1, p1 init cookie 72df6af4e6b6,1, msg_id 0x00000000
## 15:08:25 : IKE<0.0.0.0 > DH job submitted to pka #0, cmd 1, p1 init cookie 72df6af4e6b6,1, msg_id 0x00000000
## 15:08:25 : IKE<0.0.0.0 > start offline DH, cmd 1, p1 init cookie 72df6af4e6b6,1, msg_id 0x00000000
## 15:08:25 : IKE<my_public_ip4 > Process [NONCE]:
## 15:08:25 : IKE<my_public_ip4 > processing NONCE in phase 1.
## 15:08:25 : IKE<my_public_ip4 > IKE msg done: PKI state<0> IKE state<1/000f>
## 15:08:25 : IKE<0.0.0.0 > DH job done on pka #0, status 0x00000008, cmd 1, p1 init cookie 72df6af4e6b6,1, msg_id 0x000000
## 15:08:25 : IKE<0.0.0.0 > IKE dh event 63007800, 1
## 15:08:25 : IKE<0.0.0.0 > got finished DH, cmd 1, p1 init cookie 72df6af4e6b6,1, msg_id 0x00000000
## 15:08:25 : IKE<my_public_ip4 > gen_skeyid()
## 15:08:25 : IKE<my_public_ip4 > MM in state OAK_MM_SA_SETUP.
## 15:08:25 : IKE<my_public_ip4 > re-enter MM after offline DH done
## 15:08:25 : IKE<my_public_ip4 > Phase 1 MM Initiator constructing 5th message.
## 15:08:25 : IKE<my_public_ip4 > Construct ISAKMP header.
## 15:08:25 : IKE<my_public_ip4 > Msg header built (next payload #5)
## 15:08:25 : IKE<my_public_ip4 > Construct [ID] for ISAKMP
## 15:08:25 : IKE<my_public_ip4 > Construct [HASH]
## 15:08:25 : IKE<my_public_ip4 > ID, len=8, type=1, pro=17, port=500,
## 15:08:25 : IKE<my_public_ip4 > addr=3rd_party_public_ip
## 15:08:25 : IKE<my_public_ip4 > throw packet to the peer, paket_len=64
## 15:08:25 : IKE<my_public_ip4 > Xmit*: [ID] [HASH]
## 15:08:25 : IKE<my_public_ip4 > Encrypt P1 payload (len 64)
## 15:08:25 : IKE<my_public_ip4 > send_request to peer
## 15:08:25 : IKE<my_public_ip4 > Send Phase 1 packet (len=68)
## 15:08:26 : IKE<my_public_ip4 > nhtb_list_update_status: vpn VPN_OL, status 8
## 15:08:26 : IKE<my_public_ip4 > ike packet, len 212, action 0
## 15:08:26 : IKE<0.0.0.0 > coach. sock 2048
## 15:08:26 : IKE<my_public_ip4 > ****** Recv packet if <ethernet1/1> of vsys <Root> ******
## 15:08:26 : IKE<my_public_ip4 > Catcher: get 184 bytes. src port 500
## 15:08:26 : IKE<my_public_ip4 > SA: (Root, local 3rd_party_public_ip, state 2/100f +, i):
## 15:08:26 : IKE<my_public_ip4 > ISAKMP msg: len 184, nxp 4[KE], exch 2[MM], flag 00
## 15:08:26 : IKE<my_public_ip4 > Recv : [KE] [NONCE]
## 15:08:26 : IKE<my_public_ip4 > Receive re-transmit IKE packet phase 1 SA(my_public_ip4) exchg(2) len(184)
## 15:08:27 : IKE<my_public_ip4 > ike packet, len 112, action 0
## 15:08:27 : IKE<0.0.0.0 > coach. sock 2048
## 15:08:27 : IKE<my_public_ip4 > ****** Recv packet if <ethernet1/1> of vsys <Root> ******
## 15:08:27 : IKE<my_public_ip4 > Catcher: get 84 bytes. src port 500
## 15:08:27 : IKE<my_public_ip4 > New Phase 1 SA
## 15:08:27 : IKE<my_public_ip4 > ISAKMP msg: len 84, nxp 8[HASH], exch 5[INFO], flag 01 E
## 15:08:27 : IKE<my_public_ip4 > Cannot locate phase 1 session for IKE packet. next payload type<8>
## 15:08:28 : IKE<my_public_ip4 > ike packet, len 212, action 0
## 15:08:28 : IKE<0.0.0.0 > coach. sock 2048
## 15:08:28 : IKE<my_public_ip4 > ****** Recv packet if <ethernet1/1> of vsys <Root> ******
## 15:08:28 : IKE<my_public_ip4 > Catcher: get 184 bytes. src port 500
## 15:08:28 : IKE<my_public_ip4 > SA: (Root, local 3rd_party_public_ip, state 2/100f +, i):
## 15:08:28 : IKE<my_public_ip4 > ISAKMP msg: len 184, nxp 4[KE], exch 2[MM], flag 00
## 15:08:28 : IKE<my_public_ip4 > Recv : [KE] [NONCE]
## 15:08:28 : IKE<my_public_ip4 > Receive re-transmit IKE packet phase 1 SA(my_public_ip4) exchg(2) len(184)
## 15:08:30 : IKE<my_public_ip4 > SA: (Root, local 3rd_party_public_ip, state 2/100f +, i):
## 15:08:30 : IKE<my_public_ip4 > re-trans timer expired, msg retry (0) (100f/2)
## 15:08:30 : IKE<my_public_ip4 > send_request to peer
## 15:08:30 : IKE<my_public_ip4 > Send Phase 1 packet (len=68)
## 15:08:32 : IKE<0.0.0.0 > Start DH BG gen for group 2
## 15:08:32 : IKE<0.0.0.0 > dh group 2
## 15:08:32 : IKE<0.0.0.0 > pka_job_enqueue, cmd 0, p1 init cookie 6e756c6c0000,0, msg_id 0x00000000
## 15:08:32 : IKE<0.0.0.0 > DH job submitted to pka #0, cmd 0, p1 init cookie 6e756c6c0000,0, msg_id 0x00000000
## 15:08:32 : IKE<0.0.0.0 > start offline DH, cmd 0, p1 init cookie 6e756c6c0000,0, msg_id 0x00000000
## 15:08:32 : IKE<0.0.0.0 > DH job done on pka #0, status 0x00000008, cmd 0, p1 init cookie 6e756c6c0000,0, msg_id 0x000000
## 15:08:32 : IKE<0.0.0.0 > IKE dh event 63007800, 1
## 15:08:32 : IKE<0.0.0.0 > got finished DH, cmd 0, p1 init cookie 6e756c6c0000,0, msg_id 0x00000000
## 15:08:32 : IKE<my_public_ip4 > ike packet, len 212, action 0
## 15:08:32 : IKE<0.0.0.0 > coach. sock 2048
## 15:08:32 : IKE<my_public_ip4 > ****** Recv packet if <ethernet1/1> of vsys <Root> ******
## 15:08:32 : IKE<my_public_ip4 > Catcher: get 184 bytes. src port 500
## 15:08:32 : IKE<my_public_ip4 > SA: (Root, local 3rd_party_public_ip, state 2/100f +, i):
## 15:08:32 : IKE<my_public_ip4 > ISAKMP msg: len 184, nxp 4[KE], exch 2[MM], flag 00
## 15:08:32 : IKE<my_public_ip4 > Recv : [KE] [NONCE]
## 15:08:32 : IKE<my_public_ip4 > Receive re-transmit IKE packet phase 1 SA(my_public_ip4) exchg(2) len(184)
## 15:08:34 : IKE<my_public_ip4 > SA: (Root, local 3rd_party_public_ip, state 2/100f +, i):
## 15:08:34 : IKE<my_public_ip4 > re-trans timer expired, msg retry (1) (100f/2)
## 15:08:34 : IKE<my_public_ip4 > send_request to peer
## 15:08:34 : IKE<my_public_ip4 > Send Phase 1 packet (len=68)
## 15:08:38 : IKE<my_public_ip4 > nhtb_list_update_status: vpn VPN_OL, status 8
## 15:08:38 : IKE<my_public_ip4 > SA: (Root, local 3rd_party_public_ip, state 2/100f +, i):
## 15:08:38 : IKE<my_public_ip4 > re-trans timer expired, msg retry (2) (100f/2)
## 15:08:38 : IKE<my_public_ip4 > send_request to peer
## 15:08:38 : IKE<my_public_ip4 > Send Phase 1 packet (len=68)
## 15:08:40 : IKE<my_public_ip4 > ike packet, len 212, action 0
## 15:08:40 : IKE<0.0.0.0 > coach. sock 2048
## 15:08:40 : IKE<my_public_ip4 > ****** Recv packet if <ethernet1/1> of vsys <Root> ******
## 15:08:40 : IKE<my_public_ip4 > Catcher: get 184 bytes. src port 500
## 15:08:40 : IKE<my_public_ip4 > SA: (Root, local 3rd_party_public_ip, state 2/100f +, i):
## 15:08:40 : IKE<my_public_ip4 > ISAKMP msg: len 184, nxp 4[KE], exch 2[MM], flag 00
## 15:08:40 : IKE<my_public_ip4 > Recv : [KE] [NONCE]
## 15:08:40 : IKE<my_public_ip4 > Receive re-transmit IKE packet phase 1 SA(my_public_ip4) exchg(2) len(184)
## 15:08:42 : IKE<my_public_ip4 > SA: (Root, local 3rd_party_public_ip, state 2/100f +, i):
## 15:08:42 : IKE<my_public_ip4 > re-trans timer expired, msg retry (3) (100f/2)
## 15:08:42 : IKE<my_public_ip4 > send_request to peer
## 15:08:42 : IKE<my_public_ip4 > Send Phase 1 packet (len=68)
## 15:08:46 : IKE<my_public_ip4 > SA: (Root, local 3rd_party_public_ip, state 2/100f +, i):
## 15:08:46 : IKE<my_public_ip4 > re-trans timer expired, msg retry (4) (100f/2)
## 15:08:46 : IKE<my_public_ip4 > send_request to peer
## 15:08:46 : IKE<my_public_ip4 > Send Phase 1 packet (len=68)

And from there I'm stuck. I tried to google the error codes but it didn't give me any useful info. The 3rd party says there's nothing wrong on his side (something that I can't verify), and I really don't know what could be wrong on mine, so any lead will be a great help. Thanks in advance.
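
A way to read the oakley.log above mechanically, as an added example that is not part of the original post: this Python code groups log entries into IKE messages and reports the first message the local side rejected, together with how many resends followed. In IKEv1 Main Mode with a pre-shared key, messages 5 and 6 are the first encrypted ones, under keys derived from SKEYID = prf(pre-shared-key, Ni_b | Nr_b) (RFC 2409), so a rejection there after an accepted proposal is the stage at which a key mismatch would surface. The function names and the abridged sample are assumptions made for this example.

```python
import re

# Added example; SAMPLE is constructed and abridged in the layout of the oakley.log above.
SAMPLE = """\
5-29: 09:59:07:939:36c Receive: (get) SA = 0x00000000 from remote_public_ip.500
5-29: 09:59:07:939:36c   next payload: SA
5-29: 09:59:07:952:36c Sending: SA = 0x00100958 to remote_public_ip:Type 2.500
5-29: 09:59:07:952:36c   next payload: SA
5-29: 09:59:07:993:36c Receive: (get) SA = 0x00100958 from remote_public_ip.500
5-29: 09:59:07:993:36c   next payload: KE
5-29: 09:59:08:34:36c Sending: SA = 0x00100958 to remote_public_ip:Type 2.500
5-29: 09:59:08:34:36c   next payload: KE
5-29: 09:59:08:47:36c Receive: (get) SA = 0x00100958 from remote_public_ip.500
5-29: 09:59:08:47:36c   flags: 1 ( encrypted )
5-29: 09:59:08:47:36c   next payload: ID
5-29: 09:59:08:47:36c invalid payload received
5-29: 09:59:08:75:36c GetPacket failed 3613
5-29: 09:59:09:162:dc retransmit: sa = 00100958 centry 00000000 , count = 1
5-29: 09:59:09:162:dc Sending: SA = 0x00100958 to remote_public_ip:Type 2.500
5-29: 09:59:09:162:dc   next payload: KE
"""

ENTRY = re.compile(r"^\s*\d+-\d+:\s+[\d:]+:[0-9a-f]+\s*(.*)$")
# First payload of each IKEv1 Main Mode message pair (RFC 2409).
STAGE = {"SA": "1-2 proposal", "KE": "3-4 key exchange", "ID": "5-6 identity/auth"}

def parse_messages(log_text):
    """Group log entries into one dict per IKE message sent or received."""
    msgs, cur, resend = [], None, False
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        text = m.group(1).strip() if m else ""
        if text.startswith("retransmit:"):
            resend = True          # applies to the next "Sending:" entry
        elif text.startswith(("Receive:", "Sending:")):
            cur = {"dir": "recv" if text[0] == "R" else "send", "payload": None,
                   "encrypted": False, "retransmit": resend, "error": None}
            msgs.append(cur)
            resend = False
        elif cur and text.startswith("next payload:"):
            cur["payload"] = text.split(":", 1)[1].strip()
        elif cur and text.startswith("flags:"):
            cur["encrypted"] = "encrypted" in text
        elif cur and text.startswith(("invalid payload", "GetPacket failed")):
            cur["error"] = cur["error"] or text   # keep the first error text
    return msgs

def first_failure(log_text):
    """Return the first rejected message and the number of resends after it."""
    msgs = parse_messages(log_text)
    for i, msg in enumerate(msgs):
        if msg["error"]:
            return {"dir": msg["dir"], "stage": STAGE.get(msg["payload"], "unknown"),
                    "encrypted": msg["encrypted"], "error": msg["error"],
                    "resends_after": sum(x["retransmit"] for x in msgs[i + 1:])}
    return None

if __name__ == "__main__":
    print(first_failure(SAMPLE))
```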