ISA to Cisco 3030 vpn






jimmyk -> ISA to Cisco 3030 vpn (10.Oct.2006 12:25:17 PM)

Hello,
I can get the Cisco 3030 VPN Concentrator to establish an IPSEC tunnel to a Linksys Router,  but I cannot get the Cisco 3030 VPN Concentrator to establish an IPSEC tunnel to ISA 2004 SP2.

The ip address 1.1.1.1 is the endpoint on the ISA.
The ip address 2.2.2.2 is the endpoint on the Cisco 3030.

Here is the output from the ISA log.
I have bolded what I feel are the pertinent parts.
Any help is greatly appreciated.

10-09: 10:36:43:312:700 Creating socket directly on MS base provider. Bypassing LSPs
10-09: 10:36:43:312:700 Creating socket directly on MS base provider. Bypassing LSPs
10-09: 10:36:43:312:700 Creating socket directly on MS base provider. Bypassing LSPs
10-09: 10:36:43:312:700 Initialization OK
10-09: 11:24:29:900:778 Acquire from driver: op=00000006 src=1.1.1.1.0 dst=10.1.0.81.0 proto = 0, SrcMask=255.255.255.255, DstMask=255.255.255.0, Tunnel 1, TunnelEndpt=2.2.2.2 Inbound TunnelEndpt=1.1.1.1
10-09: 11:24:29:916:2e0 Filter to match: Src 2.2.2.2 Dst 1.1.1.1
10-09: 11:24:29:916:2e0 MM PolicyName: ISA Server CompanyX #2 MM Policy
10-09: 11:24:29:916:2e0 MMPolicy dwFlags 0 SoftSAExpireTime 28800
10-09: 11:24:29:916:2e0 MMOffer[0] LifetimeSec 86400 QMLimit 0 DHGroup 2
10-09: 11:24:29:916:2e0 MMOffer[0] Encrypt: Triple DES CBC Hash: MD5
10-09: 11:24:29:916:2e0 Auth[0]:PresharedKey KeyLen 36
10-09: 11:24:29:916:2e0 QM PolicyName: ISA Server CompanyX #2 QM Policy dwFlags 0
10-09: 11:24:29:916:2e0 QMOffer[0] LifetimeKBytes 0 LifetimeSec 86400
10-09: 11:24:29:916:2e0 QMOffer[0] dwFlags 0 dwPFSGroup 0
10-09: 11:24:29:916:2e0  Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: MD5
10-09: 11:24:29:916:2e0 Starting Negotiation: src = 1.1.1.1.0500, dst = 2.2.2.2.0500, proto = 00, context = 00000006, ProxySrc = 1.1.1.1.0000, ProxyDst = 10.1.0.0.0000 SrcMask = 255.255.255.255 DstMask = 255.255.255.0
10-09: 11:24:29:916:2e0 constructing ISAKMP Header
10-09: 11:24:29:916:2e0 constructing SA (ISAKMP)
10-09: 11:24:29:916:2e0 Constructing Vendor MS NT5 ISAKMPOAKLEY
10-09: 11:24:29:916:2e0 Constructing Vendor FRAGMENTATION
10-09: 11:24:29:916:2e0 Constructing Vendor draft-ietf-ipsec-nat-t-ike-02
10-09: 11:24:29:916:2e0 Constructing Vendor Vid-Initial-Contact
10-09: 11:24:29:916:2e0
10-09: 11:24:29:916:2e0 Sending: SA = 0x00122C50 to 2.2.2.2:Type 2.500
10-09: 11:24:29:916:2e0 ISAKMP Header: (V1.0), len = 168
10-09: 11:24:29:916:2e0   I-COOKIE 3e3a5fc3d412eb41
10-09: 11:24:29:916:2e0   R-COOKIE 0000000000000000
10-09: 11:24:29:916:2e0   exchange: Oakley Main Mode
10-09: 11:24:29:916:2e0   flags: 0
10-09: 11:24:29:916:2e0   next payload: SA
10-09: 11:24:29:916:2e0   message ID: 00000000
10-09: 11:24:29:916:2e0 Ports S:f401 D:f401
10-09: 11:24:29:931:2e0
10-09: 11:24:29:931:2e0 Receive: (get) SA = 0x00122c50 from 2.2.2.2.500
10-09: 11:24:29:931:2e0 ISAKMP Header: (V1.0), len = 108
10-09: 11:24:29:931:2e0   I-COOKIE 3e3a5fc3d412eb41
10-09: 11:24:29:931:2e0   R-COOKIE c161efb8a77e5d79
10-09: 11:24:29:931:2e0   exchange: Oakley Main Mode
10-09: 11:24:29:931:2e0   flags: 0
10-09: 11:24:29:931:2e0   next payload: SA
10-09: 11:24:29:931:2e0   message ID: 00000000
10-09: 11:24:29:931:2e0 processing payload SA
10-09: 11:24:29:931:2e0 Received Phase 1 Transform 1
10-09: 11:24:29:931:2e0      Encryption Alg Triple DES CBC(5)
10-09: 11:24:29:931:2e0      Hash Alg MD5(1)
10-09: 11:24:29:931:2e0      Oakley Group 2
10-09: 11:24:29:931:2e0      Auth Method Preshared Key(1)
10-09: 11:24:29:931:2e0      Life type in Seconds
10-09: 11:24:29:931:2e0      Life duration of 86400
10-09: 11:24:29:931:2e0 Phase 1 SA accepted: transform=1
10-09: 11:24:29:931:2e0 SA - Oakley proposal accepted
10-09: 11:24:29:931:2e0 processing payload VENDOR ID
10-09: 11:24:29:931:2e0 Received VendorId FRAGMENTATION
10-09: 11:24:29:931:2e0 ClearFragList
10-09: 11:24:29:931:2e0 constructing ISAKMP Header
10-09: 11:24:29:962:2e0 constructing KE
10-09: 11:24:29:962:2e0 constructing NONCE (ISAKMP)
10-09: 11:24:29:962:2e0
10-09: 11:24:29:962:2e0 Sending: SA = 0x00122C50 to 2.2.2.2:Type 2.500
10-09: 11:24:29:962:2e0 ISAKMP Header: (V1.0), len = 184
10-09: 11:24:29:962:2e0   I-COOKIE 3e3a5fc3d412eb41
10-09: 11:24:29:962:2e0   R-COOKIE c161efb8a77e5d79
10-09: 11:24:29:962:2e0   exchange: Oakley Main Mode
10-09: 11:24:29:962:2e0   flags: 0
10-09: 11:24:29:962:2e0   next payload: KE
10-09: 11:24:29:962:2e0   message ID: 00000000
10-09: 11:24:29:962:2e0 Ports S:f401 D:f401
10-09: 11:24:30:25:2e0
10-09: 11:24:30:25:2e0 Receive: (get) SA = 0x00122c50 from 2.2.2.2.500
10-09: 11:24:30:25:2e0 ISAKMP Header: (V1.0), len = 256
10-09: 11:24:30:25:2e0   I-COOKIE 3e3a5fc3d412eb41
10-09: 11:24:30:25:2e0   R-COOKIE c161efb8a77e5d79
10-09: 11:24:30:25:2e0   exchange: Oakley Main Mode
10-09: 11:24:30:25:2e0   flags: 0
10-09: 11:24:30:25:2e0   next payload: KE
10-09: 11:24:30:25:2e0   message ID: 00000000
10-09: 11:24:30:25:2e0 processing payload KE
10-09: 11:24:30:41:2e0 processing payload NONCE
10-09: 11:24:30:41:2e0 processing payload VENDOR ID
10-09: 11:24:30:41:2e0 processing payload VENDOR ID
10-09: 11:24:30:41:2e0 processing payload VENDOR ID
10-09: 11:24:30:41:2e0 processing payload VENDOR ID
10-09: 11:24:30:41:2e0 ClearFragList
10-09: 11:24:30:41:2e0 constructing ISAKMP Header
10-09: 11:24:30:41:2e0 constructing ID
10-09: 11:24:30:41:2e0 MM ID Type 1
10-09: 11:24:30:41:2e0 MM ID 434fbf7e
10-09: 11:24:30:41:2e0 constructing HASH
10-09: 11:24:30:41:2e0
10-09: 11:24:30:41:2e0 Sending: SA = 0x00122C50 to 2.2.2.2:Type 2.500
10-09: 11:24:30:41:2e0 ISAKMP Header: (V1.0), len = 60
10-09: 11:24:30:41:2e0   I-COOKIE 3e3a5fc3d412eb41
10-09: 11:24:30:41:2e0   R-COOKIE c161efb8a77e5d79
10-09: 11:24:30:41:2e0   exchange: Oakley Main Mode
10-09: 11:24:30:41:2e0   flags: 1 ( encrypted )
10-09: 11:24:30:41:2e0   next payload: ID
10-09: 11:24:30:41:2e0   message ID: 00000000
10-09: 11:24:30:41:2e0 Ports S:f401 D:f401
10-09: 11:24:30:165:2e0
10-09: 11:24:30:165:2e0 Receive: (get) SA = 0x00122c50 from 2.2.2.2.500
10-09: 11:24:30:165:2e0 ISAKMP Header: (V1.0), len = 84
10-09: 11:24:30:165:2e0   I-COOKIE 3e3a5fc3d412eb41
10-09: 11:24:30:165:2e0   R-COOKIE c161efb8a77e5d79
10-09: 11:24:30:165:2e0   exchange: Oakley Main Mode
10-09: 11:24:30:165:2e0   flags: 1 ( encrypted )
10-09: 11:24:30:165:2e0   next payload: ID
10-09: 11:24:30:165:2e0   message ID: 00000000
10-09: 11:24:30:165:2e0 processing payload ID
10-09: 11:24:30:165:2e0 processing payload HASH
10-09: 11:24:30:165:2e0 AUTH: Phase I authentication accepted
10-09: 11:24:30:165:2e0 processing payload VENDOR ID
10-09: 11:24:30:165:2e0 ClearFragList
10-09: 11:24:30:165:2e0 MM established.  SA: 00122C50
10-09: 11:24:30:181:2e0 QM PolicyName: ISA Server CompanyX #2 QM Policy dwFlags 0
10-09: 11:24:30:181:2e0 QMOffer[0] LifetimeKBytes 0 LifetimeSec 86400
10-09: 11:24:30:181:2e0 QMOffer[0] dwFlags 0 dwPFSGroup 0
10-09: 11:24:30:181:2e0  Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: MD5
10-09: 11:24:30:181:2e0 GetSpi: src = 10.1.0.0.0000, dst = 1.1.1.1.0000, proto = 00, context = 00000006, srcMask = 255.255.255.0, destMask = 255.255.255.255, TunnelFilter 1
10-09: 11:24:30:181:2e0 Setting SPI  957874780
10-09: 11:24:30:181:2e0 constructing ISAKMP Header
10-09: 11:24:30:181:2e0 constructing HASH (null)
10-09: 11:24:30:181:2e0 constructing SA (IPSEC)
10-09: 11:24:30:181:2e0 constructing NONCE (IPSEC)
10-09: 11:24:30:181:2e0 constructing ID (proxy)
10-09: 11:24:30:181:2e0 constructing ID (proxy)
10-09: 11:24:30:181:2e0 constructing HASH (QM)
10-09: 11:24:30:181:2e0
10-09: 11:24:30:181:2e0 Sending: SA = 0x00122C50 to 2.2.2.2:Type 2.500
10-09: 11:24:30:181:2e0 ISAKMP Header: (V1.0), len = 156
10-09: 11:24:30:181:2e0   I-COOKIE 3e3a5fc3d412eb41
10-09: 11:24:30:181:2e0   R-COOKIE c161efb8a77e5d79
10-09: 11:24:30:181:2e0   exchange: Oakley Quick Mode
10-09: 11:24:30:181:2e0   flags: 1 ( encrypted )
10-09: 11:24:30:181:2e0   next payload: HASH
10-09: 11:24:30:181:2e0   message ID: 81c7baa1
10-09: 11:24:30:181:2e0 Ports S:f401 D:f401
10-09: 11:24:30:197:2e0
10-09: 11:24:30:197:2e0 Receive: (get) SA = 0x00122c50 from 2.2.2.2.500
10-09: 11:24:30:197:2e0 ISAKMP Header: (V1.0), len = 76
10-09: 11:24:30:197:2e0   I-COOKIE 3e3a5fc3d412eb41
10-09: 11:24:30:197:2e0   R-COOKIE c161efb8a77e5d79
10-09: 11:24:30:197:2e0   exchange: ISAKMP Informational Exchange
10-09: 11:24:30:197:2e0   flags: 1 ( encrypted )
10-09: 11:24:30:197:2e0   next payload: HASH
10-09: 11:24:30:197:2e0   message ID: 248b093e
10-09: 11:24:30:197:2e0 processing HASH (Notify/Delete)
10-09: 11:24:30:197:2e0 processing payload DELETE
10-09: 11:24:30:197:2e0 SA Dead. sa:00122C50 status:35ef
10-09: 11:24:30:197:2e0 CE Dead. sa:00122C50 ce:000E1EE8 status:35ef
10-09: 11:24:30:197:2e0 Data Protection Mode (Quick Mode)
10-09: 11:24:30:197:2e0 Source IP Address 1.1.1.1  Source IP Address Mask 255.255.255.255  Destination IP Address 10.1.0.0  Destination IP Address Mask 255.255.255.0  Protocol 0  Source Port 0  Destination Port 0  IKE Local Addr 1.1.1.1  IKE Peer Addr 2.2.2.2  IKE Source Port 500  IKE Destination Port 500  Peer Private Addr
10-09: 11:24:30:197:2e0 Preshared key ID.  Peer IP Address: 2.2.2.2
10-09: 11:24:30:197:2e0 Me
10-09: 11:24:30:197:2e0 IKE SA deleted by peer before establishment completed
10-09: 11:24:30:197:2e0 Processed third (ID) payload  Initiator.  Delta Time 1   0x0 0x0
10-09: 11:24:30:197:2e0 isadb_set_status sa:00122C50 centry:000E1EE8 status 35ef
10-09: 11:24:30:197:2e0 Re-initiating SA SRC=7ebf4f43 DST=180a
10-09: 11:24:30:197:2e0 Internal Acquire: op=00000006 src=1.1.1.1.0 dst=10.1.0.0.0 proto = 0, SrcMask=255.255.255.255, DstMask=255.255.255.0, Tunnel 1, TunnelEndpt=2.2.2.2 Inbound TunnelEndpt=1.1.1.1, InitiateEvent=00000000, IKE SrcPort=500 IKE DstPort=500
10-09: 11:24:30:197:2e0 isadb_set_status sa:00122C50 centry:00000000 status 35ef
10-09: 11:24:30:259:e54 Filter to match: Src 2.2.2.2 Dst 1.1.1.1
10-09: 11:24:30:259:e54 MM PolicyName: ISA Server CompanyX #2 MM Policy
10-09: 11:24:30:259:e54 MMPolicy dwFlags 0 SoftSAExpireTime 28800
10-09: 11:24:30:259:e54 MMOffer[0] LifetimeSec 86400 QMLimit 0 DHGroup 2
10-09: 11:24:30:259:e54 MMOffer[0] Encrypt: Triple DES CBC Hash: MD5
10-09: 11:24:30:259:e54 Auth[0]:PresharedKey KeyLen 36
10-09: 11:24:30:259:e54 QM PolicyName: ISA Server CompanyX #2 QM Policy dwFlags 0
10-09: 11:24:30:259:e54 QMOffer[0] LifetimeKBytes 0 LifetimeSec 86400
10-09: 11:24:30:259:e54 QMOffer[0] dwFlags 0 dwPFSGroup 0
10-09: 11:24:30:259:e54  Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: MD5
10-09: 11:24:30:259:e54 Starting Negotiation: src = 1.1.1.1.0500, dst = 2.2.2.2.0500, proto = 00, context = 00000006, ProxySrc = 1.1.1.1.0000, ProxyDst = 10.1.0.0.0000 SrcMask = 255.255.255.255 DstMask = 255.255.255.0
10-09: 11:24:30:259:e54 constructing ISAKMP Header
10-09: 11:24:30:259:e54 constructing SA (ISAKMP)
10-09: 11:24:30:259:e54 Constructing Vendor MS NT5 ISAKMPOAKLEY
10-09: 11:24:30:259:e54 Constructing Vendor FRAGMENTATION
10-09: 11:24:30:259:e54 Constructing Vendor draft-ietf-ipsec-nat-t-ike-02
10-09: 11:24:30:259:e54
10-09: 11:24:30:259:e54 Sending: SA = 0x00122FB8 to 2.2.2.2:Type 2.500
10-09: 11:24:30:259:e54 ISAKMP Header: (V1.0), len = 148
10-09: 11:24:30:259:e54   I-COOKIE e59749e4903bb9a2
10-09: 11:24:30:259:e54   R-COOKIE 0000000000000000
10-09: 11:24:30:259:e54   exchange: Oakley Main Mode
10-09: 11:24:30:259:e54   flags: 0
10-09: 11:24:30:259:e54   next payload: SA
10-09: 11:24:30:259:e54   message ID: 00000000
10-09: 11:24:30:259:e54 Ports S:f401 D:f401
10-09: 11:24:30:275:e54
10-09: 11:24:30:275:e54 Receive: (get) SA = 0x00122fb8 from 2.2.2.2.500
10-09: 11:24:30:275:e54 ISAKMP Header: (V1.0), len = 108
10-09: 11:24:30:275:e54   I-COOKIE e59749e4903bb9a2
10-09: 11:24:30:275:e54   R-COOKIE ae60f81c0e5995a8
10-09: 11:24:30:275:e54   exchange: Oakley Main Mode
10-09: 11:24:30:275:e54   flags: 0
10-09: 11:24:30:275:e54   next payload: SA
10-09: 11:24:30:275:e54   message ID: 00000000
10-09: 11:24:30:275:e54 processing payload SA
10-09: 11:24:30:275:e54 Received Phase 1 Transform 1
10-09: 11:24:30:275:e54      Encryption Alg Triple DES CBC(5)
10-09: 11:24:30:275:e54      Hash Alg MD5(1)
10-09: 11:24:30:275:e54      Oakley Group 2
10-09: 11:24:30:275:e54      Auth Method Preshared Key(1)
10-09: 11:24:30:275:e54      Life type in Seconds
10-09: 11:24:30:275:e54      Life duration of 86400
10-09: 11:24:30:275:e54 Phase 1 SA accepted: transform=1
10-09: 11:24:30:275:e54 SA - Oakley proposal accepted
10-09: 11:24:30:275:e54 processing payload VENDOR ID
10-09: 11:24:30:275:e54 Received VendorId FRAGMENTATION
10-09: 11:24:30:275:e54 ClearFragList
10-09: 11:24:30:275:e54 constructing ISAKMP Header
10-09: 11:24:30:306:e54 constructing KE
10-09: 11:24:30:306:e54 constructing NONCE (ISAKMP)
10-09: 11:24:30:306:e54
10-09: 11:24:30:306:e54 Sending: SA = 0x00122FB8 to 2.2.2.2:Type 2.500
10-09: 11:24:30:306:e54 ISAKMP Header: (V1.0), len = 184
10-09: 11:24:30:306:e54   I-COOKIE e59749e4903bb9a2
10-09: 11:24:30:306:e54   R-COOKIE ae60f81c0e5995a8
10-09: 11:24:30:306:e54   exchange: Oakley Main Mode
10-09: 11:24:30:306:e54   flags: 0
10-09: 11:24:30:306:e54   next payload: KE
10-09: 11:24:30:306:e54   message ID: 00000000
10-09: 11:24:30:306:e54 Ports S:f401 D:f401
10-09: 11:24:30:384:e54
10-09: 11:24:30:384:e54 Receive: (get) SA = 0x00122fb8 from 2.2.2.2.500
10-09: 11:24:30:384:e54 ISAKMP Header: (V1.0), len = 256
10-09: 11:24:30:384:e54   I-COOKIE e59749e4903bb9a2
10-09: 11:24:30:384:e54   R-COOKIE ae60f81c0e5995a8
10-09: 11:24:30:384:e54   exchange: Oakley Main Mode
10-09: 11:24:30:384:e54   flags: 0
10-09: 11:24:30:384:e54   next payload: KE
10-09: 11:24:30:384:e54   message ID: 00000000
10-09: 11:24:30:384:e54 processing payload KE
10-09: 11:24:30:400:e54 processing payload NONCE
10-09: 11:24:30:400:e54 processing payload VENDOR ID
10-09: 11:24:30:400:e54 processing payload VENDOR ID
10-09: 11:24:30:400:e54 processing payload VENDOR ID
10-09: 11:24:30:400:e54 processing payload VENDOR ID
10-09: 11:24:30:400:e54 ClearFragList
10-09: 11:24:30:400:e54 constructing ISAKMP Header
10-09: 11:24:30:400:e54 constructing ID
10-09: 11:24:30:400:e54 MM ID Type 1
10-09: 11:24:30:400:e54 MM ID 434fbf7e
10-09: 11:24:30:400:e54 constructing HASH
10-09: 11:24:30:400:e54
10-09: 11:24:30:400:e54 Sending: SA = 0x00122FB8 to 2.2.2.2:Type 2.500
10-09: 11:24:30:400:e54 ISAKMP Header: (V1.0), len = 60
10-09: 11:24:30:400:e54   I-COOKIE e59749e4903bb9a2
10-09: 11:24:30:400:e54   R-COOKIE ae60f81c0e5995a8
10-09: 11:24:30:400:e54   exchange: Oakley Main Mode
10-09: 11:24:30:400:e54   flags: 1 ( encrypted )
10-09: 11:24:30:400:e54   next payload: ID
10-09: 11:24:30:400:e54   message ID: 00000000
10-09: 11:24:30:400:e54 Ports S:f401 D:f401
10-09: 11:24:30:509:e54
10-09: 11:24:30:509:e54 Receive: (get) SA = 0x00122fb8 from 2.2.2.2.500
10-09: 11:24:30:509:e54 ISAKMP Header: (V1.0), len = 84
10-09: 11:24:30:509:e54   I-COOKIE e59749e4903bb9a2
10-09: 11:24:30:509:e54   R-COOKIE ae60f81c0e5995a8
10-09: 11:24:30:509:e54   exchange: Oakley Main Mode
10-09: 11:24:30:509:e54   flags: 1 ( encrypted )
10-09: 11:24:30:509:e54   next payload: ID
10-09: 11:24:30:509:e54   message ID: 00000000
10-09: 11:24:30:509:e54 processing payload ID
10-09: 11:24:30:509:e54 processing payload HASH
10-09: 11:24:30:509:e54 AUTH: Phase I authentication accepted
10-09: 11:24:30:509:e54 processing payload VENDOR ID
10-09: 11:24:30:509:e54 ClearFragList
10-09: 11:24:30:509:e54 MM established.  SA: 00122FB8
10-09: 11:24:30:509:e54 QM PolicyName: ISA Server CompanyX #2 QM Policy dwFlags 0
10-09: 11:24:30:509:e54 QMOffer[0] LifetimeKBytes 0 LifetimeSec 86400
10-09: 11:24:30:509:e54 QMOffer[0] dwFlags 0 dwPFSGroup 0
10-09: 11:24:30:509:e54  Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: MD5
10-09: 11:24:30:509:e54 GetSpi: src = 10.1.0.0.0000, dst = 1.1.1.1.0000, proto = 00, context = 00000006, srcMask = 255.255.255.0, destMask = 255.255.255.255, TunnelFilter 1
10-09: 11:24:30:509:e54 Setting SPI  957874780
10-09: 11:24:30:509:e54 constructing ISAKMP Header
10-09: 11:24:30:509:e54 constructing HASH (null)
10-09: 11:24:30:509:e54 constructing SA (IPSEC)
10-09: 11:24:30:509:e54 constructing NONCE (IPSEC)
10-09: 11:24:30:509:e54 constructing ID (proxy)
10-09: 11:24:30:509:e54 constructing ID (proxy)
10-09: 11:24:30:509:e54 constructing HASH (QM)
10-09: 11:24:30:509:e54
10-09: 11:24:30:509:e54 Sending: SA = 0x00122FB8 to 2.2.2.2:Type 2.500
10-09: 11:24:30:509:e54 ISAKMP Header: (V1.0), len = 156
10-09: 11:24:30:509:e54   I-COOKIE e59749e4903bb9a2
10-09: 11:24:30:509:e54   R-COOKIE ae60f81c0e5995a8
10-09: 11:24:30:509:e54   exchange: Oakley Quick Mode
10-09: 11:24:30:509:e54   flags: 1 ( encrypted )
10-09: 11:24:30:509:e54   next payload: HASH
10-09: 11:24:30:509:e54   message ID: 0eef9e0e
10-09: 11:24:30:509:e54 Ports S:f401 D:f401
10-09: 11:24:30:540:e54
10-09: 11:24:30:540:e54 Receive: (get) SA = 0x00122fb8 from 2.2.2.2.500
10-09: 11:24:30:540:e54 ISAKMP Header: (V1.0), len = 76
10-09: 11:24:30:540:e54   I-COOKIE e59749e4903bb9a2
10-09: 11:24:30:540:e54   R-COOKIE ae60f81c0e5995a8
10-09: 11:24:30:540:e54   exchange: ISAKMP Informational Exchange
10-09: 11:24:30:540:e54   flags: 1 ( encrypted )
10-09: 11:24:30:540:e54   next payload: HASH
10-09: 11:24:30:540:e54   message ID: e0a5b0b8
10-09: 11:24:30:540:e54 processing HASH (Notify/Delete)
10-09: 11:24:30:540:e54 processing payload DELETE
10-09: 11:24:30:540:e54 SA Dead. sa:00122FB8 status:35ef
10-09: 11:24:30:540:e54 isadb_set_status sa:00122FB8 centry:00000000 status 35ef
10-09: 11:24:30:540:e54 Data Protection Mode (Quick Mode)
10-09: 11:24:30:540:e54 Source IP Address 1.1.1.1  Source IP Address Mask 255.255.255.255  Destination IP Address 10.1.0.0  Destination IP Address Mask 255.255.255.0  Protocol 0  Source Port 0  Destination Port 0  IKE Local Addr 1.1.1.1  IKE Peer Addr 2.2.2.2  IKE Source Port 500  IKE Destination Port 500  Peer Private Addr
10-09: 11:24:30:540:e54 Preshared key ID.  Peer IP Address: 2.2.2.2
10-09: 11:24:30:540:e54 Me
10-09: 11:24:30:540:e54 IKE SA deleted by peer before establishment completed
10-09: 11:24:30:540:e54 Processed third (ID) payload  Initiator(Internal).  Delta Time 0   0x0 0x0
10-09: 11:24:30:540:e54 isadb_set_status sa:00122FB8 centry:000E2020 status 35ef
10-09: 11:24:33:868:e54 ClearFragList
10-09: 11:24:33:868:e54 ClearFragList




abnascimento -> RE: ISA to Cisco 3030 vpn (17.Jun.2009 5:16:38 PM)

Hi

Have you any information about your question?
I really very interested on it... I have a problem very similar.

Adalberto




adimcev -> RE: ISA to Cisco 3030 vpn (18.Jun.2009 11:27:23 AM)

You should have replaced the hex value of your public IP address too...

I'm not familiar with the concentrator, but you have an established IKE MM, at least from ISA's point of view.
10-09: 11:24:30:165:2e0 MM established.

Next, ISA starts IKE QM.
What are the needed local and remote subnets ?
From your logs, you propose on ISA as local subnet ISA's public IP address, and as remote 10.1.0.0/24?
Is that correct, meaning are these configured in reverse on the concentrator as: local subnet 10.1.0.0/24 and remote subnet ISA's public IP address?
If not, and actually you are trying to have on ISA as local subnet the subnet behind ISA, do you have a network rule with a route relationship on ISA between the local subnet and the remote site, or are you pinging from ISA itself, or is this HTTP proxied traffic?

If the proxy ids do not match on both sides, your VPN tunnel will fail.

Thanks,
Adrian




abnascimento -> RE: ISA to Cisco 3030 vpn (18.Jun.2009 11:25:18 PM)

Hi!
Let me explain my situation better...

Side A - ISA Server 2006 (updated)
Internal network: 192.168.0.0/24
Internet network interface: 200.10.10.123

Side B - CISCO 3030 Concentrator
Internal network: 193.221.30.0/24
Internet Gateway Interface: 218.21.31.210

IPSec tunnel using pre-shared key.
Site-to-Site Source-NAT.
Site B can route out internal IP addresses.

After I'd configured all of it, I did a ping from Side A to the gateway 218.21.31.210 on Side B. I got a message that the security negotiation started but it could not conclude it... But when I stopped the Firewall service it could authenticate Phase 1 and Phase 2 and the tunnel was established.
I tried to access a URL that is in the other network (site B), I'm in site A, using port 443... It doesn't work.
For the moment I'm just trying to solve the authentication problem. Once it is solved I'll go after the other problem, the URL using port 443.

If someone has an idea to help me, I'd really appreciate it.

thanks
Adalberto




adimcev -> RE: ISA to Cisco 3030 vpn (19.Jun.2009 5:11:59 AM)

If you NAT on ISA, then traffic will be sourced from ISA's public IP address. So IKE QM negotiations will fail due to wrong proxy IDs if you do not add on your concentrator ISA's public IP address (200.10.10.123) to the definition of the remote site.

Is the subnet behind the concentrator a public subnet?

Thanks,
Adrian




abnascimento -> RE: ISA to Cisco 3030 vpn (19.Jun.2009 7:10:06 AM)

Adrian,

First of all, thank you for reading my posted question.

The subnet behind the Cisco is private (193.221.30.0/24).
The IPSec tunnel is constructed between gateways (gateway-to-gateway), where one side requests access to the other side as a client with Source-NAT.
On both sides, the private network doesn't know the network on the other site.
ISA works as NAT (200.10.10.123) for Site A too.

tks
Adalberto




adimcev -> RE: ISA to Cisco 3030 vpn (19.Jun.2009 7:43:39 AM)

I was not aware that 193.221.30.0 is from the private IP address space...

So on ISA you have a network rule with a NAT relationship between the Internal Network and the Remote site (in this order), so outbound connections to the remote site are sourced with the first IP address from ISA's external interface.
The remote subnet for the s2s on ISA comprises only the IP address of the remote VPN gateway (218.21.31.210).

In this case, the proxy IDs negotiated during IKE QM should be 218.21.31.210 and 200.10.10.123. Check the Oakley.log to see if this happens.
And you use on ISA access rules to allow access between the Internal Network and the remote site, and publishing rules to allow the remote site hosts to access hosts behind ISA located on the Internal Network (there). See this for more details:
http://forums.isaserver.org/m_2002071753/mpage_1/key_/tm.htm#2002076700

I'm not familiar with the concentrator (more exactly, I never wanted to use it), so I don't know how it should be configured, but I found this:
http://technet.microsoft.com/en-us/library/cc302438.aspx
Maybe the logs on it will show some info too.

Thanks,
Adrian




abnascimento -> RE: ISA to Cisco 3030 vpn (19.Jun.2009 11:33:41 PM)

Adrian,

I've been getting the following log:


6-19: 17:38:12:107:69c
   Acquire from driver: op=0000000E
   src=200.10.10.123.0 dst=218.21.31.210.0 proto = 0,
   SrcMask=255.255.255.255, DstMask=255.255.255.255,
   Tunnel 1, TunnelEndpt=218.21.31.210
   Inbound TunnelEndpt=200.10.10.123
6-19: 17:38:12:107:d70
   Filter to match: Src 218.21.31.210 Dst 200.10.10.123
6-19: 17:38:12:107:d70 MM PolicyName: ISA Server IPSec Tunnel MM Policy
6-19: 17:38:12:107:d70 MMPolicy dwFlags 0 SoftSAExpireTime 28800
6-19: 17:38:12:107:d70 MMOffer[0] LifetimeSec 86400 QMLimit 0 DHGroup 2
6-19: 17:38:12:107:d70 MMOffer[0] Encrypt: Triplo DES CBC Hash: SHA
6-19: 17:38:12:107:d70 Auth[0]:PresharedKey KeyLen 64
6-19: 17:38:12:107:d70 QM PolicyName: ISA Server IPSec Tunnel QM Policy dwFlags 0
6-19: 17:38:12:107:d70 QMOffer[0] LifetimeKBytes 0 LifetimeSec 28800
6-19: 17:38:12:107:d70 QMOffer[0] dwFlags 0 dwPFSGroup 2
6-19: 17:38:12:107:d70  Algo[0] Operation: ESP Algo: Triplo DES CBC HMAC: SHA
6-19: 17:38:12:107:d70
   Starting Negotiation:
       src = 200.10.10.123.0500, dst = 218.21.31.210.0500, proto = 00,
       context = 0000000E, ProxySrc = 200.10.10.123.0000,
       ProxyDst = 218.21.31.210.0000 SrcMask = 255.255.255.255 DstMask = 255.255.255.255

6-19: 17:38:12:107:d70 constructing ISAKMP Header
6-19: 17:38:12:107:d70 constructing SA (ISAKMP)
6-19: 17:38:12:107:d70 Constructing Vendor MS NT5 ISAKMPOAKLEY
6-19: 17:38:12:107:d70 Constructing Vendor FRAGMENTATION
6-19: 17:38:12:107:d70 Constructing Vendor draft-ietf-ipsec-nat-t-ike-02
6-19: 17:38:12:107:d70 Constructing Vendor Vid-Initial-Contact
6-19: 17:38:12:107:d70

6-19: 17:38:12:107:d70 Sending: SA = 0x00114768 to 218.21.31.210:Type 2.500
6-19: 17:38:12:107:d70 ISAKMP Header: (V1.0), len = 168
6-19: 17:38:12:107:d70   I-COOKIE 7c7d07fb9b2741f4
6-19: 17:38:12:107:d70   R-COOKIE 0000000000000000
6-19: 17:38:12:107:d70   exchange: Oakley Main Mode
6-19: 17:38:12:107:d70   flags: 0
6-19: 17:38:12:107:d70   next payload: SA
6-19: 17:38:12:107:d70   message ID: 00000000
6-19: 17:38:12:107:d70 Ports S:f401 D:f401
6-19: 17:38:12:889:6a4 retransmit: sa = 00114768 centry 00000000 , count = 1
6-19: 17:38:12:889:6a4

...

6-19: 17:39:14:889:6a4 SA Dead. sa:00114768 status:35ed
6-19: 17:39:14:889:6a4 isadb_set_status sa:00114768 centry:00000000 status 35ed

6-19: 17:39:14:889:6a4 Change Key Mode (Main Mode)
6-19: 17:39:14:889:6a4
   Source IP Address 200.10.10.123 
   Source IP Address Mask 255.255.255.255 
   IP Address destination 218.21.31.210 
   IP Address destination Mask 255.255.255.255 
   Protocolo 0  Source Port 0  Destination Port 0 
   Local Address IKE 200.10.10.123 
   Same Level IKE 218.21.31.210   
   Destination Port IKE 500 Private Address Service same level

6-19: 17:39:14:889:6a4
6-19: 17:39:14:889:6a4 Me


6-19: 17:39:14:889:6a4 Anyone response of service of same level protocol
6-19: 17:39:14:889:6a4 First Load AS sent Iniciator. Delta Time 62   0x0 0x0
6-19: 17:39:14:889:6a4 constructing ISAKMP Header
6-19: 17:39:14:889:6a4 constructing DELETE. MM 00114768
6-19: 17:39:14:889:6a4
6-19: 17:39:14:889:6a4 Sending: SA = 0x00114768 to 218.21.31.210:Type 1.500
6-19: 17:39:14:889:6a4 ISAKMP Header: (V1.0), len = 56
6-19: 17:39:14:889:6a4   I-COOKIE 7c7d07fb9b2741f4
6-19: 17:39:14:889:6a4   R-COOKIE 0000000000000000
6-19: 17:39:14:889:6a4   exchange: ISAKMP Informational Exchange
6-19: 17:39:14:889:6a4   flags: 0
6-19: 17:39:14:889:6a4   next payload: DELETE
6-19: 17:39:14:889:6a4   message ID: 0551ad43
6-19: 17:39:14:889:6a4 Ports S:f401 D:f401
6-19: 17:39:17:795:d70 ClearFragList

To me it means that the CISCO 3030 isn't answering the request made by ISA.
On the other side's network, Side B, I don't have access to the log... and the SA who is on the other side told me that when I stopped the Firewall service the authentication passed Phase 1 and Phase 2... It's impossible... because when I stop the Firewall service all policies for IPSec come down.
There is something wrong here and I need a lot of logs to show them that ISA works and reaches the network on Site B.

Best regards,
Adalberto Nascimento




adimcev -> RE: ISA to Cisco 3030 vpn (20.Jun.2009 7:15:23 AM)

On ISA you can check the system policies allowing IKE traffic from ISA to remote VPN gateway and vice-versa to see if they were enabled and updated accordingly.
Additionally watch the logs on ISA to see if ISA allows the IKE packets.

Thanks,
Adrian




abnascimento -> RE: ISA to Cisco 3030 vpn (20.Jun.2009 8:39:25 AM)

Hi Adrian,

I did it and I could see that the other network's site doesn't answer the request for authentication.

I've activated ISA Server Diagnostics in the Event Viewer.
If you have another idea I'd really appreciate it.

tks,
Adalberto




adimcev -> RE: ISA to Cisco 3030 vpn (20.Jun.2009 9:48:11 AM)

From your above Oakley.log, you seem to be stuck when ISA sends the first IKE MM packet with its proposal (authentication pre-shared key, and the cipher suite). Usually it fails during this stage due to the remote VPN gateway not having a similar proposal, or maybe the IP address of the VPN gateways was mistyped at one end, or a firewall along the path blocks the traffic.
Otherwise, maybe this packet is not sent, or it is sent and maybe there is a routing problem somewhere so it does not reach the remote VPN gateway, or it reaches the remote gateway (and either the remote VPN gateway simply drops it or drops it as being invalid).

Can the remote admin confirm that his concentrator receives this first MM packet from ISA?

Did the logs on ISA (from the ISA MMC, logging) say that IKE traffic was initiated?
Have you taken a packet capture on ISA's external interface?

Thanks,
Adrian
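The two failure patterns Adrian distinguishes in this thread (Main Mode established but the SA deleted by the peer during Quick Mode, pointing at mismatched proxy IDs, versus the first Main Mode packet retransmitting with no reply at all) can be told apart mechanically from the Oakley.log lines posted above. The script below is an added example, not code from the thread or from ISA Server: it extracts the proposed proxy IDs from the "Starting Negotiation" line and classifies where the negotiation stopped. The line wording it matches is taken from the logs posted here; other IKE builds may phrase them differently, which is an assumption.

```python
import ipaddress
import re

# Oakley.log phrases taken from the logs posted in this thread (assumption:
# other IKE builds may word them differently, so the patterns are kept loose).
RE_NEG = re.compile(
    r"Starting Negotiation:.*ProxySrc = (\S+), ProxyDst = (\S+) "
    r"SrcMask = (\S+) DstMask = (\S+)")
RE_MM_EST = re.compile(r"MM established")
RE_QM = re.compile(r"exchange: Oakley Quick Mode")
RE_PEER_DELETE = re.compile(r"IKE SA deleted by peer before establishment completed")
RE_RETRANS = re.compile(r"retransmit: sa = \w+ .*count = (\d+)")


def proxy_id(addr_port: str, mask: str) -> str:
    """'10.1.0.0.0000' + '255.255.255.0' -> '10.1.0.0/24' (trailing port dropped)."""
    ip = addr_port.rsplit(".", 1)[0]
    return str(ipaddress.ip_network(f"{ip}/{mask}", strict=False))


def triage(lines):
    """Walk one IKE negotiation in Oakley.log and report where it stopped."""
    st = {"proxy_src": None, "proxy_dst": None, "mm_established": False,
          "qm_started": False, "deleted_by_peer": False, "retransmits": 0}
    for line in lines:
        m = RE_NEG.search(line)
        if m:
            src, dst, smask, dmask = m.groups()
            st["proxy_src"] = proxy_id(src, smask)   # what ISA offers as local ID
            st["proxy_dst"] = proxy_id(dst, dmask)   # what ISA offers as remote ID
        elif RE_MM_EST.search(line):
            st["mm_established"] = True
        elif RE_QM.search(line):
            st["qm_started"] = True
        elif RE_PEER_DELETE.search(line):
            st["deleted_by_peer"] = True
        else:
            m = RE_RETRANS.search(line)
            if m:
                st["retransmits"] = max(st["retransmits"], int(m.group(1)))

    if st["mm_established"] and st["qm_started"] and st["deleted_by_peer"]:
        # Phase 1 succeeded, so PSK and cipher suite agree; Phase 2 was refused.
        st["verdict"] = "qm_rejected"
        st["hint"] = (f"peer accepted Main Mode but deleted the SA during Quick Mode; "
                      f"compare proxy IDs {st['proxy_src']} <-> {st['proxy_dst']} "
                      f"with the peer's local/remote network definitions")
    elif not st["mm_established"] and st["retransmits"] > 0:
        # MM1 was sent and retransmitted; nothing came back from the peer.
        st["verdict"] = "peer_silent_mm1"
        st["hint"] = ("no reply to the first Main Mode packet; check the peer address, "
                      "UDP 500 along the path and the ISA system policy for IKE")
    elif st["mm_established"] and not st["deleted_by_peer"]:
        st["verdict"] = "established"
        st["hint"] = "Main Mode up and no delete from peer"
    else:
        st["verdict"] = "unknown"
        st["hint"] = "negotiation did not match a known pattern; read the full log"
    return st


# Constructed excerpts: the key lines of the two Oakley.log posts in this thread,
# timestamp prefixes kept so the patterns are exercised on realistic lines.
LOG_QM_DELETED = """\
10-09: 11:24:29:916:2e0 Starting Negotiation: src = 1.1.1.1.0500, dst = 2.2.2.2.0500, proto = 00, context = 00000006, ProxySrc = 1.1.1.1.0000, ProxyDst = 10.1.0.0.0000 SrcMask = 255.255.255.255 DstMask = 255.255.255.0
10-09: 11:24:30:165:2e0 AUTH: Phase I authentication accepted
10-09: 11:24:30:165:2e0 MM established.  SA: 00122C50
10-09: 11:24:30:181:2e0   exchange: Oakley Quick Mode
10-09: 11:24:30:197:2e0   exchange: ISAKMP Informational Exchange
10-09: 11:24:30:197:2e0 processing payload DELETE
10-09: 11:24:30:197:2e0 IKE SA deleted by peer before establishment completed
""".splitlines()

LOG_NO_REPLY = """\
6-19: 17:38:12:107:d70 Starting Negotiation: src = 200.10.10.123.0500, dst = 218.21.31.210.0500, proto = 00, context = 0000000E, ProxySrc = 200.10.10.123.0000, ProxyDst = 218.21.31.210.0000 SrcMask = 255.255.255.255 DstMask = 255.255.255.255
6-19: 17:38:12:107:d70   exchange: Oakley Main Mode
6-19: 17:38:12:889:6a4 retransmit: sa = 00114768 centry 00000000 , count = 1
6-19: 17:39:14:889:6a4 SA Dead. sa:00114768 status:35ed
""".splitlines()

if __name__ == "__main__":
    for name, log in (("ISA 2004 -> 3030 (first post)", LOG_QM_DELETED),
                      ("ISA 2006 -> 3030 (later post)", LOG_NO_REPLY)):
        r = triage(log)
        print(f"{name}: {r['verdict']} - {r['hint']}")
```

Run it against a full Oakley.log split per negotiation (one I-COOKIE each) rather than the whole file, since the state flags are cumulative.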




abnascimento -> RE: ISA to Cisco 3030 vpn (22.Jun.2009 11:52:55 PM)

Hi Adrian!

Good News! I got a connection between ISA Server 2006 and CISCO 3030 concentrator.

Now I can establish a VPN IPSec tunnel between them.
It gets authentication for Phase 1 and Phase 2 and the IPSec tunnel works fine.

But now I have a new problem, "SSL-tunnel".
I need to access https://<address Site B>; it seems to work fine but I get a 502 proxy error. Proxy Error 502: Host Server unaccessible.

Have you an idea how I can fix it?




adimcev -> RE: ISA to Cisco 3030 vpn (23.Jun.2009 8:24:17 AM)

Since the remote site is NAT-ed behind the gateway's IP address or so, the remote admin should add the needed NAT mapping to be able to access the secure web server behind it, assuming you've also added on ISA the needed access rule allowing HTTPS traffic between the internal network and the remote site.

Thanks,
Adrian



