I have some trouble configuring a site-to-site VPN network between a telecommunications company that has a Cisco VPN 3000 Concentrator and an ISA Server 2004 that's on the clients side, all this configured over IPSec.
It seems that the VPN connection can be established however we can't make any traffic over the link.
The Cisco 3000 administrator claims to have everything perfectly and that he has other companies that work with Cisco, Checkpoint and Linux that have made the connections without problems.
Our configuration is as follows:
Servers with Oracle Data Base running over RedHat Enterprise Linux 3 | | Internal network | Apache Web Server running over RHEL, with a php based application that access the DB | | internal netrork | MS ISA Server 2004 (we tested the ISA Server 2006 without good results) | | external network with public addresses | Internet | | their external addresses | Cisco VPN 3000 Concentrator | | their internal addresses | telco provider servers | | their private network | our mobile telephones with WAP that must access the php web site
Basically, we need to estabish the VPN tunnel, over which the mobile phone should access the server that's on the internal network.
We have followed the Microsoft "Configuring IPSec Tunnel Mode VPN Between ISA Server 2004 and Cisco PIX v6.3.1" instructions, configured the ISA Server accordingly and polished some things that ware different on the VPN 3000 and the ISA Server. However, the VPN 3000 and the PIX 501 are not exactly the same.
So far, we are wondering if the VPN 3000 is really compatible with the ISA Server 2004 and 2006, and we are also wondering how well did the VPN 3000 administrator did his job. He says that the solution wasn't certified by their engineering department and that the ISA Server was a poor choice for the connection. He suggests we should "disconnect" SecureNAT on the ISA Server, which I'm not sure it would be possible.
However, we can perfectly configure the ISA Server to allow the mobile phones to access the web site, using the Internet. However, the request is that the connection must be made only by private networks and the access control must be very strict.
I guess a pass through Cisco VPN linux client connection, over the ISA Server 2004 or 2006 would be a possible, however, the ISA would eventually give better options should the number of accesesed web servers grow.
Some of the problems we noticed are: when we test the ISA Server connectivity by entering the MMC to see the Main Mode and Quick Mode security associations, only one of them seems to be active. The MS guide indicates that both connections should be made.
The other detail, is that the VPN 3000 defines in the IKE configuration with Data Lifetime of 100.000 KB, however the ISA Server 2004 or the 2006 doesn't have the options for that configuration.
When we try to make a ping to their internal network (address we have added to the VPN site-to-site connection), we receive first a time-out, and subsequently some strange IP Security warnigs.
On the mobile phone the message is that the connection can't be established.
Any ideas on what could be wrong? Has someone tried the ISA Server - Cisco VPN 3000, site-to-site configuration?
PS. To specify the problems more in detail, on the ISA Server 2004 or 2006 there is no any protocol in MMC/IP Security Monitor/localhost name/Quick Mode/Security Associations (and there there is an association on the Main Mode). On the Cisco VPN 3000, only the Fase I connection has been achieved. And the message we get when we send a ping CMD command from the ISA Server to other company servers is "Negotiating IP Security.".
25159 12/15/2006 12:10:48.960 SEV=7 IPSECDBG/14 RPT=26532 Sending KEY_ACQUIRE to IKE for src 18.104.22.168, dst 22.214.171.124 25160 12/15/2006 12:10:48.960 SEV=8 IKEDBG/90 RPT=26532 pitcher: received a key acquire message! 25161 12/15/2006 12:10:49.620 SEV=7 IPSECDBG/9 RPT=17992 IPSEC return FILTER_DISCARD in ipsec_output() because 0 (require 1) seconds have elapsed since IKE negotiation began (src 0xc804c47a, dst 0x071b7964) 25163 12/15/2006 12:10:49.960 SEV=7 IPSECDBG/10 RPT=26527 IPSEC ipsec_output() can call key_acquire() because 1 seconds have elapsed since last IKE negotiation began (src 0xc804c47a, dst 0x071b7964) 25165 12/15/2006 12:10:49.960 SEV=7 IPSECDBG/14 RPT=26533 Sending KEY_ACQUIRE to IKE for src 126.96.36.199, dst 188.8.131.52 25166 12/15/2006 12:10:49.960 SEV=8 IKEDBG/90 RPT=26533 pitcher: received a key acquire message! 25167 12/15/2006 12:10:50.620 SEV=7 IPSECDBG/9 RPT=17993 IPSEC return FILTER_DISCARD in ipsec_output() because 0 (require 1) seconds have elapsed since IKE negotiation began (src 0xc804c47a, dst 0x071b7964) 25169 12/15/2006 12:10:50.960 SEV=7 IPSECDBG/10 RPT=26528 IPSEC ipsec_output() can call key_acquire() because 1 seconds have elapsed since last IKE negotiation began (src 0xc804c47a, dst 0x071b7964) 25171 12/15/2006 12:10:50.960 SEV=7 IPSECDBG/14 RPT=26534 Sending KEY_ACQUIRE to IKE for src 184.108.40.206, dst 220.127.116.11 25172 12/15/2006 12:10:50.960 SEV=8 IKEDBG/90 RPT=26534 pitcher: received a key acquire message! 25173 12/15/2006 12:10:51.620 SEV=7 IPSECDBG/9 RPT=17994 IPSEC return FILTER_DISCARD in ipsec_output() because 0 (require 1) seconds have elapsed since IKE negotiation began (src 0xc804c47a, dst 0x071b7964)
They just informed that the Cisco router that connects the Cisco VPN 3000 to the Internet has NAT instead of a static route. They can't take that configuration out, because of interoperability with other companies.
The most frustrating thing is that other devices such as Cisco PIX-es and Checkpoints work without problems.
Should we switch from IPSec to PPTP or L2TP? Or perhaps use a Cisco VPN Client on the web server and configurate a IKE and NAT-T pass on the ISA Server?
Someone has any ideas?
< Message edited by Igor Sotelo -- 15.Dec.2006 2:13:17 PM >
I had to make some changes in order to make the IPSec connection work. I concluded that the ISA 2004 or 2006 is most probably incompatible in the scenario, since I had the following restrictions imposed by the mobile operator:
- They can't change the VPN 3000 for a PIX - The external interfase of their VPN 3000 has a NAT-ed address - They use only IPSec (no PPTP, no L2TP) - They demanded our server to have an valid IP for the external interfase - They didn't accepted the Linux box to have an Cisco IPSec VPN Client, since they only work with LAN to LAN, so the pass trough ISA configuration either was possible. - Finally, they demanded also that the mobile phone browser was to point another valid IP address
After taking some time with other tasks, we eventually had to:
- Setup a Linux FC 4 server with three interfaces (one external, anther external but disconnected and the third iternal). - We used the StrongSWAN IPSec program. OpenSWAN or FreeS/WAN didn't work well with the 2.6 kernel. - The FC 4 hosts the Apache 2, PhP, the Oracle client software and the WAP application. - We configured Netfilter/Iptables to block everything coming from the outside (exept the IKE 500, NAT-T tunnelized ESP 4500) and we also had to allow the 80 port to the telco mobile phone gateways (otherwise it wasn't working).
Right now, everything is working fine.
< Message edited by Igor Sotelo -- 17.Feb.2007 2:38:01 AM >
I am facing the same problem you faced, but i can not do what you did. I have a little question: What version of Windows Server were you using? I think there are some restrictions on Creating VPN using ISA to Cisco PIX under Windows Server 2003, and i want to be sure. May be if i try with Windows Server 2004 it will work.
Mohammed Mamoun System Engineer - Arabcall for IVR & SMS services