according to the posted log excerpt at least some IKE traffic is reaching the ISA server.
Again test first from a client directly connected to the ISA external subnet and use a preshared key. Also, take a Wireshark/Ethereal/Netmon trace on the ISA external interface or on the client and post the download link here. I wonder how far the IKE negotiation goes.
RE: Client VPN using IPSec not working - 15.Jan.2007 5:01:24 AM
for the beggining it would be nice if we would see a screenshot of ISA logs, when packets are reaching its external interface and what actually it hapenning there. a more detailed look with wireshark it would be good but maybe we can get it only from that logs. yes you have to install wireshark on ISA and monitor its external interface.
RE: Client VPN using IPSec not working - 16.Jan.2007 5:02:06 AM
Interesting. What rules do you have in place? It should not do UDP encapsulation of the IPSec packets but it does. It has no NAT device to travers but it seems it is trying to do so. The hash values contains in NAT-D payloads are not matching so it assumes that there is a NAT device along the way.
From 192.168.10.22 -> 192.168.10.20 Hash of address and port:DE20CF222A5058661845E0091889C40FD93EDD35 Hash of address and port:471B75285A816145C6DDE3F2BA265209F94C7085 From 192.168.10.20 -> 192.168.10.22 Hash of address and port:471B75285A816145C6DDE3F2BA265209F94C7085 Hash of address and port:8D3F1EC237A4D588FD2338127C7DF553FD63917B
And then it switches to NAT-T. put here too the screenshot from ISA logs.
< Message edited by adrian_dimcev -- 16.Jan.2007 5:39:05 AM >
RE: Client VPN using IPSec not working - 16.Jan.2007 6:33:50 AM
I want to see your logs from ISA in order to check what policy rule is used by ISA. As I said it should not use UDP encapsulation. If it is doing so I suspect ISA is trying to pass the traffic based on your rules.
RE: Client VPN using IPSec not working - 16.Jan.2007 7:16:52 AM
Mate you are killing me. what logs? those ones? http://forums.isaserver.org/m_2002035746/mpage_1/tm.htm#2002036073 those ones are with a remote client and with the wrong rules in place ! do you still have those rules? delete them all!!! you don't have to have any rules in place except ISA's System Policy rule #13 enabled. and a rule to allow access from vpn clients to internal network. it is important to see the logs from ISA from the session with that client 192.168.10.22 in order to see the rules used by ISA are from that System Policy rule #13 and only the IKE client(not Server or IKE NAT-T client...) should be used as protocol. You don't need NAT-T as it happens when you are connecting. The idea is to have a complete picture of your setup before jumping into conclusions. A someone has said arround here before you got to help us help you.
< Message edited by adrian_dimcev -- 16.Jan.2007 7:26:33 AM >
RE: Client VPN using IPSec not working - 16.Jan.2007 7:26:16 AM
you see: from those logs the destination IP address should be 192.168.10.20 not your ISA's internal ip address(10...). but this is happening because of your rules: ISA is trying to pass the traffic to the internal ip address like in a VPN passthrough connection. The connection should end to ISA's external ip address. you've actually published an internal VPN server with the IP address of 10....
< Message edited by adrian_dimcev -- 16.Jan.2007 8:16:37 AM >
Ah ha! I thought to use IPSec it needs to be published? As soon as i deleted all vpn rules besides open all for VPN clients BINGO it worked, so you guys were correct on my foolish publishing mistake. After reading a few VPN docs it lead me to think that i would need VPN publishing rules but i guess this would apply if the ISA is not apart of a domain?? When do the rules need to be used? (not in my case)
RE: Client VPN using IPSec not working - 17.Jan.2007 3:01:12 AM
Hi Sunny, Nice! No you don't need VPN publishing rule if ISA is not part of domain. The only difference it will be that you will use a Radius Server for authenticating users instead of windows users group. The need of publishing rules is when your VPN server is behind your firewall. As Stefaan said in your case ISA is the VPN server so you don't need to publish it. For example I'm writing this post connected through VPN L2TP/IPSec with certificates to a back-end ISA 2004 Firewall which is a domain member. In front of it I have an ISA 2006 which is not a domain member, a pfsense firewall with two wans with outgoing load balancing and failover from which one wan goes though another firewall, a m0n0wall. Through this m0n0wall I am connected all away to the back-end ISA 2004 which server as my VPN server and implicit as my VPN end-point. All off this firewalls are performing NAT. The publishing rules were used on ISA 2006 to publish ISA 2004 as a VPN Server: Publish VPN Over L2TP/IPSec with NAT-T(two rules: IKE Server and IPSec NAT-T Server). Publish VPN Over PPTP(one rule: PPTP Server). The only problem was that I cannot add GRE IP Protocol 47 to m0n0wall's NAT rules so PPTP will go through pfsense. This is were you are using the publishing rules: to do a VPN passthrough on ISA to a VPN server located behind it. Good to hear it is working now for you!