Site-to-Site: TZ170 to ISA Server 2006

Site-to-Site: TZ170 to ISA Server 2006 - 14.Jul.2009 10:30:16 AM   
y0sh1

 

Posts: 25
Joined: 14.Sep.2004
Status: offline
I am trying to create an IPSEC tunnel between ISA2006 sp1 (ver. 5.0.5723.502) and a Sonicwall TZ170. All settings have been completed according to the article:
http://www.sonicwall.com/downloads/V...erver_2004.pdf
The VPN channel has been established fine (as far as I can see in the monitors and logs), but some errors appear in the SonicWall logs:

[log1]
2 06/26/2009 08:00:29.464 IKE Responder: IPSec proposal does not match (Phase 2) 190.90.90.5, gate.ourdomain.com 200.50.50.6 190.90.90.5/32 -> 172.15.10.0/24
3 06/26/2009 08:00:29.464 IKE Responder: No match for proposed remote network address 190.90.90.5, gate.ourdomain.com 200.50.50.6 190.90.90.5/32

AFAIK this error appears only when somebody tries to access the Sonicwall internal network from the ISA server. For example, our proxy server (which works with the external IP of the ISA server) cannot forward HTTP requests to the internal network of the Sonicwall, and thus HTTP\HTTPS don't work from the internal network of ISA to the internal network of the Sonicwall (but connecting to the external IP of the Sonicwall [200.50.50.6] over HTTP\HTTPS works fine from the internal network of ISA).

I have found a solution on the Internet: http://forums.isaserver.org/m_300048100/tm.htm It recommends adding, on the ISA side, the Sonicwall's external IP address to the Addresses tab of the Remote Site. On the Sonicwall, ISA's external IP address needs to be added to the Addresses tab of the Remote Site. This has not solved the problem and has turned it the other way around: the VPN is established fine and I can connect to the internal network of the Sonicwall from the external IP of ISA, but now I cannot connect from the internal network of the Sonicwall to the external IP of ISA (and from the internal network of ISA to the external IP of the Sonicwall). And new log entries have appeared:

[log2]
3 07/09/2009 16:56:33.928 IKE Responder: IPSec proposal does not match (Phase 2) 190.90.90.5, gate.ourdomain.com (Admin) 200.50.50.6 190.90.90.5/32 -> 200.50.50.6/32
4 07/09/2009 16:56:33.928 IKE Responder: Tunnel terminates inside firewall but proposed local network is not inside firewall 190.90.90.5, gate.ourdomain.com (Admin)

Our networks:
190.90.90.5 = ISA Server Public IP
200.50.50.6 = Sonicwall Public IP
10.10.10.0 = ISA Internal Network
172.15.10.0 = Sonicwall Internal Network
gate.ourdomain.com = external FQDN of ISA

The questions are:
1. Is ISA 2006 compatible with the Sonicwall TZ170?
2. How can I fix the errors?
Post #: 1
RE: Site-to-Site: TZ170 to ISA Server 2006 - 10.May2011 9:41:16 PM   
henryhoang

 

Posts: 2
Joined: 10.May2011
Status: offline
I think you should create a network rule between Sonic and ISA on the "network rule" tab in ISA2k6 with "route" instead of "NAT".

In addition, please check that the IPSec settings in the properties of the VPN (remote site) in ISA match the IPSec settings on the Sonicwall.

(in reply to y0sh1)
Post #: 2
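
As an added illustration (not part of either post), the Python below checks the Phase 2 address pairs from the two logs against the address lists configured for the tunnel, which shows which side of each proposal the SonicWall rejects. It assumes a /24 mask for the ISA internal network and that the responder accepts a proposal only when the source lies inside its configured remote networks and the destination inside its local networks; `check_proposal` and the constant names are hypothetical.

```python
import ipaddress
import re

# Networks listed in the first post. The /24 on the ISA internal network is an
# assumption (the post gives no mask); 172.15.10.0/24 is taken from the log.
ISA_INTERNAL = ipaddress.ip_network("10.10.10.0/24")
ISA_PUBLIC = ipaddress.ip_network("190.90.90.5/32")
SONICWALL_INTERNAL = ipaddress.ip_network("172.15.10.0/24")

# Phase 2 address pair as it ends the log lines: "src/len -> dst/len".
SELECTOR = re.compile(r"(\d+\.\d+\.\d+\.\d+/\d+)\s*->\s*(\d+\.\d+\.\d+\.\d+/\d+)")

def check_proposal(line, remote_nets, local_nets):
    """Return (source_ok, destination_ok) for the address pair in a log line,
    or None when the line carries no pair. Seen from the responder, the source
    must sit inside a configured remote network and the destination inside a
    configured local network (assumed matching rule)."""
    m = SELECTOR.search(line)
    if m is None:
        return None
    src, dst = (ipaddress.ip_network(g, strict=False) for g in m.groups())
    return (any(src.subnet_of(n) for n in remote_nets),
            any(dst.subnet_of(n) for n in local_nets))

# Log lines from the thread, trimmed to the message and the address pair.
LOG1 = "IKE Responder: IPSec proposal does not match (Phase 2) 190.90.90.5/32 -> 172.15.10.0/24"
LOG2 = "IKE Responder: IPSec proposal does not match (Phase 2) 190.90.90.5/32 -> 200.50.50.6/32"

if __name__ == "__main__":
    # Remote address list on the SonicWall before and after the change
    # described in the first post.
    configs = {
        "ISA internal network only": [ISA_INTERNAL],
        "ISA public IP added": [ISA_INTERNAL, ISA_PUBLIC],
    }
    for name, remote in configs.items():
        for label, line in (("log1", LOG1), ("log2", LOG2)):
            result = check_proposal(line, remote, [SONICWALL_INTERNAL])
            print(f"{name:28} {label}: source_ok, destination_ok = {result}")
```

In this model, log1 fails on the source side until the ISA public IP is in the remote address list, and log2 then fails on the destination side because 200.50.50.6/32 is not inside the SonicWall's internal network.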
