ISAserver.org Forums >> ISA Server 2004 Firewall >> VPN

RE: Discussion for article on Site to Site ISA to DLink VPN (page 3)
RE: Discussion for article on Site to Site ISA to DLink... - 14.May2007 4:55:20 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Hi White,
quote:

ISA Server - LAN Interface (Internal IP 192.168.10.2)

This should be ISA's external interface, is this true?
quote:

Primary HQ LAN = 192.168.0.0/24

Since this is your primary LAN, this should be ISA's default Internal network.
Is ISA the Calling Gateway or the Answering Gateway?
In other words, who is initiating the L2TP/IPsec connection?
Indeed, your D-Link 502T must support NAT-T.
Are you using pre-shared keys/certificates with MS-CHAP/EAP-TLS (you mentioned L2TP/IPsec, so I have assumed that you are using it)?
What are ISA's logs saying?
Are there any VPN sessions established?
For further monitoring, use Wireshark and capture the traffic on ISA's side to see how long the IKE negotiation takes and whether UDP port 4500 is used, so that NAT-T can succeed.
Don't test from ISA itself. Check from clients behind the VPN gateways.
Best regards!

< Message edited by justmee -- 14.May2007 5:24:43 AM >

(in reply to whitehjb)
Post #: 41
RE: Discussion for article on Site to Site ISA to DLink... - 16.Jan.2008 5:12:29 AM   
Domel

 

Posts: 7
Joined: 21.Jan.2007
Status: offline
I have configured my DI-804HV as described in the article, but it's not working.
I don't understand what the errors in the device log mean (SPD Error and error = 77).
217.153.150.* is the ISA Server 2004
217.153.119.* is the DI-804HV
The D-Link log looks like this (the time in the logs is wrong - the clock was not set)...
WAN Type: Static IP Address (V1.44)
Display time: Friday November 24, 2006 00:57:09
Friday November 24, 2006 00:37:09 SPD Error : not found [192.168.168.0]<->[192.168.1.64] from peer IP address 217.153.150.*
Friday November 24, 2006 00:37:09 error = 77
Friday November 24, 2006 00:37:13 IKED re-TX : QINIT to 217.153.150.*
Friday November 24, 2006 00:37:13 Receive IKE Q1(QINIT) : [217.153.150.*]-->[217.153.119.*]
Friday November 24, 2006 00:37:13 SPD Error : not found [192.168.168.0]<->[192.168.1.64] from peer IP address 217.153.150.*
Friday November 24, 2006 00:37:13 error = 77
Friday November 24, 2006 00:37:14 Send IKE (INFO) : delete [192.168.1.1|217.153.119.*]-->[217.153.150.*|192.168.168.1] phase 2
Friday November 24, 2006 00:37:14 IKE phase2 (IPSec SA) remove : 192.168.1.1 <-> 192.168.168.1
Friday November 24, 2006 00:37:14 inbound SPI = 0x39000010, outbound SPI = 0x0
Friday November 24, 2006 00:37:14 Send IKE Q1(QINIT) : 192.168.1.1 --> 192.168.168.1
Friday November 24, 2006 00:37:14 Receive IKE INFO : 217.153.150.* --> 217.153.119.*
Friday November 24, 2006 00:37:19 IKED re-TX : QINIT to 217.153.150.*
Friday November 24, 2006 00:37:21 Receive IKE Q1(QINIT) : [217.153.150.*]-->[217.153.119.*]
Friday November 24, 2006 00:37:21 SPD Error : not found [192.168.168.0]<->[192.168.1.64] from peer IP address 217.153.150.*
Friday November 24, 2006 00:37:21 error = 77
Friday November 24, 2006 00:37:24 IKED re-TX : QINIT to 217.153.150.*
Friday November 24, 2006 00:37:34 IKED re-TX : QINIT to 217.153.150.*
Friday November 24, 2006 00:37:37 Receive IKE Q1(QINIT) : [217.153.150.*]-->[217.153.119.*]
< Message edited by Domel -- 16.Jan.2008 5:14:26 AM >


_____________________________

In skating over thin ice, our safety is in our speed.

(in reply to justmee)
Post #: 42
RE: Discussion for article on Site to Site ISA to DLink... - 16.Jan.2008 5:37:10 AM   
Domel

 

Posts: 7
Joined: 21.Jan.2007
Status: offline
Here are a few other errors:
Tuesday January 16, 2007 11:11:50 inbound SPI = 0x74000010, outbound SPI = 0x0
Tuesday January 16, 2007 11:11:50 Send IKE Q1(QINIT) : 192.168.1.0 --> 192.168.168.0
Tuesday January 16, 2007 11:11:50 Receive IKE INFO : 217.153.150.* --> 217.153.119.*
Tuesday January 16, 2007 11:11:55 IKED re-TX : QINIT to 217.153.150.*
Tuesday January 16, 2007 11:12:00 IKED re-TX : QINIT to 217.153.150.*
Tuesday January 16, 2007 11:12:10 IKED re-TX : QINIT to 217.153.150.*
Tuesday January 16, 2007 11:12:20 IKED re-TX : QINIT to 217.153.150.*
Tuesday January 16, 2007 11:12:40 IKED re-TX : QINIT to 217.153.150.*
Tuesday January 16, 2007 11:12:41 Send IKE (INFO) : delete [192.168.1.0|217.153.119.*]-->[217.153.150.*|192.168.168.0] phase 2
Tuesday January 16, 2007 11:12:41 IKE phase2 (IPSec SA) remove : 192.168.1.0 <-> 192.168.168.0
Tuesday January 16, 2007 11:12:41 inbound SPI = 0x76000010, outbound SPI = 0x0
Tuesday January 16, 2007 11:12:41 Send IKE Q1(QINIT) : 192.168.1.0 --> 192.168.168.0
Tuesday January 16, 2007 11:12:41 Receive IKE INFO : 217.153.150.* --> 217.153.119.*
Tuesday January 16, 2007 11:12:46 IKED re-TX : QINIT to 217.153.150.*
Tuesday January 16, 2007 11:12:51 IKED re-TX : QINIT to 217.153.150.*
Tuesday January 16, 2007 11:13:01 IKED re-TX : QINIT to 217.153.150.*
Tuesday January 16, 2007 11:13:11 IKED re-TX : QINIT to 217.153.150.*
Tuesday January 16, 2007 11:13:31 IKED re-TX : QINIT to 217.153.150.*
Tuesday January 16, 2007 11:13:32 Send IKE (INFO) : delete [192.168.1.0|217.153.119.*]-->[217.153.150.*|192.168.168.0] phase 2
Tuesday January 16, 2007 11:13:32 IKE phase2 (IPSec SA) remove : 192.168.1.0 <-> 192.168.168.0
_____________________________

In skating over thin ice, our safety is in our speed.

(in reply to Domel)
Post #: 43
RE: Discussion for article on Site to Site ISA to DLink... - 16.Jan.2008 7:50:50 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Hi Dominik,
I think it would be more useful to post the Oakley.log from ISA.
Not sure what those errors mean.
Regards!

(in reply to Domel)
Post #: 44
RE: Discussion for article on Site to Site ISA to DLink... - 16.Jan.2008 9:26:21 AM   
Domel

 

Posts: 7
Joined: 21.Jan.2007
Status: offline
oakley.log:
1-16: 15:22:26:972:bf8 Retransmit failed to find SA
1-16: 15:22:27:66:1d6c SA Dead. sa:0799B6B8 status:35f0
1-16: 15:22:27:66:1d6c isadb_set_status sa:0799B6B8 centry:00000000 status 35f0
1-16: 15:22:27:66:1d6c Key Exchange Mode (Main Mode)
1-16: 15:22:27:66:1d6c Source IP Address 217.153.150.*  Source IP Address Mask 255.255.255.255  Destination IP Address 217.153.119.*  Destination IP Address Mask 255.255.255.255  Protocol 0  Source Port 0  Destination Port 0  IKE Local Addr 217.153.150.*  IKE Peer Addr 217.153.119.*  IKE Source Port 500  IKE Destination Port 500  Peer Private Addr
1-16: 15:22:27:66:1d6c
1-16: 15:22:27:66:1d6c Me
1-16: 15:22:27:66:1d6c IKE SA deleted before establishment completed
1-16: 15:22:27:66:1d6c Sent first (SA) payload  Initiator.  Delta Time 70   0x0 0x0
1-16: 15:22:27:66:1d6c constructing ISAKMP Header
1-16: 15:22:27:66:1d6c constructing DELETE. MM 0799B6B8
1-16: 15:22:27:66:1d6c
1-16: 15:22:27:66:1d6c Sending: SA = 0x0799B6B8 to 217.153.119.*:Type 1.500
1-16: 15:22:27:66:1d6c ISAKMP Header: (V1.0), len = 56
1-16: 15:22:27:66:1d6c   I-COOKIE a3a5ae59c0e81671
1-16: 15:22:27:66:1d6c   R-COOKIE 0402bb67e1df658d
1-16: 15:22:27:66:1d6c   exchange: ISAKMP Informational Exchange
1-16: 15:22:27:66:1d6c   flags: 0
1-16: 15:22:27:66:1d6c   next payload: DELETE
1-16: 15:22:27:66:1d6c   message ID: fffc2738
1-16: 15:22:27:66:1d6c Ports S:f401 D:f401
1-16: 15:22:27:66:1d6c ClearFragList
1-16: 15:23:01:160:bf0 Acquire from driver: op=0000008E src=192.168.168.49.0 dst=192.168.1.100.0 proto = 0, SrcMask=255.255.255.0, DstMask=255.255.255.192, Tunnel 1, TunnelEndpt=217.153.119.* Inbound TunnelEndpt=217.153.150.*
1-16: 15:23:01:160:1d6c Filter to match: Src 217.153.119.* Dst 217.153.150.*
1-16: 15:23:01:160:1d6c MM PolicyName: ISA Server Gliwice MM Policy
1-16: 15:23:01:160:1d6c MMPolicy dwFlags 0 SoftSAExpireTime 28800
1-16: 15:23:01:160:1d6c MMOffer[0] LifetimeSec 28800 QMLimit 0 DHGroup 2
1-16: 15:23:01:160:1d6c MMOffer[0] Encrypt: Triple DES CBC Hash: SHA
1-16: 15:23:01:160:1d6c Auth[0]:PresharedKey KeyLen 18
1-16: 15:23:01:160:1d6c QM PolicyName: ISA Server Gliwice QM Policy dwFlags 0
1-16: 15:23:01:160:1d6c QMOffer[0] LifetimeKBytes 0 LifetimeSec 3600
1-16: 15:23:01:160:1d6c QMOffer[0] dwFlags 0 dwPFSGroup 2
1-16: 15:23:01:160:1d6c  Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: SHA
1-16: 15:23:01:160:1d6c Starting Negotiation: src = 217.153.150.*.0500, dst = 217.153.119.*.0500, proto = 00, context = 0000008E, ProxySrc = 192.168.168.0.0000, ProxyDst = 192.168.1.64.0000 SrcMask = 255.255.255.0 DstMask = 255.255.255.192
1-16: 15:23:01:160:1d6c constructing ISAKMP Header
1-16: 15:23:01:160:1d6c constructing SA (ISAKMP)
1-16: 15:23:01:160:1d6c Constructing Vendor MS NT5 ISAKMPOAKLEY
1-16: 15:23:01:160:1d6c Constructing Vendor FRAGMENTATION
1-16: 15:23:01:160:1d6c Constructing Vendor draft-ietf-ipsec-nat-t-ike-02
1-16: 15:23:01:160:1d6c Constructing Vendor Vid-Initial-Contact
1-16: 15:23:01:160:1d6c
1-16: 15:23:01:160:1d6c Sending: SA = 0x0846D1E8 to 217.153.119.*:Type 2.500
1-16: 15:23:01:160:1d6c ISAKMP Header: (V1.0), len = 168
1-16: 15:23:01:160:1d6c   I-COOKIE f0a10f116ec7d425
1-16: 15:23:01:160:1d6c   R-COOKIE 0000000000000000
1-16: 15:23:01:160:1d6c   exchange: Oakley Main Mode
1-16: 15:23:01:160:1d6c   flags: 0
1-16: 15:23:01:160:1d6c   next payload: SA
1-16: 15:23:01:160:1d6c   message ID: 00000000
1-16: 15:23:01:160:1d6c Ports S:f401 D:f401
1-16: 15:23:01:316:1d6c
1-16: 15:23:01:316:1d6c Receive: (get) SA = 0x0846d1e8 from 217.153.119.*.500
1-16: 15:23:01:316:1d6c ISAKMP Header: (V1.0), len = 84
1-16: 15:23:01:316:1d6c   I-COOKIE f0a10f116ec7d425
1-16: 15:23:01:316:1d6c   R-COOKIE 7228fc05759801bf
1-16: 15:23:01:316:1d6c   exchange: Oakley Main Mode
1-16: 15:23:01:316:1d6c   flags: 0
1-16: 15:23:01:316:1d6c   next payload: SA
1-16: 15:23:01:316:1d6c   message ID: 00000000
1-16: 15:23:01:316:1d6c Failed for length exceeded
1-16: 15:23:01:332:1d6c invalid payload received
1-16: 15:23:01:332:1d6c GetPacket failed 3613
1-16: 15:23:01:972:bf8 Retransmit failed to find SA

_____________________________

In skating over thin ice, our safety is in our speed.

(in reply to justmee)
Post #: 45
RE: Discussion for article on Site to Site ISA to DLink... - 16.Jan.2008 10:14:22 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Hmmm.
That's the entire log?
A quick piece of advice: when you "take" an Oakley.log, take it clean. Reboot ISA or restart the services so that you start with an empty Oakley.log, then connect. That way we have a clean trail of what happened, starting from the first packet.
Are you sure the remote site only includes 192.168.1.64/26?
We can follow the "end" of your Oakley.log.
ISA is sending the first IKE MM packet:
1-16: 15:23:01:160:1d6c constructing ISAKMP Header
...
1-16: 15:23:01:160:1d6c Sending: SA = 0x0846D1E8 to 217.153.119.*:Type 2.500
1-16: 15:23:01:160:1d6c ISAKMP Header: (V1.0), len = 168
1-16: 15:23:01:160:1d6c   I-COOKIE f0a10f116ec7d425
1-16: 15:23:01:160:1d6c   R-COOKIE 0000000000000000

And receives a response from D-Link:
1-16: 15:23:01:316:1d6c Receive: (get) SA = 0x0846d1e8 from 217.153.119.*.500
1-16: 15:23:01:316:1d6c ISAKMP Header: (V1.0), len = 84
1-16: 15:23:01:316:1d6c   I-COOKIE f0a10f116ec7d425
1-16: 15:23:01:316:1d6c   R-COOKIE 7228fc05759801bf

Which turns into:
1-16: 15:23:01:316:1d6c Failed for length exceeded
1-16: 15:23:01:332:1d6c invalid payload received
1-16: 15:23:01:332:1d6c GetPacket failed 3613

At first glance it looks like crappy IPsec software on the D-Link.
Can you please take a clean Oakley.log? Maybe we can find out more.
J

(in reply to Domel)
Post #: 46
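The post above reads the tail of the Oakley.log by hand: the outgoing Main Mode message 1 (R-COOKIE all zeros, len 168), the D-Link's reply under the same I-COOKIE (len 84), and then the parse failure. The following is an added example, not code from the thread or from ISA Server, that does the same walk programmatically over the log lines Domel posted (embedded here as constructed sample input, with the masked `*` octets kept as posted). It groups header lines under the Sending/Receive record they belong to, pulls the Quick Mode traffic selectors from the "Starting Negotiation" line, and classifies the attempt (no reply, reply rejected by ISA, or MM1/MM2 exchanged). Field names such as `i_cookie` and the `diagnose()` verdict strings are this example's own.

```python
"""Summarise an ISA Server 2004 / Windows IKE Oakley.log negotiation attempt.

Added example (not from the original thread). Only the standard library is used.
"""
import re
from typing import Dict, List

# Constructed sample: the last attempt from the Oakley.log posted in the thread.
SAMPLE_OAKLEY_LOG = """\
1-16: 15:23:01:160:1d6c Starting Negotiation: src = 217.153.150.*.0500, dst = 217.153.119.*.0500, proto = 00, context = 0000008E, ProxySrc = 192.168.168.0.0000, ProxyDst = 192.168.1.64.0000 SrcMask = 255.255.255.0 DstMask = 255.255.255.192
1-16: 15:23:01:160:1d6c constructing ISAKMP Header
1-16: 15:23:01:160:1d6c Sending: SA = 0x0846D1E8 to 217.153.119.*:Type 2.500
1-16: 15:23:01:160:1d6c ISAKMP Header: (V1.0), len = 168
1-16: 15:23:01:160:1d6c   I-COOKIE f0a10f116ec7d425
1-16: 15:23:01:160:1d6c   R-COOKIE 0000000000000000
1-16: 15:23:01:160:1d6c   exchange: Oakley Main Mode
1-16: 15:23:01:160:1d6c   flags: 0
1-16: 15:23:01:160:1d6c   next payload: SA
1-16: 15:23:01:160:1d6c   message ID: 00000000
1-16: 15:23:01:316:1d6c
1-16: 15:23:01:316:1d6c Receive: (get) SA = 0x0846d1e8 from 217.153.119.*.500
1-16: 15:23:01:316:1d6c ISAKMP Header: (V1.0), len = 84
1-16: 15:23:01:316:1d6c   I-COOKIE f0a10f116ec7d425
1-16: 15:23:01:316:1d6c   R-COOKIE 7228fc05759801bf
1-16: 15:23:01:316:1d6c   exchange: Oakley Main Mode
1-16: 15:23:01:316:1d6c   flags: 0
1-16: 15:23:01:316:1d6c   next payload: SA
1-16: 15:23:01:316:1d6c   message ID: 00000000
1-16: 15:23:01:316:1d6c Failed for length exceeded
1-16: 15:23:01:332:1d6c invalid payload received
1-16: 15:23:01:332:1d6c GetPacket failed 3613
"""

# "M-D: HH:MM:SS:ms:threadid <body>" -- lines with an empty body are skipped.
PREFIX = re.compile(r"^\d+-\d+: [\d:]+:[0-9a-f]+ (.*)$")
SEND = re.compile(r"Sending: SA = 0x([0-9A-Fa-f]+) to (\S+):Type")
RECV = re.compile(r"Receive: \(get\) SA = 0x([0-9A-Fa-f]+) from (\S+)\.500")
HDR = re.compile(r"ISAKMP Header: \(V([\d.]+)\), len = (\d+)")
COOKIE = re.compile(r"([IR])-COOKIE ([0-9a-f]{16})")
EXCH = re.compile(r"exchange: (.+)")
SELECTORS = re.compile(
    r"ProxySrc = (\S+)\.\d{4}, ProxyDst = (\S+)\.\d{4} SrcMask = (\S+) DstMask = (\S+)")
# Lines the IKE service logs when it cannot parse what the peer sent.
ERRORS = ("Failed for length exceeded", "invalid payload received", "GetPacket failed")


def parse_oakley(text: str) -> Dict[str, List[dict]]:
    """Return the traffic selectors and the list of ISAKMP messages in the log."""
    messages: List[dict] = []
    selectors: List[dict] = []
    current = None
    for raw in text.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue
        body = m.group(1).strip()
        if (s := SELECTORS.search(body)):
            selectors.append({"src": s.group(1), "src_mask": s.group(3),
                              "dst": s.group(2), "dst_mask": s.group(4)})
            continue
        if (s := SEND.search(body)):
            current = {"dir": "out", "sa": s.group(1).lower(), "peer": s.group(2), "errors": []}
            messages.append(current)
            continue
        if (s := RECV.search(body)):
            current = {"dir": "in", "sa": s.group(1).lower(), "peer": s.group(2), "errors": []}
            messages.append(current)
            continue
        if current is None:
            continue
        if (h := HDR.search(body)):
            current["version"], current["len"] = h.group(1), int(h.group(2))
        elif (c := COOKIE.search(body)):
            current[c.group(1).lower() + "_cookie"] = c.group(2)
        elif (e := EXCH.search(body)):
            current["exchange"] = e.group(1)
        elif body.startswith(ERRORS):
            current["errors"].append(body)
    return {"selectors": selectors, "messages": messages}


def diagnose(parsed: Dict[str, List[dict]]) -> str:
    """Classify the last Main Mode attempt the way the thread does by hand."""
    msgs = parsed["messages"]
    mm1s = [m for m in msgs if m["dir"] == "out"
            and m.get("exchange") == "Oakley Main Mode" and m.get("r_cookie") == "0" * 16]
    if not mm1s:
        return "no Main Mode message 1 sent"
    mm1 = mm1s[-1]
    replies = [m for m in msgs if m["dir"] == "in" and m.get("i_cookie") == mm1.get("i_cookie")]
    if not replies:
        return "no reply from peer (check UDP 500 reachability and NAT-T)"
    reply = replies[0]
    if reply["errors"]:
        return "peer replied but ISA rejected the packet: " + "; ".join(reply["errors"])
    return "MM1/MM2 exchanged, proposal accepted"


if __name__ == "__main__":
    result = parse_oakley(SAMPLE_OAKLEY_LOG)
    for sel in result["selectors"]:
        print(f"selector {sel['src']}/{sel['src_mask']} <-> {sel['dst']}/{sel['dst_mask']}")
    for msg in result["messages"]:
        print(msg)
    print(diagnose(result))
```

Run against the posted log, the selector line already shows why the D-Link logged "SPD Error : not found [192.168.168.0]<->[192.168.1.64]": ISA proposed 192.168.1.64 with mask 255.255.255.192, not the /24 the D-Link was configured with.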
RE: Discussion for article on Site to Site ISA to DLink... - 17.Jan.2008 6:35:20 AM   
Domel

 

Posts: 7
Joined: 21.Jan.2007
Status: offline
That is the entire log.

And ISA IPSec is set to:
Local Tunnel Endpoint: 217.153.150.*
Remote Tunnel Endpoint: 217.153.119.*

To allow HTTP proxy or NAT traffic to the remote site,
the remote site configuration must contain the local
site tunnel end-point IP address.

IKE Phase I Parameters:
   Mode: Main mode
   Encryption: 3DES
   Integrity: SHA1
   Diffie-Hellman group: Group 2 (1024 bit)
   Authentication method: Pre-shared secret (pass removed)
   Security Association lifetime: 28800 seconds

IKE Phase II Parameters:
   Mode: ESP tunnel mode
   Encryption: 3DES
   Integrity: SHA1
   Perfect Forward Secrecy: ON
   Diffie-Hellman group: Group 2 (1024 bit)
   Time rekeying: ON
   Security Association lifetime: 3600 seconds
   Kbyte rekeying: OFF

Remote Network 'Gliwice' IP Subnets:
   Subnet: 192.168.1.1/255.255.255.255
   Subnet: 192.168.1.2/255.255.255.254
   Subnet: 192.168.1.4/255.255.255.252
   Subnet: 192.168.1.8/255.255.255.248
   Subnet: 192.168.1.16/255.255.255.240
   Subnet: 192.168.1.32/255.255.255.224
   Subnet: 192.168.1.64/255.255.255.192
   Subnet: 192.168.1.128/255.255.255.128

Local Network 'Internal' IP Subnets:
   Subnet: 192.168.168.0/255.255.255.0

But I don't understand why there are so many subnets. I put only one in the New Location Wizard ...

_____________________________

In skating over thin ice, our safety is in our speed.

(in reply to justmee)
Post #: 47
RE: Discussion for article on Site to Site ISA to DLink... - 17.Jan.2008 7:53:07 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Why are there so many subnets?
Maybe because you have entered them?
What exactly have you entered?
If you want to include 192.168.1.0/24 (which appears in your D-Link log) then type:
192.168.1.0-192.168.1.255
Don't start with 192.168.1.1.
Regarding the Oakley.log, same story as in my previous post.
To be honest, I have seen the same messages (Failed for length exceeded, invalid payload received, GetPacket failed 3613) some time ago when I attempted to create a site-to-site between ISA and a crappy two-cent device. That was fixed with a firmware upgrade on that device (it had a bug).
What's happening: ISA is sending the first IKE MM message with the proposal of IKE MM settings.
The D-Link replies with something (I don't know what from the Oakley.log). If configured correctly, it should reply back with the same IKE MM proposal. After that, the second round of IKE messages should follow (DH key exchange).
But it appears something is wrong with the D-Link packet.
If the D-Link does not have the same IKE MM settings, it should inform ISA about that with a Notification payload (ISAKMP Informational).
Can you take a Wireshark trace on ISA's external interface and tell us (if you do not want to post a link to it for some reason) what's in the packet sent by the D-Link?
Watch for the first ISA IKE MM message (R-COOKIE 0) which contains ISA's proposal payload (something like):
Sending: SA = 0x0846D1E8 to 217.153.119.*:Type 2.500
ISAKMP Header: (V1.0), len = 168
I-COOKIE f0a10f116ec7d425
R-COOKIE 0000000000000000
And the D-Link response to that. See if the D-Link sends back a proposal.
Is there any other device between ISA and the D-Link?

< Message edited by justmee -- 17.Jan.2008 7:54:32 AM >

(in reply to Domel)
Post #: 48
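The eight-subnet list in Domel's post and justmee's answer ("Don't start with 192.168.1.1") are two sides of one mechanism: ISA stores a remote site network as address ranges and splits each range into the CIDR blocks that exactly cover it, and every block becomes its own IPsec traffic selector in the Quick Mode proposal. The following added example (not code from the thread or from ISA Server; it uses only the Python standard library, and the function names are its own) reproduces that split, so you can see in advance what a peer with a single-subnet policy will be asked to accept.

```python
"""Show how an address range turns into IPsec traffic selectors.

Added example, not from the original thread. The decomposition is the
standard minimal range-to-CIDR summarisation; the thread's posted output
is used only as the expected result.
"""
import ipaddress
from typing import Iterable, List, Tuple


def range_to_subnets(first: str, last: str) -> List[str]:
    """Return the minimal list of CIDR blocks that exactly covers first..last.

    An aligned range (x.x.x.0 - x.x.x.255) collapses to a single /24; a range
    that starts one address in (x.x.x.1 - x.x.x.255) needs eight blocks.
    """
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    if end < start:
        raise ValueError("range end precedes range start")
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def unmatched_selectors(local_ranges: Iterable[Tuple[str, str]],
                        peer_subnets: Iterable[str]) -> List[str]:
    """Selectors we would propose that the peer has no identical policy for.

    A gateway that matches its SPD on exact subnets (as the D-Link log's
    'SPD Error : not found' suggests) will reject every one of these.
    """
    peer = {ipaddress.ip_network(p) for p in peer_subnets}
    proposed = [ipaddress.ip_network(s)
                for first, last in local_ranges
                for s in range_to_subnets(first, last)]
    return [str(p) for p in proposed if p not in peer]


if __name__ == "__main__":
    # What Domel typed (range starting at .1) versus what justmee suggested.
    for rng in (("192.168.1.1", "192.168.1.255"), ("192.168.1.0", "192.168.1.255")):
        print(f"{rng[0]}-{rng[1]} -> {range_to_subnets(*rng)}")
    # The D-Link is configured with the whole /24; every split block misses it.
    print(unmatched_selectors([("192.168.1.1", "192.168.1.255")], ["192.168.1.0/24"]))
```

The first range prints exactly the eight entries ISA showed (192.168.1.1/32 through 192.168.1.128/25); the second prints just `['192.168.1.0/24']`. The 192.168.1.64/26 that the D-Link logged as "SPD Error : not found" is simply the seventh block of the first list.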
RE: Discussion for article on Site to Site ISA to DLink... - 17.Jan.2008 8:34:45 AM   
Domel

 

Posts: 7
Joined: 21.Jan.2007
Status: offline
quote:


Why are so many subnets?
Maybe because you have entered them ?
What exactly have you entered ?
If you want to include 192.168.1.0/24(which appears in your D-Link log) then type:
192.168.1.0-192.168.1.255
Don't start with 192.168.1.1

My fault. I had entered 192.168.1.1.
I configured ISA again with 192.168.1.0, upgraded the firmware again, and it started to work exactly as described in the article :)
Thanks for the help! :)

_____________________________

In skating over thin ice, our safety is in our speed.

(in reply to justmee)
Post #: 49
RE: Discussion for article on Site to Site ISA to DLink... - 23.Jan.2008 2:44:36 PM   
clayman24

 

Posts: 3
Joined: 21.Sep.2006
Status: offline
I have this VPN working reliably with the D-Link router mentioned in the article.

A couple of gotchas that were not mentioned in the document:

Assumptions:
ISA external adapter fixed IP: 10.0.0.1
Internal subnet addresses: 192.168.1.0 - 192.168.1.255

D-Link external fixed IP: 10.0.1.1
Internal subnet at D-Link site: 192.168.3.1 - 192.168.3.255


1. The fixed IP address of the remote site's gateway must be included in the subnet addressing, at both the D-Link and the ISA locations, i.e.

ISA side:
192.168.3.0-192.168.3.255
10.0.1.1 - 10.0.1.1

DLink Side:
192.168.1.0 - 192.168.1.255
10.0.0.1

2. The static route has to be set up to point the correct way:

ISA side:
Destination: 192.168.3.0
SubnetMask: 255.255.255.0
Gateway: 10.0.1.1 ( external ip of DLink)

DLINk side:
Destination: 192.168.1.0
Subnet Mask: 255.255.255.0
Gateway: 10.0.0.1 ( ISA external adapter)

I hope this helps

Clayton


(in reply to Domel)
Post #: 50