I am trying to create an IPSEC tunnel between ISA2004 and a Sonicwall SOHO3. From the ISA network, when I ping the Sonicwall network, I get "Negotiating IP Security". In the Sonicwall's logs I see the following:
18.104.22.168 = ISA Server Public IP 22.214.171.124 = Remote Sonicwall Public IP
When you test connectivity from the ISA Server, it sources from it's external IP address 126.96.36.199. Does the Sonicwall have this address in it's list of address for the IPSec Tunnel Mode config?
I've explained this in the past and here's a copy/paste of the description - sorry for the length.
SubnetA -- ISA-A -- Internet -- Sonicwall -- SubnetB
ISA-A has a Remote Site for SubnetB that contains the addresses of that subnet.
This results in ISA-A having an IPSec Filter List of A1 - SubnetA ū SubnetB A2 - SubnetB - SubnetA A3 - ISA-A - SubnetB A4 - SubnetB - ISA-A
Sonicwall has a IPSec Tunnel Mode policy for SubnetA that contains the addresses of that subnet.
This results in Sonicwall having an IPSec Filter List of B1 - SubnetB - SubnetA B2 - SubnetA - SubnetB
It's a subtle problem, but when you PING from ISA-A to SubnetB, the traffic sources from ISA-A's external IP address. Because of this, ISA-A has a matching filter for the traffic (A3 above) but the Sonicwall doesn't have a matching filter for this (B1 through B2 don't match the traffic). As a result, ISA-A continue trying to negotiate IP Security with ISA-B but this will never complete as there is not a match for the traffic on ISA-B.
To fix this, on ISA-A, you'll need to add the SonicwallĘs external IP address into the Addresses tab of the Remote Site. On the Sonicwall, you'll need to add ISA-A's external IP address.
What happens is now ISA and the Sonicwall will now have the following filters...