Hello,
I'm having problems getting a Cisco 800 series router (the 857) to talk to a
Microsoft ISA Server 2004 machine on a remote site. The 'Main Mode' session
is established successfully but the 'Quick Mode' does not get established
and therefore the two sites are unable to talk to each other. Configuration
extract and errors below:
Extract from Cisco Config:
-------------------------------------------------------------
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key pass123 address 217.11.22.33
crypto isakmp nat keepalive 10
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to217.11.22.33
set peer 217.11.22.33
set transform-set ESP-3DES-SHA
match address 102
reverse-route remote-peer 217.11.22.33
!
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.10.10.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.10.10.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 103 permit ip 10.10.10.0 0.0.0.7 any
-------------------------------------------------------------
Event Log Entry on the ISA Server End:
-------------------------------------------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 547
Date: 05/03/2008
Time: 19:32:06
User: NT AUTHORITY\NETWORK SERVICE
Computer: SERVERS01
Description:
IKE security association negotiation failed.
Mode:
Data Protection Mode (Quick Mode)
Filter:
Source IP Address 217.11.22.33
Source IP Address Mask 255.255.255.255
Destination IP Address 10.10.10.2
Destination IP Address Mask 255.255.255.254
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 217.11.22.33
IKE Peer Addr 88.11.22.33
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr
Peer Identity:
Preshared key ID.
Peer IP Address: 88.11.22.33
Failure Point:
Me
Failure Reason:
Negotiation timed out
Extra Status:
Processed third (ID) payload
Initiator(Internal). Delta Time 63
0x0 0x0
-------------------------------------------------------------
IPsec Config Summary on ISA Server
-------------------------------------------------------------
Local Tunnel Endpoint: 217.11.22.33
Remote Tunnel Endpoint: 88.11.22.33
To allow HTTP proxy or NAT traffic to the remote site,
the remote site configuration must contain the local
site tunnel end-point IP address.
IKE Phase I Parameters:
Mode: Main mode
Encryption: 3DES
Integrity: SHA1
Diffie-Hellman group: Group 2 (1024 bit)
Authentication method: Pre-shared secret (pass123)
Security Association lifetime: 28800 seconds
IKE Phase II Parameters:
Mode: ESP tunnel mode
Encryption: 3DES
Integrity: SHA1
Perfect Forward Secrecy: ON
Diffie-Hellman group: Group 2 (1024 bit)
Time rekeying: ON
Security Association lifetime: 3600 seconds
Kbyte rekeying: OFF
Remote Network 'Remote Office' IP Subnets:
Subnet: 10.10.10.1/255.255.255.255
Subnet: 10.10.10.254/255.255.255.255
Subnet: 10.10.10.2/255.255.255.254
Subnet: 10.10.10.252/255.255.255.254
Subnet: 10.10.10.4/255.255.255.252
Subnet: 10.10.10.248/255.255.255.252
Subnet: 10.10.10.8/255.255.255.248
Subnet: 10.10.10.240/255.255.255.248
Subnet: 10.10.10.16/255.255.255.240
Subnet: 10.10.10.224/255.255.255.240
Subnet: 10.10.10.32/255.255.255.224
Subnet: 10.10.10.192/255.255.255.224
Subnet: 10.10.10.64/255.255.255.192
Subnet: 10.10.10.128/255.255.255.192
Local Network 'Internal' IP Subnets:
Subnet: 192.168.16.1/255.255.255.255
Subnet: 192.168.16.2/255.255.255.254
Subnet: 192.168.16.4/255.255.255.252
Subnet: 192.168.16.8/255.255.255.248
Subnet: 192.168.16.16/255.255.255.240
Subnet: 192.168.16.32/255.255.255.224
Subnet: 192.168.16.64/255.255.255.192
Subnet: 192.168.16.128/255.255.255.128
-------------------------------------------------------------
If anyone has any suggestions as to how to get the two sites to talk, they
would make me a very happy guy indeed!
Regards, Ade.
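One thing worth comparing between the two sides above is the Quick Mode selectors: the ISA summary advertises its address ranges as the long list of CIDR blocks, while ACL 102 on the 857 is a single /24 to /24 entry. The Python below is an added illustration, not code from the post or from either vendor; it assumes ISA's ranges are 10.10.10.1-.254 and 192.168.16.1-.255 (reconstructed from the subnet list), reproduces that split with the standard library, and classifies each selector pair against the Cisco ACL so the exact-versus-subset question can be checked against the IOS version in use.

```python
import ipaddress
from itertools import product

# Address ranges the ISA summary in the post decomposes into CIDR blocks
# (constructed from that list: 10.10.10.1-.254 and 192.168.16.1-.255).
ISA_REMOTE_RANGE = ("10.10.10.1", "10.10.10.254")    # 'Remote Office'
ISA_LOCAL_RANGE = ("192.168.16.1", "192.168.16.255")  # 'Internal'

# Crypto ACL 102 from the Cisco extract: (source, destination) as the 857 sees it.
CISCO_CRYPTO_ACL = [("10.10.10.0/24", "192.168.16.0/24")]


def range_to_cidrs(first, last):
    """Split an inclusive address range into the minimal CIDR blocks; this is
    the split that appears under 'IP Subnets' in the ISA summary."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def classify_proposal(remote, local, acl):
    """Compare one Quick Mode selector pair offered by ISA (its remote and
    local networks) with the Cisco crypto ACL. Cisco's ACL source is ISA's
    remote network and its destination is ISA's local network.
    Returns 'exact', 'subset' (fits inside an entry) or 'none'."""
    for src, dst in acl:
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        if remote == src_net and local == dst_net:
            return "exact"
        if remote.subnet_of(src_net) and local.subnet_of(dst_net):
            return "subset"
    return "none"


def proposal_report(remote_range, local_range, acl):
    """Enumerate every selector pair ISA would propose from its two ranges
    and classify each one against the ACL."""
    remotes = range_to_cidrs(*remote_range)
    locals_ = range_to_cidrs(*local_range)
    return {(str(r), str(l)): classify_proposal(r, l, acl)
            for r, l in product(remotes, locals_)}


if __name__ == "__main__":
    report = proposal_report(ISA_REMOTE_RANGE, ISA_LOCAL_RANGE, CISCO_CRYPTO_ACL)
    print(f"{len(report)} selector pairs; exact matches: "
          f"{sum(v == 'exact' for v in report.values())}")
    for (remote, local), verdict in sorted(report.items())[:3]:
        print(f"  {remote} <-> {local}: {verdict}")
```

With the ranges as given, every one of the 112 pairs comes back as "subset" and none as "exact"; the Cisco crypto map also carries no `set pfs` line while the ISA summary shows PFS ON, which is a separate Phase 2 parameter to compare by hand.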