Not being an expert, I have several ISA04/06 boxes running site VPNs to Ciscos; which ones I couldn't say, I'm not on the other end. I can say a couple of things to check.

#1. Check eventvwr for the error; there should be something there.
#2. Sometimes you have to add the IP of the gateway (public) and the internals (192.168.1.x) on the network connector.
#3. Make sure routing is enabled (not NAT) on the network interface 'vpn' or whatever you called it.
#4. There is no one-to-one NAT on ISA (one of its downfalls), so make sure you are listening on the Cisco on the default IP of your ISA box, not some secondary IP.
#5. TechNet has an article on doing this, connecting ISA to Cisco VPN. As I'm looking for it I cannot find it through Google, but it was on TechNet a few months ago; I just don't have the link with me.

-----Original Message-----
From: Adrian P Wilkinson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 05, 2008 2:44 PM
To: NT System Admin Issues
Subject: Cisco 857 to ISA Server 2004 - IPsec VPN Problem

Hello,

I'm having problems getting a Cisco 800 series router (the 857) to talk to a Microsoft ISA Server 2004 machine on a remote site. The 'Main Mode' session is established successfully but the 'Quick Mode' does not get established, and therefore the two sites are unable to talk to each other. Configuration extract and errors below:

Extract from Cisco Config:
-------------------------------------------------------------
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key pass123 address 217.11.22.33
crypto isakmp nat keepalive 10
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to217.11.22.33
 set peer 217.11.22.33
 set transform-set ESP-3DES-SHA
 match address 102
 reverse-route remote-peer 217.11.22.33
!
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.10.10.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.10.10.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 103 permit ip 10.10.10.0 0.0.0.7 any
-------------------------------------------------------------

Event Log Entry on the ISA Server End:
-------------------------------------------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 547
Date: 05/03/2008
Time: 19:32:06
User: NT AUTHORITY\NETWORK SERVICE
Computer: SERVERS01
Description:
IKE security association negotiation failed.
Mode: Data Protection Mode (Quick Mode)
Filter:
 Source IP Address 217.11.22.33
 Source IP Address Mask 255.255.255.255
 Destination IP Address 10.10.10.2
 Destination IP Address Mask 255.255.255.254
 Protocol 0
 Source Port 0
 Destination Port 0
 IKE Local Addr 217.11.22.33
 IKE Peer Addr 88.11.22.33
 IKE Source Port 500
 IKE Destination Port 500
 Peer Private Addr
Peer Identity:
Preshared key ID.
Peer IP Address: 88.11.22.33
Failure Point: Me
Failure Reason: Negotiation timed out
Extra Status: Processed third (ID) payload Initiator(Internal).
Delta Time 63
0x0 0x0
-------------------------------------------------------------

IPsec Config Summary on ISA Server
-------------------------------------------------------------
Local Tunnel Endpoint: 217.11.22.33
Remote Tunnel Endpoint: 88.11.22.33
To allow HTTP proxy or NAT traffic to the remote site, the remote site configuration must contain the local site tunnel end-point IP address.

IKE Phase I Parameters:
Mode: Main mode
Encryption: 3DES
Integrity: SHA1
Diffie-Hellman group: Group 2 (1024 bit)
Authentication method: Pre-shared secret (pass123)
Security Association lifetime: 28800 seconds

IKE Phase II Parameters:
Mode: ESP tunnel mode
Encryption: 3DES
Integrity: SHA1
Perfect Forward Secrecy: ON
Diffie-Hellman group: Group 2 (1024 bit)
Time rekeying: ON
Security Association lifetime: 3600 seconds
Kbyte rekeying: OFF

Remote Network 'Remote Office' IP Subnets:
Subnet: 10.10.10.1/255.255.255.255
Subnet: 10.10.10.254/255.255.255.255
Subnet: 10.10.10.2/255.255.255.254
Subnet: 10.10.10.252/255.255.255.254
Subnet: 10.10.10.4/255.255.255.252
Subnet: 10.10.10.248/255.255.255.252
Subnet: 10.10.10.8/255.255.255.248
Subnet: 10.10.10.240/255.255.255.248
Subnet: 10.10.10.16/255.255.255.240
Subnet: 10.10.10.224/255.255.255.240
Subnet: 10.10.10.32/255.255.255.224
Subnet: 10.10.10.192/255.255.255.224
Subnet: 10.10.10.64/255.255.255.192
Subnet: 10.10.10.128/255.255.255.192

Local Network 'Internal' IP Subnets:
Subnet: 192.168.16.1/255.255.255.255
Subnet: 192.168.16.2/255.255.255.254
Subnet: 192.168.16.4/255.255.255.252
Subnet: 192.168.16.8/255.255.255.248
Subnet: 192.168.16.16/255.255.255.240
Subnet: 192.168.16.32/255.255.255.224
Subnet: 192.168.16.64/255.255.255.192
Subnet: 192.168.16.128/255.255.255.128
-------------------------------------------------------------

If anyone has any suggestions as to how to get the two sites to talk, they would make me a very happy guy indeed!

Regards,
Ade.

~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
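One check to add to the thread (this script is not from either poster): when Main Mode succeeds and Quick Mode does not, the usual suspects are the Phase II parameters and the traffic selectors (proxy IDs) each side proposes. The ISA summary above lists its networks as address ranges broken into CIDR subnets, while the Cisco crypto ACL 102 carries a single /24 on each side; the script rebuilds ISA's subnet lists from those ranges and compares every selector pair ISA could propose against ACL 102. Assumed, inferred from the subnet lists: ISA's 'Remote Office' network is the range 10.10.10.1-10.10.10.254 and 'Internal' is 192.168.16.1-192.168.16.255.

```python
import ipaddress

# Constructed from the thread: ISA address ranges (assumed first/last host)
# and the Cisco ACL 102 permit entry (wildcard 0.0.0.255 == /24).
ISA_REMOTE_RANGE = ("10.10.10.1", "10.10.10.254")     # ISA 'Remote Office'
ISA_LOCAL_RANGE = ("192.168.16.1", "192.168.16.255")  # ISA 'Internal'
CISCO_ACL_102 = (ipaddress.ip_network("10.10.10.0/24"),
                 ipaddress.ip_network("192.168.16.0/24"))  # src -> dst


def isa_subnets(first, last):
    """Decompose an address range into the CIDR subnets ISA derives for its
    IPsec filters (the lists printed in the ISA config summary)."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def quick_mode_selectors(local_range, remote_range):
    """Every (local, remote) subnet pair ISA can propose in Quick Mode."""
    return [(loc, rem)
            for loc in isa_subnets(*local_range)
            for rem in isa_subnets(*remote_range)]


def compare_selectors(selectors, acl_entry):
    """Classify each ISA selector pair against the router's ACL entry, seen
    from the router: ISA's local side is the ACL destination, remote the
    source. Returns (exact matches, narrower-than-ACL pairs, pairs outside)."""
    acl_src, acl_dst = acl_entry
    exact, narrower, outside = [], [], []
    for loc, rem in selectors:
        if loc == acl_dst and rem == acl_src:
            exact.append((loc, rem))
        elif loc.subnet_of(acl_dst) and rem.subnet_of(acl_src):
            narrower.append((loc, rem))
        else:
            outside.append((loc, rem))
    return exact, narrower, outside


if __name__ == "__main__":
    sels = quick_mode_selectors(ISA_LOCAL_RANGE, ISA_REMOTE_RANGE)
    exact, narrower, outside = compare_selectors(sels, CISCO_ACL_102)
    print(f"{len(isa_subnets(*ISA_REMOTE_RANGE))} remote and "
          f"{len(isa_subnets(*ISA_LOCAL_RANGE))} local subnets on ISA")
    print(f"{len(sels)} selector pairs: {len(exact)} match ACL 102 exactly, "
          f"{len(narrower)} are narrower than it, {len(outside)} fall outside")
```

The filter in the ISA event (10.10.10.2 / 255.255.255.254) is one of the narrower pairs, so it is worth confirming with `debug crypto ipsec` on the router how it treats selectors narrower than its crypto ACL, and at the same time checking the PFS setting, since ISA has Perfect Forward Secrecy ON while the crypto map shown has no `set pfs` line.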
