Unfortunately this did not help in the slightest.
It's the policy that is having trouble. The Diffie-Hellman group descriptor can only have a value of 1 (Phase 1, 768Bit), 2 (Phase 2, 1024Bit) or 20 (Phase 2048, 2048Bit).
I'm trying to figure out why it's expecting a value of "0" when I can't select that value. Or even why it's expecting that, as both ends of the tunnel are set the same (Phase 2, 1024Bit).
Turning off PFS stops it even trying to negotiate a connection.
"Robert L [MS-MVP]" <(E-Mail Removed)> wrote in message news:OV7$(E-Mail Removed)...
this page may help.
ipsec Negotiating IP Security and never receive Reply Other computers can't ping remote computers The ports need to open for IPSec ...
www.chicagotech.net/ipsec.htm
Don't send e-mail or reply to me except you need consulting services. Posting on MS newsgroup will benefit all readers and you may get more help.
Bob Lin, MS-MVP, MCSE & CNE
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
This posting is provided "AS IS" with no warranties.
"Casey" <(E-Mail Removed)> wrote in message news:42b0de1a$(E-Mail Removed)...
Hi,
I have 2 machines set up,
system 1. SBS 2003 prem with ISA 2004
system 2. Win2003 Standard with ISA 2004 (nothing else)
I have each machine on its own internal network, and a second NIC connected
to the outside.
I have set up a site to site network using IPsec on these machines.
If I try to ping from system 2 to system 1's internal address, I get a ping
response of "Negotiating IP security" continually.
The security log of system 1 reports "IKE security association negotiation
failed. Mode: Data Protection Mode (Quick Mode), Failure Point: Me, Failure
reason: No policy configured."
So. I found the IP security policies MMC for both machines, and tried
applying the different policies that were listed. I still could not get past
"Negotiating IP security", and the security log message changed to "IKE
security association establishment failed because peer sent invalid
proposal. Mode: Data Protection Mode (Quick Mode)" "Attribute: Phase II
Diffie-Hellman group descriptor, Expected value: 0, Received value: 2".
Any hints?
Shouldn't this be a lot easier?? ;-)
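As an added example (not part of the thread), a small Python parser that splits the two Windows IKE failure messages quoted above into their fields and attaches a diagnosis; the reading of "Expected value: 0" as "this side negotiates quick mode without PFS" is my interpretation of the attribute, not text from the log.

```python
import re

# Constructed sample events, worded after the two security-log messages
# quoted in the thread (not copied from a real event log).
SAMPLE_EVENTS = [
    "IKE security association negotiation failed. "
    "Mode: Data Protection Mode (Quick Mode), Failure Point: Me, "
    "Failure reason: No policy configured.",
    "IKE security association establishment failed because peer sent invalid "
    "proposal. Mode: Data Protection Mode (Quick Mode) "
    "Attribute: Phase II Diffie-Hellman group descriptor, "
    "Expected value: 0, Received value: 2",
]

KEYS = ["Mode", "Failure Point", "Failure reason", "Attribute",
        "Expected value", "Received value"]
_ALT = "|".join(re.escape(k) for k in KEYS)
# Each value runs until the next "Key:" token (optionally comma-separated) or end of text.
FIELD_RE = re.compile(r"(%s): (.*?)(?=,?\s+(?:%s):|$)" % (_ALT, _ALT))

# IKE DH group descriptors as the Windows IPsec policy UI labels them;
# 0 means the quick-mode proposal carried no group, i.e. PFS is off.
DH_GROUPS = {0: "none (PFS off)", 1: "Low (1), 768-bit", 2: "Medium (2), 1024-bit"}


def parse_ike_event(text: str) -> dict:
    """Split a Windows IKE failure message into its Key: value fields."""
    return {m.group(1): m.group(2).strip() for m in FIELD_RE.finditer(text)}


def diagnose(text: str) -> dict:
    """Attach a one-line verdict to the parsed fields (interpretation, not Windows output)."""
    fields = parse_ike_event(text)
    verdict = "unclassified"
    if fields.get("Failure reason", "").startswith("No policy configured"):
        verdict = "quick mode failed locally: no IPsec policy/filter matched the traffic"
    elif fields.get("Attribute", "").startswith("Phase II Diffie-Hellman group"):
        exp, rcv = int(fields["Expected value"]), int(fields["Received value"])
        if exp == 0 and rcv != 0:
            verdict = ("PFS mismatch: this side negotiates quick mode without PFS, "
                       "peer proposed DH group %s" % DH_GROUPS.get(rcv, rcv))
        elif exp != rcv:
            verdict = "PFS group mismatch: local %s vs peer %s" % (
                DH_GROUPS.get(exp, exp), DH_GROUPS.get(rcv, rcv))
    return {**fields, "verdict": verdict}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(diagnose(ev)["verdict"])
```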