Site to Site VPN using IPSec between Win2k3 Server and BEFVP41

jlee161@comcast.net
03-07-2006, 04:32 PM

I'm trying to accomplish the following

Create a Site to Site VPN between a BEFVP41 and Windows 2003 using
IPSec.

I have gotten it to connect and I can ping the Win2k3 internal NIC
(192.168.1.1), however I can't ping any other devices on
192.168.1.0/24. And from 192.168.1.0/24 I can't ping anything on
10.0.0.0/24.

What's strange is if I configure the tunnel to go straight to a windows
machine (ex 192.168.1.103) on 192.168.1.0/24 I can't ping it, but can
open up netbios shares. However, I can't reach that same machine if
the tunnel is to subnet 192.168.1.0/24.

you can view a net diagram here: ftp://71.225.96.243/netmapv1.jpg

(I included 192.168.15.0/24 for informational purpose only, as that
subnet is working on both tunnel ends of 10.0.0.0/24 and
192.168.15.0/24. I have no plans to connect 192.168.1.0/24 and
192.168.15.0/24 yet)

 
Robert L [MS-MVP]
03-07-2006, 05:03 PM

Check any errors in the log and post back with the error. This troubleshooting IPSec link may help,

IPSec Audit Policy: To troubleshoot IPSec when it does not behave the way that you expect it to, first check the results of the Phase One and Phase Two exchanges ...
www.chicagotech.net/ipsec.htm


Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
jlee161@comcast.net
03-08-2006, 01:09 AM

Got a real head-scratcher here. The remote and local subnets match.
Here is the log:

3-07: 20:47:12:11:6e8 Ports S:f401 D:f401
3-07: 20:48:27:600:6e8 CE Dead. sa:00138168 ce:000DE500 status:35f0
3-07: 20:54:38:683:cc8 QM Deleted. Notify from driver: Src 192.168.1.0
Dest 10.0.0.0 InSPI 3963732037 OutSpi 3479610974 Tunnel f360e147
TunnelFilter 0
3-07: 20:54:38:683:cc8 srcEncapPort=62465, dstEncapPort=62465
3-07: 20:54:38:683:cc8 Could not find the peer list entry
3-07: 20:54:38:683:cc8 constructing ISAKMP Header
3-07: 20:54:38:683:cc8 constructing HASH (null)
3-07: 20:54:38:683:cc8 Construct QM Delete Spi 3963732037
3-07: 20:54:38:683:cc8 constructing HASH (Notify/Delete)
3-07: 20:54:38:683:cc8 Not setting retransmit to downlevel client. SA
00138168 Centry 00000000
3-07: 20:54:38:683:cc8
3-07: 20:54:38:683:cc8 Sending: SA = 0x00138168 to 71.225.96.243:Type
1.500
3-07: 20:54:38:683:cc8 ISAKMP Header: (V1.0), len = 68
3-07: 20:54:38:683:cc8 I-COOKIE 1717ed4122bf3151
3-07: 20:54:38:683:cc8 R-COOKIE c9c761193c760182
3-07: 20:54:38:683:cc8 exchange: ISAKMP Informational Exchange
3-07: 20:54:38:683:cc8 flags: 1 ( encrypted )
3-07: 20:54:38:683:cc8 next payload: HASH
3-07: 20:54:38:683:cc8 message ID: ac2e26cb
3-07: 20:54:38:683:cc8 Ports S:f401 D:f401
3-07: 20:54:38:683:cc8 PrivatePeerAddr 0
3-07: 20:54:39:855:cc8
3-07: 20:54:39:855:cc8 Receive: (get) SA = 0x00000000 from
71.225.96.243.500
3-07: 20:54:39:855:cc8 ISAKMP Header: (V1.0), len = 192
3-07: 20:54:39:855:cc8 I-COOKIE 45726c99e2a96455
3-07: 20:54:39:855:cc8 R-COOKIE 0000000000000000
3-07: 20:54:39:855:cc8 exchange: Oakley Main Mode
3-07: 20:54:39:855:cc8 flags: 0
3-07: 20:54:39:855:cc8 next payload: SA
3-07: 20:54:39:855:cc8 message ID: 00000000
3-07: 20:54:39:855:cc8 Filter to match: Src 71.225.96.243 Dst
72.225.230.244
3-07: 20:54:39:855:cc8 MM PolicyName: 1
3-07: 20:54:39:855:cc8 MMPolicy dwFlags 2 SoftSAExpireTime 3600
3-07: 20:54:39:855:cc8 MMOffer[0] LifetimeSec 3600 QMLimit 0 DHGroup 2
3-07: 20:54:39:855:cc8 MMOffer[0] Encrypt: Triple DES CBC Hash: SHA
3-07: 20:54:39:855:cc8 MMOffer[1] LifetimeSec 3600 QMLimit 0 DHGroup 2
3-07: 20:54:39:855:cc8 MMOffer[1] Encrypt: Triple DES CBC Hash: MD5
3-07: 20:54:39:855:cc8 MMOffer[2] LifetimeSec 3600 QMLimit 0 DHGroup 2
3-07: 20:54:39:855:cc8 MMOffer[2] Encrypt: DES CBC Hash: SHA
3-07: 20:54:39:855:cc8 MMOffer[3] LifetimeSec 3600 QMLimit 0 DHGroup 2
3-07: 20:54:39:855:cc8 MMOffer[3] Encrypt: DES CBC Hash: MD5
3-07: 20:54:39:855:cc8 Auth[0]:PresharedKey KeyLen 14
3-07: 20:54:39:855:cc8 Responding with new SA 1384d0
3-07: 20:54:39:855:cc8 processing payload SA
3-07: 20:54:39:855:cc8 Received Phase 1 Transform 1
3-07: 20:54:39:855:cc8 Encryption Alg Triple DES CBC(5)
3-07: 20:54:39:855:cc8 Hash Alg MD5(1)
3-07: 20:54:39:855:cc8 Auth Method Preshared Key(1)
3-07: 20:54:39:855:cc8 Oakley Group 2
3-07: 20:54:39:855:cc8 Life type in Seconds
3-07: 20:54:39:855:cc8 Life duration of 28800
3-07: 20:54:39:855:cc8 Received Phase 1 Transform 2
3-07: 20:54:39:855:cc8 Encryption Alg DES CBC(1)
3-07: 20:54:39:855:cc8 Hash Alg MD5(1)
3-07: 20:54:39:855:cc8 Auth Method Preshared Key(1)
3-07: 20:54:39:855:cc8 Oakley Group 1
3-07: 20:54:39:855:cc8 Life type in Seconds
3-07: 20:54:39:855:cc8 Life duration of 28800
3-07: 20:54:39:855:cc8 Received Phase 1 Transform 3
3-07: 20:54:39:855:cc8 Encryption Alg Triple DES CBC(5)
3-07: 20:54:39:855:cc8 Hash Alg SHA(2)
3-07: 20:54:39:855:cc8 Auth Method Preshared Key(1)
3-07: 20:54:39:855:cc8 Oakley Group 2
3-07: 20:54:39:855:cc8 Life type in Seconds
3-07: 20:54:39:855:cc8 Life duration of 28800
3-07: 20:54:39:855:cc8 Received Phase 1 Transform 4
3-07: 20:54:39:855:cc8 Encryption Alg Triple DES CBC(5)
3-07: 20:54:39:855:cc8 Hash Alg MD5(1)
3-07: 20:54:39:855:cc8 Auth Method Preshared Key(1)
3-07: 20:54:39:855:cc8 Oakley Group 2
3-07: 20:54:39:855:cc8 Life type in Seconds
3-07: 20:54:39:855:cc8 Life duration of 28800
3-07: 20:54:39:855:cc8 Phase 1 SA accepted: transform=1
3-07: 20:54:39:855:cc8 SA - Oakley proposal accepted
3-07: 20:54:39:855:cc8 ClearFragList
3-07: 20:54:39:855:cc8 constructing ISAKMP Header
3-07: 20:54:39:855:cc8 constructing SA (ISAKMP)
3-07: 20:54:39:855:cc8 Constructing Vendor MS NT5 ISAKMPOAKLEY
3-07: 20:54:39:855:cc8 Constructing Vendor FRAGMENTATION
3-07: 20:54:39:855:cc8 Constructing Vendor
draft-ietf-ipsec-nat-t-ike-02
3-07: 20:54:39:855:cc8
3-07: 20:54:39:855:cc8 Sending: SA = 0x001384D0 to 71.225.96.243:Type
2.500
3-07: 20:54:39:855:cc8 ISAKMP Header: (V1.0), len = 148
3-07: 20:54:39:855:cc8 I-COOKIE 45726c99e2a96455
3-07: 20:54:39:855:cc8 R-COOKIE 4641a8354f816da1
3-07: 20:54:39:855:cc8 exchange: Oakley Main Mode
3-07: 20:54:39:855:cc8 flags: 0
3-07: 20:54:39:855:cc8 next payload: SA
3-07: 20:54:39:855:cc8 message ID: 00000000
3-07: 20:54:39:855:cc8 Ports S:f401 D:f401
3-07: 20:54:40:366:cc8
3-07: 20:54:40:366:cc8 Receive: (get) SA = 0x001384d0 from
71.225.96.243.500
3-07: 20:54:40:366:cc8 ISAKMP Header: (V1.0), len = 184
3-07: 20:54:40:366:cc8 I-COOKIE 45726c99e2a96455
3-07: 20:54:40:366:cc8 R-COOKIE 4641a8354f816da1
3-07: 20:54:40:366:cc8 exchange: Oakley Main Mode
3-07: 20:54:40:366:cc8 flags: 0
3-07: 20:54:40:366:cc8 next payload: KE
3-07: 20:54:40:366:cc8 message ID: 00000000
3-07: 20:54:40:366:cc8 processing payload KE
3-07: 20:54:40:466:cc8 processing payload NONCE
3-07: 20:54:40:466:cc8 ClearFragList
3-07: 20:54:40:466:cc8 constructing ISAKMP Header
3-07: 20:54:40:466:cc8 constructing KE
3-07: 20:54:40:466:cc8 constructing NONCE (ISAKMP)
3-07: 20:54:40:466:cc8
3-07: 20:54:40:466:cc8 Sending: SA = 0x001384D0 to 71.225.96.243:Type
2.500
3-07: 20:54:40:466:cc8 ISAKMP Header: (V1.0), len = 184
3-07: 20:54:40:466:cc8 I-COOKIE 45726c99e2a96455
3-07: 20:54:40:466:cc8 R-COOKIE 4641a8354f816da1
3-07: 20:54:40:466:cc8 exchange: Oakley Main Mode
3-07: 20:54:40:466:cc8 flags: 0
3-07: 20:54:40:466:cc8 next payload: KE
3-07: 20:54:40:466:cc8 message ID: 00000000
3-07: 20:54:40:466:cc8 Ports S:f401 D:f401
3-07: 20:54:40:516:224 retransmit: sa = 001384D0 centry 00000000 ,
count = 1
3-07: 20:54:40:516:224
3-07: 20:54:40:516:224 Sending: SA = 0x001384D0 to 71.225.96.243:Type
2.500
3-07: 20:54:40:516:224 ISAKMP Header: (V1.0), len = 184
3-07: 20:54:40:516:224 I-COOKIE 45726c99e2a96455
3-07: 20:54:40:516:224 R-COOKIE 4641a8354f816da1
3-07: 20:54:40:516:224 exchange: Oakley Main Mode
3-07: 20:54:40:516:224 flags: 0
3-07: 20:54:40:516:224 next payload: KE
3-07: 20:54:40:516:224 message ID: 00000000
3-07: 20:54:40:516:224 Ports S:f401 D:f401
3-07: 20:54:40:937:cc8
3-07: 20:54:40:937:cc8 Receive: (get) SA = 0x001384d0 from
71.225.96.243.500
3-07: 20:54:40:937:cc8 ISAKMP Header: (V1.0), len = 60
3-07: 20:54:40:947:cc8 I-COOKIE 45726c99e2a96455
3-07: 20:54:40:947:cc8 R-COOKIE 4641a8354f816da1
3-07: 20:54:40:947:cc8 exchange: Oakley Main Mode
3-07: 20:54:40:947:cc8 flags: 1 ( encrypted )
3-07: 20:54:40:947:cc8 next payload: ID
3-07: 20:54:40:947:cc8 message ID: 00000000
3-07: 20:54:40:947:cc8 processing payload ID
3-07: 20:54:40:947:cc8 processing payload HASH
3-07: 20:54:40:947:cc8 AUTH: Phase I authentication accepted
3-07: 20:54:40:947:cc8 ClearFragList
3-07: 20:54:40:947:cc8 constructing ISAKMP Header
3-07: 20:54:40:947:cc8 constructing ID
3-07: 20:54:40:947:cc8 MM ID Type 1
3-07: 20:54:40:947:cc8 MM ID 48e1e6f4
3-07: 20:54:40:947:cc8 constructing HASH
3-07: 20:54:40:947:cc8 MM established. SA: 001384D0
3-07: 20:54:40:947:cc8
3-07: 20:54:40:947:cc8 Sending: SA = 0x001384D0 to 71.225.96.243:Type
2.500
3-07: 20:54:40:947:cc8 ISAKMP Header: (V1.0), len = 60
3-07: 20:54:40:947:cc8 I-COOKIE 45726c99e2a96455
3-07: 20:54:40:947:cc8 R-COOKIE 4641a8354f816da1
3-07: 20:54:40:947:cc8 exchange: Oakley Main Mode
3-07: 20:54:40:947:cc8 flags: 1 ( encrypted )
3-07: 20:54:40:947:cc8 next payload: ID
3-07: 20:54:40:947:cc8 message ID: 00000000
3-07: 20:54:40:947:cc8 Ports S:f401 D:f401
3-07: 20:54:41:407:cc8
3-07: 20:54:41:407:cc8 Receive: (get) SA = 0x001384d0 from
71.225.96.243.500
3-07: 20:54:41:407:cc8 ISAKMP Header: (V1.0), len = 292
3-07: 20:54:41:407:cc8 I-COOKIE 45726c99e2a96455
3-07: 20:54:41:407:cc8 R-COOKIE 4641a8354f816da1
3-07: 20:54:41:407:cc8 exchange: Oakley Quick Mode
3-07: 20:54:41:407:cc8 flags: 1 ( encrypted )
3-07: 20:54:41:407:cc8 next payload: HASH
3-07: 20:54:41:407:cc8 message ID: 2dcdeb66
3-07: 20:54:41:407:cc8 processing HASH (QM)
3-07: 20:54:41:407:cc8 ClearFragList
3-07: 20:54:41:407:cc8 processing payload NONCE
3-07: 20:54:41:407:cc8 processing payload KE
3-07: 20:54:41:407:cc8 Quick Mode KE processed; Saved KE data
3-07: 20:54:41:407:cc8 processing payload ID
3-07: 20:54:41:407:cc8 processing payload ID
3-07: 20:54:41:407:cc8 processing payload SA
3-07: 20:54:41:407:cc8 Negotiated Proxy ID: Src 10.0.0.0.0 Dst
192.168.1.0.0
3-07: 20:54:41:407:cc8 Src id for subnet. Mask 255.255.255.0
3-07: 20:54:41:407:cc8 Dst id for subnet. Mask 255.255.255.0
3-07: 20:54:41:407:cc8 Checking Proposal 1: Proto= ESP(3), num trans=1
Next=0
3-07: 20:54:41:407:cc8 Checking Transform # 1: ID=Triple DES CBC(3)
3-07: 20:54:41:407:cc8 SA life type in seconds
3-07: 20:54:41:407:cc8 SA life duration 00000e10
3-07: 20:54:41:407:cc8 group description for PFS is 2
3-07: 20:54:41:407:cc8 tunnel mode is Tunnel Mode(1)
3-07: 20:54:41:407:cc8 HMAC algorithm is MD5(1)
3-07: 20:54:41:407:cc8 Finding Responder Policy for SRC=10.0.0.0.0000
DST=192.168.1.0.0000, SRCMask=255.255.255.0, DSTMask=255.255.255.0,
Prot=0 InTunnelEndpt f4e6e148 OutTunnelEndpt f360e147
3-07: 20:54:41:407:cc8 QM PolicyName: 3DES/SHA/PFS dwFlags 1
3-07: 20:54:41:407:cc8 QMOffer[0] LifetimeKBytes 0 LifetimeSec 3600
3-07: 20:54:41:407:cc8 QMOffer[0] dwFlags 0 dwPFSGroup -2147483648
3-07: 20:54:41:407:cc8 Algo[0] Operation: ESP Algo: Triple DES CBC
HMAC: MD5
3-07: 20:54:41:407:cc8 Phase 2 SA accepted: proposal=1 transform=1
3-07: 20:54:41:407:cc8 GetSpi: src = 10.0.0.0.0000, dst =
192.168.1.0.0000, proto = 00, context = 00000000, srcMask =
255.255.255.0, destMask = 255.255.255.0, TunnelFilter 1
3-07: 20:54:41:407:cc8 Setting SPI 95186398
3-07: 20:54:41:507:cc8 constructing ISAKMP Header
3-07: 20:54:41:507:cc8 constructing HASH (null)
3-07: 20:54:41:507:cc8 constructing SA (IPSEC)
3-07: 20:54:41:507:cc8 constructing QM KE
3-07: 20:54:41:507:cc8 constructing NONCE (IPSEC)
3-07: 20:54:41:507:cc8 constructing ID (proxy)
3-07: 20:54:41:507:cc8 constructing ID (proxy)
3-07: 20:54:41:507:cc8 constructing HASH (QM)
3-07: 20:54:41:507:cc8
3-07: 20:54:41:507:cc8 Sending: SA = 0x001384D0 to 71.225.96.243:Type
2.500
3-07: 20:54:41:507:cc8 ISAKMP Header: (V1.0), len = 292
3-07: 20:54:41:507:cc8 I-COOKIE 45726c99e2a96455
3-07: 20:54:41:507:cc8 R-COOKIE 4641a8354f816da1
3-07: 20:54:41:507:cc8 exchange: Oakley Quick Mode
3-07: 20:54:41:507:cc8 flags: 3 ( encrypted commit )
3-07: 20:54:41:507:cc8 next payload: HASH
3-07: 20:54:41:507:cc8 message ID: 2dcdeb66
3-07: 20:54:41:507:cc8 Ports S:f401 D:f401
3-07: 20:54:41:988:cc8
3-07: 20:54:41:988:cc8 Receive: (get) SA = 0x001384d0 from
71.225.96.243.500
3-07: 20:54:41:988:cc8 ISAKMP Header: (V1.0), len = 52
3-07: 20:54:41:988:cc8 I-COOKIE 45726c99e2a96455
3-07: 20:54:41:988:cc8 R-COOKIE 4641a8354f816da1
3-07: 20:54:41:988:cc8 exchange: Oakley Quick Mode
3-07: 20:54:41:988:cc8 flags: 1 ( encrypted )
3-07: 20:54:41:988:cc8 next payload: HASH
3-07: 20:54:41:988:cc8 message ID: 2dcdeb66
3-07: 20:54:41:988:cc8 processing HASH (QM)
3-07: 20:54:41:988:cc8 ClearFragList
3-07: 20:54:41:988:cc8 Adding QMs: src = 192.168.1.0.0000, dst =
10.0.0.0.0000, proto = 00, context = 000000D7, my tunnel =
72.225.230.244, peer tunnel = 71.225.96.243, SrcMask = 255.255.255.0,
DestMask = 255.255.255.0 Lifetime = 3600 LifetimeKBytes 100000 dwFlags
1 Direction 1 EncapType 1
3-07: 20:54:41:988:cc8 Algo[0] Operation: ESP Algo: Triple DES CBC
HMAC: MD5
3-07: 20:54:41:988:cc8 Algo[0] MySpi: 95186398 PeerSpi: 3223504580
3-07: 20:54:41:988:cc8 Encap Ports Src 500 Dst 500
3-07: 20:54:41:988:cc8 isadb_set_status sa:001384D0 centry:000DE500
status 0
3-07: 20:54:41:988:cc8 Constructing Commit Notify
3-07: 20:54:41:988:cc8 constructing ISAKMP Header
3-07: 20:54:41:988:cc8 constructing HASH (null)
3-07: 20:54:41:988:cc8 constructing NOTIFY 16384
3-07: 20:54:41:988:cc8 constructing HASH (QM)
3-07: 20:54:41:988:cc8
3-07: 20:54:41:988:cc8 Sending: SA = 0x001384D0 to 71.225.96.243:Type
4.500
3-07: 20:54:41:988:cc8 ISAKMP Header: (V1.0), len = 76
3-07: 20:54:41:988:cc8 I-COOKIE 45726c99e2a96455
3-07: 20:54:41:988:cc8 R-COOKIE 4641a8354f816da1
3-07: 20:54:41:988:cc8 exchange: Oakley Quick Mode
3-07: 20:54:41:988:cc8 flags: 3 ( encrypted commit )
3-07: 20:54:41:988:cc8 next payload: HASH
3-07: 20:54:41:988:cc8 message ID: 2dcdeb66
3-07: 20:54:41:988:cc8 Ports S:f401 D:f401
3-07: 20:55:57:667:cc8 CE Dead. sa:001384D0 ce:000DE500 status:35f0
3-07: 21:00:38:721:cc8 QM Deleted. Notify from driver: Src 192.168.1.0
Dest 10.0.0.0 InSPI 95186398 OutSpi 3223504580 Tunnel f360e147
TunnelFilter 0
3-07: 21:00:38:721:cc8 srcEncapPort=62465, dstEncapPort=62465
3-07: 21:00:38:721:cc8 Could not find the peer list entry
3-07: 21:00:38:721:cc8 constructing ISAKMP Header
3-07: 21:00:38:721:cc8 constructing HASH (null)
3-07: 21:00:38:721:cc8 Construct QM Delete Spi 95186398
3-07: 21:00:38:721:cc8 constructing HASH (Notify/Delete)
3-07: 21:00:38:721:cc8 Not setting retransmit to downlevel client. SA
001384D0 Centry 00000000
3-07: 21:00:38:721:cc8
3-07: 21:00:38:721:cc8 Sending: SA = 0x001384D0 to 71.225.96.243:Type
1.500
3-07: 21:00:38:721:cc8 ISAKMP Header: (V1.0), len = 68
3-07: 21:00:38:721:cc8 I-COOKIE 45726c99e2a96455
3-07: 21:00:38:721:cc8 R-COOKIE 4641a8354f816da1
3-07: 21:00:38:721:cc8 exchange: ISAKMP Informational Exchange
3-07: 21:00:38:721:cc8 flags: 1 ( encrypted )
3-07: 21:00:38:721:cc8 next payload: HASH
3-07: 21:00:38:721:cc8 message ID: 2dbd252a
3-07: 21:00:38:721:cc8 Ports S:f401 D:f401
3-07: 21:00:38:721:cc8 PrivatePeerAddr 0
3-07: 21:00:39:853:cc8
3-07: 21:00:39:853:cc8 Receive: (get) SA = 0x00000000 from
71.225.96.243.500
3-07: 21:00:39:853:cc8 ISAKMP Header: (V1.0), len = 192
3-07: 21:00:39:853:cc8 I-COOKIE c69595d48feb453f
3-07: 21:00:39:853:cc8 R-COOKIE 0000000000000000
3-07: 21:00:39:853:cc8 exchange: Oakley Main Mode
3-07: 21:00:39:853:cc8 flags: 0
3-07: 21:00:39:853:cc8 next payload: SA
3-07: 21:00:39:853:cc8 message ID: 00000000
3-07: 21:00:39:853:cc8 Filter to match: Src 71.225.96.243 Dst
72.225.230.244
3-07: 21:00:39:853:cc8 MM PolicyName: 1
3-07: 21:00:39:853:cc8 MMPolicy dwFlags 2 SoftSAExpireTime 3600
3-07: 21:00:39:853:cc8 MMOffer[0] LifetimeSec 3600 QMLimit 0 DHGroup 2
3-07: 21:00:39:853:cc8 MMOffer[0] Encrypt: Triple DES CBC Hash: SHA
3-07: 21:00:39:853:cc8 MMOffer[1] LifetimeSec 3600 QMLimit 0 DHGroup 2
3-07: 21:00:39:853:cc8 MMOffer[1] Encrypt: Triple DES CBC Hash: MD5
3-07: 21:00:39:853:cc8 MMOffer[2] LifetimeSec 3600 QMLimit 0 DHGroup 2
3-07: 21:00:39:853:cc8 MMOffer[2] Encrypt: DES CBC Hash: SHA
3-07: 21:00:39:853:cc8 MMOffer[3] LifetimeSec 3600 QMLimit 0 DHGroup 2
3-07: 21:00:39:853:cc8 MMOffer[3] Encrypt: DES CBC Hash: MD5
3-07: 21:00:39:853:cc8 Auth[0]:PresharedKey KeyLen 14
3-07: 21:00:39:853:cc8 Responding with new SA 138838
3-07: 21:00:39:853:cc8 processing payload SA
3-07: 21:00:39:853:cc8 Received Phase 1 Transform 1
3-07: 21:00:39:853:cc8 Encryption Alg Triple DES CBC(5)
3-07: 21:00:39:853:cc8 Hash Alg MD5(1)
3-07: 21:00:39:853:cc8 Auth Method Preshared Key(1)
3-07: 21:00:39:853:cc8 Oakley Group 2
3-07: 21:00:39:853:cc8 Life type in Seconds
3-07: 21:00:39:853:cc8 Life duration of 28800
3-07: 21:00:39:853:cc8 Received Phase 1 Transform 2
3-07: 21:00:39:853:cc8 Encryption Alg DES CBC(1)
3-07: 21:00:39:863:cc8 Hash Alg MD5(1)
3-07: 21:00:39:863:cc8 Auth Method Preshared Key(1)
3-07: 21:00:39:863:cc8 Oakley Group 1
3-07: 21:00:39:863:cc8 Life type in Seconds
3-07: 21:00:39:863:cc8 Life duration of 28800
3-07: 21:00:39:863:cc8 Received Phase 1 Transform 3
3-07: 21:00:39:863:cc8 Encryption Alg Triple DES CBC(5)
3-07: 21:00:39:863:cc8 Hash Alg SHA(2)
3-07: 21:00:39:863:cc8 Auth Method Preshared Key(1)
3-07: 21:00:39:863:cc8 Oakley Group 2
3-07: 21:00:39:863:cc8 Life type in Seconds
3-07: 21:00:39:863:cc8 Life duration of 28800
3-07: 21:00:39:863:cc8 Received Phase 1 Transform 4
3-07: 21:00:39:863:cc8 Encryption Alg Triple DES CBC(5)
3-07: 21:00:39:863:cc8 Hash Alg MD5(1)
3-07: 21:00:39:863:cc8 Auth Method Preshared Key(1)
3-07: 21:00:39:863:cc8 Oakley Group 2
3-07: 21:00:39:863:cc8 Life type in Seconds
3-07: 21:00:39:863:cc8 Life duration of 28800
3-07: 21:00:39:863:cc8 Phase 1 SA accepted: transform=1
3-07: 21:00:39:863:cc8 SA - Oakley proposal accepted
3-07: 21:00:39:863:cc8 ClearFragList
3-07: 21:00:39:863:cc8 constructing ISAKMP Header
3-07: 21:00:39:863:cc8 constructing SA (ISAKMP)
3-07: 21:00:39:863:cc8 Constructing Vendor MS NT5 ISAKMPOAKLEY
3-07: 21:00:39:863:cc8 Constructing Vendor FRAGMENTATION
3-07: 21:00:39:863:cc8 Constructing Vendor
draft-ietf-ipsec-nat-t-ike-02
3-07: 21:00:39:863:cc8
3-07: 21:00:39:863:cc8 Sending: SA = 0x00138838 to 71.225.96.243:Type
2.500
3-07: 21:00:39:863:cc8 ISAKMP Header: (V1.0), len = 148
3-07: 21:00:39:863:cc8 I-COOKIE c69595d48feb453f
3-07: 21:00:39:863:cc8 R-COOKIE f3a5b19a0569aafe
3-07: 21:00:39:863:cc8 exchange: Oakley Main Mode
3-07: 21:00:39:863:cc8 flags: 0
3-07: 21:00:39:863:cc8 next payload: SA
3-07: 21:00:39:863:cc8 message ID: 00000000
3-07: 21:00:39:863:cc8 Ports S:f401 D:f401
3-07: 21:00:40:363:cc8
3-07: 21:00:40:363:cc8 Receive: (get) SA = 0x00138838 from
71.225.96.243.500
3-07: 21:00:40:363:cc8 ISAKMP Header: (V1.0), len = 184
3-07: 21:00:40:363:cc8 I-COOKIE c69595d48feb453f
3-07: 21:00:40:363:cc8 R-COOKIE f3a5b19a0569aafe
3-07: 21:00:40:363:cc8 exchange: Oakley Main Mode
3-07: 21:00:40:363:cc8 flags: 0
3-07: 21:00:40:363:cc8 next payload: KE
3-07: 21:00:40:363:cc8 message ID: 00000000
3-07: 21:00:40:363:cc8 processing payload KE
3-07: 21:00:40:463:cc8 processing payload NONCE
3-07: 21:00:40:463:cc8 ClearFragList
3-07: 21:00:40:463:cc8 constructing ISAKMP Header
3-07: 21:00:40:463:cc8 constructing KE
3-07: 21:00:40:463:cc8 constructing NONCE (ISAKMP)
3-07: 21:00:40:463:cc8
3-07: 21:00:40:463:cc8 Sending: SA = 0x00138838 to 71.225.96.243:Type
2.500
3-07: 21:00:40:463:cc8 ISAKMP Header: (V1.0), len = 184
3-07: 21:00:40:463:cc8 I-COOKIE c69595d48feb453f
3-07: 21:00:40:463:cc8 R-COOKIE f3a5b19a0569aafe
3-07: 21:00:40:463:cc8 exchange: Oakley Main Mode
3-07: 21:00:40:463:cc8 flags: 0
3-07: 21:00:40:463:cc8 next payload: KE
3-07: 21:00:40:463:cc8 message ID: 00000000
3-07: 21:00:40:463:cc8 Ports S:f401 D:f401
3-07: 21:00:40:944:cc8
3-07: 21:00:40:944:cc8 Receive: (get) SA = 0x00138838 from
71.225.96.243.500
3-07: 21:00:40:944:cc8 ISAKMP Header: (V1.0), len = 60
3-07: 21:00:40:944:cc8 I-COOKIE c69595d48feb453f
3-07: 21:00:40:944:cc8 R-COOKIE f3a5b19a0569aafe
3-07: 21:00:40:944:cc8 exchange: Oakley Main Mode
3-07: 21:00:40:944:cc8 flags: 1 ( encrypted )
3-07: 21:00:40:944:cc8 next payload: ID
3-07: 21:00:40:944:cc8 message ID: 00000000
3-07: 21:00:40:944:cc8 processing payload ID
3-07: 21:00:40:944:cc8 processing payload HASH
3-07: 21:00:40:944:cc8 AUTH: Phase I authentication accepted
3-07: 21:00:40:944:cc8 ClearFragList
3-07: 21:00:40:944:cc8 constructing ISAKMP Header
3-07: 21:00:40:944:cc8 constructing ID
3-07: 21:00:40:944:cc8 MM ID Type 1
3-07: 21:00:40:944:cc8 MM ID 48e1e6f4
3-07: 21:00:40:944:cc8 constructing HASH
3-07: 21:00:40:944:cc8 MM established. SA: 00138838
3-07: 21:00:40:944:cc8
3-07: 21:00:40:944:cc8 Sending: SA = 0x00138838 to 71.225.96.243:Type
2.500
3-07: 21:00:40:944:cc8 ISAKMP Header: (V1.0), len = 60
3-07: 21:00:40:944:cc8 I-COOKIE c69595d48feb453f
3-07: 21:00:40:944:cc8 R-COOKIE f3a5b19a0569aafe
3-07: 21:00:40:944:cc8 exchange: Oakley Main Mode
3-07: 21:00:40:944:cc8 flags: 1 ( encrypted )
3-07: 21:00:40:944:cc8 next payload: ID
3-07: 21:00:40:944:cc8 message ID: 00000000
3-07: 21:00:40:944:cc8 Ports S:f401 D:f401
3-07: 21:00:41:455:cc8
3-07: 21:00:41:455:cc8 Receive: (get) SA = 0x00138838 from
71.225.96.243.500
3-07: 21:00:41:455:cc8 ISAKMP Header: (V1.0), len = 292
3-07: 21:00:41:455:cc8 I-COOKIE c69595d48feb453f
3-07: 21:00:41:455:cc8 R-COOKIE f3a5b19a0569aafe
3-07: 21:00:41:455:cc8 exchange: Oakley Quick Mode
3-07: 21:00:41:455:cc8 flags: 1 ( encrypted )
3-07: 21:00:41:455:cc8 next payload: HASH
3-07: 21:00:41:455:cc8 message ID: 7802174e
3-07: 21:00:41:455:cc8 processing HASH (QM)
3-07: 21:00:41:455:cc8 ClearFragList
3-07: 21:00:41:455:cc8 processing payload NONCE
3-07: 21:00:41:455:cc8 processing payload KE
3-07: 21:00:41:455:cc8 Quick Mode KE processed; Saved KE data
3-07: 21:00:41:455:cc8 processing payload ID
3-07: 21:00:41:455:cc8 processing payload ID
3-07: 21:00:41:455:cc8 processing payload SA
3-07: 21:00:41:455:cc8 Negotiated Proxy ID: Src 10.0.0.0.0 Dst
192.168.1.0.0
3-07: 21:00:41:455:cc8 Src id for subnet. Mask 255.255.255.0
3-07: 21:00:41:455:cc8 Dst id for subnet. Mask 255.255.255.0
3-07: 21:00:41:455:cc8 Checking Proposal 1: Proto= ESP(3), num trans=1
Next=0
3-07: 21:00:41:455:cc8 Checking Transform # 1: ID=Triple DES CBC(3)
3-07: 21:00:41:455:cc8 SA life type in seconds
3-07: 21:00:41:455:cc8 SA life duration 00000e10
3-07: 21:00:41:455:cc8 group description for PFS is 2
3-07: 21:00:41:455:cc8 tunnel mode is Tunnel Mode(1)
3-07: 21:00:41:455:cc8 HMAC algorithm is MD5(1)
3-07: 21:00:41:455:cc8 Finding Responder Policy for SRC=10.0.0.0.0000
DST=192.168.1.0.0000, SRCMask=255.255.255.0, DSTMask=255.255.255.0,
Prot=0 InTunnelEndpt f4e6e148 OutTunnelEndpt f360e147
3-07: 21:00:41:455:cc8 QM PolicyName: 3DES/SHA/PFS dwFlags 1
3-07: 21:00:41:455:cc8 QMOffer[0] LifetimeKBytes 0 LifetimeSec 3600
3-07: 21:00:41:455:cc8 QMOffer[0] dwFlags 0 dwPFSGroup -2147483648
3-07: 21:00:41:455:cc8 Algo[0] Operation: ESP Algo: Triple DES CBC
HMAC: MD5
3-07: 21:00:41:455:cc8 Phase 2 SA accepted: proposal=1 transform=1
3-07: 21:00:41:455:cc8 GetSpi: src = 10.0.0.0.0000, dst =
192.168.1.0.0000, proto = 00, context = 00000000, srcMask =
255.255.255.0, destMask = 255.255.255.0, TunnelFilter 1
3-07: 21:00:41:455:cc8 Setting SPI 3417528724
3-07: 21:00:41:555:cc8 constructing ISAKMP Header
3-07: 21:00:41:555:cc8 constructing HASH (null)
3-07: 21:00:41:555:cc8 constructing SA (IPSEC)
3-07: 21:00:41:555:cc8 constructing QM KE
3-07: 21:00:41:555:cc8 constructing NONCE (IPSEC)
3-07: 21:00:41:555:cc8 constructing ID (proxy)
3-07: 21:00:41:555:cc8 constructing ID (proxy)
3-07: 21:00:41:555:cc8 constructing HASH (QM)
3-07: 21:00:41:555:cc8
3-07: 21:00:41:555:cc8 Sending: SA = 0x00138838 to 71.225.96.243:Type
2.500
3-07: 21:00:41:555:cc8 ISAKMP Header: (V1.0), len = 292
3-07: 21:00:41:555:cc8 I-COOKIE c69595d48feb453f
3-07: 21:00:41:555:cc8 R-COOKIE f3a5b19a0569aafe
3-07: 21:00:41:555:cc8 exchange: Oakley Quick Mode
3-07: 21:00:41:555:cc8 flags: 3 ( encrypted commit )
3-07: 21:00:41:555:cc8 next payload: HASH
3-07: 21:00:41:555:cc8 message ID: 7802174e
3-07: 21:00:41:555:cc8 Ports S:f401 D:f401
3-07: 21:00:42:26:cc8
3-07: 21:00:42:26:cc8 Receive: (get) SA = 0x00138838 from
71.225.96.243.500
3-07: 21:00:42:26:cc8 ISAKMP Header: (V1.0), len = 52
3-07: 21:00:42:26:cc8 I-COOKIE c69595d48feb453f
3-07: 21:00:42:26:cc8 R-COOKIE f3a5b19a0569aafe
3-07: 21:00:42:26:cc8 exchange: Oakley Quick Mode
3-07: 21:00:42:26:cc8 flags: 1 ( encrypted )
3-07: 21:00:42:26:cc8 next payload: HASH
3-07: 21:00:42:26:cc8 message ID: 7802174e
3-07: 21:00:42:26:cc8 processing HASH (QM)
3-07: 21:00:42:26:cc8 ClearFragList
3-07: 21:00:42:26:cc8 Adding QMs: src = 192.168.1.0.0000, dst =
10.0.0.0.0000, proto = 00, context = 000000D8, my tunnel =
72.225.230.244, peer tunnel = 71.225.96.243, SrcMask = 255.255.255.0,
DestMask = 255.255.255.0 Lifetime = 3600 LifetimeKBytes 100000 dwFlags
1 Direction 1 EncapType 1
3-07: 21:00:42:26:cc8 Algo[0] Operation: ESP Algo: Triple DES CBC
HMAC: MD5
3-07: 21:00:42:26:cc8 Algo[0] MySpi: 3417528724 PeerSpi: 2158955071
3-07: 21:00:42:26:cc8 Encap Ports Src 500 Dst 500
3-07: 21:00:42:26:cc8 isadb_set_status sa:00138838 centry:000DE500
status 0
3-07: 21:00:42:26:cc8 Constructing Commit Notify
3-07: 21:00:42:26:cc8 constructing ISAKMP Header
3-07: 21:00:42:26:cc8 constructing HASH (null)
3-07: 21:00:42:26:cc8 constructing NOTIFY 16384
3-07: 21:00:42:26:cc8 constructing HASH (QM)
3-07: 21:00:42:26:cc8
3-07: 21:00:42:26:cc8 Sending: SA = 0x00138838 to 71.225.96.243:Type
4.500
3-07: 21:00:42:26:cc8 ISAKMP Header: (V1.0), len = 76
3-07: 21:00:42:26:cc8 I-COOKIE c69595d48feb453f
3-07: 21:00:42:26:cc8 R-COOKIE f3a5b19a0569aafe
3-07: 21:00:42:26:cc8 exchange: Oakley Quick Mode
3-07: 21:00:42:26:cc8 flags: 3 ( encrypted commit )
3-07: 21:00:42:26:cc8 next payload: HASH
3-07: 21:00:42:26:cc8 message ID: 7802174e
3-07: 21:00:42:26:cc8 Ports S:f401 D:f401
3-07: 21:01:57:715:cc8 CE Dead. sa:00138838 ce:000DE500 status:35f0

 
jlee161@comcast.net
03-08-2006, 07:52 PM

No matter what I do, I can't seem to make this work. Is this just not
possible? Is there some additional config that must be done on win2k3
other than the two rules, plus setting up the two NICs (one with
public, and one private) and turning on NAT?

 
jlee161@comcast.net
03-08-2006, 07:56 PM

Here is one of the logs from the Event Viewer. The local and remote
secure groups are correct, and have been checked and double-checked.
Even when it manages to connect I can only ping 192.168.1.1 from
10.0.0.xx, and can't reach anything from 192 to 10.

IKE security association negotiation failed.
Mode:
Data Protection Mode (Quick Mode)

Filter:
Source IP Address 192.168.1.0
Source IP Address Mask 255.255.255.0
Destination IP Address 10.0.0.0
Destination IP Address Mask 255.255.255.0
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 192.168.1.1
IKE Peer Addr 71.225.96.243
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr

Peer Identity:
Preshared key ID.
Peer IP Address: 71.225.96.243

Failure Point:
Me

Failure Reason:
No policy configured

Extra Status:
Processed third (ID) payload
Responder. Delta Time 1
0x0 0x0


For more information, see Help and Support Center at

 
Phillip Windell
03-08-2006, 10:05 PM

It may not be possible. All VPN implementations are to a certain degree
"proprietary" with whatever device you are using. RRAS (Windows Server)
uses two connections to create a Site-to-Site VPN. Each connection is one
direction, so it takes two connections to get two-way communication. So it
implies that you want an RRAS box at each end. I have doubts that a Linksys
box (whatever a BEFVP41 is) does it the same way.

Now ISA Server uses RRAS "under-the-hood" to perform its VPN tasks and there
are supposed to be ways to make it work with other devices. You can check
into these articles and see if they help any. That is the best I can tell
you.

Configuring IPSec Site-to-Site Connections Between ISA Server 2004 and
Third-Party Gateways
http://www.microsoft.com/technet/pro...siteipsec.mspx

Establishing an IPSec site-to-site tunnel between an ISA 2004 Firewall and a
D-Link DI-804HV IPSec VPN Router
http://www.isaserver.org/articles/2004isadlink.html

Configuring IPSec Tunnel Mode VPN Between ISA Server 2004 and Astaro
Security Linux
http://www.microsoft.com/technet/pro...elmodevpn.mspx

Configuring IPSec Tunnel Mode VPN Between ISA Server 2004 and SmoothWall
Express 2.0
http://www.microsoft.com/technet/pro...pnexpress.mspx

Configuring IPSec Tunnel Mode VPN Between ISA Server 2004 and Netopia R9100
4.11.3
http://www.microsoft.com/technet/pro...n/netopia.mspx

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com



jlee161@comcast.net
03-09-2006, 02:04 PM

Yeah, I'm beginning to come to that conclusion. My cohort, on the
other end of this tunnel, and I are going to give it one more shot. He
believes the reason I couldn't reach his other clients is that they may
have been getting the wrong default gateway. However next we'll try
ISA 2004.

 
Phillip Windell
03-09-2006, 04:48 PM

Default gateways are only for the Internet ("unknown routes"). The LAN on
the opposite side of each VPN is "known", so you have to use "specific"
routes. It is done by placing static routes on the device that acts as the
clients' default gateway so that traffic for those particular remote
destinations gets properly passed over to the VPN device.

However, if the device providing the Internet and the device providing the
VPN are the same device, *and* if each respective LAN is a single
subnet, then you just make that one device the default gateway and forget
it.

You also have to make sure that both of the LANs are not using the same IP
range.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/downlo...7/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/pro...isaserver.mspx
-----------------------------------------------------



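The routing rule in Phillip's post, worked through in Python as an added example (not from the thread): each LAN's default gateway needs a specific route for every remote LAN pointing at the local VPN device, unless the VPN device already is the default gateway, and no two LANs may share an IP range. The subnets are the thread's; the device addresses other than 192.168.1.1, the assumption that the gateway is a Windows host (hence `route add` syntax), and the tunnel pairs are constructed.

```python
"""Route planning for site-to-site IPsec: per-site static routes toward the
VPN device, plus an overlapping-LAN check that must pass before any tunnel
is built. Added example; only the subnets and 192.168.1.1 come from the thread."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from itertools import combinations


@dataclass(frozen=True)
class Site:
    name: str
    lan: IPv4Network              # the single subnet behind this site's VPN device
    vpn_device: IPv4Address       # LAN-side address of the device terminating the tunnel
    default_gateway: IPv4Address  # what the clients on this LAN actually use as their gateway


def overlapping_lans(sites):
    """Pairs of site names whose LAN ranges overlap; must be empty for the tunnel to route."""
    return [(a.name, b.name) for a, b in combinations(sites, 2) if a.lan.overlaps(b.lan)]


def routes_for(site, peers):
    """Static routes 'site' needs so traffic for each peer LAN reaches its VPN device.
    Returns (where, commands): 'none' when the VPN device already is the default
    gateway (nothing to add), else 'default gateway' meaning the commands belong on
    that device. Commands use Windows 'route add' syntax (assumed Windows gateway)."""
    if site.vpn_device == site.default_gateway:
        return "none", []
    cmds = [f"route add -p {p.lan.network_address} mask {p.lan.netmask} {site.vpn_device}"
            for p in peers]
    return "default gateway", cmds


def plan(sites, tunnels):
    """Refuse overlapping LANs; otherwise return {site name: (where, commands)}."""
    clashes = overlapping_lans(sites)
    if clashes:
        raise ValueError(f"overlapping LAN ranges: {clashes}")
    by_name = {s.name: s for s in sites}
    peers = {s.name: [] for s in sites}
    for a, b in tunnels:                       # each tunnel makes both LANs "known" to each other
        peers[a].append(by_name[b])
        peers[b].append(by_name[a])
    return {name: routes_for(by_name[name], peers[name]) for name in by_name}


# Constructed from the thread's three subnets. The win2k3 LAN is modelled with a
# separate default gateway (192.168.1.254, assumed) to show the case that needs routes.
SITES = [
    Site("win2k3", IPv4Network("192.168.1.0/24"), IPv4Address("192.168.1.1"), IPv4Address("192.168.1.254")),
    Site("befvp41", IPv4Network("10.0.0.0/24"), IPv4Address("10.0.0.1"), IPv4Address("10.0.0.1")),
    Site("third", IPv4Network("192.168.15.0/24"), IPv4Address("192.168.15.1"), IPv4Address("192.168.15.1")),
]
TUNNELS = [("befvp41", "win2k3"), ("befvp41", "third")]  # as described in the first post

# A constructed misconfiguration: a fourth LAN carved out of 192.168.1.0/24.
CLASHING_SITES = SITES + [
    Site("dup", IPv4Network("192.168.1.128/25"), IPv4Address("192.168.1.129"), IPv4Address("192.168.1.129")),
]

if __name__ == "__main__":
    for name, (where, cmds) in plan(SITES, TUNNELS).items():
        print(name, where, cmds)
```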