Troubleshooting IPSec Tunnel Mode Scenarios

In this article we’ll take a look at how to troubleshoot a common site to site IPSec tunnel-mode VPN scenario.

Symptom

Receive “Negotiating IP Security” when testing connectivity from ISA Server across a Remote Site connection

Consider the following scenario: ISA-A has a Remote Site connection to ISA-B (or a 3rd party IPSec gateway) using IPSec Tunnel Mode.


Figure 1

After creating the Remote Site and creating the Firewall Rule to allow the Local Host Network (at the ISA firewall) access to the Remote Site, you are unable to establish a connection with any protocol. If you test connectivity with PING, you receive the Negotiating IP Security response indefinitely.

Solution

On each ISA Server (or 3rd party VPN gateway), add the external IP address of the opposing ISA firewall into the Addresses tab of the connection.

Description

If the ISA firewall is installed on Windows 2003, you can use the netsh ipsec dynamic show qmfilters all command to see the filters referenced below.

SubnetA -- ISA-A -- Internet -- ISA-B -- SubnetB

ISA-A has a Remote Site for SubnetB containing the addresses of that subnet.

This results in ISA-A having an IPSec Filter List of:

A1   SubnetA > SubnetB
A3   ISA-A > SubnetB
A2   SubnetA < SubnetB
A4   ISA-A < SubnetB

ISA-B has a Remote Site for SubnetA containing the addresses of that subnet. This results in ISA-B having an IPSec Filter List of:

B1   SubnetB > SubnetA
B3   ISA-B > SubnetA
B2   SubnetB < SubnetA
B4   ISA-B < SubnetA

When you PING from ISA-A to SubnetB, the traffic sources from ISA-A's external IP address. Because of this, ISA-A has a matching filter for the traffic (A3 above) but ISA-B doesn't have a matching filter for this (B1 through B4 don't match the traffic). As a result, ISA-A continues trying to negotiate IP Security with ISA-B but this will never complete as there is not a match for the traffic on ISA-B.

To fix this, on ISA-A, you'll need to add ISA-B's external IP address into the Addresses tab of the Remote Site. On ISA-B, you'll need to add ISA-A's external IP address.

With those addresses added, each ISA firewall now has the following filters:

ISA-A

A1   SubnetA > SubnetB
A3   ISA-A > SubnetB
A5   ISA-B > SubnetA
A2   SubnetA < SubnetB
A4   ISA-A < SubnetB
A6   ISA-B < SubnetA

ISA-B

B1   SubnetB > SubnetA
B3   ISA-B > SubnetA
B5   ISA-A > SubnetB
B2   SubnetB < SubnetA
B4   ISA-B < SubnetA
B6   ISA-A < SubnetB

With this setup, when ISA-A tries to communicate with SubnetB, A3 now matches B5 and A4 matches B6 and the Security Associations can come online.
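The filter matching described above, as an added model written for this page (not code from the article or from ISA Server), using constructed sample addresses for SubnetA, SubnetB and the two external IPs; it reproduces the symptom when the Remote Sites list only the subnets and the working state once each peer's external IP is added.

```python
import ipaddress
# Constructed sample addressing (an assumption; the article names no addresses).
SUBNET_A = ipaddress.ip_network("10.1.0.0/24")
SUBNET_B = ipaddress.ip_network("10.2.0.0/24")
ISA_A_EXT = ipaddress.ip_network("198.51.100.1/32")  # ISA-A external IP
ISA_B_EXT = ipaddress.ip_network("203.0.113.1/32")   # ISA-B external IP

def build_filters(local_net, local_ext, remote_site_addresses):
    """Model the quick-mode filter list one ISA derives from a Remote Site:
    each address on the Remote Site's Addresses tab is paired with the local
    network and with the firewall's own external IP, in both directions (the
    A1/A2 and A3/A4 mirror pairs in the article). This model also yields a
    gateway-to-gateway pair that the article's listing omits."""
    filters = []
    for remote in remote_site_addresses:
        for local in (local_net, local_ext):
            filters.append((local, remote))  # outbound selector
            filters.append((remote, local))  # mirrored inbound selector
    return filters

def has_match(filters, src, dst):
    """True if some filter's (source, destination) pair covers the packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in s and dst in d for s, d in filters)

def diagnose(src, dst, initiator_filters, responder_filters):
    """Quick mode completes only when the initiator's selector for the packet
    has a matching selector on the responder; otherwise PING keeps returning
    'Negotiating IP Security'."""
    if not has_match(initiator_filters, src, dst):
        return "no IPsec filter on initiator"
    if not has_match(responder_filters, src, dst):
        return "Negotiating IP Security"
    return "SA negotiated"

def before_fix():
    """Remote Sites list only the remote subnet: the symptom in the article."""
    isa_a = build_filters(SUBNET_A, ISA_A_EXT, [SUBNET_B])
    isa_b = build_filters(SUBNET_B, ISA_B_EXT, [SUBNET_A])
    return diagnose("198.51.100.1", "10.2.0.10", isa_a, isa_b)

def after_fix():
    """Each Remote Site also lists the peer gateway's external IP."""
    isa_a = build_filters(SUBNET_A, ISA_A_EXT, [SUBNET_B, ISA_B_EXT])
    isa_b = build_filters(SUBNET_B, ISA_B_EXT, [SUBNET_A, ISA_A_EXT])
    return diagnose("198.51.100.1", "10.2.0.10", isa_a, isa_b)

if __name__ == "__main__":
    print("ping from ISA-A before fix:", before_fix())  # Negotiating IP Security
    print("ping from ISA-A after fix: ", after_fix())   # SA negotiated
```

A ping sourced from a SubnetA host succeeds in both states, which is why the symptom only shows up when testing from the ISA Server itself.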

About Clint Denham

Clint Denham formerly worked in Microsoft's Product Support Services for 5 years in the Networking specialty for Windows Server products where he was the Subject Matter Expert for the IP Security suite of protocols and ISA Server. Now he works at PepsiCo in Dallas in the Web Hosting group learning the Apache/Linux side of the house. In his personal life, Clint is married with 3 boys and enjoys watching the only real racing in the world, MotoGP, in his spare time.
