12-28-2009 02:42 AM - edited 02-21-2020 04:26 PM
Hi all,
We are connecting several sites to our customer's HQ through IPsec tunnels. On the remote sites we use Cisco 87x routers and at the HQ we use an ISA 2006 server.
VPN tunnels build themselves quickly and 90% of the time they work very well. But now and then the tunnel drops its connection and we have about 10 - 30 timeouts before the tunnel rebuilds itself. In the logs we receive the following message:
%CRYPTO-4-IKMP_NO_SA: IKE message from x.x.x.x has no SA and is not an initialization offer
Our crypto settings on the Cisco routers are the following:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key <removed> address x.x.x.x
!
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map XX_XX 1 ipsec-isakmp
set peer x.x.x.x
set transform-set ESP-3DES-SHA1
set pfs group2
match address 150
ISA IPSEC configuration:
Phase I:
Encryption algorithm: 3DES
Integrity algorithm: SHA1
Diffie-Hellman: Group 2
28800 seconds
Phase II:
Encryption algorithm: 3DES
Integrity algorithm: SHA1
Generate a new key every: 3600 seconds
Use Perfect Forward Secrecy (PFS):
Diffie Hellman: Group 2
We have made several similar IPsec VPN connections before with Cisco and ISA (2004), using the same configuration, and we have never experienced unstable connections.
Many thanks in advance for your help.
Peter
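The %CRYPTO-4-IKMP_NO_SA message quoted above is the one worth watching for on the router side. The following is an added monitoring example, not code from this thread, that flags bursts of that message per IKE peer in a syslog export; it assumes lines carry the IOS "service timestamps log datetime msec" prefix, takes the year from the caller (IOS timestamps have none), and uses constructed sample lines with documentation-range peer addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the message quoted in the thread; captures the IOS timestamp and peer.
NO_SA_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?): "
    r"%CRYPTO-4-IKMP_NO_SA: IKE message from (?P<peer>\d{1,3}(?:\.\d{1,3}){3}) "
    r"has no SA and is not an initialization offer"
)

def parse_no_sa(line, year=2009):
    """Return (timestamp, peer) for an IKMP_NO_SA line, or None otherwise."""
    m = NO_SA_RE.match(line.strip())
    if not m:
        return None
    ts = m.group("ts")
    fmt = "%b %d %H:%M:%S.%f" if "." in ts else "%b %d %H:%M:%S"
    # IOS timestamps carry no year, so the caller supplies one (assumption).
    return datetime.strptime(ts, fmt).replace(year=year), m.group("peer")

def find_bursts(lines, window=timedelta(minutes=5), threshold=3, year=2009):
    """Map peer -> most NO_SA lines inside any sliding window, for peers at or
    above threshold; a burst matches the 'timeouts until rebuild' symptom."""
    by_peer = defaultdict(list)
    for line in lines:
        parsed = parse_no_sa(line, year)
        if parsed:
            by_peer[parsed[1]].append(parsed[0])
    bursts = {}
    for peer, times in by_peer.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[peer] = best
    return bursts

# Constructed sample export: one peer flapping, one peer with a single stray line.
_MSG = "%CRYPTO-4-IKMP_NO_SA: IKE message from {} has no SA and is not an initialization offer"
SAMPLE_LOG = [
    "Dec 28 02:15:01.123: " + _MSG.format("203.0.113.10"),
    "Dec 28 02:15:31.400: " + _MSG.format("203.0.113.10"),
    "Dec 28 02:16:02.010: " + _MSG.format("203.0.113.10"),
    "Dec 28 09:00:00.000: " + _MSG.format("203.0.113.20"),
    "Dec 28 09:00:05.000: %SYS-5-CONFIG_I: Configured from console by vty0",
]
```

A single message after a rekey is normal; a peer that shows up in find_bursts is the one whose tunnel is flapping and worth checking with "show crypto isakmp sa" at that time.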
12-30-2009 01:33 AM
Hi Peter,
Can you post your complete config? I'm trying to get a similar setup working with a Cisco 877-M and ISA 2006 but can't even get the tunnel to connect.
Thanks,
David
12-31-2009 07:06 AM
Hi David,
On the Cisco side you should be able to get it working with this (in my config the 10.x.16.0 is the local subnet, and the 128.x.x.0 is the remote subnet):
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key
!
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map XX_XX 1 ipsec-isakmp
set peer x.x.x.x
set transform-set ESP-3DES-SHA1
set pfs group2
match address 150
!
interface Dialer0
...
crypto map XX_XX
...
!
ip nat inside source list 100 interface Dialer0 overload
!
access-list 100 deny ip 10.x.16.0 0.0.0.255 128.x.x.0 0.0.0.255
access-list 100 permit ip 10.x.16.0 0.0.0.255 any
access-list 150 permit ip 10.x.16.0 0.0.0.255 128.x.x.0 0.0.0.255
access-list 150 permit icmp 10.x.16.0 0.0.0.255 128.x.x.0 0.0.0.255
access-list 150 permit icmp 128.x.x.0 0.0.0.255 10.x.16.0 0.0.0.255
If you have your Cisco router configured like this, then the problem resides on your ISA side. Please check if it works with the above config on your Cisco side; if not, I can send you some screens from our ISA config.
Until now I was not able to find a solution for the dropouts on our VPN tunnels.
We use the following IOS on our routers: c870-advsecurityk9-mz.124-15.T9. Is there any known bug in this version that can cause my dropouts?
Best regards and happy New Year!
Peter
01-03-2010 12:51 AM
Hi Peter,
Thanks for the config.
I'm still having problems and now I suspect that they are on the ISA end.
A bit of background - I also publish OWA via RPC over HTTPS and connect via Outlook 2007. I found several articles that say I should have the external IP address of the Cisco added into the properties for the Cisco network in ISA. As soon as I add this and apply the setting I am unable to access Exchange 2007 OWA (via Internet Explorer or Outlook) and unable to connect via PPTP VPN.
The interesting part is that once I add that IP to the Cisco network object within ISA, the session monitor tells me that the IPsec tunnel is connected to the branch. But I cannot ping from ISA to the Cisco network.
Can you send through some more details about how you have the ISA end configured?
Thanks,
David
01-04-2010 08:08 AM
Hi David,
We do not add the External IP of our Cisco router in the properties of ISA.
Properties on our ISA per VPN:
General:
Name, Description and enabled.
Addresses:
Start address - End Address
10.x.x.0 10.x.x.255
Connection:
Remote tunnel endpoint
"External ip from your Cisco"
Local VPN gateway address
"External ip from your ISA"
IPsec Settings: see my first post on this topic.
Authentication:
Use pre-shared key for authentication
"pre shared key"
That makes it work on our side so I hope this helps.
You can check the status of your VPN tunnel on the Cisco side with "show crypto isakmp sa" and "show crypto ipsec sa".
Best regards,
Peter
02-01-2010 08:05 AM
Can anybody help me out on this one?
Thanks, Peter