Re: Problem with ISA 2004 SP2 and Dlink HI-804HV in Site to Site V



No it actually made it worse to where no connection could be obtained. I am
really frustrated at this point.

"Johan Engdahl" wrote:

Actually, if you have selected a Diffie-Hellman group in Phase 2, you have
automatically enabled PFS.
Did it make any difference to enable Aggressive Mode?

--
----------------------------------------------------------------------------------------------------------------------------
Johan Engdahl
CCSA, CCSE, CCA, MCP | johan AT firewall1 DOT nu | http://www.firewall1.nu

"Stellence" <Stellence@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:08C5F081-D135-4C61-868C-0780F49A2280@xxxxxxxxxxxxxxxx
John, I am able to enable Aggressive Mode, but not PFS in the Dlink router.
At least not in any way that I know of. The emulator is here -
http://support.dlink.com/emulators/di804hv/


"Johan Engdahl" wrote:

Try to enable Aggressive Mode in Phase 1 and PFS in Phase 2.

--
----------------------------------------------------------------------------------------------------------------------------
Johan Engdahl
CCSA, CCSE, CCA, MCP | johan AT firewall1 DOT nu |
http://www.firewall1.nu

"Stellence" <Stellence@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E2D86DBD-ACB0-42A4-9D4F-45F4757B4582@xxxxxxxxxxxxxxxx
ISA Experts,

My configuration:

192.168.2.0 (Corporate Office) <-> ISA 2004 <-> Internet <-> Actiontec DSL
Router (Transparent Bridging) <-> DLink HI-804HV <-> 192.168.1.0 (Branch Office)

The Dlink has the latest firmware (v1.44) and I have established a
connection per the instructions in the following article
http://www.isaserver.org/articles/2004isadlink.html

However, the connection drops repeatedly and is basically unacceptable.

These are the errors I am receiving in the event log at the ISA Server:

On the ISA server the events in the security log are:
12:04:23 547 Failure Quick Mode
12:04:23 543 Main Mode Ended
12:04:23 541 Main Mode Established
12:04:52 542 Quick Mode Ended
12:05:00 541 Quick Mode Established
12:05:26 547 Failure Quick Mode
12:05:26 543 Main Mode Ended
12:05:26 541 Main Mode Established
12:06:29 547 Failure Quick Mode
12:08:23 547 Failure Quick Mode
12:08:23 543 Main Mode Ended
12:08:23 541 Main Mode Established
12:09:26 547 Failure Quick Mode

And on and on... renegotiating the SA every couple of minutes rather than
hours.
The actual error is:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 547
Date: 9/7/2006
Time: 12:04:23 AM
User: NT AUTHORITY\NETWORK SERVICE
Computer: XXXX
Description:
IKE security association negotiation failed.
Mode:
Data Protection Mode (Quick Mode)

Filter:
Source IP Address xxx.xxx.xxx.40
Source IP Address Mask 255.255.255.255
Destination IP Address 192.168.17.0
Destination IP Address Mask 255.255.255.0
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr xxx.xxx.xxx.40
IKE Peer Addr xx.x.xx.130
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr

Peer Identity:
Preshared key ID.
Peer IP Address: xx.x.xx.130

Failure Point:
Me

Failure Reason:
IKE SA deleted before establishment completed

Extra Status:
Processed third (ID) payload
Initiator. Delta Time 63
0x0 0x0

I would like to know if there are tweaks I can make or if this device is not
sufficient to support a solid site-to-site VPN deployment? I have tried
switching from SHA to MD5 and had the same problem. The connection stays in
the Establishing state for several minutes, then connects for a few minutes,
then drops and repeats the same process. I have modified the SAIdleTime to
3600 and have installed hotfix 281966 but still have the same errors.

Thanks in advance for the help!
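The event sequence quoted in the original post (541/542/543/547 audit entries) is the kind of thing worth measuring rather than eyeballing: if Quick Mode failures (event 547) recur far more often than the configured SA lifetime, the tunnel is flapping. The following is an added example, not code from anyone in this thread. It parses the timestamped lines exactly as quoted above (constructed here as a sample string), counts the outcomes, measures the gap between successive 547 failures, and compares the median gap against the 3600-second SAIdleTime the poster says was configured. The `HH:MM:SS <id> <description>` line shape, the 2006-09-07 base date (taken from the quoted event) and the "flapping" threshold of one tenth of the lifetime are assumptions of this example.

```python
"""Measure IKE renegotiation frequency from Windows Security log audit lines.

Added example: parses the 541/542/543/547 lines quoted in the thread and
flags a tunnel whose Quick Mode failures recur far faster than the SA lifetime.
"""
from datetime import datetime, timedelta
from statistics import median

# Constructed sample: the event sequence as quoted in the original post.
SAMPLE_LOG = """\
12:04:23 547 Failure Quick Mode
12:04:23 543 Main Mode Ended
12:04:23 541 Main Mode Established
12:04:52 542 Quick Mode Ended
12:05:00 541 Quick Mode Established
12:05:26 547 Failure Quick Mode
12:05:26 543 Main Mode Ended
12:05:26 541 Main Mode Established
12:06:29 547 Failure Quick Mode
12:08:23 547 Failure Quick Mode
12:08:23 543 Main Mode Ended
12:08:23 541 Main Mode Established
12:09:26 547 Failure Quick Mode
"""

# The SAIdleTime value the original post says was configured (assumption:
# treated here as the expected lifetime between legitimate renegotiations).
LIFETIME_SECONDS = 3600
FAILURE_EVENT_ID = 547          # "IKE security association negotiation failed"
ESTABLISHED_EVENT_ID = 541      # "IKE security association established"

# Date from the quoted event; only used so times can be ordered and subtracted.
BASE_DATE = datetime(2006, 9, 7).date()


def parse_events(text):
    """Turn 'HH:MM:SS <id> <description>' lines into (datetime, id, description).

    Times only carry a clock value, so a decrease is treated as a midnight wrap.
    """
    events = []
    prev = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, eid, desc = line.split(" ", 2)
        t = datetime.combine(BASE_DATE, datetime.strptime(ts, "%H:%M:%S").time())
        if prev is not None and t < prev:
            t += timedelta(days=1)      # log crossed midnight
        prev = t
        events.append((t, int(eid), desc))
    return events


def count_by_description(events):
    """Count how many times each (event id, description) pair occurred."""
    counts = {}
    for _, eid, desc in events:
        counts[(eid, desc)] = counts.get((eid, desc), 0) + 1
    return counts


def failure_intervals(events, failure_id=FAILURE_EVENT_ID):
    """Seconds between consecutive negotiation failures."""
    times = [t for t, eid, _ in events if eid == failure_id]
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def assess(events, lifetime=LIFETIME_SECONDS):
    """Summarise the sequence and flag a flapping tunnel.

    A tunnel is considered flapping when the median gap between failures is
    under a tenth of the configured lifetime (threshold chosen for this example).
    """
    ivals = failure_intervals(events)
    failures = sum(1 for _, eid, _ in events if eid == FAILURE_EVENT_ID)
    quick_ok = sum(1 for _, eid, desc in events
                   if eid == ESTABLISHED_EVENT_ID and desc.startswith("Quick"))
    med = median(ivals) if ivals else None
    return {
        "failures": failures,
        "quick_mode_established": quick_ok,
        "intervals": ivals,
        "median_interval": med,
        "flapping": med is not None and med < lifetime / 10,
    }


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for key, n in sorted(count_by_description(evs).items()):
        print(f"{key[0]} {key[1]}: {n}")
    print(assess(evs))
```

On the quoted data the script reports five 547 failures against a single Quick Mode establishment, with gaps of 63, 63, 114 and 63 seconds between failures; the recurring 63-second figure is the same "Delta Time 63" the full event shows, which is what you would expect from a negotiation timing out rather than from a lifetime expiring. Pointing the same parser at a longer export of the Security log turns the "every couple of minutes" observation into a number that can be compared before and after each configuration change.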








