Re: L2TP/IPSEC site to site problem
- From: Roy Hills <royhills@xxxxxxxxxxx>
- Date: Thu, 29 Mar 2007 13:50:05 GMT
On Thu, 29 Mar 2007 00:45:46 +0200, "Arkady" <arkkar@xxxxxxxxx> wrote:
Trying to configure an L2TP site-to-site connection between two branch offices.
On my site ISA 2006 Std, remote site - ISA 2004 Std.
Following the instructions, I have already tried configuring it 3 times.
When pinging a machine on the remote site from a client machine on my site, the following
events appear on my ISA server:
[snip]
Description: IKE security association negotiation failed.
Mode: Key Exchange Mode (Main Mode)
This tells you that the problem is with the IPsec connection, and that the
underlying problem is that IKE negotiations have failed. It also tells you
that the problem is with IKE Phase-1, and that your system is using Main
Mode for Phase-1.
IKE Phase-1 handles the negotiations of the transform attributes for the
IKE SA that will be used for Phase-2, and it also authenticates the peers.
Therefore IKE Phase-1 failures are typically caused by either an
authentication failure (such as a wrong password or an invalid certificate), or the
two ends not agreeing on which transform attributes to use.
For the transform attributes, there are four that matter for IKE Phase-1:
Encryption Algorithm, Hash Algorithm, Authentication Method and
Diffie-Hellman group. The two peers need to be able to agree on values for
all four of these attributes - typically both sides will support a number
of possible values.
My next step would be to sniff the IKE exchange between the two systems,
which will tell you what transform attributes your side is proposing. This
may also show the response from the remote peer. You could use Wireshark
or similar for this, and just capture packets between the two peers on
UDP port 500.
You can also use ike-scan (a command line tool) to try to determine what
transform attributes the peer supports. Start by looking at the docs on
the wiki at
http://www.nta-monitor.com/wiki/index.php/Ike-scan_Documentation
Alternatively, you could look at the configurations for IKE Phase-1 on both
ends of the connection.
Roy Hills
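As an added example, not part of Roy's reply and not ike-scan's own code: a small Python decoder for what a UDP/500 capture gives you. It parses the IKEv1 ISAKMP header and SA payload of a captured packet, lists the Encryption Algorithm, Hash Algorithm, Authentication Method and Diffie-Hellman group of each proposed Phase-1 transform, reports the exchange type (Main Mode vs. Aggressive Mode) and any Notify payload, and checks the proposals against the attribute sets the remote peer is known to support (from its configuration or an ike-scan run). The packet bytes and the two peer capability lists are constructed for the example; Key Length is compared alongside the four attributes because AES proposals carry it.

```python
"""Decode the IKEv1 Phase-1 SA proposal from a captured ISAKMP packet (UDP/500)."""
import struct

# Constants from RFC 2408 (ISAKMP) and RFC 2409 (IKEv1)
PAYLOAD_SA, PAYLOAD_NOTIFY = 1, 11
EXCHANGE_TYPES = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}
NOTIFY_TYPES = {14: "NO-PROPOSAL-CHOSEN", 24: "AUTHENTICATION-FAILED"}
ATTR_NAMES = {1: "Encryption Algorithm", 2: "Hash Algorithm", 3: "Authentication Method",
              4: "Diffie-Hellman group", 11: "Life Type", 12: "Life Duration", 14: "Key Length"}
ATTR_VALUES = {
    1: {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"},
    2: {1: "MD5", 2: "SHA1"},
    3: {1: "pre-shared key", 3: "RSA signature"},
    4: {1: "MODP-768", 2: "MODP-1024", 5: "MODP-1536", 14: "MODP-2048"},
    11: {1: "seconds", 2: "kilobytes"},
}
# The four attributes both peers must agree on in Phase-1, plus the AES key length.
PHASE1_KEYS = ("Encryption Algorithm", "Hash Algorithm", "Authentication Method",
               "Diffie-Hellman group", "Key Length")


def parse_attributes(data):
    """Decode ISAKMP data attributes: AF bit set = 2-byte value, clear = length-prefixed value."""
    attrs, i = {}, 0
    while i + 4 <= len(data):
        atype, val = struct.unpack_from("!HH", data, i)
        i += 4
        if atype & 0x8000:              # basic (type/value) attribute
            atype &= 0x7FFF
        else:                           # variable (type/length/value) attribute
            length = val
            val = int.from_bytes(data[i:i + length], "big")
            i += length
        attrs[ATTR_NAMES.get(atype, f"attr-{atype}")] = ATTR_VALUES.get(atype, {}).get(val, val)
    return attrs


def parse_sa_payload(body):
    """Walk the proposals and transforms inside an SA payload body (after the generic header)."""
    transforms, off = [], 8                        # skip DOI (4) and Situation (4)
    while off < len(body):
        _nxt, _res, plen = struct.unpack_from("!BBH", body, off)
        _pnum, _proto, spi_size, ntrans = struct.unpack_from("!BBBB", body, off + 4)
        toff = off + 8 + spi_size
        for _ in range(ntrans):
            _tnxt, _r, tlen = struct.unpack_from("!BBH", body, toff)
            tnum = body[toff + 4]                  # Transform #; Transform-ID follows it
            attrs = parse_attributes(body[toff + 8: toff + tlen])
            attrs["transform"] = tnum
            transforms.append(attrs)
            toff += tlen
        off += plen
    return transforms


def parse_ike_packet(pkt):
    """Return (exchange type name, proposed transforms, notify names) for one ISAKMP packet."""
    if len(pkt) < 28:
        raise ValueError("truncated ISAKMP header")
    _ic, _rc, nxt, version, exch, _flags, _msgid, length = struct.unpack_from("!8s8sBBBBII", pkt, 0)
    if length != len(pkt):
        raise ValueError("ISAKMP length field does not match packet size")
    if version >> 4 != 1:
        raise ValueError("not an IKEv1 packet")
    transforms, notifies, off = [], [], 28
    while nxt != 0:                                # follow the Next Payload chain
        ptype = nxt
        nxt, _res, plen = struct.unpack_from("!BBH", pkt, off)
        body = pkt[off + 4: off + plen]
        if ptype == PAYLOAD_SA:
            transforms.extend(parse_sa_payload(body))
        elif ptype == PAYLOAD_NOTIFY:              # DOI(4) Proto(1) SPI size(1) Notify type(2)
            ntype = struct.unpack_from("!H", body, 6)[0]
            notifies.append(NOTIFY_TYPES.get(ntype, f"notify-{ntype}"))
        off += plen
    return EXCHANGE_TYPES.get(exch, f"exchange-{exch}"), transforms, notifies


def common_transforms(ours, theirs):
    """Our proposed transforms that the peer agrees with on every Phase-1 attribute."""
    def key(t):
        return tuple(t.get(k) for k in PHASE1_KEYS)
    peer_keys = {key(t) for t in theirs}
    return [t for t in ours if key(t) in peer_keys]


# Constructed Main Mode message 1: two Phase-1 transforms
#   #1: 3DES-CBC / SHA1 / pre-shared key / MODP-1024, lifetime 28800 seconds
#   #2: AES-CBC-128 / SHA1 / pre-shared key / MODP-2048
SAMPLE_IKE_PACKET = bytes.fromhex(
    "0123456789abcdef" "0000000000000000" "01" "10" "02" "00" "00000000" "00000070"
    "00000054" "00000001" "00000001"                          # SA payload, IPsec DOI
    "00000048" "01010002"                                     # proposal 1, PROTO_ISAKMP, 2 transforms
    "03000024" "01010000" "80010005" "80020002" "80030001" "80040002" "800b0001" "000c0004" "00007080"
    "0000001c" "02010000" "80010007" "800e0080" "80020002" "80030001" "8004000e"
)
# Constructed peer capability lists (what the remote end would accept)
PEER_OK = [{"Encryption Algorithm": "3DES-CBC", "Hash Algorithm": "SHA1",
            "Authentication Method": "pre-shared key", "Diffie-Hellman group": "MODP-1024"}]
PEER_MISMATCH = [{"Encryption Algorithm": "AES-CBC", "Key Length": 256, "Hash Algorithm": "SHA1",
                  "Authentication Method": "pre-shared key", "Diffie-Hellman group": "MODP-1024"}]

if __name__ == "__main__":
    exchange, proposed, notifies = parse_ike_packet(SAMPLE_IKE_PACKET)
    print("exchange:", exchange, "notifies:", notifies)
    for t in proposed:
        print("transform", t["transform"], {k: t.get(k) for k in PHASE1_KEYS})
    print("agreeable with PEER_OK:", [t["transform"] for t in common_transforms(proposed, PEER_OK)])
    print("agreeable with PEER_MISMATCH:", common_transforms(proposed, PEER_MISMATCH))
```

An empty result from `common_transforms` is the "two ends not agreeing on transform attributes" case; a captured responder reply carrying a NO-PROPOSAL-CHOSEN notify says the same thing from the peer's side, and AUTHENTICATION-FAILED points at the credential rather than the proposal.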