Tunnel mode IPSec in Win2k

From: Ben Hughes (not_at_on.usenet.sorry)
Date: 03/08/04


Date: Mon, 8 Mar 2004 16:32:24 +0000 (UTC)

I'm trying to set up a "client" win2k box to talk to a LAN over ipsec.
Something like this (cue bad ascii diagram)

 win2k box ------ Interweb ------ VPN box (outside : inside)
 10.142.0.2/24                    10.171.0.2/24 : 10.201.0.2/24

so that 10.142.0.2/32 can talk to 10.201.0.0/24, using tunnel mode
pointing at 10.171.0.2

The problem I'm having is nothing leaves the box, looking in event log
I'm getting:

"The IPSec driver failed the oakley negotiation with 10.201.0.2 since no
filter exists to protect packets to that destination..."

Which is a little barmy, as it wouldn't be trying to talk ipsec to it
if there wasn't a filter (which there is), so I'm a little confused.

If anyone has any light they could shed, that'd be fantastic, cheers.

My policy looks like this at present:

IP Security test . . . . . . . . . : Passed
    Local IPSec Policy Active: 'New IP Security Policy'
    IP Security Policy Path: SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{24C0DBF1-D043-43F7-B2B3-6D6EE0B18412}

    There are 2 filters
    No Name
     Filter Id: {B505B39E-81EA-4CAA-9214-607ABC72F4EA}
     Policy Id: {C48B5875-9F73-40E3-AA0D-3A75F4D7FBF9}
        IPSEC_POLICY PolicyId = {C48B5875-9F73-40E3-AA0D-3A75F4D7FBF9}
                Flags: 0x0
                Tunnel Addr: 0.0.0.0
        PHASE 2 OFFERS Count = 1
                Offer #0:
        ESP[ DES MD5 HMAC]
        Rekey: 0 seconds / 0 bytes.
        AUTHENTICATION INFO Count = 1
                Method = Preshared key: cake
     Src Addr : 10.142.0.2 Src Mask : 255.255.255.255
     Dest Addr : 10.201.0.0 Dest Mask : 255.255.255.0
     Tunnel Addr : 10.171.0.2 Src Port : 0 Dest Port : 0
     Protocol : 0 TunnelFilter: Yes
     Flags : Outbound
    No Name
     Filter Id: {31362036-20E7-4F92-AA39-48A9D1919428}
     Policy Id: {C48B5875-9F73-40E3-AA0D-3A75F4D7FBF9}
        IPSEC_POLICY PolicyId = {C48B5875-9F73-40E3-AA0D-3A75F4D7FBF9}
                Flags: 0x0
                Tunnel Addr: 0.0.0.0
        PHASE 2 OFFERS Count = 1
                Offer #0:
        ESP[ DES MD5 HMAC]
        Rekey: 0 seconds / 0 bytes.
        AUTHENTICATION INFO Count = 1
                Method = Preshared key: cake
     Src Addr : 10.201.0.0 Src Mask : 255.255.255.0
     Dest Addr : 10.142.0.2 Dest Mask : 255.255.255.255
     Tunnel Addr : 10.171.0.2 Src Port : 0 Dest Port : 0
     Protocol : 0 TunnelFilter: Yes
     Flags : Outbound

The command completed successfully

-- 
Ben Hughes.
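The dump above is the kind of thing worth checking mechanically before asking the list. What follows is an added example, not code from the original post: a small parser for the per-filter lines of a netdiag-style IPSec dump, plus a checker that applies the two-rule layout Microsoft documents for Win2k tunnel mode (an outbound tunnel filter whose endpoint is the remote gateway, and an inbound tunnel filter whose endpoint is the local machine's own address) and flags single DES, HMAC-MD5 and a preshared key sitting in the dump in clear text. The posted filters are embedded as constructed sample input, alongside a constructed "fixed" variant; the local address (10.142.0.2) and remote gateway (10.171.0.2) are taken from the diagram, and the expected layout is stated as an assumption in the code.

```python
import re

# Constructed sample: the two tunnel filters from the netdiag dump in the post
# (per-filter lines only; the policy header lines are not needed here).
POSTED_DUMP = """\
 Filter Id: {B505B39E-81EA-4CAA-9214-607ABC72F4EA}
    ESP[ DES MD5 HMAC]
            Method = Preshared key: cake
 Src Addr : 10.142.0.2 Src Mask : 255.255.255.255
 Dest Addr : 10.201.0.0 Dest Mask : 255.255.255.0
 Tunnel Addr : 10.171.0.2 Src Port : 0 Dest Port : 0
 Protocol : 0 TunnelFilter: Yes
 Flags : Outbound
 Filter Id: {31362036-20E7-4F92-AA39-48A9D1919428}
    ESP[ DES MD5 HMAC]
            Method = Preshared key: cake
 Src Addr : 10.201.0.0 Src Mask : 255.255.255.0
 Dest Addr : 10.142.0.2 Dest Mask : 255.255.255.255
 Tunnel Addr : 10.171.0.2 Src Port : 0 Dest Port : 0
 Protocol : 0 TunnelFilter: Yes
 Flags : Outbound
"""

# Constructed "fixed" dump (assumption: the Win2k tunnel-mode layout Microsoft
# documents, where the inbound leg's tunnel endpoint is the local address and
# is flagged Inbound), with 3DES/SHA1 in place of DES/MD5.
FIXED_DUMP = """\
 Filter Id: {B505B39E-81EA-4CAA-9214-607ABC72F4EA}
    ESP[ 3DES SHA1 HMAC]
            Method = Preshared key: cake
 Src Addr : 10.142.0.2 Src Mask : 255.255.255.255
 Dest Addr : 10.201.0.0 Dest Mask : 255.255.255.0
 Tunnel Addr : 10.171.0.2 Src Port : 0 Dest Port : 0
 Protocol : 0 TunnelFilter: Yes
 Flags : Outbound
 Filter Id: {31362036-20E7-4F92-AA39-48A9D1919428}
    ESP[ 3DES SHA1 HMAC]
            Method = Preshared key: cake
 Src Addr : 10.201.0.0 Src Mask : 255.255.255.0
 Dest Addr : 10.142.0.2 Dest Mask : 255.255.255.255
 Tunnel Addr : 10.142.0.2 Src Port : 0 Dest Port : 0
 Protocol : 0 TunnelFilter: Yes
 Flags : Inbound
"""

LINE_PATTERNS = {
    "id": re.compile(r"Filter Id:\s*(\{[0-9A-Fa-f-]+\})"),
    "esp": re.compile(r"ESP\[\s*(.*?)\s*\]"),
    "psk": re.compile(r"Preshared key:\s*(.*?)\s*$"),
    "src": re.compile(r"Src Addr\s*:\s*(\S+)\s+Src Mask\s*:\s*(\S+)"),
    "dst": re.compile(r"Dest Addr\s*:\s*(\S+)\s+Dest Mask\s*:\s*(\S+)"),
    "tunnel": re.compile(r"Tunnel Addr\s*:\s*(\S+)\s+Src Port"),
    "tunnel_filter": re.compile(r"TunnelFilter:\s*(\S+)"),
    "flags": re.compile(r"Flags\s*:\s*(Inbound|Outbound)"),
}


def parse_filters(dump):
    """Turn the per-filter lines of a netdiag-style IPSec dump into dicts.

    A new record starts at each 'Filter Id:' line; later lines fill it in.
    Multi-group patterns (src/dst) are stored as (addr, mask) tuples.
    """
    filters = []
    for line in dump.splitlines():
        m = LINE_PATTERNS["id"].search(line)
        if m:
            filters.append({"id": m.group(1)})
            continue
        if not filters:
            continue
        cur = filters[-1]
        for key, pat in LINE_PATTERNS.items():
            m = pat.search(line)
            if m and key != "id":
                cur[key] = m.groups() if len(m.groups()) > 1 else m.group(1)
    return filters


def check_tunnel_policy(filters, local_ip, remote_gateway):
    """Return (filter_id, finding) tuples for a host-to-gateway tunnel policy."""
    findings = []
    for f in filters:
        fid = f["id"]
        if f.get("tunnel_filter") != "Yes":
            findings.append((fid, "not a tunnel filter; tunnel mode needs TunnelFilter: Yes"))
            continue
        src, dst = f["src"][0], f["dst"][0]
        if src == local_ip:
            # Outbound leg: traffic from this host is tunnelled to the remote gateway.
            if f.get("tunnel") != remote_gateway:
                findings.append((fid, f"outbound tunnel endpoint is {f.get('tunnel')}, expected remote gateway {remote_gateway}"))
            if f.get("flags") != "Outbound":
                findings.append((fid, "outbound leg is not flagged Outbound"))
        elif dst == local_ip:
            # Inbound leg (assumption, per the documented Win2k layout): the tunnel
            # endpoint is this machine, not the remote gateway, and it is flagged Inbound.
            if f.get("tunnel") != local_ip:
                findings.append((fid, f"inbound tunnel endpoint is {f.get('tunnel')}, expected local address {local_ip}"))
            if f.get("flags") != "Inbound":
                findings.append((fid, "inbound leg is not flagged Inbound"))
        else:
            findings.append((fid, f"neither side of the filter is {local_ip}"))
        algs = f.get("esp", "").split()
        if "DES" in algs:
            findings.append((fid, "ESP uses single DES (56-bit key); use 3DES"))
        if "MD5" in algs:
            findings.append((fid, "ESP integrity uses HMAC-MD5; prefer SHA1"))
        if f.get("psk"):
            findings.append((fid, "preshared key is stored and displayed in clear text in this dump"))
    return findings


if __name__ == "__main__":
    for label, dump in (("posted", POSTED_DUMP), ("fixed", FIXED_DUMP)):
        print(f"== {label} policy ==")
        for fid, msg in check_tunnel_policy(parse_filters(dump), "10.142.0.2", "10.171.0.2"):
            print(f"{fid}: {msg}")
```

Run against the posted dump, the checker reports that the second filter (the 10.201.0.0/24 -> 10.142.0.2 leg) has its tunnel endpoint set to the remote gateway and is flagged Outbound, on top of the DES/MD5 and clear-text PSK notes on both filters; on the constructed fixed dump only the PSK note remains. The checker is deliberately narrow (one host, one remote subnet, one gateway) and reads only what netdiag prints, so a policy that looks clean here can still fail negotiation for reasons the dump does not show, such as a mismatched key or proposal on the gateway side.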