Trying to set up VPN tunnel from SBS/ISA2004 to Checkpoint FW1




I have just added ISA 2004 onto my SBS server from the Premium Edition SP1
CD. I am looking at replacing my Checkpoint firewall with this, and when
using Checkpoint I had a VPN tunnel set up between my network and one of my
customers for providing remote support. I am trying to do this with ISA and
am having lots of fun and games (I wish).

I have progressed to the point where I can now ping from my customer's site
to my monitoring PC at my site, but I can't go back from here to their site.

I have tried following the document "Configuring IPSec Site-to-Site
Connections Between ISA Server 2004 and Third-Party Gateways" from the
Microsoft site, and the "Implementing Checkpoint NG R55 Firewall and
Microsoft ISA 2004 Firewall IPSec Site-to-Site VPN" from the www.isaserver.org
site.

I am getting the following Remote Access (Event ID 20106) error when I
reboot the server:

Unable to add the interface {F8579413-6F88-4EFA-882E-2F048B6DC3CA} with the
Router Manager for the IP protocol. The following error occurred: Cannot
complete this function.

And these Security messages (Event ID 547) when I try accessing my
customer's LAN devices:

IKE security association negotiation failed.
Mode:
Data Protection Mode (Quick Mode)

Filter:
Source IP Address 192.168.199.0
Source IP Address Mask 255.255.255.0
Destination IP Address 192.168.247.0
Destination IP Address Mask 255.255.255.0
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 219.89.200.140
IKE Peer Addr 202.50.246.11
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr

Peer Identity:
Preshared key ID.
Peer IP Address: 202.50.246.11

Failure Point:
Me

Failure Reason:
IKE SA deleted before establishment completed

Extra Status:
Processed third (ID) payload
Initiator. Delta Time 63
0x0 0x0

It has taken me a day to get to this point, and I will continue to work
through these as well, but if someone has any ideas which lead to a Eureka
moment I will greatly appreciate it. Having to use a dial-up modem is soooooo
slow.

