IPSec newbie needs urgent help ! - Network


Thread: IPSec newbie needs urgent help !

  1. IPSec newbie needs urgent help !

    Hi there,

    I'm using ISA as my firewall and am trying to set up an IPSec tunnel to
    another company that supplies us with real-time market data. My internal
    network is 192.168.0.0/24 while theirs is 192.168.30.0/24.

    When ISA attempts to connect, the negotiation between the two parties'
    external networks (Phase I) is successful. The negotiation between the two
    parties' internal networks (Phase 2) is *not* successful. The error message
    is:

    "IKE SA deleted before establishment completed."

    The I.T. guys at the other end of the tunnel tell me that the failure is
    due to the fact that my ISA box is broadcasting too wide of a source
    range -- an entire Class C. The error message in my event log seems to
    confirm this. See excerpt below:

    Source IP Address 192.168.0.0
    Source IP Address Mask 255.255.255.0
    Destination IP Address 192.168.30.0
    Destination IP Address Mask 255.255.255.0

    It is against the vendor's policy to allow a source range that wide. So
    here's what I did. I added a new IP range to ISA's internal network:
    192.168.14.0/28. This range is narrow enough to be allowed by the vendor's
    policy. I added the address 14.1 to ISA itself and 14.2 and 14.3 to some
    computers on the internal network that will be using the tunnel.

    All of the computers on my internal network can now ping each other
    using either of the internal network addresses (192.168.0.x or
    192.168.14.x)... but here's the problem: When ISA attempts to establish the
    IPSec tunnel with the vendor, it's still broadcasting the 192.168.0.0/24 as
    its source network. I want it to broadcast 192.168.14.0/24. I can't figure
    out for the life of me how to tell ISA to broadcast that narrower address
    range during the Phase 2 negotiation of the IPSec tunnel. Any ideas?

    Thanks...
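    The log excerpt above shows the Phase 2 traffic selectors (proxy IDs) ISA proposes: a source network plus mask and a destination network plus mask. A peer that only accepts a narrower source selector will reject the proposal and tear the IKE SA down, which is the symptom described. The script below is an added example, not code from this thread or from ISA; it parses event-log lines in the shape of the excerpt into networks and checks them against a hypothetical vendor policy (assumed here: source selector no wider than /28, destination inside 192.168.30.0/24). The sample excerpts are constructed: the first is the wide proposal from the post, the second is the /28 the poster wants to send instead.

```python
import ipaddress
import re

# Constructed sample input, in the shape of the poster's ISA event-log excerpt:
# the wide proposal that is being rejected ...
WIDE_EXCERPT = """\
Source IP Address 192.168.0.0
Source IP Address Mask 255.255.255.0
Destination IP Address 192.168.30.0
Destination IP Address Mask 255.255.255.0
"""

# ... and the narrowed proposal the poster wants ISA to send instead (192.168.14.0/28).
NARROW_EXCERPT = """\
Source IP Address 192.168.14.0
Source IP Address Mask 255.255.255.240
Destination IP Address 192.168.30.0
Destination IP Address Mask 255.255.255.0
"""

# Hypothetical vendor policy (assumption for this example, not the vendor's real rules):
# the source selector must be a /28 or narrower, and the destination must lie inside
# the vendor's own internal network.
VENDOR_MAX_SOURCE_PREFIXLEN = 28
VENDOR_LOCAL_NETWORK = ipaddress.ip_network("192.168.30.0/24")

_FIELD = re.compile(r"^(Source|Destination) IP Address( Mask)? (\S+)$")


def parse_selectors(excerpt):
    """Return (source_network, destination_network) parsed from the log excerpt.

    Each side is built from its 'IP Address' line and its 'IP Address Mask' line;
    ipaddress accepts the 'network/dotted-mask' form directly.
    """
    fields = {}
    for line in excerpt.splitlines():
        m = _FIELD.match(line.strip())
        if not m:
            continue  # ignore unrelated log lines
        side, is_mask, value = m.groups()
        fields[(side, bool(is_mask))] = value
    src = ipaddress.ip_network(
        f"{fields[('Source', False)]}/{fields[('Source', True)]}", strict=True)
    dst = ipaddress.ip_network(
        f"{fields[('Destination', False)]}/{fields[('Destination', True)]}", strict=True)
    return src, dst


def check_phase2(excerpt):
    """Return (ok, reasons): would the proposed selectors pass the assumed vendor policy?

    A mismatch here is exactly what produces a Phase 2 failure: the peer will not
    install an SA for selectors its policy does not permit.
    """
    src, dst = parse_selectors(excerpt)
    reasons = []
    if src.prefixlen < VENDOR_MAX_SOURCE_PREFIXLEN:
        reasons.append(
            f"source selector {src} is wider than the allowed /{VENDOR_MAX_SOURCE_PREFIXLEN}")
    if not dst.subnet_of(VENDOR_LOCAL_NETWORK):
        reasons.append(
            f"destination selector {dst} is not inside {VENDOR_LOCAL_NETWORK}")
    return (not reasons, reasons)


if __name__ == "__main__":
    for label, excerpt in (("wide", WIDE_EXCERPT), ("narrow", NARROW_EXCERPT)):
        ok, reasons = check_phase2(excerpt)
        print(f"{label}: {'accepted' if ok else 'rejected'}",
              *reasons, sep="\n  ")
```

    Running it shows the wide proposal rejected for its /24 source selector and the /28 proposal accepted, which is the selector agreement both peers' logs should reflect once ISA proposes the narrower range.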



  2. Re: IPSec newbie needs urgent help !

    Which version of ISA are you using (2000, 2004, 2006)?

    To what device is ISA connecting on the other end?


    --
    Edward Ray
    CCIE Security, CISSP, GCIA Gold, GCIH Gold, MCSE+Security, PE

    "Jules Winfield" wrote in message
    news:nJqdnX9lDuA4ru3YnZ2dnUVZ_tGdnZ2d@giganews.com ...
    > Hi there,
    >
    > I'm using ISA as my firewall and am trying to set up an IPSec tunnel to
    > another company that supplies us with real-time market data. My internal
    > network is 192.168.0.0/24 while theirs is 192.168.30.0/24.
    >
    > When ISA attempts to connect, the negotiation between the two parties'
    > external networks (Phase I) is successful. The negotiation between the two
    > parties' internal networks (Phase 2) is *not* successful. The error message
    > is:
    >
    > "IKE SA deleted before establishment completed."
    >
    > The I.T. guys at the other end of the tunnel tell me that the failure
    > is
    > due to the fact that my ISA box is broadcasting too wide of a source
    > range -- an entire Class C. The error message in my event log seems to
    > confirm this. See excerpt below:
    >
    > Source IP Address 192.168.0.0
    > Source IP Address Mask 255.255.255.0
    > Destination IP Address 192.168.30.0
    > Destination IP Address Mask 255.255.255.0
    >
    > It is against the vendor's policy to allow a source range that wide. So
    > here's what I did. I added a new IP range to ISA's internal network:
    > 192.168.14.0/28. This range is narrow enough to be allowed by the vendor's
    > policy. I added the address 14.1 to ISA itself and 14.2 and 14.3 to some
    > computers on the internal network that will be using the tunnel.
    >
    > All of the computers on my internal network can now ping each other
    > using either of the internal network addresses (192.168.0.x or
    > 192.168.14.x)... but here's the problem: When ISA attempts to establish
    > the
    > IPSec tunnel with the vendor, it's still broadcasting the 192.168.0.0/24
    > as
    > its source network. I want it to broadcast 192.168.14.0/24. I can't
    > figure
    > out for the life of me how to tell ISA to broadcast that narrower address
    > range during the Phase 2 negotiation of the IPSec tunnel. Any ideas?
    >
    > Thanks...
    >
    >



  3. Re: IPSec newbie needs urgent help !

    ISA 2004 on my end... The remote end is using a Cisco ASA 5520 VPN.

    "Edward Ray" wrote in message
    news:E57C8C0E-AB2E-4FE6-824C-41F2F4D596D2@microsoft.com...
    > Which version of ISA are you using (2000, 2004, 2006)?
    >
    > To what device is ISA connecting on the other end?
    >
    >
    > --
    > Edward Ray
    > CCIE Security, CISSP, GCIA Gold, GCIH Gold, MCSE+Security, PE
    >
    > "Jules Winfield" wrote in message
    > news:nJqdnX9lDuA4ru3YnZ2dnUVZ_tGdnZ2d@giganews.com ...
    >> Hi there,
    >>
    >> I'm using ISA as my firewall and am trying to set up an IPSec tunnel
    >> to
    >> another company that supplies us with real-time market data. My internal
    >> network is 192.168.0.0/24 while theirs is 192.168.30.0/24.
    >>
    >> When ISA attempts to connect, the negotiation between the two parties'
    >> external networks (Phase I) is successful. The negotiation between the two
    >> parties' internal networks (Phase 2) is *not* successful. The error
    >> message
    >> is:
    >>
    >> "IKE SA deleted before establishment completed."
    >>
    >> The I.T. guys at the other end of the tunnel tell me that the failure
    >> is
    >> due to the fact that my ISA box is broadcasting too wide of a source
    >> range -- an entire Class C. The error message in my event log seems to
    >> confirm this. See excerpt below:
    >>
    >> Source IP Address 192.168.0.0
    >> Source IP Address Mask 255.255.255.0
    >> Destination IP Address 192.168.30.0
    >> Destination IP Address Mask 255.255.255.0
    >>
    >> It is against the vendor's policy to allow a source range that wide.
    >> So
    >> here's what I did. I added a new IP range to ISA's internal network:
    >> 192.168.14.0/28. This range is narrow enough to be allowed by the
    >> vendor's
    >> policy. I added the address 14.1 to ISA itself and 14.2 and 14.3 to some
    >> computers on the internal network that will be using the tunnel.
    >>
    >> All of the computers on my internal network can now ping each other
    >> using either of the internal network addresses (192.168.0.x or
    >> 192.168.14.x)... but here's the problem: When ISA attempts to establish
    >> the
    >> IPSec tunnel with the vendor, it's still broadcasting the 192.168.0.0/24
    >> as
    >> its source network. I want it to broadcast 192.168.14.0/24. I can't
    >> figure
    >> out for the life of me how to tell ISA to broadcast that narrower address
    >> range during the Phase 2 negotiation of the IPSec tunnel. Any ideas?
    >>
    >> Thanks...
    >>
    >>
