Phase 2 negotiation failing

[gbaughma]

I have a 2003 Small Business Server with VPN/Remote Access running.

I have a remote office with a NetGear FVS114 VPN router.

I'm trying to get the router to connect the remote office through our 2003 server.

It's TRYING to work... Phase 1 IKE connects using a shared key, but when Phase 2 initiates, I'm getting this:

IKE security association negotiation failed.
 Mode: 
Data Protection Mode (Quick Mode)

 Filter: 
Source IP Address 10.0.0.0
Source IP Address Mask 255.255.255.0
Destination IP Address 192.168.0.0
Destination IP Address Mask 255.255.255.0
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 10.0.0.1
IKE Peer Addr xxx.xxx.xxx.xxx
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr 

 Peer Identity: 
Preshared key ID.
Peer IP Address: xxx.xxx.xxx.xxx

  Failure Point: 
Me

 Failure Reason: 
No policy configured

 Extra Status: 
Processed third (ID) payload
Responder.  Delta Time 0
 0x0 0x0

Just to clarify, the remote office is on 192.168.0.0/24 and the local server is on 10.0.0.1/24

I can't find the reason for "No policy configured"... like I said, phase 1 is connecting, then phase 2 fails.

The Oakley.log is showing:

5-05: 09:49:24:525:b8c Negotiated Proxy ID: Src 192.168.0.0.0 Dst 10.0.0.0.0
 5-05: 09:49:24:525:b8c Src id for subnet.  Mask 255.255.255.0
 5-05: 09:49:24:525:b8c Dst id for subnet.  Mask 255.255.255.0
 5-05: 09:49:24:525:b8c Checking Proposal 1: Proto= ESP(3), num trans=1 Next=0
 5-05: 09:49:24:525:b8c Checking Transform # 1: ID=Triple DES CBC(3)
 5-05: 09:49:24:525:b8c  HMAC algorithm is MD5(1)
 5-05: 09:49:24:525:b8c  tunnel mode is Tunnel Mode(1)
 5-05: 09:49:24:525:b8c  SA life type in seconds
 5-05: 09:49:24:525:b8c   SA life duration 00015180
 5-05: 09:49:24:525:b8c Finding Responder Policy for SRC=192.168.0.0.0000 DST=10.0.0.0.0000, SRCMask=255.255.255.0, DSTMask=255.255.255.0, Prot=0 InTunnelEndpt 100000a OutTunnelEndpt cd88d847
 5-05: 09:49:24:525:b8c Failed to get TunnelPolicy 13015
 5-05: 09:49:24:525:b8c Responder failed to match filter(Phase II) 13015
 5-05: 09:49:24:541:b8c Data Protection Mode (Quick Mode)
 5-05: 09:49:24:541:b8c Source IP Address 10.0.0.0  Source IP Address Mask 255.255.255.0  Destination IP Address 192.168.0.0  Destination IP Address Mask 255.255.255.0  Protocol 0  Source Port 0  Destination Port 0  IKE Local Addr 10.0.0.1  IKE Peer Addr xxx.xxx.xxx.xxx  IKE Source Port 500  IKE Destination Port 500  Peer Private Addr
 5-05: 09:49:24:541:b8c Preshared key ID.  Peer IP Address: 71.216.136.205
 5-05: 09:49:24:541:b8c Me
 5-05: 09:49:24:541:b8c No policy configured
 5-05: 09:49:24:541:b8c Processed third (ID) payload  Responder.  Delta Time 0   0x0 0x0

(Needless to say, I put xxx's where the identifying IP addresses are.....)

What do you think? What have I missed?

In SecPol, I followed instructions to the letter about having filters both ways, for the entire subnet at each end.



Just my 2¢

"What the captain doesn't realize is that we've secretly replaced his Dilithium Crystals with new Folger's Crystals."

--Greg

http://parallel.tzo.com

 

[burtsbees]

Not sure what is connecting to what---the Netgear at one end, what is at the other? Is the Windows SBS the VPN server, and the Netgear the client?

/

 

[gbaughma]

Yes... it's a netgear VPN router at the remote office, with PC's behind it on the 192.168.0.* network. At the near end is a Windows SBS Server running VPN, with ip 10.0.0.1.



Just my 2¢

"What the captain doesn't realize is that we've secretly replaced his Dilithium Crystals with new Folger's Crystals."

--Greg

http://parallel.tzo.com

 

[gbaughma]

Bump


Just my 2¢

"What the captain doesn't realize is that we've secretly replaced his Dilithium Crystals with new Folger's Crystals."

--Greg

http://parallel.tzo.com

 

[unclerico]

Are you 100% sure that EVERY setting on both devices matches for phase 2??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[RCorrigan]

Greg

Just a thought , check that the exchange mode is set to aggresive ... seem to remeber this being an issue on a FVS318

Cheers

<Do I need A Signature or will an X do?>

 

[gbaughma]

Changing the mode to Aggressive just made Phase 1 fail.



Just my 2¢

"What the captain doesn't realize is that we've secretly replaced his Dilithium Crystals with new Folger's Crystals."

--Greg

http://parallel.tzo.com

 

[gbaughma]

Bump.


Just my 2¢

"What the captain doesn't realize is that we've secretly replaced his Dilithium Crystals with new Folger's Crystals."

--Greg

http://parallel.tzo.com

 

[gbaughma]

I think I may be on to something. (I had an epiphany)

In the 2003 SBS server when I am setting up the security policies, it's asking me for the remote endpoint of the tunnel.

I had that entered as the PUBLIC IP Address.

HOWEVER... there's a DSL Modem sitting there acting as a NAT router before the VPN router.

So...the tunnel endpoint would be the WAN address of the VPN Router, not the WAN address of the DSL.

I'm going to try that next....



Just my 2¢

"What the captain doesn't realize is that we've secretly replaced his Dilithium Crystals with new Folger's Crystals."

--Greg

http://parallel.tzo.com

 

[gbaughma]

Meh.

That didn't seem to be it. Back to the drawing board.


Just my 2¢

"What the captain doesn't realize is that we've secretly replaced his Dilithium Crystals with new Folger's Crystals."

--Greg

http://parallel.tzo.com

 

[gbaughma]

Bump.

Still getting a "Policy not defined" error.



Just my 2¢

"What the captain doesn't realize is that we've secretly replaced his Dilithium Crystals with new Folger's Crystals."

--Greg

http://parallel.tzo.com

 

[Grenage]

Hi Greg,

Have you been able to check whether the DSL modem supports IPsec passthough? What's the model?

Russell.

"We can categorically state that we have not released man-eating badgers into the area" - Major Mike Shearer

 

[gbaughma]

I put the DSL in full bridge mode. So it is transparent to the router now.

I firmly believe that it's a Windows issue... Phase 1 negotiation is working fine. When it looks for the policy for the route (the filters) it's not finding it.

I'm just missing something.



Just my 2¢

"What the captain doesn't realize is that we've secretly replaced his Dilithium Crystals with new Folger's Crystals."

--Greg

http://parallel.tzo.com

 

[Grenage]

I've had some issues with VPN connections from netgear routers to non-netgear routers, but I've never had to setup a VPN endpoint on a windows server. I don't think I'm going to be much help here, I'm afraid.

"We can categorically state that we have not released man-eating badgers into the area" - Major Mike Shearer

 

[gbaughma]

Status Update:

I gave up.

I programmed up another DD-WRT Router and programmed the VPN tunnel through that. Came right up without issue.

Go figure. lol



Just my 2¢

"What the captain doesn't realize is that we've secretly replaced his Dilithium Crystals with new Folger's Crystals."

--Greg

http://parallel.tzo.com

 

[zong8]

Hi Guys,
I think the policy at the other end is set incorrectly.
It should be reverse of the other end.
Your end is 10.0.0.0/24 and far end 192.168.0.0/24
now you got to set the policy at the far end as source: 192.168.0.0/24 and destination as 10.0.0.0/24.
This is what the debug is saying " responder policy failing" meaning it does not match the policy at the other end. So match this access-list and this should be opposite as above.
Let us know.

 

[gbaughma]

Nothing to let you know about. I gave up, and did a router-based solution instead.



Just my 2¢

"What the captain doesn't realize is that we've secretly replaced his Dilithium Crystals with new Folger's Crystals."

--Greg

http://parallel.tzo.com