 From:  "Peter Storkey" <petst at oppy dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  IPSec tunnel M0n0wall -> ISA Server
 Date:  Thu, 24 Mar 2005 09:56:15 -0800
I am working on a 2-firewall DMZ scenario, and need to setup an IPSec
tunnel from a remote site to the back firewall. The remote firewall and
the front firewall are both Soekris 4501's running M0n0wall, and the back
firewall is Microsoft ISA Server 2004, as follows:

Remote Site-->M0n0wall-->Internet-->M0n0wall-->ISA Server-->Local LAN
                   |_________IPSec Tunnel_________|

The remote M0n0wall is running version 1.1, and the local M0n0wall is
running version 1.2b7.

The DMZ uses a private address range, with the external M0n0wall NATing
connections to DMZ hosts and the back firewall as necessary. I have
configured NAT for UDP port 500 and ESP to the back firewall, with
appropriate rules. I confirmed this is working by putting another
M0n0wall box behind it and establishing an IPSec tunnel successfully.

The problem is when I try to establish an IPSec tunnel between the
remote M0n0wall and ISA Server. I just can't get them to connect. It
looks as though they are connected from the M0n0wall side, but the ISA
Server doesn't show a connection.

Here is an excerpt from the remote M0n0wall logs:

Mar 24 11:22:14 xxx-firewall racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 68.82.x.x[500]<=>204.50.x.x[500]
Mar 24 11:22:14 xxx-firewall racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Identity Protection mode.
Mar 24 11:22:14 xxx-firewall racoon: INFO: vendorid.c:128:check_vendorid(): received Vendor ID: MS NT5 ISAKMPOAKLEY
Mar 24 11:22:15 xxx-firewall racoon: NOTIFY: isakmp.c:267:isakmp_handler(): the packet is retransmitted by 204.50.x.x[500].
Mar 24 11:22:16 xxx-firewall racoon: NOTIFY: isakmp.c:267:isakmp_handler(): the packet is retransmitted by 204.50.x.x[500].
Mar 24 11:22:16 xxx-firewall racoon: WARNING: handler.c:721:check_recvdpkt(): the packet retransmitted in a short time from 204.50.x.x[500]
Mar 24 11:22:16 xxx-firewall racoon: NOTIFY: isakmp.c:267:isakmp_handler(): the packet is retransmitted by 204.50.x.x[500].
Mar 24 11:22:17 xxx-firewall racoon: WARNING: ipsec_doi.c:3079:ipsecdoi_checkid1(): ID value mismatched.
Mar 24 11:22:17 xxx-firewall racoon: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established 68.82.x.x[500]-204.50.x.x[500] spi:4b33dd7e69df063e:cfb5125706a48e4d
Mar 24 11:22:17 xxx-firewall racoon: INFO: isakmp.c:952:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 68.82.x.x[0]<=>204.50.x.x[0]
Mar 24 11:22:18 xxx-firewall racoon: WARNING: ipsec_doi.c:919:cmp_aproppair_i(): attribute has been modified.
Mar 24 11:22:19 xxx-firewall racoon: WARNING: isakmp_inf.c:1333:isakmp_check_notify(): ignore CONNECTED notification.
Mar 24 11:22:19 xxx-firewall racoon: INFO: pfkey.c:1197:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 204.50.x.x->68.82.x.x spi=22868878(0x15cf38e)
Mar 24 11:22:19 xxx-firewall racoon: INFO: pfkey.c:1420:pk_recvadd(): IPsec-SA established: ESP/Tunnel 68.82.x.x->204.50.x.x spi=3396229434(0xca6e593a)

The encryption and authentication etc all match between the M0n0wall and
ISA Server. The shared secret is correct on both machines. The only
difference I can see is that the M0n0wall is configured to use its
external IP address as the identifier, but ISA Server doesn't seem to
have anywhere to specify an identifier.

Has anyone successfully configured an IPSec tunnel between M0n0wall and
ISA Server 2004?

I'd appreciate any suggestions.

Thanks,

Peter Storkey 
Senior Technical Analyst 
The Oppenheimer Group 
International Marketers of Fresh Produce 
http://www.oppyproduce.com
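As an added example that is not part of Peter's message, nor code from m0n0wall, racoon or ISA Server, the script below parses racoon syslog lines of the shape quoted above and summarises what the negotiation did: which severities appeared, whether the ISAKMP SA came up, which IPsec SAs were installed, and which warnings point at the two peers disagreeing. The sample log is the excerpt from the post with its wrapped lines rejoined; the one-line meaning attached to each warning is this example's own reading of racoon's messages, not text from the post.

```python
import re
from collections import Counter

# Shape of a racoon (KAME / ipsec-tools IKE daemon) syslog line as quoted in the post:
#   "<ts> <host> racoon: <LEVEL>: <file>:<line>:<func>(): <message>"
RACOON_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) racoon: "
    r"(?P<level>[A-Z]+): (?:(?P<src>[\w.]+:\d+:\w+\(\)): )?(?P<msg>.*)$"
)
# "IPsec-SA established: ESP/Tunnel A->B spi=N(0x..)" lines logged by pfkey.c
SA_RE = re.compile(
    r"IPsec-SA established: (?P<proto>\S+) (?P<src>\S+)->(?P<dst>\S+) spi=(?P<spi>\d+)"
)

# Racoon messages that indicate the peers disagreed on something during the
# exchange. The explanations are this example's reading of racoon's own checks.
FINDINGS = {
    "ID value mismatched": "phase 1: the peer's identity payload is not the identifier racoon expected for it",
    "attribute has been modified": "phase 2: the peer's reply changed a proposal attribute racoon had offered",
    "retransmitted in a short time": "the peer keeps resending; it may not be processing our replies",
}

# Constructed sample: the post's log excerpt with wrapped lines rejoined.
SAMPLE_LOG = """\
Mar 24 11:22:14 xxx-firewall racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 68.82.x.x[500]<=>204.50.x.x[500]
Mar 24 11:22:14 xxx-firewall racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Identity Protection mode.
Mar 24 11:22:14 xxx-firewall racoon: INFO: vendorid.c:128:check_vendorid(): received Vendor ID: MS NT5 ISAKMPOAKLEY
Mar 24 11:22:15 xxx-firewall racoon: NOTIFY: isakmp.c:267:isakmp_handler(): the packet is retransmitted by 204.50.x.x[500].
Mar 24 11:22:16 xxx-firewall racoon: NOTIFY: isakmp.c:267:isakmp_handler(): the packet is retransmitted by 204.50.x.x[500].
Mar 24 11:22:16 xxx-firewall racoon: WARNING: handler.c:721:check_recvdpkt(): the packet retransmitted in a short time from 204.50.x.x[500]
Mar 24 11:22:16 xxx-firewall racoon: NOTIFY: isakmp.c:267:isakmp_handler(): the packet is retransmitted by 204.50.x.x[500].
Mar 24 11:22:17 xxx-firewall racoon: WARNING: ipsec_doi.c:3079:ipsecdoi_checkid1(): ID value mismatched.
Mar 24 11:22:17 xxx-firewall racoon: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established 68.82.x.x[500]-204.50.x.x[500] spi:4b33dd7e69df063e:cfb5125706a48e4d
Mar 24 11:22:17 xxx-firewall racoon: INFO: isakmp.c:952:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 68.82.x.x[0]<=>204.50.x.x[0]
Mar 24 11:22:18 xxx-firewall racoon: WARNING: ipsec_doi.c:919:cmp_aproppair_i(): attribute has been modified.
Mar 24 11:22:19 xxx-firewall racoon: WARNING: isakmp_inf.c:1333:isakmp_check_notify(): ignore CONNECTED notification.
Mar 24 11:22:19 xxx-firewall racoon: INFO: pfkey.c:1197:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 204.50.x.x->68.82.x.x spi=22868878(0x15cf38e)
Mar 24 11:22:19 xxx-firewall racoon: INFO: pfkey.c:1420:pk_recvadd(): IPsec-SA established: ESP/Tunnel 68.82.x.x->204.50.x.x spi=3396229434(0xca6e593a)
"""


def parse_racoon_line(line: str):
    """Split one syslog line into its fields; return None if it is not racoon output."""
    m = RACOON_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(log_text: str) -> dict:
    """Summarise a racoon excerpt: severities, SA state and peer-disagreement warnings."""
    entries = [e for e in map(parse_racoon_line, log_text.splitlines()) if e]
    levels = Counter(e["level"] for e in entries)
    findings = [(e["ts"], key, why) for e in entries
                for key, why in FINDINGS.items() if key in e["msg"]]
    sas = []
    for e in entries:
        m = SA_RE.search(e["msg"])
        if m:
            sas.append((m["src"], m["dst"], m["spi"]))
    return {
        "entries": len(entries),
        "levels": dict(levels),
        "phase1_established": any("ISAKMP-SA established" in e["msg"] for e in entries),
        "ipsec_sas": sas,
        "findings": findings,
    }


def assessment(summary: dict) -> str:
    """One-line reading of the summary for whoever is troubleshooting the tunnel."""
    if not summary["phase1_established"]:
        return "Phase 1 never completed; check proposals, shared secret and identifiers first."
    if not summary["ipsec_sas"]:
        return "Phase 1 completed but no IPsec SA was installed; check phase 2 proposals and networks."
    if summary["findings"]:
        ts, key, _ = summary["findings"][0]
        return (f"{len(summary['ipsec_sas'])} IPsec SA(s) installed on this side, but the peers disagreed "
                f"during negotiation ({len(summary['findings'])} warning(s), first at {ts}: {key}). "
                "Compare the peer's own log before trusting the tunnel.")
    return "Negotiation completed without warnings."


if __name__ == "__main__":
    s = analyze(SAMPLE_LOG)
    print(s["levels"])
    for ts, key, why in s["findings"]:
        print(f"{ts}  {key:32}  {why}")
    print(assessment(s))
```

Run against the excerpt, the script reports four warnings, two of which (ID value mismatched, attribute has been modified) are exactly the kind of one-sided disagreement that leaves SAs installed on the racoon side while the other peer never considers the tunnel up; the peer's own log is what settles it.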