Netgate Discussion Forum

    Microsoft ISA VPN 2006

    Category: IPsec
    6 Posts 3 Posters 9.3k Views
    jonnytabpni

      Can anyone help me get an IPSEC tunnel between pfSense and ISA 2006?

      I've set everything up identical (I think) but pfsense reports the following in the IPSEC logs (top is most recent):

      Sep 4 23:47:57 racoon: ERROR: fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
      Sep 4 23:47:57 racoon: [Office VPN]: INFO: initiate new phase 2 negotiation: 78.33.xxx.113[500]<=>80.xxx.160.235[500]
      Sep 4 23:47:56 racoon: [Office VPN]: INFO: ISAKMP-SA established 78.33.xxx.113[500]-80.xxx.160.235[500] spi:fa54850f8cb23ed2:9ae4fbf92451e9fc
      Sep 4 23:47:56 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Sep 4 23:47:56 racoon: INFO: received Vendor ID: FRAGMENTATION
      Sep 4 23:47:56 racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
      Sep 4 23:47:56 racoon: [Office VPN]: INFO: ISAKMP-SA deleted 78.33.xxx.113[500]-80.xxx.160.235[500] spi:f5e1675f1717c1ad:0000000000000000
      Sep 4 23:47:56 racoon: INFO: begin Identity Protection mode.
      Sep 4 23:47:56 racoon: [Office VPN]: INFO: initiate new phase 1 negotiation: 78.33.xxx.113[500]<=>80.xxx.160.235[500]
      Sep 4 23:47:56 racoon: [Office VPN]: INFO: IPsec-SA request for 80.xxx.160.235 queued due to no phase1 found.

      I've tried changing the phase 1 and phase 2 encryption, however the same error happens.

      Any help would be appreciated

      Cheers


      psylo

        Hello,

        As I can see, NAT-T (or NAT Traversal) is used: "racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02". So, I suppose that one of your VPN endpoints is NATed (or perhaps both of them).

        If that is wrong, ignore the following for your problem.
        By the way, I've already encountered some problems between an ISA 2004 server and another firewall (not a pfSense) also using racoon. Here is the conclusion made from a lab:
        with principal mode, when the ISA server is translated, it sends a FQDN ID type and not an IPv4 one as mentioned in RFC 2409 (p15). As this ID type is not valid, racoon stops the negotiation.

        We also made a test without the NAT (and so without NAT-T) and everything works fine…

        The people using ISA have contacted Microsoft to find out what the problem is. Microsoft has answered that ISA server is compliant with RFC 3715. After taking a look at this RFC, we have seen that:
        1. RFC was a draft and written by Microsoft people
        2. The following was written in it:
        "Status of this Memo
        This memo provides information for the Internet community.  It does not specify an Internet standard of any kind.      
        Distribution of this memo is unlimited."

        Well… Quite weird behavior to use this RFC to say that ISA is compliant!

        Last, I don't say that your problem is coming from that but it's possible...

        Hope this helps.


        juniper
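        The failure pattern in the first post's log (NAT-T vendor ID received, phase 1 established, then a fatal INVALID-ID-INFORMATION notify) and the ID-type mismatch psylo describes can both be checked mechanically. The Python below is an added example for this thread, not code from pfSense, racoon or the posters: a triage pass over racoon log lines that reports at which stage the notify arrived, plus a decoder for the ISAKMP Identification payload (RFC 2407 layout) so the ID type a peer presents (ID_FQDN versus ID_IPV4_ADDR) can be compared with what the local side expects. Assumptions: racoon logs the "fatal ... notify messsage" line when it receives the notify from the peer; the log lines and payload bytes are constructed (RFC 5737 addresses, zeroed SPIs, a made-up hostname), not captured from the systems in the thread.

```python
"""Triage racoon (ipsec-tools) IKEv1 logs for INVALID-ID-INFORMATION and decode
the ISAKMP Identification payload whose ID type is at issue.

Added example for this forum thread; not pfSense or racoon code.  Every log
line and byte string below is constructed, not captured from a real peer."""
import re
import socket
import struct
from dataclasses import dataclass

# Identification payload ID types, RFC 2407 section 4.6.2.1.
ID_TYPES = {
    1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 4: "ID_IPV4_ADDR_SUBNET",
    5: "ID_IPV6_ADDR", 6: "ID_IPV6_ADDR_SUBNET", 7: "ID_IPV4_ADDR_RANGE",
    8: "ID_IPV6_ADDR_RANGE", 9: "ID_DER_ASN1_DN", 10: "ID_DER_ASN1_GN", 11: "ID_KEY_ID",
}

# "<Mon> <d> <hh:mm:ss> [host] racoon: [<tag>]: <LEVEL>: <message>"
RACOON_RE = re.compile(
    r"racoon:\s*(?:\[[^\]]*\]:\s*)?"                       # optional "[Office VPN]:" tag
    r"(?P<level>INFO|ERROR|DEBUG|WARNING|NOTIFY):\s*(?P<msg>.*)$"
)


@dataclass
class Triage:
    nat_t: bool = False               # peer advertised a NAT-T vendor ID
    microsoft_peer: bool = False      # peer advertised "MS NT5 ISAKMPOAKLEY"
    phase1_established: bool = False
    phase2_started: bool = False      # a quick mode began before the error
    invalid_id: bool = False
    verdict: str = "no INVALID-ID-INFORMATION seen"


def triage_racoon_log(lines):
    """Scan lines oldest-first (pfSense's log view is newest-first; reverse it)."""
    t = Triage()
    for line in lines:
        m = RACOON_RE.search(line)
        if not m:
            continue
        level, msg = m.group("level"), m.group("msg")
        if "Vendor ID: draft-ietf-ipsec-nat-t-ike" in msg:
            t.nat_t = True
        elif "MS NT5 ISAKMPOAKLEY" in msg:
            t.microsoft_peer = True
        elif msg.startswith("ISAKMP-SA established"):
            t.phase1_established = True
        elif msg.startswith("initiate new phase 2 negotiation") and not t.invalid_id:
            t.phase2_started = True
        elif level == "ERROR" and "INVALID-ID-INFORMATION" in msg:
            t.invalid_id = True   # assumption: racoon logs this on a notify received from the peer
    if t.invalid_id:
        what = ("phase 2 identities (the local/remote networks of the quick mode)"
                if t.phase2_started else
                "phase 1 identifier (the ID type and value each side presents)")
        t.verdict = f"peer rejected the {what}"
        if t.nat_t:
            t.verdict += "; NAT-T is active, so compare the NATed side's ID type with what the other side expects"
    return t


def decode_id_payload(payload: bytes) -> dict:
    """Decode generic payload header (RFC 2408) + ID body (RFC 2407)."""
    if len(payload) < 8:
        raise ValueError("ID payload too short")
    _next, _reserved, length = struct.unpack("!BBH", payload[:4])
    id_type, proto_id, port = struct.unpack("!BBH", payload[4:8])
    if length != len(payload):
        raise ValueError(f"length field {length} != {len(payload)} bytes supplied")
    body = payload[8:]
    name = ID_TYPES.get(id_type, f"unknown({id_type})")
    if id_type == 1 and len(body) == 4:
        value = socket.inet_ntoa(body)
    elif id_type == 4 and len(body) == 8:
        value = f"{socket.inet_ntoa(body[:4])}/{socket.inet_ntoa(body[4:])}"
    elif id_type in (2, 3):
        value = body.decode("ascii", errors="replace")
    else:
        value = body.hex()
    return {"type": name, "proto": proto_id, "port": port, "value": value}


def id_matches_expected(payload: bytes, expected_type: str, expected_value: str) -> bool:
    """What a responder effectively checks before answering INVALID-ID-INFORMATION."""
    d = decode_id_payload(payload)
    return d["type"] == expected_type and d["value"] == expected_value


# Constructed log, chronological, modelled on the first post (addresses/SPIs are placeholders).
SAMPLE_LOG = [
    "Sep 4 23:47:56 racoon: [Office VPN]: INFO: IPsec-SA request for 203.0.113.5 queued due to no phase1 found.",
    "Sep 4 23:47:56 racoon: [Office VPN]: INFO: initiate new phase 1 negotiation: 198.51.100.10[500]<=>203.0.113.5[500]",
    "Sep 4 23:47:56 racoon: INFO: begin Identity Protection mode.",
    "Sep 4 23:47:56 racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY",
    "Sep 4 23:47:56 racoon: INFO: received Vendor ID: FRAGMENTATION",
    "Sep 4 23:47:56 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02",
    "Sep 4 23:47:56 racoon: [Office VPN]: INFO: ISAKMP-SA established 198.51.100.10[500]-203.0.113.5[500] spi:0000000000000000:0000000000000000",
    "Sep 4 23:47:57 racoon: [Office VPN]: INFO: initiate new phase 2 negotiation: 198.51.100.10[500]<=>203.0.113.5[500]",
    "Sep 4 23:47:57 racoon: ERROR: fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.",
]
SAMPLE_LOG_PHASE1 = SAMPLE_LOG[:3] + [SAMPLE_LOG[-1]]      # notify during phase 1 instead

# Constructed ID payloads: IPv4 ID (UDP/500) and the FQDN ID form the thread discusses.
IPV4_ID = bytes.fromhex("0000000c011101f4") + socket.inet_aton("203.0.113.5")
FQDN_ID = bytes.fromhex("0000001702000000") + b"isa.example.net"

if __name__ == "__main__":
    print(triage_racoon_log(SAMPLE_LOG).verdict)
    print(decode_id_payload(IPV4_ID), decode_id_payload(FQDN_ID))
```

        The verdict distinguishes two cases that look identical in the ERROR line alone: if a "initiate new phase 2 negotiation" line precedes the notify, the peer is objecting to the quick-mode identities (the networks configured on each side); if it arrives during phase 1, it is the phase 1 identifier, which is where the FQDN-versus-IPv4 ID type described above matters.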

          Hi

          I have a similar scenario and a similar (or the same) problem connecting to an ISA server with racoon; my error:

          Oct 28 20:18:23 keita racoon: DEBUG: HASH computed:
          Oct 28 20:18:23 keita racoon: DEBUG:  fdebf588 2a77040f 8edcf495 03be8209
          Oct 28 20:18:23 keita racoon: DEBUG: hash validated.
          Oct 28 20:18:23 keita racoon: DEBUG: begin.
          Oct 28 20:18:23 keita racoon: DEBUG: seen nptype=8(hash)
          Oct 28 20:18:23 keita racoon: DEBUG: seen nptype=11(notify)
          Oct 28 20:18:23 keita racoon: DEBUG: succeed.
          Oct 28 20:18:23 keita racoon: ERROR: fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
          Oct 28 20:18:23 keita racoon: DEBUG: notification message 18:INVALID-ID-INFORMATION, doi=1 proto_id=3 spi=00000000(size=4).
          Oct 28 20:18:26 keita racoon: DEBUG: KA: 192.168.1.3[4500]->82.89.**.*[4500]

          Is it related to RFC 3715 ISA compliance?

          thanks in advance


          psylo

            @juniper:

            Hi

            I have a similar scenario and a similar (or the same) problem connecting to an ISA server with racoon; my error:

            Oct 28 20:18:23 keita racoon: DEBUG: HASH computed:
            Oct 28 20:18:23 keita racoon: DEBUG:  fdebf588 2a77040f 8edcf495 03be8209
            Oct 28 20:18:23 keita racoon: DEBUG: hash validated.
            Oct 28 20:18:23 keita racoon: DEBUG: begin.
            Oct 28 20:18:23 keita racoon: DEBUG: seen nptype=8(hash)
            Oct 28 20:18:23 keita racoon: DEBUG: seen nptype=11(notify)
            Oct 28 20:18:23 keita racoon: DEBUG: succeed.
            Oct 28 20:18:23 keita racoon: ERROR: fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
            Oct 28 20:18:23 keita racoon: DEBUG: notification message 18:INVALID-ID-INFORMATION, doi=1 proto_id=3 spi=00000000(size=4).
            Oct 28 20:18:26 keita racoon: DEBUG: KA: 192.168.1.3[4500]->82.89.**.*[4500]

            Is it related to RFC 3715 ISA compliance?

            thanks in advance

            It seems it's the same problem I had… Unfortunately, the only solution is to avoid NAT between the 2 devices... But, just to be sure, is it possible to enable detailed debug to see more error messages?


            juniper

              For logging I use a Debian box and racoon with "log debug2;"

              This is the max logging level.

              BR


              psylo

                OK.

                I don't know if you can make a lab to test IPSec between ISA and pfSense without NAT…

                Last but not least, I think NAT-T is supported since v1.3 on pfSense... Right?

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.