Microsoft ISA VPN 2006



  • Can anyone help me get an IPSEC tunnel between pfSense and ISA 2006?

    I've set everything up identically (I think), but pfSense reports the following in the IPsec logs (top is most recent):

    Sep 4 23:47:57 racoon: ERROR: fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
    Sep 4 23:47:57 racoon: [Office VPN]: INFO: initiate new phase 2 negotiation: 78.33.xxx.113[500]<=>80.xxx.160.235[500]
    Sep 4 23:47:56 racoon: [Office VPN]: INFO: ISAKMP-SA established 78.33.xxx.113[500]-80.xxx.160.235[500] spi:fa54850f8cb23ed2:9ae4fbf92451e9fc
    Sep 4 23:47:56 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Sep 4 23:47:56 racoon: INFO: received Vendor ID: FRAGMENTATION
    Sep 4 23:47:56 racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
    Sep 4 23:47:56 racoon: [Office VPN]: INFO: ISAKMP-SA deleted 78.33.xxx.113[500]-80.xxx.160.235[500] spi:f5e1675f1717c1ad:0000000000000000
    Sep 4 23:47:56 racoon: INFO: begin Identity Protection mode.
    Sep 4 23:47:56 racoon: [Office VPN]: INFO: initiate new phase 1 negotiation: 78.33.xxx.113[500]<=>80.xxx.160.235[500]
    Sep 4 23:47:56 racoon: [Office VPN]: INFO: IPsec-SA request for 80.xxx.160.235 queued due to no phase1 found.

    I've tried changing the phase 1 and phase 2 encryption, however the same error happens.

    Any help would be appreciated.

    Cheers



  • Hello,

    As I can see, NAT-T (or NAT Traversal) is used: "racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02". So, I suppose that one of your VPN endpoints is NATed (or perhaps both of them).

    If this is wrong, ignore the following for your problem.
    By the way, I've already run into some problems between an ISA 2004 server and another firewall (not a pfSense) also using racoon. Here is the conclusion drawn from a lab:
    with main mode, when the ISA server is translated, it sends an FQDN ID type and not an IPv4 one as mentioned in RFC 2409 (p15). As this ID type is not valid, racoon stops the negotiation.

    We also made a test without the NAT (and so without NAT-T) and everything works fine…

    The people using ISA have contacted Microsoft to find out what the problem was. Microsoft answered that the ISA server was compliant with RFC 3715. After taking a look at this RFC, we saw that:
    1. The RFC was a draft and written by Microsoft people
    2. The following was written in it:
    "Status of this Memo
    This memo provides information for the Internet community.  It does not specify an Internet standard of any kind.      
    Distribution of this memo is unlimited."

    Well… Quite weird to use this RFC to say that ISA is compliant!

    Lastly, I'm not saying that your problem comes from that, but it's possible...

    Hope this helps.
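    As an added example (not code from any poster in this thread), a small Python triage helper that scans the racoon lines from the first post, reordered oldest-first, for the markers the reply above points at: the NAT-T vendor ID, the Microsoft vendor ID, and the phase in which INVALID-ID-INFORMATION arrived. The sample lines are copied from the post with its own address masking; the pattern names and the wording of the finding are my own assumptions, and the FQDN-vs-IPv4 hint restates what the reply reports.

```python
import re

# Constructed sample: racoon lines quoted in the first post, reordered oldest-first (the post lists newest-first).
SAMPLE_LOG = [
    "Sep 4 23:47:56 racoon: [Office VPN]: INFO: initiate new phase 1 negotiation: 78.33.xxx.113[500]<=>80.xxx.160.235[500]",
    "Sep 4 23:47:56 racoon: INFO: begin Identity Protection mode.",
    "Sep 4 23:47:56 racoon: [Office VPN]: INFO: ISAKMP-SA deleted 78.33.xxx.113[500]-80.xxx.160.235[500] spi:f5e1675f1717c1ad:0000000000000000",
    "Sep 4 23:47:56 racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY",
    "Sep 4 23:47:56 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02",
    "Sep 4 23:47:56 racoon: [Office VPN]: INFO: ISAKMP-SA established 78.33.xxx.113[500]-80.xxx.160.235[500] spi:fa54850f8cb23ed2:9ae4fbf92451e9fc",
    "Sep 4 23:47:57 racoon: [Office VPN]: INFO: initiate new phase 2 negotiation: 78.33.xxx.113[500]<=>80.xxx.160.235[500]",
    "Sep 4 23:47:57 racoon: ERROR: fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.",
]

PATTERNS = {  # markers worth flagging in a racoon log for this failure pattern (names are my own)
    "nat_t_vid": re.compile(r"received Vendor ID: draft-ietf-ipsec-nat-t-ike"),
    "ms_peer": re.compile(r"received broken Microsoft ID: MS NT5 ISAKMPOAKLEY"),
    "phase1_up": re.compile(r"ISAKMP-SA established"),
    "phase2_start": re.compile(r"initiate new phase 2 negotiation"),
    "invalid_id": re.compile(r"INVALID-ID-INFORMATION"),
}

def triage(lines):
    """Walk log lines oldest-first; note which markers appear and the phase the notify arrived in."""
    seen = {name: False for name in PATTERNS}
    phase, notify_phase = 0, None  # phase: 0 = no ISAKMP-SA, 1 = phase 1 up, 2 = quick mode started
    for line in lines:
        hits = {name for name, rx in PATTERNS.items() if rx.search(line)}
        seen.update({name: True for name in hits})
        if "phase1_up" in hits:
            phase = 1
        elif "phase2_start" in hits and phase == 1:
            phase = 2
        elif "invalid_id" in hits and notify_phase is None:
            notify_phase = phase  # first notify wins
    return {"seen": seen, "notify_phase": notify_phase}

def diagnose(facts):
    """Turn triage facts into a one-line finding; None when the pattern is absent."""
    if facts["notify_phase"] is None:
        return None
    where = ["before phase 1 completed", "after phase 1, before quick mode", "during quick mode"][facts["notify_phase"]]
    finding = [f"peer sent INVALID-ID-INFORMATION {where}, i.e. it rejected an identity payload"]
    if facts["seen"]["nat_t_vid"]:
        finding.append("NAT-T negotiated, so at least one endpoint is behind NAT")
        if facts["seen"]["ms_peer"]:
            finding.append("Microsoft peer behind NAT: the thread reports ISA then sending an FQDN ID "
                           "where racoon expects an IPv4 ID; compare both sides' IDs with 'log debug2;'")
    return "; ".join(finding)
```

    Feed it the output of racoon's own log (oldest line first) and the finding tells you whether the notify came before or after phase 1 completed, which is the first thing to check before changing ciphers.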



  • Hi

    I have a similar scenario and a similar (or the same) problem connecting to an ISA server with racoon, my error:

    Oct 28 20:18:23 keita racoon: DEBUG: HASH computed:
    Oct 28 20:18:23 keita racoon: DEBUG:  fdebf588 2a77040f 8edcf495 03be8209
    Oct 28 20:18:23 keita racoon: DEBUG: hash validated.
    Oct 28 20:18:23 keita racoon: DEBUG: begin.
    Oct 28 20:18:23 keita racoon: DEBUG: seen nptype=8(hash)
    Oct 28 20:18:23 keita racoon: DEBUG: seen nptype=11(notify)
    Oct 28 20:18:23 keita racoon: DEBUG: succeed.
    Oct 28 20:18:23 keita racoon: ERROR: fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
    Oct 28 20:18:23 keita racoon: DEBUG: notification message 18:INVALID-ID-INFORMATION, doi=1 proto_id=3 spi=00000000(size=4).
    Oct 28 20:18:26 keita racoon: DEBUG: KA: 192.168.1.3[4500]->82.89.**.*[4500]

    Is it related to the RFC 3715 ISA compliance issue?

    Thanks in advance



  • @juniper:

    Hi

    I have a similar scenario and a similar (or the same) problem connecting to an ISA server with racoon, my error:

    Oct 28 20:18:23 keita racoon: DEBUG: HASH computed:
    Oct 28 20:18:23 keita racoon: DEBUG:  fdebf588 2a77040f 8edcf495 03be8209
    Oct 28 20:18:23 keita racoon: DEBUG: hash validated.
    Oct 28 20:18:23 keita racoon: DEBUG: begin.
    Oct 28 20:18:23 keita racoon: DEBUG: seen nptype=8(hash)
    Oct 28 20:18:23 keita racoon: DEBUG: seen nptype=11(notify)
    Oct 28 20:18:23 keita racoon: DEBUG: succeed.
    Oct 28 20:18:23 keita racoon: ERROR: fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
    Oct 28 20:18:23 keita racoon: DEBUG: notification message 18:INVALID-ID-INFORMATION, doi=1 proto_id=3 spi=00000000(size=4).
    Oct 28 20:18:26 keita racoon: DEBUG: KA: 192.168.1.3[4500]->82.89.**.*[4500]

    Is it related to the RFC 3715 ISA compliance issue?

    Thanks in advance

    It seems it's the same problem I had… Unfortunately, the only solution is to avoid NAT between the 2 devices... But, just to be sure, is it possible to enable detailed debugging to see more error messages?



    For logging I use a Debian box and racoon with "log debug2;"

    This is the max logging level.

    BR



  • OK.

    I don't know if you can make a lab to test IPSec between ISA and pfSense without NAT…

    Last but not least, I think NAT-T is supported since v1.3 on pfSense... Right?

