IPSec newbie needs urgent help!

Thread starter: Jules Winfield

Hi there,

I'm using ISA as my firewall and am trying to set up an IPSec tunnel to
another company that supplies us with real-time market data. My internal
network is 192.168.0.0/24 while theirs is 192.168.30.0/24.

When ISA attempts to connect, the negotiation between the two parties'
external networks (Phase 1) is successful. The negotiation between the two
parties' internal networks (Phase 2) is *not* successful. The error message
is:

"IKE SA deleted before establishment completed."

The I.T. guys at the other end of the tunnel tell me that the failure is
due to the fact that my ISA box is broadcasting too wide a source
range -- an entire Class C. The error message in my event log seems to
confirm this. See excerpt below:

Source IP Address 192.168.0.0
Source IP Address Mask 255.255.255.0
Destination IP Address 192.168.30.0
Destination IP Address Mask 255.255.255.0

It is against the vendor's policy to allow a source range that wide. So
here's what I did. I added a new IP range to ISA's internal network:
192.168.14.0/28. This range is narrow enough to be allowed by the vendor's
policy. I added the address 14.1 to ISA itself and 14.2 and 14.3 to some
computers on the internal network that will be using the tunnel.

All of the computers on my internal network can now ping each other
using either of the internal network addresses (192.168.0.x or
192.168.14.x)... but here's the problem: When ISA attempts to establish the
IPSec tunnel with the vendor, it's still broadcasting the 192.168.0.0/24 as
its source network. I want it to broadcast 192.168.14.0/24. I can't figure
out for the life of me how to tell ISA to broadcast that narrower address
range during the Phase 2 negotiation of the IPSec tunnel. Any ideas?

Thanks...
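As an added example (not part of this thread or of ISA), the following script parses the four selector lines quoted from the event log above into CIDR networks and checks a proposed Phase 2 selector pair against what the tunnel is supposed to carry: whether the local selector matches the intended 192.168.14.0/28, whether it is narrower than the peer's policy threshold, and whether the hosts that need the tunnel (14.2 and 14.3) actually fall inside it. The line format comes from the post; the policy threshold (a /28 is acceptable, a /24 is not) and the function names are assumptions for this example.

```python
import ipaddress

# Constructed sample input: the four selector lines quoted from the poster's
# event log. The line format is taken from the post; everything else in this
# example is an assumption made for illustration.
LOG_EXCERPT = """\
Source IP Address 192.168.0.0
Source IP Address Mask 255.255.255.0
Destination IP Address 192.168.30.0
Destination IP Address Mask 255.255.255.0
"""


def parse_selectors(text):
    """Parse 'Source/Destination IP Address [Mask]' lines into two IPv4Network
    objects: the Phase 2 (quick mode) traffic selectors the log shows."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # The value is the last whitespace-separated token; the key is the rest.
        key, _, value = line.rpartition(" ")
        fields[key] = value
    src = ipaddress.ip_network(
        f"{fields['Source IP Address']}/{fields['Source IP Address Mask']}",
        strict=False)
    dst = ipaddress.ip_network(
        f"{fields['Destination IP Address']}/{fields['Destination IP Address Mask']}",
        strict=False)
    return src, dst


def check_phase2_selectors(src, dst, expected_local, expected_remote,
                           narrowest_prefix_allowed=28, must_cover=()):
    """Return a list of problems with a proposed Phase 2 selector pair.

    expected_local / expected_remote: the networks the tunnel should carry.
    narrowest_prefix_allowed: assumed peer policy; the local selector's prefix
        length must be at least this (so /28 passes, /24 fails). The post only
        says a /24 is too wide and a /28 is acceptable.
    must_cover: hosts that must fall inside the local selector to use the tunnel.
    """
    problems = []
    if src != expected_local:
        problems.append(f"local selector is {src}, expected {expected_local}")
    if dst != expected_remote:
        problems.append(f"remote selector is {dst}, expected {expected_remote}")
    if src.prefixlen < narrowest_prefix_allowed:
        problems.append(f"local selector {src} is wider than the peer allows "
                        f"(/{narrowest_prefix_allowed} or narrower)")
    for host in must_cover:
        if ipaddress.ip_address(host) not in src:
            problems.append(f"host {host} is not covered by local selector {src}")
    return problems


def main():
    proposed_src, remote = parse_selectors(LOG_EXCERPT)
    print("ISA proposed:", proposed_src, "->", remote)

    # What the poster wants ISA to propose instead, and the hosts that need it.
    wanted_local = ipaddress.ip_network("192.168.14.0/28")
    tunnel_hosts = ["192.168.14.2", "192.168.14.3"]

    for label, local in (("current", proposed_src), ("desired", wanted_local)):
        problems = check_phase2_selectors(local, remote, wanted_local, remote,
                                          must_cover=tunnel_hosts)
        print(f"{label} local selector {local}:", "OK" if not problems else "")
        for p in problems:
            print("  -", p)


if __name__ == "__main__":
    main()
```

Running it reports three problems for the selector pair actually in the log (wrong local network, wider than the peer's policy, and the 192.168.14.x hosts not covered) and none for the desired 192.168.14.0/28, which is the check to repeat against the event log after changing the ISA-side selector.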
 
Which version of ISA are you using (2000, 2004, 2006)?

What device is ISA connecting to on the other end?
 