ISA 2000, Server 2003, and IPSEC Tunnel

  • Thread starter Thread starter Wade Philley
  • Start date Start date
W

Wade Philley

I have a tunnel configured between a Cisco PIX and a
Windows Server 2003 machine. It works fine until I
install ISA 2000. I updated to SP2. I made sure I did
not install the Web Proxy piece because I had the stop me
2 years ago doing the same thing on a Windows 2000
Server. The tunnel will only partially come up, and I
cannot get any packets to go throught the tunnel.

Any help greatly appreciated.

Thanks!

Wade
 
What exactly do you mean by "the tunnel will only partially come up"? Can
you provide a more precise description of the problem

How have you configured the ISA 2000 server? Did you create any exceptions
for IKE (UDP 500) or NATT (UDP 4500)

On the Windows 2003 server, enable Oakley logging and repro the problem.
The oakley log may indicate what the issue are.

To enable Oakley Logging :Use Registry Editor to locate the following key in
the registry, and if it does not exist, create it:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley
Add a REG_DWORD value named EnableLogging with a value of 1 to this key. The
Oakley.log file is created in the %systemroot%\debug folder.


Louise Bowman
Microsoft Windows Networking Division.
 
By saying the tunnel is partially coming up - I am
receiving encrypted and athenticated packets, but I am not
sending them. I did this very thing 2 years ago on a
Win2K and ISA 2000 setup. I dropped the Server 2003, and
re-installed Win2K. I am getting the same probelm.
Everything I read says that you cannot do this - but I
did. I am wondering if the hotfix that gave us the NAT-T
functionality killed this. How can I enable the logging
on a Win2K machine? I think the ISA server is NATing the
packet instead of the IPSEC filter picking up the packet
and encrypting it.

Thanks

Wade
 
I forgot to address opening the ports. I have all ports
open on the ISA firewall. I know that in the past I had
to install the ISA server in firewall only mode. If you
installed it as integrated or cache mode, it would not
work.

Wade
 
Back
Top