Site-to-Site VPN between Cisco 871 and Windows Server 2003


  • Site-to-Site VPN between Cisco 871 and Windows Server 2003

    Hi.

    I've been trying to create a Site-to-Site VPN between a Cisco 871 Router and a Windows Server 2003 acting as a NAT for another network.

    Here are my config files:

    http://pastebin.com/f30d61656 (Cisco 871 config)
    http://pastebin.com/f10f831f9 (Win2k3 IP security config)

    When I try pinging the cisco router from my W2k3 machine, I get Negotiating IP Security as a response.

    http://pastebin.com/f10e82144 (Crypto debug on the router when I ping)

    http://pastebin.com/f7137d9ed (Some event logs from the security log in Windows)

    I've been tackling with this problem for 3 days now. Can anyone figure out what I've done wrong or missed?

    Thanks for the help in advance!
    Last edited by wizzler; 20th March 2009, 20:43. Reason: Added more event logs

  • #2
    Re: Site-to-Site VPN between Cisco 871 and Windows Server 2003

    Hi wizzler.

    I have no experience with Windows VPN, but as far as I can see in your router config, you should not have the access-list for the interesting traffic both ways like you have.

    Note that the interesting traffic ACL is only to determine which traffic should be forwarded over the tunnel, not for security.

    So you should remove the second line of the ACL below:
    1. access-list 115 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
    2. access-list 115 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255

    and on the Windows side you should have exactly the same as the second line ONLY. They should match EXACTLY on their opposites!

    Phase I is getting completed (debug):
    Mar 20 19:28:15.599: ISAKMP:(2064):atts are acceptable.

    But Phase II fails because the proxy identities are not matching (Cisco uses the term "proxy identities" for the interesting traffic; Check Point calls it the encryption domain). Debug:
    Mar 20 19:28:15.599: IPSEC(ipsec_process_proposal): proxy identities not supported
    Mar 20 19:28:15.599: ISAKMP:(2064): IPSec policy invalidated proposal with error 32
    Mar 20 19:28:15.599: ISAKMP:(2064): phase 2 SA policy not acceptable! (local 213.101.208.105 remote 213.100.24.75)

    Hope it is clear,

    Niltinho

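An added example, not part of the thread and not Cisco's or Microsoft's code, that mechanises the check niltinho describes above. It parses the crypto ACL's IOS wildcard-mask entries into networks, flags entries that appear in both directions in the same ACL, and verifies that the peer's filter list is the exact mirror of the Cisco side. The two ACL lines are the ones quoted in the post; the Windows filter-list entries are modelled as (source, destination) CIDR pairs and are constructed here, as is the "external IPs" case, because the screenshots are not on the page. Only the plain `permit ip <net> <wildcard> <net> <wildcard>` form is handled; `host`, `any` and port qualifiers are out of scope by assumption.

```python
import ipaddress
import re

# Constructed sample input: the two crypto ACL lines quoted in the thread.
CISCO_ACL_ORIGINAL = """\
access-list 115 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 115 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
"""

# Matches "access-list <n> permit ip <src> <wildcard> <dst> <wildcard>".
# Assumption: no "host"/"any" keywords and no port qualifiers.
ACL_RE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+permit\s+ip\s+"
    r"(?P<src>[\d.]+)\s+(?P<smask>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dmask>[\d.]+)$"
)


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address + wildcard mask into an ip_network.

    An IOS wildcard is the bitwise inverse of a subnet mask (0.0.0.255 == /24).
    IOS also allows non-contiguous wildcards, which cannot be expressed as a
    prefix; those are rejected here instead of being silently mis-read.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # contiguous low-order ones look like 2**k - 1
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    prefix = 32 - wc.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_cisco_acl(text):
    """Return the (local_network, remote_network) selectors of a crypto ACL."""
    selectors = []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            selectors.append((wildcard_to_network(m["src"], m["smask"]),
                              wildcard_to_network(m["dst"], m["dmask"])))
    return selectors


def windows_filter(source_cidr, destination_cidr):
    """Model one Windows IP filter list entry as a (source, destination) pair."""
    return (ipaddress.ip_network(source_cidr), ipaddress.ip_network(destination_cidr))


def both_directions_present(selectors):
    """Entries whose reverse also appears in the SAME crypto ACL.

    On IOS the crypto ACL is written local->remote only; return traffic is
    matched against the reversed entry automatically. Listing both directions
    yields two SA pairs, one with a selector the peer will never offer.
    """
    present = set(selectors)
    return [(src, dst) for src, dst in selectors if (dst, src) in present]


def unmirrored(cisco_selectors, peer_selectors):
    """Cisco entries (local, remote) the peer does not mirror as (remote, local).

    Quick mode only succeeds when each side proposes the other's selector with
    the ends swapped; a miss here is what IOS logs as
    "proxy identities not supported".
    """
    peer = set(peer_selectors)
    return [(src, dst) for src, dst in cisco_selectors if (dst, src) not in peer]


if __name__ == "__main__":
    acl = parse_cisco_acl(CISCO_ACL_ORIGINAL)
    print("entries listed in both directions:", both_directions_present(acl))
    # The single-direction ACL niltinho recommends ...
    fixed = acl[:1]
    # ... against a Windows filter written from the server's point of view
    # (constructed), and against the external-address mistake from the thread.
    good = [windows_filter("10.0.0.0/24", "192.168.0.0/24")]
    bad = [windows_filter("213.100.24.75/32", "213.101.208.105/32")]
    print("unmirrored (LAN filter):", unmirrored(fixed, good))
    print("unmirrored (WAN addresses):", unmirrored(fixed, bad))
```

The point of modelling the Windows side as source/destination pairs is that the "Mirrored" option on a Windows 2003 filter generates the reverse entry for you, so only the forward entry needs to match; if `unmirrored()` returns the Cisco entry, phase 2 will fail regardless of how correct phase 1 is.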


    • #3
      Re: Site-to-Site VPN between Cisco 871 and Windows Server 2003

      Originally posted by niltinho (quoted in full in #2 above)

      Yeah, I understand now. But the change doesn't work.

      I've been following these steps: http://www.cisco.com/en/US/tech/tk58...800b12b5.shtml

      The faulty thing I made before was the IP filter list. This is the same thing as the ACL, I believe. These must match, which they didn't before because I entered the external IPs.

      Now it looks like this:

      The Cisco ACL:

      access-list 115 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255


      IP filter list on the Windows machine:

      flf-ro01 to Hostage:

      Hostage to flf-ro01:

      Now the tunnel isn't even trying to establish. What have I done wrong?

      Thanks for the help!
      Last edited by wizzler; 21st March 2009, 15:22.



      • #4
        Re: Site-to-Site VPN between Cisco 871 and Windows Server 2003

        Umhn!

        Please, on the router side, generate some traffic and send me:
        1. Just after the traffic is generated, the output of #sh crypto isakmp sa
        2. Turn on #debug crypto isakmp (only, no ipsec)
        3. Generate more traffic and send me both outputs.

        After that # clear crypto sa

        and repeat steps 1,2,3 but with traffic generated from the windows server side.

        send me that info with some explanations on how you generate the traffic.

        Thank you,

        Niltinho



        • #5
          Re: Site-to-Site VPN between Cisco 871 and Windows Server 2003

          http://pastebin.com/f67de1fb5 this is the debug @ cisco router

          http://pastebin.com/f16d935e this is the debug @ w2k3 server.

          It seems like Phase 2 cannot establish, and Windows reports that there is no policy configured:

          3-29: 23:12:56:566:ee8 Me
          3-29: 23:12:56:566:ee8 No policy configured

          What can be wrong?



          Data was generated by SDM.

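An added example, not part of the thread, that turns the triage niltinho and wizzler do by hand in this thread into code: it runs a few pattern rules over `debug crypto isakmp` / `debug crypto ipsec` output and over Windows Oakley log lines and reduces them to a verdict (phase 1 never answered, phase 1 fine but selectors mismatched, Windows has no matching filter). The sample lines are the ones quoted in #2 and #5 above, plus one IOS "retransmitting phase 1 MM_NO_STATE" line that is constructed for the unreachable-peer case and is not from the page; the rule texts and verdict names are this example's own.

```python
import re

# Constructed sample: the IOS debug lines from #2, the Oakley log line from #5,
# and (not from the page) one retransmit line for the unreachable-peer case.
SAMPLE_LOG = """\
Mar 20 19:28:15.599: ISAKMP:(2064):atts are acceptable.
Mar 20 19:28:15.599: IPSEC(ipsec_process_proposal): proxy identities not supported
Mar 20 19:28:15.599: ISAKMP:(2064): IPSec policy invalidated proposal with error 32
Mar 20 19:28:15.599: ISAKMP:(2064): phase 2 SA policy not acceptable! (local 213.101.208.105 remote 213.100.24.75)
3-29: 23:12:56:566:ee8 No policy configured
"""

UNREACHABLE_LOG = "Mar 20 19:30:01.000: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...\n"

# (pattern, finding key, what it tells the operator)
RULES = [
    (re.compile(r"atts are acceptable"), "phase1_policy_ok",
     "IOS accepted the peer's ISAKMP attributes: encryption, hash, DH group and PSK agree."),
    (re.compile(r"proxy identities not supported"), "phase2_selector_mismatch",
     "Quick-mode selectors differ: the crypto ACL and the peer's filter list are not mirror images."),
    (re.compile(r"phase 2 SA policy not acceptable"), "phase2_rejected",
     "IOS rejected the quick-mode proposal (selector or transform-set mismatch)."),
    (re.compile(r"retransmitting phase 1 MM_NO_STATE"), "phase1_no_response",
     "IOS keeps resending MM1: the peer is unreachable or UDP/500 is filtered."),
    (re.compile(r"No policy configured"), "windows_no_policy",
     "Windows IPsec found no filter matching this traffic/peer, so it has nothing to negotiate."),
]


def triage(log_text):
    """Return {finding_key: [matching log lines]} for every rule that fired."""
    findings = {}
    for line in log_text.splitlines():
        for pattern, key, _ in RULES:
            if pattern.search(line):
                findings.setdefault(key, []).append(line.rstrip())
    return findings


def explain(findings):
    """Human-readable explanation for each finding, in rule order."""
    return [text for _, key, text in RULES if key in findings]


def verdict(findings):
    """Collapse the findings into one diagnosis, most fundamental failure first."""
    if "phase1_no_response" in findings:
        return "phase1-unreachable"
    if "phase1_policy_ok" in findings and "phase2_selector_mismatch" in findings:
        return "phase2-selector-mismatch"
    if "phase1_policy_ok" in findings and "phase2_rejected" in findings:
        return "phase2-policy-mismatch"
    if "windows_no_policy" in findings:
        return "windows-no-matching-filter"
    if findings:
        return "inconclusive"
    return "no-ike-activity"


if __name__ == "__main__":
    for name, text in (("thread sample", SAMPLE_LOG), ("constructed", UNREACHABLE_LOG)):
        f = triage(text)
        print(f"{name}: {verdict(f)}")
        for line in explain(f):
            print("  -", line)
```

Ordering in `verdict()` is deliberate: a retransmit loop means nothing later in the log is meaningful, and "atts are acceptable" followed by "proxy identities not supported" pins the fault to the selectors, which is exactly the situation in #2; a Windows "No policy configured" with no IOS phase 1 success, as in #5, points at the Windows filter list rather than at the router.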