
11-09-2010, 01:14 PM
Site2Site IPSec VPN ASG110 - MS TMG 2010
Hi All,
We have upgraded our Microsoft ISA 2004 to TMG 2010 (on a new machine). The Astaro FW is 7.507.
Now our Site2Site IPSec VPN (ASG110 <--> TMG) has trouble in IPsec Phase 2. We played around with the settings, but no success. Does anybody have an idea or the same problem?
Here is the log:
##############################################################
:
: | NAT-T: new mapping 172.172.172.172:4500/500)
: "S_Unknown Object" #6027: pfkey_msg_build of Add SA esp.8eb8e95@172.20.109.20 failed, code -22
: "S_Unknown Object" #6026: pfkey_msg_build of Add SA esp.8eb8e94@172.20.109.20 failed, code -22
: "S_Unknown Object" #6030: NAT-Traversal: Result using RFC 3947: i am NATed
: "S_Unknown Object" #6030: Peer ID is ID_IPV4_ADDR: '172.172.172.172'
: | NAT-T: new mapping 172.172.172.172:500/4500)
: "S_Unknown Object" #6027: pfkey_msg_build of Add SA esp.8eb8e95@172.20.109.20 failed, code -22
: "S_Unknown Object" #6030: sent MR3, ISAKMP SA established
: "S_Unknown Object" #6030: cannot respond to IPsec SA request because no connection is known for 192.168.2.0/24===172.20.109.20:4500...172.172.172.172:4500
: "S_Unknown Object" #6030: sending encrypted notification INVALID_ID_INFORMATION to 172.172.172.172:4500
: "S_Unknown Object" #6031: responding to Quick Mode
: "S_Unknown Object" #6031: IPsec SA established {ESP=>0x162cef84 <0x08eb8e98 NATOA=0.0.0.0}
: "S_Unknown Object" #6030: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
: "S_Unknown Object" #6030: sending encrypted notification INVALID_MESSAGE_ID to 172.172.172.172:4500
: "S_Unknown Object" #6030: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
: "S_Unknown Object" #6030: sending encrypted notification INVALID_MESSAGE_ID to 172.172.172.172:4500
: "S_Unknown Object" #6032: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #6026 {using isakmp#6030}
: "S_Unknown Object" #6033: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #6027 {using isakmp#6030}
: "S_Unknown Object" #6032: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
: "S_Unknown Object" #6032: sent QI2, IPsec SA established {ESP=>0x14176a70 <0x08eb8e99 NATOA=0.0.0.0}
: "S_Unknown Object" #6033: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
: "S_Unknown Object" #6033: sent QI2, IPsec SA established {ESP=>0xdeb7f205 <0x08eb8e9a NATOA=0.0.0.0}
: "S_Unknown Object" #6032: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
: "S_Unknown Object" #6032: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
: "S_Unknown Object" #6032: sending encrypted notification INVALID_PAYLOAD_TYPE to 172.172.172.172:4500
: "S_Unknown Object" #6033: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
: "S_Unknown Object" #6033: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
: "S_Unknown Object" #6033: sending encrypted notification INVALID_PAYLOAD_TYPE to 172.172.172.172:4500
: "S_Unknown Object" #6034: responding to Quick Mode
: "S_Unknown Object" #6034: IPsec SA established {ESP=>0x404a9d59 <0x08eb8e9b NATOA=0.0.0.0}
: "S_Unknown Object" #6030: received Delete SA(0x162cef84) payload: deleting IPSEC State #6031
: "S_Unknown Object" #6030: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
: "S_Unknown Object" #6030: sending encrypted notification INVALID_MESSAGE_ID to 172.172.172.172:4500
: "S_Unknown Object" #6030: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
: "S_Unknown Object" #6030: sending encrypted notification INVALID_MESSAGE_ID to 172.172.172.172:4500
: "S_Unknown Object" #6030: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
: "S_Unknown Object" #6030: sending encrypted notification INVALID_MESSAGE_ID to 172.172.172.172:4500
: "S_Unknown Object" #6030: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
: "S_Unknown Object" #6030: sending encrypted notification INVALID_MESSAGE_ID to 172.172.172.172:4500
: "S_Unknown Object" #6030: received Delete SA payload: replace IPSEC State #6034 in 10 seconds
: "S_Unknown Object" #6030: received Delete SA payload: replace IPSEC State #6033 in 10 seconds
: "S_Unknown Object" #6030: received Delete SA payload: replace IPSEC State #6032 in 10 seconds
: "S_Unknown Object" #6030: received Delete SA payload: deleting ISAKMP State #6030
: packet from 172.172.172.172:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
: packet from 172.172.172.172:500: received Vendor ID payload [RFC 3947]
: packet from 172.172.172.172:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
: packet from 172.172.172.172:500: ignoring Vendor ID payload [FRAGMENTATION]
: packet from 172.172.172.172:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
: packet from 172.172.172.172:500: ignoring Vendor ID payload [Vid-Initial-Contact]
: packet from 172.172.172.172:500: ignoring Vendor ID payload [IKE CGA version 1]
: "S_Unknown Object" #6035: responding to Main Mode
: | NAT-T: new mapping 172.172.172.172:4500/500)
: "S_Unknown Object" #6032: pfkey_msg_build of Add SA esp.8eb8e99@172.20.109.20 failed, code -22
: "S_Unknown Object" #6035: NAT-Traversal: Result using RFC 3947: i am NATed
: "S_Unknown Object" #6035: Peer ID is ID_IPV4_ADDR: '172.172.172.172'
: | NAT-T: new mapping 172.172.172.172:500/4500)
: "S_Unknown Object" #6035: sent MR3, ISAKMP SA established
: "S_Unknown Object" #6035: cannot respond to IPsec SA request because no connection is known for 192.168.2.0/24===172.20.109.20:4500...172.172.172.172:4500
: "S_Unknown Object" #6035: sending encrypted notification INVALID_ID_INFORMATION to 172.172.172.172:4500
: "S_Unknown Object" #6035: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
: "S_Unknown Object" #6035: sending encrypted notification INVALID_MESSAGE_ID to 172.172.172.172:4500
: "S_Unknown Object" #6035: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
: "S_Unknown Object" #6035: sending encrypted notification INVALID_MESSAGE_ID to 172.172.172.172:4500
: "S_Unknown Object" #6035: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
: "S_Unknown Object" #6035: sending encrypted notification INVALID_MESSAGE_ID to 172.172.172.172:4500
: "S_Unknown Object" #6036: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #6032 {using isakmp#6035}
: "S_Unknown Object" #6037: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #6033 {using isakmp#6035}
: "S_Unknown Object" #6038: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #6034 {using isakmp#6035}
: "S_Unknown Object" #6036: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
: "S_Unknown Object" #6036: sent QI2, IPsec SA established {ESP=>0xc7387f9a <0x08eb8e9c NATOA=0.0.0.0}
: "S_Unknown Object" #6037: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
: "S_Unknown Object" #6037: sent QI2, IPsec SA established {ESP=>0x8a60ad5b <0x08eb8e9d NATOA=0.0.0.0}
: "S_Unknown Object" #6038: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
: "S_Unknown Object" #6038: sent QI2, IPsec SA established {ESP=>0x1d2e88eb <0x08eb8e9e NATOA=0.0.0.0}
###########################################################
Any Tip is welcome.
Frank
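As an added triage aid (not part of Frank's post or of the Astaro product), the script below parses Pluto log lines like the ones quoted above and pulls out the facts that matter for a Phase 2 failure: which notifications the gateway sent, the traffic selector the peer proposed that matched no configured connection (the line behind INVALID_ID_INFORMATION), kernel SA install failures from pfkey, and which states reached "ISAKMP SA established" versus "IPsec SA established". The sample input is a constructed subset of the posted log; Pluto's selector notation is read as local_client===local_host...remote_host.

```python
"""Triage a Pluto (Openswan-style) IKE log for IPsec Phase 2 problems."""
import re
from collections import Counter

# Constructed sample: a subset of the Pluto lines quoted in the post.
SAMPLE_LOG = """\
: "S_Unknown Object" #6027: pfkey_msg_build of Add SA esp.8eb8e95@172.20.109.20 failed, code -22
: "S_Unknown Object" #6030: NAT-Traversal: Result using RFC 3947: i am NATed
: "S_Unknown Object" #6030: sent MR3, ISAKMP SA established
: "S_Unknown Object" #6030: cannot respond to IPsec SA request because no connection is known for 192.168.2.0/24===172.20.109.20:4500...172.172.172.172:4500
: "S_Unknown Object" #6030: sending encrypted notification INVALID_ID_INFORMATION to 172.172.172.172:4500
: "S_Unknown Object" #6031: IPsec SA established {ESP=>0x162cef84 <0x08eb8e98 NATOA=0.0.0.0}
: "S_Unknown Object" #6030: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
: "S_Unknown Object" #6030: sending encrypted notification INVALID_MESSAGE_ID to 172.172.172.172:4500
: "S_Unknown Object" #6032: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
"""

# Lines that carry a connection name and a state number; NAT-T debug lines
# (": | ...") and ": packet from ..." lines do not and are skipped.
STATE_RE = re.compile(r'^: "(?P<conn>[^"]*)" #(?P<state>\d+): (?P<msg>.*)$')
NOTIFY_RE = re.compile(r"sending encrypted notification (?P<name>[A-Z_]+) to (?P<peer>\S+)")
NOCONN_RE = re.compile(r"no connection is known for (?P<local_net>\S+)===(?P<local>\S+)\.\.\.(?P<remote>\S+)")
PFKEY_RE = re.compile(r"pfkey_msg_build of (?P<what>.+?) failed, code (?P<code>-?\d+)")


def triage(log_text):
    """Summarise notifications, unmatched selectors, pfkey failures and SA states."""
    summary = {"notifications": Counter(), "unmatched": [], "pfkey_failures": [],
               "isakmp_established": set(), "ipsec_established": set()}
    for line in log_text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        state, msg = int(m.group("state")), m.group("msg")
        if (n := NOTIFY_RE.search(msg)):
            summary["notifications"][n.group("name")] += 1
        elif (n := NOCONN_RE.search(msg)):
            # Pluto prints local_client===local_host...remote_host: this is the
            # selector the peer proposed, which matched no configured connection.
            summary["unmatched"].append({"state": state, "local_net": n.group("local_net"),
                                         "local": n.group("local"), "remote": n.group("remote")})
        elif (n := PFKEY_RE.search(msg)):
            # code -22 is EINVAL from the kernel: the SA parameters were rejected.
            summary["pfkey_failures"].append((state, n.group("what"), int(n.group("code"))))
        elif "ISAKMP SA established" in msg:
            summary["isakmp_established"].add(state)
        elif "IPsec SA established" in msg:
            summary["ipsec_established"].add(state)
    return summary


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Compare each "unmatched" entry's local_net against the local network defined on the ASG connection for this peer: the Quick Mode request is rejected before any SA is built, so a mismatch there is the first thing to rule out.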