Site-to-site IPsec tunnel does not work - Perfect Forward Secrecy

Consider a scenario in which you have configured a site-to-site VPN tunnel, either between two ISA servers or between an ISA server and a third-party VPN device. After configuring the tunnel you try to reach the machines at the remote end, but the connection fails. If you ping a remote-end machine from the ISA server, the reply is "Negotiating IP Security", which means IKE has started but has not finished establishing the security association.

In such a scenario we can collect Oakley logs (the IKE negotiation trace on Windows). If the Oakley log shows the following:

-- Policy mismatch on offer method 1 policy method 1
-- Attribute Phase II Diffie-Hellman group descriptor
-- Expected: 2
-- Received: 0
-- Data Protection Mode (Quick Mode)
-- Source IP Address X.X.X.X Source IP Address Mask X.X.X.X Destination IP Address X.X.X.X Destination IP Address Mask X.X.X.X Protocol 0 Source Port 0 Destination Port 0 IKE Local Addr X.X.X.X IKE Peer Addr X.X.X.X IKE Source Port 500 IKE Destination Port 500 Peer Private Addr
-- Phase II Diffie-Hellman group descriptor
-- 2
-- 0
-- constructing ISAKMP Header
-- constructing HASH (null)
-- constructing NOTIFY 14
-- constructing HASH (Notify/Delete)
-- isadb_set_status sa:0014CB70 centry:000DFAC0 status 3606
-- ProcessFailure: sa:0014CB70 centry:000DFAC0 status:3606
-- Notify already constructed. Ignoring. Sa 0014CB70

During Security Association (SA) negotiation the local and remote endpoints, besides agreeing on encryption, integrity and lifetime settings, also negotiate Perfect Forward Secrecy (PFS). With PFS enabled, a fresh Diffie-Hellman exchange is performed in Quick Mode (Phase 2), so the IPsec session keys are not derived only from the Phase 1 keying material, and a later compromise of the Phase 1 secret does not expose the Phase 2 keys. In the log this appears as the "Phase II Diffie-Hellman group descriptor" attribute: an endpoint with PFS enabled carries a non-zero group number (here 2, the 1024-bit MODP group), and an endpoint with PFS disabled carries 0 because it offers no group at all. In the scenario above the remote end had PFS disabled and sent 0, while the ISA server, where PFS is enabled by default, expected 2. Because the two values do not match, the proposal is rejected with a "Policy mismatch", ISA answers with NOTIFY 14 (NO-PROPOSAL-CHOSEN in ISAKMP), the Phase 2 SA is never established and the tunnel does not come up.
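The following script is an added example, not part of the original article and not ISA Server code. It parses an Oakley log excerpt for the "Policy mismatch" block, reads the Expected and Received values of the Phase 2 Diffie-Hellman group descriptor, and reports which side has PFS on and which has it off, so the mismatch can be spotted without reading the whole trace by hand. The sample log is constructed from the lines quoted above (addresses and SA handles are placeholders); the notify-code and DH-group tables are taken from RFC 2408 and RFC 2409.

```python
"""Triage of an ISA Server / Windows IKE Oakley log for a Quick Mode PFS mismatch.

Added example, not code from the article or from ISA Server.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the Oakley log excerpt quoted in the article, with the
# X.X.X.X addresses and SA handles kept as placeholders.
SAMPLE_OAKLEY_LOG = """\
-- Policy mismatch on offer method 1 policy method 1
-- Attribute Phase II Diffie-Hellman group descriptor
-- Expected: 2
-- Received: 0
-- Data Protection Mode (Quick Mode)
-- Source IP Address X.X.X.X Source IP Address Mask X.X.X.X Destination IP Address X.X.X.X Destination IP Address Mask X.X.X.X Protocol 0 Source Port 0 Destination Port 0 IKE Local Addr X.X.X.X IKE Peer Addr X.X.X.X IKE Source Port 500 IKE Destination Port 500 Peer Private Addr
-- Phase II Diffie-Hellman group descriptor
-- 2
-- 0
-- constructing ISAKMP Header
-- constructing HASH (null)
-- constructing NOTIFY 14
-- constructing HASH (Notify/Delete)
-- isadb_set_status sa:0014CB70 centry:000DFAC0 status 3606
-- ProcessFailure: sa:0014CB70 centry:000DFAC0 status:3606
-- Notify already constructed. Ignoring. Sa 0014CB70
"""

# ISAKMP notify message types (RFC 2408, section 3.14.1); only the codes a
# rejected proposal normally produces are mapped here.
ISAKMP_NOTIFY = {13: "ATTRIBUTES-NOT-SUPPORTED", 14: "NO-PROPOSAL-CHOSEN", 15: "BAD-PROPOSAL-SYNTAX"}

# IKE Diffie-Hellman group descriptors (RFC 2409, appendix A). In Quick Mode a
# non-zero group means PFS is on; 0 means no group was offered, i.e. PFS is off.
DH_GROUPS = {1: "768-bit MODP (group 1)", 2: "1024-bit MODP (group 2)", 14: "2048-bit MODP (group 14)"}


@dataclass
class PolicyMismatch:
    attribute: str
    expected: Optional[int] = None   # value our own policy requires
    received: Optional[int] = None   # value the peer offered
    mode: Optional[str] = None       # e.g. "Quick Mode"


@dataclass
class OakleyReport:
    mismatches: List[PolicyMismatch] = field(default_factory=list)
    notifies: List[str] = field(default_factory=list)
    failure_status: Optional[int] = None


def parse_oakley_log(text: str) -> OakleyReport:
    """Pull policy-mismatch blocks, NOTIFY payloads and the failure status out of an Oakley log."""
    report = OakleyReport()
    current: Optional[PolicyMismatch] = None
    expect_attribute = False
    for raw in text.splitlines():
        line = raw.strip().lstrip("-").strip()   # drop the "-- " prefix Oakley uses
        if not line:
            continue
        if line.startswith("Policy mismatch"):
            expect_attribute = True               # the next "Attribute ..." line names it
            continue
        m = re.match(r"Attribute\s+(.+)$", line)
        if m and expect_attribute:
            current = PolicyMismatch(attribute=m.group(1))
            report.mismatches.append(current)
            expect_attribute = False
            continue
        m = re.match(r"(Expected|Received):\s*(\d+)$", line)
        if m and current is not None:
            setattr(current, m.group(1).lower(), int(m.group(2)))
            continue
        m = re.match(r"Data Protection Mode \((.+)\)$", line)
        if m and current is not None:
            current.mode = m.group(1)
            continue
        m = re.match(r"constructing NOTIFY (\d+)$", line)
        if m:
            code = int(m.group(1))
            report.notifies.append(ISAKMP_NOTIFY.get(code, f"NOTIFY-{code}"))
            continue
        m = re.search(r"ProcessFailure:.*\bstatus:(\d+)$", line)
        if m:
            report.failure_status = int(m.group(1))
    return report


@dataclass
class PfsDiagnosis:
    local_pfs: bool      # our policy ("Expected") carries a Phase 2 DH group
    peer_pfs: bool       # the peer's offer ("Received") carries one
    local_group: int
    peer_group: int

    def message(self) -> str:
        def side(on: bool, group: int) -> str:
            name = DH_GROUPS.get(group, f"group {group}")
            return f"PFS enabled, DH {name}" if on else "PFS disabled"
        return (f"Quick Mode PFS mismatch: local end {side(self.local_pfs, self.local_group)}; "
                f"remote end {side(self.peer_pfs, self.peer_group)}. "
                "Enable PFS on both ends (preferred) or disable it on both.")


def diagnose_pfs(report: OakleyReport) -> Optional[PfsDiagnosis]:
    """Return a diagnosis when the logged mismatch is the Phase 2 DH group with exactly one side at 0."""
    for mm in report.mismatches:
        if "Diffie-Hellman group descriptor" not in mm.attribute:
            continue
        if mm.expected is None or mm.received is None:
            continue
        local_on, peer_on = mm.expected != 0, mm.received != 0
        if local_on != peer_on:      # both non-zero but different is a group mismatch, not PFS on/off
            return PfsDiagnosis(local_on, peer_on, mm.expected, mm.received)
    return None


if __name__ == "__main__":
    rep = parse_oakley_log(SAMPLE_OAKLEY_LOG)
    print("notifies:", rep.notifies, "failure status:", rep.failure_status)
    d = diagnose_pfs(rep)
    print(d.message() if d else "no Phase 2 PFS mismatch found")
```

Run it against a real Oakley log by replacing SAMPLE_OAKLEY_LOG with the file contents; the "Expected" value is always the local policy and "Received" the peer's offer, so the diagnosis tells you which end needs its PFS setting changed.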

In such scenarios either enable PFS at both ends or disable it at both ends. Enabling it at both ends is the more secure choice and should be preferred whenever the remote device supports it; in this case PFS was disabled on the ISA server, as shown below.

In the properties window of the remote site network, as shown below, go to the Connections tab and then open IPsec Settings.

The following window appears. Choose the Phase 2 tab and uncheck the Perfect Forward Secrecy check box to disable it.

After disabling it, both ends send 0 for the Phase 2 Diffie-Hellman group, the values match, the Quick Mode negotiation succeeds and the tunnel comes up, giving us the site-to-site connection between the two sites. To confirm, ping a remote-end machine from the ISA server again: the "Negotiating IP Security" message should be replaced by normal echo replies.