IKE negotiation
Mikdilly
Member Posts: 309
XP Machine setup with Client (Respond Only) policy thru GPO, can't connect to shared folder on 2003 server setup with Server (Request Sec.) policy. The client machine gets a 'IKE security association negotiation failed' in event viewer for Main Mode. Failure reason says 'negotiation timed out'. Failure point: me.
Both machines are on same subnet. What would cause this error?
Comments
UncleCid
Member Posts: 66
> XP Machine setup with Client (Respond Only) policy thru GPO, can't connect to shared folder on 2003 server setup with Server (Request Sec.) policy. The client machine gets a 'IKE security association negotiation failed' in event viewer for Main Mode. Failure reason says 'negotiation timed out'. Failure point: me.
> Both machines are on same subnet. What would cause this error?
Are the times in sync?
Mikdilly
Member Posts: 309
Both machines' times are in sync. I enabled IKE logging; this is the last portion of the log. Can anyone interpret this?
5-04: 20:59:11:646:27c retransmit: sa = 000F26B8 centry 00000000 , count = 4
5-04: 20:59:11:646:27c
5-04: 20:59:11:646:27c Sending: SA = 0x000F26B8 to 192.168.1.15:Type 2.500
5-04: 20:59:11:646:27c ISAKMP Header: (V1.0), len = 192
5-04: 20:59:11:646:27c I-COOKIE 2ba9fd62cb3cb53d
5-04: 20:59:11:646:27c R-COOKIE db0f99135ef1e6f6
5-04: 20:59:11:646:27c exchange: Oakley Main Mode
5-04: 20:59:11:646:27c flags: 0
5-04: 20:59:11:646:27c next payload: SA
5-04: 20:59:11:646:27c message ID: 00000000
5-04: 20:59:11:646:27c Ports S:f401 D:f401
5-04: 20:59:27:646:27c retransmit: sa = 000F26B8 centry 00000000 , count = 5
5-04: 20:59:27:646:27c
5-04: 20:59:27:646:27c Sending: SA = 0x000F26B8 to 192.168.1.15:Type 2.500
5-04: 20:59:27:646:27c ISAKMP Header: (V1.0), len = 192
5-04: 20:59:27:646:27c I-COOKIE 2ba9fd62cb3cb53d
5-04: 20:59:27:646:27c R-COOKIE db0f99135ef1e6f6
5-04: 20:59:27:646:27c exchange: Oakley Main Mode
5-04: 20:59:27:646:27c flags: 0
5-04: 20:59:27:646:27c next payload: SA
5-04: 20:59:27:646:27c message ID: 00000000
5-04: 20:59:27:646:27c Ports S:f401 D:f401
5-04: 20:59:59:646:27c retransmit exhausted: sa = 000F26B8 centry 00000000, count = 6
5-04: 20:59:59:646:27c SA Dead. sa:000F26B8 status:35ed
5-04: 20:59:59:646:27c isadb_set_status sa:000F26B8 centry:00000000 status 35ed
5-04: 20:59:59:646:27c Peer KerbID penny-2141dns$@DOMAIN1.LOCAL
5-04: 20:59:59:646:27c Key Exchange Mode (Main Mode)
5-04: 20:59:59:646:27c Source IP Address 192.168.1.16 Source IP Address Mask 255.255.255.255 Destination IP Address 192.168.1.15 Destination IP Address Mask 255.255.255.255 Protocol 0 Source Port 0 Destination Port 0 IKE Local Addr 192.168.1.16 IKE Peer Addr 192.168.1.15
5-04: 20:59:59:646:27c Kerberos based Identity: penny-2141dns$@DOMAIN1.LOCAL Peer IP Address: 192.168.1.15
5-04: 20:59:59:646:27c Me
5-04: 20:59:59:646:27c Negotiation timed out
5-04: 20:59:59:646:27c 0x0 0x0
5-04: 20:59:59:646:27c constructing ISAKMP Header
5-04: 20:59:59:646:27c constructing DELETE. MM 000F26B8
5-04: 20:59:59:646:27c
5-04: 20:59:59:646:27c Sending: SA = 0x000F26B8 to 192.168.1.15:Type 1.500
5-04: 20:59:59:646:27c ISAKMP Header: (V1.0), len = 56
5-04: 20:59:59:646:27c I-COOKIE 2ba9fd62cb3cb53d
5-04: 20:59:59:646:27c R-COOKIE db0f99135ef1e6f6
5-04: 20:59:59:646:27c exchange: ISAKMP Informational Exchange
5-04: 20:59:59:646:27c flags: 0
5-04: 20:59:59:646:27c next payload: DELETE
5-04: 20:59:59:646:27c message ID: 2381f325
5-04: 20:59:59:646:27c Ports S:f401 D:f401
5-04: 21:00:35:68:2b0 ClearFragList
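To make sense of an Oakley log like the one above, here is an added Python example (not from this thread and not part of Microsoft's IPsec tooling) that parses these debug lines per SA handle, records each retransmit and the interval between them, and reports the final outcome. The sample log embedded in it is a trimmed copy of the lines posted above; the regular expressions and the list of "outcome phrases" are assumptions about the log format based only on that excerpt.

```python
"""Summarise per-SA retransmit behaviour from Windows IKE (Oakley) debug log lines."""
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the Oakley log excerpt posted in this thread.
SAMPLE_LOG = """\
5-04: 20:59:11:646:27c retransmit: sa = 000F26B8 centry 00000000 , count = 4
5-04: 20:59:11:646:27c Sending: SA = 0x000F26B8 to 192.168.1.15:Type 2.500
5-04: 20:59:11:646:27c exchange: Oakley Main Mode
5-04: 20:59:27:646:27c retransmit: sa = 000F26B8 centry 00000000 , count = 5
5-04: 20:59:27:646:27c Sending: SA = 0x000F26B8 to 192.168.1.15:Type 2.500
5-04: 20:59:27:646:27c exchange: Oakley Main Mode
5-04: 20:59:59:646:27c retransmit exhausted: sa = 000F26B8 centry 00000000, count = 6
5-04: 20:59:59:646:27c SA Dead. sa:000F26B8 status:35ed
5-04: 20:59:59:646:27c Peer KerbID penny-2141dns$@DOMAIN1.LOCAL
5-04: 20:59:59:646:27c Negotiation timed out
5-04: 20:59:59:646:27c Sending: SA = 0x000F26B8 to 192.168.1.15:Type 1.500
5-04: 20:59:59:646:27c exchange: ISAKMP Informational Exchange
"""

# Line layout assumed from the excerpt: "M-D: HH:MM:SS:ms:threadid message".
LINE_RE = re.compile(
    r"^(?P<mon>\d+)-(?P<day>\d+): (?P<hh>\d+):(?P<mm>\d+):(?P<ss>\d+):(?P<ms>\d+):"
    r"(?P<thread>[0-9a-fA-F]+)\s*(?P<msg>.*)$")
RETRANSMIT_RE = re.compile(
    r"^retransmit( exhausted)?: sa = ([0-9A-Fa-f]+) centry \w+\s*, count = (\d+)")
SENDING_RE = re.compile(r"^Sending: SA = 0x([0-9A-Fa-f]+) to ([\d.]+):Type ")
DEAD_RE = re.compile(r"^SA Dead\. sa:([0-9A-Fa-f]+) status:(\w+)")
EXCHANGE_RE = re.compile(r"^exchange: (.+)$")
KERB_RE = re.compile(r"^Peer KerbID (\S+)")
# Failure reasons that appear as bare lines; extend as you meet others in your own logs.
OUTCOME_PHRASES = ("Negotiation timed out",)


def _seconds(m):
    """Timestamp to seconds; the day is folded in so a midnight wrap-around still works."""
    return (((int(m["day"]) * 24 + int(m["hh"])) * 60 + int(m["mm"])) * 60
            + int(m["ss"]) + int(m["ms"]) / 1000.0)


def summarise_oakley_log(text):
    """Return {sa_handle: summary} for every SA handle named in the log text."""
    sas = defaultdict(lambda: {"peer_ip": None, "peer_identity": None, "exchanges": [],
                               "retransmits": [], "exhausted": False,
                               "dead_status": None, "outcome": None})
    current = {}  # thread id -> SA handle most recently named on that thread
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        thread, msg, ts = m["thread"], m["msg"].strip(), _seconds(m)
        r = RETRANSMIT_RE.match(msg)
        if r:
            sa = current[thread] = r.group(2).upper()
            sas[sa]["retransmits"].append((ts, int(r.group(3))))
            sas[sa]["exhausted"] |= bool(r.group(1))
            continue
        s = SENDING_RE.match(msg)
        if s:
            sa = current[thread] = s.group(1).upper()
            sas[sa]["peer_ip"] = s.group(2)
            continue
        d = DEAD_RE.match(msg)
        if d:
            sa = current[thread] = d.group(1).upper()
            sas[sa]["dead_status"] = d.group(2)
            continue
        # Remaining lines carry no SA handle: attribute them to the thread's current SA.
        sa = current.get(thread)
        if sa is None:
            continue
        e = EXCHANGE_RE.match(msg)
        k = KERB_RE.match(msg)
        if e and e.group(1) not in sas[sa]["exchanges"]:
            sas[sa]["exchanges"].append(e.group(1))
        elif k:
            sas[sa]["peer_identity"] = k.group(1)
        elif msg in OUTCOME_PHRASES:
            sas[sa]["outcome"] = msg
    return dict(sas)


def retransmit_intervals(summary):
    """Seconds between consecutive retransmits of one SA (exposes the back-off)."""
    times = [t for t, _ in summary["retransmits"]]
    return [round(b - a, 3) for a, b in zip(times, times[1:])]


def diagnose(summary):
    """One-line verdict for an SA summary."""
    counts = [c for _, c in summary["retransmits"]]
    exchange = summary["exchanges"][0] if summary["exchanges"] else "unknown exchange"
    if summary["exhausted"] and summary["outcome"]:
        return (f"{summary['outcome']}: {exchange} to {summary['peer_ip']} gave up at "
                f"retransmit count {counts[-1]} (SA dead, status {summary['dead_status']})")
    if counts:
        return f"{exchange} to {summary['peer_ip']}: {len(counts)} retransmits, still open"
    return "no retransmits recorded"
```

Run on the excerpt above, `summarise_oakley_log(SAMPLE_LOG)["000F26B8"]` reports retransmit counts 4, 5 and 6 towards 192.168.1.15, gaps of 16 s and then 32 s between them, and the "Negotiation timed out" outcome with dead status 35ed. A Main Mode that ends this way means no usable reply came back before the retransmit budget ran out, whatever the underlying cause; the rest of the thread goes on to chase that cause.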
dynamik
Banned Posts: 12,312
It seems like this can happen if your policies aren't set up right. You might have a certificate, shared secret, or other configuration problem.
Mikdilly
Member Posts: 309
> It seems like this can happen if your policies aren't set up right. You might have a certificate, shared secret, or other configuration problem.
What if I had Certification Authority service running on the server? I forgot it was installed when I added the security policy on the server. In event viewer it shows errors about 'windows could not determine the user or computer name. The specified domain could not be contacted. Group policy processing aborted.'
It looks like the server needs to be re-joined to the domain, but it won't let you with CA service running on it.
dynamik
Banned Posts: 12,312
Sounds like a DNS issue. I'd focus on resolving that, as that seems to be the underlying problem.
Mikdilly
Member Posts: 309
Moved to another server, Windows 2000. ipsecmon shows security associations when the shared folder on the server is opened from the XP machine. When running 'ipseccmd show sas' on XP I get:
Main Mode SAs
IPSecEnumMMSAs failed with error 50
The request is not supported.
Quick Mode SAs
EnumQMSAs failed with error 50
Security log on xp shows:
IKE security association established.
Mode:
Data Protection Mode (Quick Mode)
Peer Identity:
Kerberos based Identity: server2000-1$@DOMAIN1.LOCAL
Peer IP Address: 192.168.2.25
Filter:
Source IP Address 192.168.1.16
Source IP Address Mask 255.255.255.255
Destination IP Address 192.168.2.25
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 192.168.1.16
IKE Peer Addr 192.168.2.25
Parameters:
ESP Algorithm Triple DES CBC
HMAC Algorithm SHA
AH Algorithm None
Encapsulation Transport Mode
InboundSpi 418428003 (0x18f0b463)
OutBoundSpi 1867704610 (0x6f52e922)
Lifetime (sec) 3600
Lifetime (kb) 100000
Why the error in ipseccmd?
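To check what the Security log is actually reporting (the point that an SA does exist between the two machines), here is an added Python example, not from this thread and not Microsoft's code, that parses the 'IKE security association established' event body above into its Mode, Peer Identity, Filter and Parameters sections, verifies that the decimal and hex renderings of each SPI agree, and returns a short list of findings about the SA. The sample is the event text quoted above; the section names and parameter keys are taken from that excerpt, while the expected local/peer addresses passed to the check and the set of ciphers treated as legacy are my own assumptions.

```python
"""Parse a Windows 'IKE security association established' Security-log event body."""
import re

# Constructed sample: the Security-log event body quoted in this thread.
SAMPLE_EVENT = """\
IKE security association established.
Mode:
Data Protection Mode (Quick Mode)
Peer Identity:
Kerberos based Identity: server2000-1$@DOMAIN1.LOCAL
Peer IP Address: 192.168.2.25
Filter:
Source IP Address 192.168.1.16
Source IP Address Mask 255.255.255.255
Destination IP Address 192.168.2.25
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 192.168.1.16
IKE Peer Addr 192.168.2.25
Parameters:
ESP Algorithm Triple DES CBC
HMAC Algorithm SHA
AH Algorithm None
Encapsulation Transport Mode
InboundSpi 418428003 (0x18f0b463)
OutBoundSpi 1867704610 (0x6f52e922)
Lifetime (sec) 3600
Lifetime (kb) 100000
"""

SECTIONS = ("Mode", "Peer Identity", "Filter", "Parameters")
# Parameter keys as they appear in the excerpt; values may contain spaces.
PARAM_KEYS = ("ESP Algorithm", "HMAC Algorithm", "AH Algorithm", "Encapsulation",
              "InboundSpi", "OutBoundSpi", "Lifetime (sec)", "Lifetime (kb)")
SPI_RE = re.compile(r"^(\d+) \(0x([0-9a-fA-F]+)\)$")
# Assumption: ciphers we treat as legacy when reviewing an SA today.
LEGACY_CIPHERS = {"DES CBC", "Triple DES CBC"}


def parse_ike_event(text):
    """Return a dict with the event summary line and its four sections."""
    event = {"summary": None, "Mode": None, "Peer Identity": {}, "Filter": {}, "Parameters": {}}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if event["summary"] is None:
            event["summary"] = line
        elif line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]
        elif section == "Mode":
            event["Mode"] = line
        elif section == "Peer Identity":
            key, _, value = line.partition(": ")
            event["Peer Identity"][key] = value
        elif section == "Filter":
            key, _, value = line.rpartition(" ")  # value is always the last token
            event["Filter"][key] = value
        elif section == "Parameters":
            for key in PARAM_KEYS:
                if line.startswith(key + " "):
                    event["Parameters"][key] = line[len(key) + 1:]
                    break
    return event


def spi_consistent(value):
    """True when the decimal and hex renderings of an SPI field agree."""
    m = SPI_RE.match(value or "")
    return bool(m) and int(m.group(1)) == int(m.group(2), 16)


def assess_sa(event, local_ip, peer_ip):
    """Return findings about an established-SA event for the given endpoints."""
    findings = []
    f, p = event["Filter"], event["Parameters"]
    if "Quick Mode" in (event["Mode"] or ""):
        findings.append("quick mode SA established: IPsec traffic protection is in place")
    if f.get("IKE Local Addr") != local_ip or f.get("IKE Peer Addr") != peer_ip:
        findings.append(f"filter endpoints {f.get('IKE Local Addr')}->{f.get('IKE Peer Addr')} "
                        f"do not match expected {local_ip}->{peer_ip}")
    for name in ("InboundSpi", "OutBoundSpi"):
        if not spi_consistent(p.get(name)):
            findings.append(f"{name} missing or inconsistent: {p.get(name)!r}")
    if p.get("ESP Algorithm") in LEGACY_CIPHERS:
        findings.append(f"ESP cipher {p['ESP Algorithm']} is legacy; prefer AES where both peers support it")
    if p.get("AH Algorithm") == "None" and p.get("HMAC Algorithm") in (None, "None"):
        findings.append("no integrity protection configured")
    return findings
```

For the event above, `assess_sa(parse_ike_event(SAMPLE_EVENT), "192.168.1.16", "192.168.2.25")` confirms a Quick Mode SA between the two hosts with consistent SPIs, so the 'error 50 / The request is not supported' from ipseccmd is returned by the enumeration call itself rather than being evidence that no SA exists. It also flags Triple DES as a legacy cipher, which is worth knowing before declaring the policy healthy.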
UncleCid
Member Posts: 66
Did you RSOP the XP machine and/or server to ensure that the policies are applied? Sounds to me like the reason there are no SAs being set up is because of a mismatch in either key exchange method, authentication method, or security method.
http://technet.microsoft.com/en-us/library/cc783041.aspx
Mikdilly
Member Posts: 309
> Did you RSOP the XP machine and/or server to ensure that the policies are applied? Sounds to me like the reason there are no SAs being set up is because of a mismatch in either key exchange method, authentication method, or security method.
> IPSec Troubleshooting: Internet Protocol Security (IPsec)
I think there is an SA set up between the XP machine and the server, as the security log on the XP machine shows:
'IKE security association established.
Mode:
Data Protection Mode (Quick Mode)'
Since the SA is set up between the 2 machines, I don't understand why the errors show up in ipseccmd. Beginning to think that ipseccmd doesn't work; have seen other posts where people were getting the same errors in it, but there was no fix to the errors.
UncleCid
Member Posts: 66
Have you tried using a simple shared key? If it still fails, it is probably not an IPsec misconfiguration that is causing the issue.