
IKE negotiation

Mikdilly (Member, Posts: 309)
XP machine set up with Client (Respond Only) policy through GPO; it can't connect to a shared folder on a 2003 server set up with Server (Request Security) policy. The client machine gets an 'IKE security association negotiation failed' in Event Viewer for Main Mode. Failure reason says 'negotiation timed out'. Failure point: me.

Both machines are on same subnet. What would cause this error?

Comments

    UncleCid (Member, Posts: 66)
    Mikdilly wrote: »
    XP machine set up with Client (Respond Only) policy through GPO; it can't connect to a shared folder on a 2003 server set up with Server (Request Security) policy. The client machine gets an 'IKE security association negotiation failed' in Event Viewer for Main Mode. Failure reason says 'negotiation timed out'. Failure point: me.

    Both machines are on same subnet. What would cause this error?

    Are the times in sync?
    Mikdilly (Member, Posts: 309)
    Both machines' times are in sync. I enabled logging of IKE; this is the last portion of the log. Can anyone interpret this?

    5-04: 20:59:11:646:27c retransmit: sa = 000F26B8 centry 00000000 , count = 4
    5-04: 20:59:11:646:27c
    5-04: 20:59:11:646:27c Sending: SA = 0x000F26B8 to 192.168.1.15:Type 2.500
    5-04: 20:59:11:646:27c ISAKMP Header: (V1.0), len = 192
    5-04: 20:59:11:646:27c I-COOKIE 2ba9fd62cb3cb53d
    5-04: 20:59:11:646:27c R-COOKIE db0f99135ef1e6f6
    5-04: 20:59:11:646:27c exchange: Oakley Main Mode
    5-04: 20:59:11:646:27c flags: 0
    5-04: 20:59:11:646:27c next payload: SA
    5-04: 20:59:11:646:27c message ID: 00000000
    5-04: 20:59:11:646:27c Ports S:f401 D:f401
    5-04: 20:59:27:646:27c retransmit: sa = 000F26B8 centry 00000000 , count = 5
    5-04: 20:59:27:646:27c
    5-04: 20:59:27:646:27c Sending: SA = 0x000F26B8 to 192.168.1.15:Type 2.500
    5-04: 20:59:27:646:27c ISAKMP Header: (V1.0), len = 192
    5-04: 20:59:27:646:27c I-COOKIE 2ba9fd62cb3cb53d
    5-04: 20:59:27:646:27c R-COOKIE db0f99135ef1e6f6
    5-04: 20:59:27:646:27c exchange: Oakley Main Mode
    5-04: 20:59:27:646:27c flags: 0
    5-04: 20:59:27:646:27c next payload: SA
    5-04: 20:59:27:646:27c message ID: 00000000
    5-04: 20:59:27:646:27c Ports S:f401 D:f401
    5-04: 20:59:59:646:27c retransmit exhausted: sa = 000F26B8 centry 00000000, count = 6
    5-04: 20:59:59:646:27c SA Dead. sa:000F26B8 status:35ed
    5-04: 20:59:59:646:27c isadb_set_status sa:000F26B8 centry:00000000 status 35ed
    5-04: 20:59:59:646:27c Peer KerbID penny-2141dns$@DOMAIN1.LOCAL
    5-04: 20:59:59:646:27c Key Exchange Mode (Main Mode)
    5-04: 20:59:59:646:27c Source IP Address 192.168.1.16 Source IP Address Mask 255.255.255.255 Destination IP Address 192.168.1.15 Destination IP Address Mask 255.255.255.255 Protocol 0 Source Port 0 Destination Port 0 IKE Local Addr 192.168.1.16 IKE Peer Addr 192.168.1.15
    5-04: 20:59:59:646:27c Kerberos based Identity: penny-2141dns$@DOMAIN1.LOCAL Peer IP Address: 192.168.1.15
    5-04: 20:59:59:646:27c Me
    5-04: 20:59:59:646:27c Negotiation timed out
    5-04: 20:59:59:646:27c 0x0 0x0
    5-04: 20:59:59:646:27c constructing ISAKMP Header
    5-04: 20:59:59:646:27c constructing DELETE. MM 000F26B8
    5-04: 20:59:59:646:27c
    5-04: 20:59:59:646:27c Sending: SA = 0x000F26B8 to 192.168.1.15:Type 1.500
    5-04: 20:59:59:646:27c ISAKMP Header: (V1.0), len = 56
    5-04: 20:59:59:646:27c I-COOKIE 2ba9fd62cb3cb53d
    5-04: 20:59:59:646:27c R-COOKIE db0f99135ef1e6f6
    5-04: 20:59:59:646:27c exchange: ISAKMP Informational Exchange
    5-04: 20:59:59:646:27c flags: 0
    5-04: 20:59:59:646:27c next payload: DELETE
    5-04: 20:59:59:646:27c message ID: 2381f325
    5-04: 20:59:59:646:27c Ports S:f401 D:f401
    5-04: 21:00:35:68:2b0 ClearFragList
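    As an added example (not code from the thread), a small Python parser for the Oakley.log format quoted above: it groups lines by SA handle and flags negotiations that reached "retransmit exhausted" or "Negotiation timed out", which is the pattern behind the Main Mode event in the first post. The sample log is constructed to mirror the excerpt; the SA handle, peer address and Kerberos identity are the ones in the post.

```python
import re
from collections import defaultdict
SAMPLE_LOG = """\
5-04: 20:59:11:646:27c retransmit: sa = 000F26B8 centry 00000000 , count = 4
5-04: 20:59:11:646:27c Sending: SA = 0x000F26B8 to 192.168.1.15:Type 2.500
5-04: 20:59:11:646:27c exchange: Oakley Main Mode
5-04: 20:59:27:646:27c retransmit: sa = 000F26B8 centry 00000000 , count = 5
5-04: 20:59:59:646:27c retransmit exhausted: sa = 000F26B8 centry 00000000, count = 6
5-04: 20:59:59:646:27c Peer KerbID penny-2141dns$@DOMAIN1.LOCAL
5-04: 20:59:59:646:27c Negotiation timed out
"""  # constructed sample in the Oakley.log format of the excerpt above (same handle, peer, identity)
LINE_RE = re.compile(r"^\d+-\d+: \d+:\d+:\d+:\d+:[0-9a-f]+ (.*)$")  # strip date, time and thread id
# Lines that name an SA handle; each following untagged line is attributed to the handle last seen.
RETRANS_RE = re.compile(r"retransmit(?P<exhausted> exhausted)?: sa = (?P<sa>[0-9A-Fa-f]+) .*count = (?P<count>\d+)")
SEND_RE = re.compile(r"Sending: SA = 0x(?P<sa>[0-9A-Fa-f]+) to (?P<peer>[\d.]+):")

def analyze_oakley_log(text):
    """Group Oakley.log lines by SA handle and record how each negotiation ended."""
    sas = defaultdict(lambda: {"peer": None, "exchange": None, "peer_identity": None,
                               "retransmit_counts": [], "exhausted": False, "timed_out": False})
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(1)
        r, s = RETRANS_RE.search(msg), SEND_RE.search(msg)
        if r or s:
            current = (r or s).group("sa").upper()
        if current is None:
            continue  # no SA handle seen yet, nothing to attribute the line to
        sa = sas[current]
        if r:
            sa["retransmit_counts"].append(int(r.group("count")))
            sa["exhausted"] = sa["exhausted"] or r.group("exhausted") is not None
        elif s:
            sa["peer"] = s.group("peer")
        elif msg.startswith("exchange: "):
            sa["exchange"] = sa["exchange"] or msg[len("exchange: "):]  # keep the first exchange seen
        elif msg.startswith("Peer KerbID "):
            sa["peer_identity"] = msg[len("Peer KerbID "):]
        elif msg == "Negotiation timed out":
            sa["timed_out"] = True
    return dict(sas)

def diagnose(sas):
    """One triage line per SA whose negotiation did not complete (no reply before retransmits ran out)."""
    return [f"SA {h} ({sa['exchange']}) to {sa['peer']} as {sa['peer_identity']}: {len(sa['retransmit_counts'])} "
            f"retransmits, exhausted={sa['exhausted']}, timed out={sa['timed_out']}; verify UDP 500 reaches the "
            f"peer and that both policies' key exchange, authentication and security methods match."
            for h, sa in sas.items() if sa["exhausted"] or sa["timed_out"]]
```

    Run it over a full Oakley.log and every SA that hit the retransmit ceiling shows up with its peer and identity, which is quicker than reading the raw retransmit lines by hand.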
    dynamik (Banned, Posts: 12,312)
    It seems like this can happen if your policies aren't setup right. You might have a certificate, shared secret, or other configuration problem.
    Mikdilly (Member, Posts: 309)
    dynamik wrote: »
    It seems like this can happen if your policies aren't setup right. You might have a certificate, shared secret, or other configuration problem.

    What if I had the Certification Authority service running on the server? I forgot it was installed when I added the security policy on the server. In Event Viewer it shows errors about 'windows could not determine the user or computer name. The specified domain could not be contacted. Group policy processing aborted.'
    It looks like the server needs to be re-joined to the domain but it won't let you with CA service running on it.
    dynamik (Banned, Posts: 12,312)
    Sounds like a DNS issue. I'd focus on resolving that as that seems to be the underlying problem.
    Mikdilly (Member, Posts: 309)
    Moved to another server (Windows 2000). ipsecmon shows security associations when the shared folder on the server is opened from the XP machine, but when running 'ipseccmd show sas' on XP I get:

    Main Mode SAs
    IPSecEnumMMSAs failed with error 50
    The request is not supported.

    Quick Mode SAs
    EnumQMSAs failed with error 50

    Security log on XP shows:

    IKE security association established.
    Mode:
    Data Protection Mode (Quick Mode)

    Peer Identity:
    Kerberos based Identity: server2000-1$@DOMAIN1.LOCAL
    Peer IP Address: 192.168.2.25

    Filter:
    Source IP Address 192.168.1.16
    Source IP Address Mask 255.255.255.255
    Destination IP Address 192.168.2.25
    Destination IP Address Mask 255.255.255.255
    Protocol 0
    Source Port 0
    Destination Port 0
    IKE Local Addr 192.168.1.16
    IKE Peer Addr 192.168.2.25

    Parameters:
    ESP Algorithm Triple DES CBC
    HMAC Algorithm SHA
    AH Algorithm None
    Encapsulation Transport Mode
    InboundSpi 418428003 (0x18f0b463)
    OutBoundSpi 1867704610 (0x6f52e922)
    Lifetime (sec) 3600
    Lifetime (kb) 100000

    Why the error in ipseccmd?
    UncleCid (Member, Posts: 66)
    Did you RSOP the XP machine and/or server to ensure that the policies are applied? Sounds to me like the reason there are no SAs being set up is a mismatch in either key exchange method, authentication method, or security method.

    http://technet.microsoft.com/en-us/library/cc783041.aspx
    Mikdilly (Member, Posts: 309)
    UncleCid wrote: »
    Did you RSOP the XP machine and/or server to ensure that the policies are applied? Sounds to me like the reason there are no SAs being set up is a mismatch in either key exchange method, authentication method, or security method.

    IPSec Troubleshooting: Internet Protocol Security (IPsec)

    I think there is an SA set up between the XP machine and the server, as the security log on the XP machine shows:

    'IKE security association established.
    Mode:
    Data Protection Mode (Quick Mode)'

    Since the SA is set up between the two machines, I don't understand why the errors show up in ipseccmd. Beginning to think that ipseccmd doesn't work; I have seen other posts where people were getting the same errors in it, but there was no fix for the errors.
    UncleCid (Member, Posts: 66)
    Have you tried using a simple shared key? If it still fails it is probably not an IPsec misconfiguration that is causing the issue.