IKE negotiation

XP Machine setup with Client (Respond Only) policy thru GPO, can't connect to shared folder on 2003 server setup with Server (Request Sec.) policy. The client machine gets a 'IKE security asociation negotiation failed' in event viewer for Main Mode. Failure reason says 'negotiation timed out' . Failure point: me.

Both machines are on same subnet. What would cause this error?

Find more posts tagged with

Comments

UncleCid

Mikdilly wrote: »

XP Machine setup with Client (Respond Only) policy thru GPO, can't connect to shared folder on 2003 server setup with Server (Request Sec.) policy. The client machine gets a 'IKE security asociation negotiation failed' in event viewer for Main Mode. Failure reason says 'negotiation timed out' . Failure point: me.

Both machines are on same subnet. What would cause this error?

Are the times in sync?

Mikdilly

Both machines' times are in sync, enabled logging of IKE, this is the last portion of the log, can anyone interpret this?

5-04: 20:59:11:646:27c retransmit: sa = 000F26B8 centry 00000000 , count = 4
5-04: 20:59:11:646:27c
5-04: 20:59:11:646:27c Sending: SA = 0x000F26B8 to 192.168.1.15:Type 2.500
5-04: 20:59:11:646:27c ISAKMP Header: (V1.0), len = 192
5-04: 20:59:11:646:27c I-COOKIE 2ba9fd62cb3cb53d
5-04: 20:59:11:646:27c R-COOKIE db0f99135ef1e6f6
5-04: 20:59:11:646:27c exchange: Oakley Main Mode
5-04: 20:59:11:646:27c flags: 0
5-04: 20:59:11:646:27c next payload: SA
5-04: 20:59:11:646:27c message ID: 00000000
5-04: 20:59:11:646:27c Ports S:f401 D:f401
5-04: 20:59:27:646:27c retransmit: sa = 000F26B8 centry 00000000 , count = 5
5-04: 20:59:27:646:27c
5-04: 20:59:27:646:27c Sending: SA = 0x000F26B8 to 192.168.1.15:Type 2.500
5-04: 20:59:27:646:27c ISAKMP Header: (V1.0), len = 192
5-04: 20:59:27:646:27c I-COOKIE 2ba9fd62cb3cb53d
5-04: 20:59:27:646:27c R-COOKIE db0f99135ef1e6f6
5-04: 20:59:27:646:27c exchange: Oakley Main Mode
5-04: 20:59:27:646:27c flags: 0
5-04: 20:59:27:646:27c next payload: SA
5-04: 20:59:27:646:27c message ID: 00000000
5-04: 20:59:27:646:27c Ports S:f401 D:f401
5-04: 20:59:59:646:27c retransmit exhausted: sa = 000F26B8 centry 00000000, count = 6
5-04: 20:59:59:646:27c SA Dead. sa:000F26B8 status:35ed
5-04: 20:59:59:646:27c isadb_set_status sa:000F26B8 centry:00000000 status 35ed
5-04: 20:59:59:646:27c Peer KerbID penny-2141dns$@DOMAIN1.LOCAL
5-04: 20:59:59:646:27c Key Exchange Mode (Main Mode)
5-04: 20:59:59:646:27c Source IP Address 192.168.1.16 Source IP Address Mask 255.255.255.255 Destination IP Address 192.168.1.15 Destination IP Address Mask 255.255.255.255 Protocol 0 Source Port 0 Destination Port 0 IKE Local Addr 192.168.1.16 IKE Peer Addr 192.168.1.15
5-04: 20:59:59:646:27c Kerberos based Identity: penny-2141dns$@DOMAIN1.LOCAL Peer IP Address: 192.168.1.15
5-04: 20:59:59:646:27c Me
5-04: 20:59:59:646:27c Negotiation timed out
5-04: 20:59:59:646:27c 0x0 0x0
5-04: 20:59:59:646:27c constructing ISAKMP Header
5-04: 20:59:59:646:27c constructing DELETE. MM 000F26B8
5-04: 20:59:59:646:27c
5-04: 20:59:59:646:27c Sending: SA = 0x000F26B8 to 192.168.1.15:Type 1.500
5-04: 20:59:59:646:27c ISAKMP Header: (V1.0), len = 56
5-04: 20:59:59:646:27c I-COOKIE 2ba9fd62cb3cb53d
5-04: 20:59:59:646:27c R-COOKIE db0f99135ef1e6f6
5-04: 20:59:59:646:27c exchange: ISAKMP Informational Exchange
5-04: 20:59:59:646:27c flags: 0
5-04: 20:59:59:646:27c next payload: DELETE
5-04: 20:59:59:646:27c message ID: 2381f325
5-04: 20:59:59:646:27c Ports S:f401 D:f401
5-04: 21:00:35:68:2b0 ClearFragList

dynamik

It seems like this can happen if your policies aren't setup right. You might have a certificate, shared secret, or other configuration problem.

Mikdilly

dynamik wrote: »

It seems like this can happen if your policies aren't setup right. You might have a certificate, shared secret, or other configuration problem.

What if I had Certification Authority service running on the server, i forgot it was installed when I added the security policy on the server. In event viewer it shows errors about 'windows could not determine the user or computer name. The specified domain could not be contacted. Group policy processing aborted.'
It looks like the server needs to be re-joined to the domain but it won't let you with CA service running on it.

dynamik

Sounds like a DNS issue. I'd focus on resolving that as that seems to be the underlying problem.

Mikdilly

Moved to another server, windows 2000, ipsecmon shows security asociations when shared folder on server is opened from xp machine, when running 'ipseccmd show sas' on xp get

Main Mode SAs

IPSecEnumMMSAs failed with error 50
The request is not supported.

Quick Mode SAs

EnumQMSAs failed with error 50

Security log on xp shows:

IKE security association established.
Mode:
Data Protection Mode (Quick Mode)

Peer Identity:
Kerberos based Identity: server2000-1$@DOMAIN1.LOCAL
Peer IP Address: 192.168.2.25

Filter:
Source IP Address 192.168.1.16
Source IP Address Mask 255.255.255.255
Destination IP Address 192.168.2.25
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 192.168.1.16
IKE Peer Addr 192.168.2.25

Parameters:
ESP Algorithm Triple DES CBC
HMAC Algorithm SHA
AH Algorithm None
Encapsulation Transport Mode
InboundSpi 418428003 (0x18f0b463)
OutBoundSpi 1867704610 (0x6f52e922)
Lifetime (sec) 3600
Lifetime (kb) 100000

Why the error in ipseccmd?

UncleCid

Did you RSOP the xp machine and/or server to ensure that the policies are applied? Sounds to me like the reason there are no SA's being setup is because of a mismatch in either key exchange method, authentication method, or security method.

http://technet.microsoft.com/en-us/library/cc783041.aspx

Mikdilly

UncleCid wrote: »

Did you RSOP the xp machine and/or server to ensure that the policies are applied? Sounds to me like the reason there are no SA's being setup is because of a mismatch in either key exchange method, authentication method, or security method.

IPSec Troubleshooting: Internet Protocol Security (IPsec)

I think there is an SA setup between the xp machine and the server as the security log on the xp machine shows:

'IKE security association established.
Mode:
Data Protection Mode (Quick Mode)'

Since the SA is setup between the 2 machines I don't understand why the errors show up in ipseccmd. Beginning to think that ipseccmd doesn't work, have seen other posts where people were getting the same errors in it but there was no fix to the errors.

UncleCid

Have you tried using a simple shared key? If it still fails it is probably not an IPsec misconfiguration that is causing the issue.