
Has anybody successfully created an IPSec site-to-site tunnel between a Windows Server 2003 or 2008 and a Cisco router?

We tried the steps outlined at:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b12b5.shtml

But no luck.

Thanks, Dejan

1 Answer


No.

I spent two whole days last week trying to accomplish the exact same thing and failed. I found this to be a poorly documented topic, and after two days I just gave up.

I did get it to sort of work, but with various configurations on the Windows side, I could only get one side or the other to be able to create the tunnel, but never both. Once the tunnel was created both sides could communicate with each other through the tunnel, but only if, for example, the Cisco router initiated the tunnel.

You can find my Cisco config from this post and maybe some other information that might help from this serverfault post I made; even though I said XP, I tried with 2003 as well. Here is an article on how to get some error logs for the Windows side. For the Cisco side, you can enable various crypto debugging with debug crypto ? where the question mark will show you the options.

From the Windows side, if you see a failure with Main Mode, that would be the initial IKE negotiation in the General -- Advanced portion of your policy. For Quick Mode, that would be the Negotiate security part of your filter action. For the Cisco side, Quick Mode is the transform set, and Main Mode is the crypto isakmp policy.

In that Cisco document you linked to, if you look at the filters, it shows their filters as being mirrored. According to Microsoft, mirrored filters and protocol-specific filters are not supported with tunnel mode.

I also wrote the following for myself to help me get the Windows settings:

There are 'IP Security Policies'. Each policy has IKE settings (Phase 1, or Main Mode). Each policy can also have rules applied to it. A rule can have a single filter, a single filter action, an optional tunnel endpoint, and an authentication method. A filter chooses what traffic will be matched and have the rule applied to it. A filter can be described in terms of Source address, Destination Address, and/or protocols and ports.

The filters are where my test broke down, I think. For the Microsoft to Cisco, if I used the Windows IP and the Cisco IP as the destination, it would not work; I had to put ANY IP for the destination and set the protocol for the filter to ICMP for my test (even though those are not supposed to work).

So on the whole, I found it to be a spotty technology, poorly documented, and if you can't tell, frustrating. I have set up site-to-site VPN with Cisco to Cisco before without any problems. If you get it to work reliably, please post what you did. Sorry if this post is a bit rambling; hopefully something in here might help you.

Kyle Brandt
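As an added example (not part of Kyle's answer or of the Cisco document linked in the question), here is the Windows half of the structure described above, scripted with netsh on Windows Server 2003/2008 instead of clicked through the IP Security Policies MMC: one policy carrying the Main Mode settings, two non-mirrored filter lists (one per direction, since Microsoft does not support mirrored or protocol-specific filters in tunnel mode), one negotiate filter action carrying the Quick Mode settings, and two rules whose tunnel endpoints are the Cisco router (outbound) and the Windows host itself (inbound). All addresses, subnet masks and the pre-shared key are assumed placeholders; the mmsecmethods value has to match the Cisco crypto isakmp policy and the qmsecmethods value has to match the Cisco transform set, or Main Mode and Quick Mode respectively will fail in the logs the answer points at.

```batch
@echo off
rem Added example, not from the original post. Builds a tunnel-mode IPsec
rem policy on Windows Server 2003/2008 toward a Cisco peer using netsh.
rem Every value below is an assumed placeholder; replace before use.
rem   LOCAL_GW   = this Windows host's own IP (local tunnel endpoint)
rem   REMOTE_GW  = the Cisco router's IP (remote tunnel endpoint)
rem   LOCAL_NET  = subnet behind Windows, REMOTE_NET = subnet behind Cisco
set LOCAL_GW=203.0.113.10
set REMOTE_GW=198.51.100.1
set LOCAL_NET=192.168.10.0
set LOCAL_MASK=255.255.255.0
set REMOTE_NET=192.168.20.0
set REMOTE_MASK=255.255.255.0
set PSK=ReplaceWithTheSameKeyConfiguredOnTheCisco

rem Phase 1 / Main Mode. mmsecmethods must line up with the Cisco
rem "crypto isakmp policy": here 3DES, SHA1, DH group 2, 8 hour lifetime.
netsh ipsec static add policy name="ToCisco" ^
    description="Tunnel-mode IPsec to Cisco peer" ^
    mmsecmethods="3DES-SHA1-2" mmlifetime=28800 assign=no

rem One filter list per direction. Tunnel mode does not support mirrored
rem filters, so each direction is its own filter with mirrored=no, and the
rem protocol is left as ANY because protocol-specific filters are not
rem supported in tunnel mode either.
netsh ipsec static add filterlist name="Local-to-Remote"
netsh ipsec static add filter filterlist="Local-to-Remote" ^
    srcaddr=%LOCAL_NET% srcmask=%LOCAL_MASK% ^
    dstaddr=%REMOTE_NET% dstmask=%REMOTE_MASK% ^
    protocol=ANY mirrored=no

netsh ipsec static add filterlist name="Remote-to-Local"
netsh ipsec static add filter filterlist="Remote-to-Local" ^
    srcaddr=%REMOTE_NET% srcmask=%REMOTE_MASK% ^
    dstaddr=%LOCAL_NET% dstmask=%LOCAL_MASK% ^
    protocol=ANY mirrored=no

rem Phase 2 / Quick Mode. qmsecmethods must line up with the Cisco
rem transform set: ESP with 3DES and SHA1, lifetime 4608000 KB / 3600 s.
rem inpass=no and soft=no keep cleartext from being accepted or allowed
rem through when negotiation fails.
netsh ipsec static add filteraction name="Negotiate-ESP" ^
    action=negotiate qmsecmethods="ESP[3DES,SHA1]:4608000k/3600s" ^
    inpass=no soft=no

rem Rule 1: traffic leaving for the remote subnet, tunnel endpoint = Cisco.
netsh ipsec static add rule name="Outbound" policy="ToCisco" ^
    filterlist="Local-to-Remote" filteraction="Negotiate-ESP" ^
    tunnel=%REMOTE_GW% conntype=all psk="%PSK%"

rem Rule 2: traffic arriving from the remote subnet, tunnel endpoint = us.
netsh ipsec static add rule name="Inbound" policy="ToCisco" ^
    filterlist="Remote-to-Local" filteraction="Negotiate-ESP" ^
    tunnel=%LOCAL_GW% conntype=all psk="%PSK%"

rem Assign (activate) the policy on this machine.
netsh ipsec static set policy name="ToCisco" assign=yes

rem Review what was built, then watch the Main Mode and Quick Mode
rem security associations appear (or not) while sending test traffic.
netsh ipsec static show policy name="ToCisco" level=verbose
netsh ipsec dynamic show mmsas
netsh ipsec dynamic show qmsas
```

When testing, run the script on the Windows host, send traffic from a machine on LOCAL_NET to one on REMOTE_NET, and compare the output of show mmsas and show qmsas with debug crypto isakmp and debug crypto ipsec on the Cisco side: an empty mmsas list points at a Phase 1 mismatch (isakmp policy versus mmsecmethods or the pre-shared key), while a Main Mode SA with no Quick Mode SA points at the transform set, the filter addresses or the tunnel endpoints.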
  • I will try to check in on the post later, if you post more specific stuff in your question and I can help I will. But as I said, I never got it to reliably work. – Kyle Brandt Nov 18 '09 at 12:43
  • +1 - I wasted way too much of my time trying the same thing. My environment works fine with router to router, so that is what I do now. – Aaron Nov 18 '09 at 14:30
  • @Aaron: Ya, my goal was to secure Radius Traffic between the router and the IAS server. Although I just kind of gave up since that is all within my network. – Kyle Brandt Nov 18 '09 at 14:39
  • Thanks Kyle. I had the same frustrating experience and basically gave up, which is why I'm asking if there's somebody that was smarter about this than me. Windows-to-Windows works, Cisco-to-Cisco works, but the two ain't talking to each other. :( –  Nov 18 '09 at 16:56