Main mode SA stopped responding

microsoft-forefrontvpn

I'm having connection problems with a site to site VPN. My site uses Forefront TMG box, the remote site a Cisco VPN concentrator. The connection is dropping frequently.

The only entry that shows up in the logs is 4654 with the following text.

An IPsec quick mode negotiation failed.
…

Additional Information:
Protocol: 0
Keying Module Name: IKEv1
Virtual Interface Tunnel ID: 0
Traffic Selector ID: 0
Mode: Tunnel
Role: Initiator
Quick Mode Filter ID: 119435

Main Mode SA ID: 39
Failure Information:
State: Sent first (SA) payload
Message ID: 2147483651
Failure Point: Local computer
Failure Reason: Main mode SA assumed to be invalid because peer stopped responding.

What causes the entry described in failure reason?

Local phase 1: 86400 seconds Local phase 2: 28800 seconds, 4608000 kilobytes

Remote phase 1: 86400 seconds Remote phase 2: 28800 seconds, 4608000 kilobytes

There is no dead peer detection configured on either side of the tunnel.

An additional point of interest is the lifetime detected on the remote side for our tunnel is only 7200 seconds.

Best Answer

Based on the comments about the lifetime mismatch I managed to determine the underlying cause. Although the Forefront configuration indicates 86400 seconds the key lifetime that shows in the IP Security Monitor MMC shows 0KB / 7200 seconds, corresponding to the value our remote peer is detecting. It looks like I'll need to open a case with MS to determine why this value is being used.

Related Solutions

RV082 Gateway-Gateway VPN Won’t Connect

I have a site to site VPN beween two rv082's also. Checking my settings they show on both sides:

Local Security Gateway Type: IP Only
IP Address: external address
Local Security Group Type: Subnet
IP Address 192.168.188.0
Subnet Mask: 255.255.255.0

Remote Security Gateway Type: IP Only
IP Address: external address
Remote Security Group Type: Subnet
IP Address 192.168.166.0
Subnet Mask: 255.255.255.0

Keying Mode: IKE with Preshared key
Phase1 DH Group: Group 1
Phase1 Encryption: DES
Phase1 Authentication: MD5
Phase1 SA Life Time: 28800
Perfect Forward Secrecy: Enabled
Phase2 DH Group: Group 1
Phase2 Encryption: DES
Phase2 Authentication: MD5
Phase2 SA Life Time: 3600

Aggressive Mode: Disabled
Dead Peer Detection (DPD): Enabled

The only difference I see is agressive mode, but you tried that. Obviously you have a matching preshared key. Interface is WAN1 on both. So you don't have anything glaring - but maybe disable aggressive mode. I also remember having to delete and recreate them a few times to get it connected. Have you tried that?

Cisco – Can’t establish site to site vpn connection between Cisco 3900 and strongSwan client

Finally i found solution for my problem, it was only configuration issue.

instead of auto=add there must be auto=start and esp=aes256-sha1 must be esp=aes256-sha1-modp1536

I also added db parameters, but for work it's optional. If you change just this two parameters, it will work.

Final working configuration is like this.

# ipsec.conf - strongSwan IPsec configuration file                                                                                                                             

# basic configuration                                                                                                                                                           

config setup
    charondebug="ike 4, knl 4, cfg 4, net 4, esp 4, dmn 4,  mgr 4"
        #uniqueids = no                                                                                                                                                         

conn %default
    ikelifetime=1440m
    keylife=60m
    rekeymargin=3m
    keyingtries=1
    mobike=no
    keyexchange=ikev1
    dpdaction=clear
    dpddelay=200s

conn "providerVPN"
    type=tunnel
    auto=start
    aggressive=no
    esp=aes256-sha1-modp1536
    ike=aes256-sha1-modp1536

    right=VpnGatewayIP
    rightsubnet=10.248.64.0/20
    rightid=VpnGatewayIP
    rightauth=psk

    left=MyServerIP
    leftsubnet=MyServerIP/32
    leftid=MyServerIP
    leftauth=psk

    dpddelay=30s
    dpdaction=hold
    dpdtimeout=120s
    ikelifetime=86400s
    lifetime=86400s

Related Topic

Connecting from an AWS Lambda function or service within a VPC to a customer’s private network over VPN tunnel