Issue/Scenario: Recently  I worked on a Ipsec site to site Scenario between TMG and Cisco. Tunnel between these two end point was not getting established.

Troubleshooting approach

1. Checked the settings of the site to site IPsec tunnel.

2. In the addresses tab of the tunnel properties on the TMG server remote end point Ip address was not added, added it.

3. Tested the tunnel after applying the settings still issue persisted.

4. Checked all the settings, site to site settings, network rule and access rule they all look ok.(refer : http://technet.microsoft.com/en-us/library/dd441072.aspx)

5. Took TMG data packager with vpn template(refer : http://blogs.technet.com/b/sooraj-sec/archive/2010/04/10/instructions-for-isa-data-packager-to-collect-data-in-repro-mode.aspx) while trying to ping remote side address.

6. In the ikeetl logs found following

***************************************************************************

QM localAddr: x.x.x.x.0 Protocol 0

QM peerAddr : x.x.x.x.0 Mask x.x.x.x Protocol 0

IF-Luid: 1688850061590528

Profile ID: 3

Acquire flags 1

FwpmFilterEnum returned no matching filters

IkeMatchFwpmFilter failed with Windows error 13825(ERROR_IPSEC_IKE_NO_POLICY)

IkeMatchFwpmFilter failed with HRESULT 0x80073601(ERROR_IPSEC_IKE_NO_POLICY)

IkeFindQMPolicy failed with HRESULT 0x80073601(ERROR_IPSEC_IKE_NO_POLICY)

*********************************************************************************************************

Researched on it found http://technet.microsoft.com/en-us/library/bb794765.aspx

 and following section in it.

Quick policy mode negotiation fails with a "No policy configured" error

Symptom: An event is logged in the system event log, which indicates that quick policy mode negotiation failed with a "No policy configured" error.

Cause: The IPsec network range combines several physical networks with adjacent ranges. If you configure a remote site network, which actually comprises two different networks with adjacent IP address ranges in the same subnet, connections cannot be initiated to either network.

Solution: To avoid this, create two remote site IPsec networks, one for each physical network. Then create appropriate network and access rules for each remote site. For example, suppose you have three networks:

  • Network A with address range 10.1.0.0/24
  • Network B with address range 10.1.1.0/24
  • Network C with address range 10.1.2.0/24

To define remote site network connectivity from Network C to Network A and Network B, you must define two distinct remote networks (one for Network A and one for Network B), rather than combining the address ranges.

Also note that accurate network configuration is essential for IPsec site-to-site communications to work as expected. The VPN network on the local ISA Server computer (usually the default Internal network) must match the IP addresses of the network adapter associated with the network, and should include all subnets accessible from the adapter. Every time a network adapter receives a packet, ISA Server checks whether the source IP address of the packet is a valid address for the specific network adapter. If ISA Server does not consider it valid, an IP spoofing attack alert is issued. An IP address is considered valid if both of the following conditions are true:

  • The IP address resides in the network of the adapter through which it was received.
  • The routing table indicates that traffic destined to that address may be routed through the adapter belonging to that network.

 

7. Informed Admin to check the Cisco end for the address ranges used on that end and as well on TMG end ,  After the remote end subnet and host addresses were configured properly(i.e. Address ranges were defined without mixing adjacent ranges) , issue got resolved.