Issue/Scenario: Recently I worked on an IPsec site-to-site scenario between TMG and Cisco. The tunnel between these two endpoints was not getting established.
Troubleshooting approach
1. Checked the settings of the site-to-site IPsec tunnel.
2. In the Addresses tab of the tunnel properties on the TMG server, the remote endpoint IP address was not added; added it.
3. Tested the tunnel after applying the settings; the issue still persisted.
4. Checked all the settings (site-to-site settings, network rule and access rule); they all looked OK (refer: http://technet.microsoft.com/en-us/library/dd441072.aspx).
5. Took TMG Data Packager with the VPN template (refer: http://blogs.technet.com/b/sooraj-sec/archive/2010/04/10/instructions-for-isa-data-packager-to-collect-data-in-repro-mode.aspx) while trying to ping the remote side address.
6. In the ikeext ETL logs found the following:
***************************************************************************
[0]035C.1214::04/14/2011-21:28:35.472 [ikeext] 0|204.236.32.11|QM localAddr: 2.5.9.46.0 Protocol 0
[0]035C.1214::04/14/2011-21:28:35.472 [ikeext] 0|204.236.32.11|QM peerAddr : 10.102.6.182.0 Mask 255.255.255.192 Protocol 0
[0]035C.1214::04/14/2011-21:28:35.472 [ikeext] 0|204.236.32.11|IF-Luid: 1688850061590528
[0]035C.1214::04/14/2011-21:28:35.472 [ikeext] 0|204.236.32.11|Profile ID: 3
[0]035C.1214::04/14/2011-21:28:35.472 [ikeext] 0|204.236.32.11|Acquire flags 1
[0]035C.1214::04/14/2011-21:28:35.476 [ikeext] 0|204.236.32.11|FwpmFilterEnum returned no matching filters
[0]035C.1214::04/14/2011-21:28:35.476 [user] |204.236.32.11|IkeMatchFwpmFilter failed with Windows error 13825(ERROR_IPSEC_IKE_NO_POLICY)
[0]035C.1214::04/14/2011-21:28:35.476 [user] |204.236.32.11|IkeMatchFwpmFilter failed with HRESULT 0x80073601(ERROR_IPSEC_IKE_NO_POLICY)
[0]035C.1214::04/14/2011-21:28:35.476 [user] |204.236.32.11|IkeFindQMPolicy failed with HRESULT 0x80073601(ERROR_IPSEC_IKE_NO_POLICY)
*********************************************************************************************************
Researched it and found http://technet.microsoft.com/en-us/library/bb794765.aspx, with the following section in it:
Quick policy mode negotiation fails with a "No policy configured" error
Symptom: An event is logged in the system event log, which indicates that quick policy mode negotiation failed with a "No policy configured" error.
Cause: The IPsec network range combines several physical networks with adjacent ranges. If you configure a remote site network, which actually comprises two different networks with adjacent IP address ranges in the same subnet, connections cannot be initiated to either network.
Solution: To avoid this, create two remote site IPsec networks, one for each physical network. Then create appropriate network and access rules for each remote site. For example, suppose you have three networks:
To define remote site network connectivity from Network C to Network A and Network B, you must define two distinct remote networks (one for Network A and one for Network B), rather than combining the address ranges.
Also note that accurate network configuration is essential for IPsec site-to-site communications to work as expected. The VPN network on the local ISA Server computer (usually the default Internal network) must match the IP addresses of the network adapter associated with the network, and should include all subnets accessible from the adapter. Every time a network adapter receives a packet, ISA Server checks whether the source IP address of the packet is a valid address for the specific network adapter. If ISA Server does not consider it valid, an IP spoofing attack alert is issued. An IP address is considered valid if both of the following conditions are true:
7. Informed the admin to check the address ranges used on the Cisco end as well as on the TMG end. After the remote-end subnet and host addresses were configured properly (i.e. address ranges were defined without mixing adjacent ranges), the issue got resolved.
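As an added example (not part of the original post or of any Microsoft tooling), the following Python script automates the check behind steps 6 and 7: it pulls the quick-mode selectors and the ERROR_IPSEC_IKE_NO_POLICY outcome out of ikeext trace lines, expresses each configured remote-site address range as the CIDR blocks it covers, and reports whether one of those blocks is exactly the subnet the peer selector refers to. The trace lines and the two remote-site range definitions below are constructed for the example; the assumptions that the trailing ".N" after each address is a port field and that an exact subnet match is what TMG needs to find a quick-mode policy are labelled in the code.

```python
import ipaddress
import re

# Constructed ikeext trace excerpt, modelled on the lines in the post above (not a new capture).
SAMPLE_LOG = """\
[0]035C.1214::04/14/2011-21:28:35.472 [ikeext] 0|204.236.32.11|QM localAddr: 2.5.9.46.0 Protocol 0
[0]035C.1214::04/14/2011-21:28:35.472 [ikeext] 0|204.236.32.11|QM peerAddr : 10.102.6.182.0 Mask 255.255.255.192 Protocol 0
[0]035C.1214::04/14/2011-21:28:35.476 [ikeext] 0|204.236.32.11|FwpmFilterEnum returned no matching filters
[0]035C.1214::04/14/2011-21:28:35.476 [user] |204.236.32.11|IkeMatchFwpmFilter failed with Windows error 13825(ERROR_IPSEC_IKE_NO_POLICY)
"""

# Hypothetical TMG remote-site network definitions (start, end), constructed for the example.
# BAD_RANGES lumps two adjacent /26 networks on the Cisco side into one address range;
# GOOD_RANGES defines one range per physical network, as the TechNet article recommends.
BAD_RANGES = [("10.102.6.128", "10.102.6.255")]
GOOD_RANGES = [("10.102.6.128", "10.102.6.191"), ("10.102.6.192", "10.102.6.255")]

# Assumption: "QM peerAddr : a.b.c.d.N Mask m.m.m.m" carries address a.b.c.d, a port field N (0 = any)
# and an optional subnet mask; localAddr has the same shape without a mask.
QM_RE = re.compile(
    r"QM (localAddr|peerAddr)\s*:\s*(\d+(?:\.\d+){3})\.(\d+)(?:\s+Mask\s+(\d+(?:\.\d+){3}))?"
)


def parse_qm_acquire(log_text):
    """Extract the quick-mode selectors and the NO_POLICY outcome from ikeext trace lines."""
    result = {"local": None, "peer": None, "no_policy": False}
    for line in log_text.splitlines():
        m = QM_RE.search(line)
        if m:
            which, addr, _port, mask = m.groups()
            if which == "localAddr":
                result["local"] = ipaddress.ip_address(addr)
            elif mask:
                # Address plus mask -> the subnet the peer selector covers (host bits cleared).
                result["peer"] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            else:
                result["peer"] = ipaddress.ip_network(f"{addr}/32")
        if "ERROR_IPSEC_IKE_NO_POLICY" in line:
            result["no_policy"] = True
    return result


def range_to_subnets(start, end):
    """Express a TMG address range as the list of CIDR blocks it covers."""
    return list(ipaddress.summarize_address_range(ipaddress.ip_address(start), ipaddress.ip_address(end)))


def diagnose(log_text, remote_ranges):
    """Compare the peer selector from the trace with the configured remote-site ranges.

    Assumption: TMG finds a quick-mode policy only when a configured range is exactly the
    selector's subnet, so a range that merely contains the subnet (e.g. two adjacent
    networks merged into one range) is reported as a covering-but-inexact range.
    """
    qm = parse_qm_acquire(log_text)
    peer = qm["peer"]
    findings = {
        "no_policy": qm["no_policy"],
        "peer_selector": str(peer) if peer else None,
        "exact_match": False,
        "covering_range": None,
        "multi_subnet_ranges": [],
    }
    for start, end in remote_ranges:
        subnets = range_to_subnets(start, end)
        if len(subnets) > 1:
            # A range that is not a single CIDR block spans several subnets.
            findings["multi_subnet_ranges"].append(f"{start}-{end} -> {[str(s) for s in subnets]}")
        if peer is None:
            continue
        if peer in subnets:
            findings["exact_match"] = True
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo <= peer.network_address and peer.broadcast_address <= hi:
            findings["covering_range"] = f"{start}-{end}"
    return findings


if __name__ == "__main__":
    for label, ranges in (("merged ranges", BAD_RANGES), ("one range per network", GOOD_RANGES)):
        print(label, diagnose(SAMPLE_LOG, ranges))
```

With the merged definition the selector 10.102.6.128/26 is contained in 10.102.6.128-10.102.6.255 (a single /25) but no configured range is exactly that /26, which is the situation the trace shows; with the split definition the first range matches the selector exactly. Run the script against a real ikeext ETL converted to text and the TMG remote-site network's address ranges copied from the Addresses tab.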