Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

IPSec error "IKE SA deleted before establishment completed"

610 views
Skip to first unread message

Simon Geary

unread,
Aug 28, 2003, 4:34:23 AM8/28/03
to
I am trying to set up a simple IPSec test between two PC's to encrypt ICMP
traffic but keep getting the following error 547 in the security log

Event Type: Failure Audit
Event Source: Security
Event Category: System Event
Event ID: 547
Date: 28/08/2003
Time: 10:19:18
User: BUILTIN\Administrators
Computer: SGEARY
Description:
IKE security association negotiation failed.
Mode:
Key Exchange Mode (Main Mode)

Filter:
Source IP Address 134.32.58.141
Source IP Address Mask 255.255.255.255
Destination IP Address 134.32.58.113
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0

Failure Point:
Me

Failure Reason:
IKE SA deleted before establishment completed


My pings from the IPSec client to the IPSec server result in a never ending
reply of 'Negotiating IP Security' All other TCP traffic can get through so
it is just ICMP that is being blocked it seems.
I followed a very straightforward KB article to configure the Client and the
Secure Server so am pretty confident on the configuration and am using a
simple preshared key between the two. I can't find any reference to the
above error on TechNet, anyone have any ideas?


Louise Bowman [MSFT]

unread,
Sep 22, 2003, 10:44:53 AM9/22/03
to
Simon,

From what you are saying it seems that the main mode negotiotions are
failing.
This will happen if the preshared keys don't match or if the main mode
security methods don't match.
Check both of these.
In addition you may want to look at an oakley log. In case you don't know -
use the following command to set this up
netsh ipsec dynamic set config ikelogging 1.
The oakley.log file will be in the c:\windows\debug directory. This file
will show you where the failure is happening.


Louise Bowman [MSFT]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

"Simon Geary" <simon...@hotmail.com> wrote in message
news:OKwUK9Tb...@TK2MSFTNGP12.phx.gbl...

Stephen Cartwright [MSFT]

unread,
Sep 30, 2003, 2:27:11 PM9/30/03
to
Simon,

Are you using local polices? They need to be identical on each machine and
assigned.
If one machine is an AD and you are using that to derive IPSec policy for
the client to use, its not recommended to secure ICMP traffic as that
mechamism is used by group policy to obtain policy downloads. Secured ICMP
traffic will stop active policy getting assigned to the client. Likley you
are not in this scenario but mentioned just in case.

"Louise Bowman [MSFT]" <lbo...@microsoft.com> wrote in message
news:e0C88gR...@TK2MSFTNGP09.phx.gbl...

0 new messages