IPSec between Windows Server 2008 R2 / Forefront TMG (traffic to gateway does not get detunneled)

    Question

  • I have set up two Windows Server 2008 R2 machines with Microsoft Forefront TMG SE SP2. I also deployed an IPsec tunnel between the two machines. Both machines have static, public addresses, and both have an internal network adapter that connects the machine to a local network.

    The tunnel runs fine, I can a) ping both public addresses from both sides, seeing with Network Monitor that traffic is encapsulated into ESP packets. I can b) ping the internal addresses from the other side, so again I see ESP traffic running between the machines, getting delivered to the destination machine in the local network, and the reply again gets encapsulated into the IPsec tunnel and reaches the other machine. What does not work is pinging the internal network address from the other machine.

    So in essence, the setup is:

    Machine A:
    Public IP: 12.34.56.78
    Internal IP: 172.20.0.1

    Machine B:
    Public IP: 76.54.32.10
    Internal IP: 10.0.0.1

    If I ping from Machine B (76.54.32.10) to 172.20.0.1, the Windows Event Viewer shows this audit warning:

    The Windows Filtering Platform has blocked a packet.

    Application Information:
        Process ID:        0
        Application Name:    -

    Network Information:
        Direction:        Inbound
        Source Address:        76.54.32.10
        Source Port:        0
        Destination Address:    172.20.0.1
        Destination Port:        8
        Protocol:        1

    Filter Information:
        Filter Run-Time ID:    361187
        Layer Name:        Transport
        Layer Run-Time ID:    12

    The associated filter ID items are as follows (NetSh.exe WFP Show State):

    <item>
        <filterKey>{7e8d057c-e6e8-4304-9f4d-a43e1b025bce}</filterKey>
        <displayData>
            <name>ISA VPN S2S tunnel to network ATLAS</name>
            <description/>
        </displayData>
        <flags numItems="1">
            <item>FWPM_FILTER_FLAG_HAS_PROVIDER_CONTEXT</item>
        </flags>
        <providerKey/>
        <providerData/>
        <layerKey>FWPM_LAYER_INBOUND_TRANSPORT_V4</layerKey>
        <subLayerKey>FWPM_SUBLAYER_IPSEC_TUNNEL</subLayerKey>
        <weight>
            <type>FWP_UINT8</type>
            <uint8>0</uint8>
        </weight>
        <filterCondition numItems="2">
            <item>
                <fieldKey>FWPM_CONDITION_IP_LOCAL_ADDRESS</fieldKey>
                <matchType>FWP_MATCH_EQUAL</matchType>
                <conditionValue>
                    <type>FWP_V4_ADDR_MASK</type>
                    <v4AddrMask>
                        <addr>172.20.0.0</addr>
                        <mask>255.255.0.0</mask>
                    </v4AddrMask>
                </conditionValue>
            </item>
            <item>
                <fieldKey>FWPM_CONDITION_IP_REMOTE_ADDRESS</fieldKey>
                <matchType>FWP_MATCH_EQUAL</matchType>
                <conditionValue>
                    <type>FWP_V4_ADDR_MASK</type>
                    <v4AddrMask>
                        <addr>76.54.32.10</addr>
                        <mask>255.255.255.255</mask>
                    </v4AddrMask>
                </conditionValue>
            </item>
        </filterCondition>
        <action>
            <type>FWP_ACTION_CALLOUT_TERMINATING</type>
            <calloutKey>FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V4</calloutKey>
        </action>
        <providerContextKey>{df911c7b-590a-40ea-a042-bb978f376352}</providerContextKey>
        <reserved/>
        <filterId>361187</filterId>
        <effectiveWeight>
            <type>FWP_UINT64</type>
            <uint64>864655944083046400</uint64>
        </effectiveWeight>
    </item>

    <transportFilter>
        <filterKey>{7e8d057c-e6e8-4304-9f4d-a43e1b025bce}</filterKey>
        <displayData>
            <name>ISA VPN S2S tunnel to network ATLAS</name>
            <description/>
        </displayData>
        <flags numItems="1">
            <item>FWPM_FILTER_FLAG_HAS_PROVIDER_CONTEXT</item>
        </flags>
        <providerKey/>
        <providerData/>
        <layerKey>FWPM_LAYER_INBOUND_TRANSPORT_V4</layerKey>
        <subLayerKey>FWPM_SUBLAYER_IPSEC_TUNNEL</subLayerKey>
        <weight>
            <type>FWP_UINT8</type>
            <uint8>0</uint8>
        </weight>
        <filterCondition numItems="2">
            <item>
                <fieldKey>FWPM_CONDITION_IP_LOCAL_ADDRESS</fieldKey>
                <matchType>FWP_MATCH_EQUAL</matchType>
                <conditionValue>
                    <type>FWP_V4_ADDR_MASK</type>
                    <v4AddrMask>
                        <addr>172.20.0.0</addr>
                        <mask>255.255.0.0</mask>
                    </v4AddrMask>
                </conditionValue>
            </item>
            <item>
                <fieldKey>FWPM_CONDITION_IP_REMOTE_ADDRESS</fieldKey>
                <matchType>FWP_MATCH_EQUAL</matchType>
                <conditionValue>
                    <type>FWP_V4_ADDR_MASK</type>
                    <v4AddrMask>
                        <addr>76.54.32.10</addr>
                        <mask>255.255.255.255</mask>
                    </v4AddrMask>
                </conditionValue>
            </item>
        </filterCondition>
        <action>
            <type>FWP_ACTION_CALLOUT_TERMINATING</type>
            <calloutKey>FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V4</calloutKey>
        </action>
        <providerContextKey>{df911c7b-590a-40ea-a042-bb978f376352}</providerContextKey>
        <reserved/>
        <filterId>361187</filterId>
        <effectiveWeight>
            <type>FWP_UINT64</type>
            <uint64>864655944083046400</uint64>
        </effectiveWeight>
    </transportFilter>

    I am at a loss as to what is actually happening that Windows decides to drop this single packet that is actually directed at the gateway machine's internal address. I tried different approaches, like changing the definition of the "Internal" network in TMG, excluding the local address from the other machine, and most of all, I am pretty sure this configuration worked with Windows Server 2003 with ISA.

    Any hints are appreciated.

    Regards, Alexander Gräf


    Tuesday, July 09, 2013 1:15 AM
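Correlating the WFP audit event with the filter it names is the first diagnostic step in a case like this. The helper below is an added example, not code from the thread or from Microsoft; it parses a constructed, shortened copy of the `netsh wfp show state` item and the audit text quoted above, locates the filter by its `filterId`, and checks each address condition against the packet (for an inbound packet the local address is the destination and the remote address is the source).

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed, shortened copy of the <item> the question quotes from netsh wfp show state.
WFP_STATE_XML = """<wfpstate><filters><item>
  <displayData><name>ISA VPN S2S tunnel to network ATLAS</name></displayData>
  <layerKey>FWPM_LAYER_INBOUND_TRANSPORT_V4</layerKey>
  <subLayerKey>FWPM_SUBLAYER_IPSEC_TUNNEL</subLayerKey>
  <filterCondition numItems="2">
    <item><fieldKey>FWPM_CONDITION_IP_LOCAL_ADDRESS</fieldKey><conditionValue>
      <v4AddrMask><addr>172.20.0.0</addr><mask>255.255.0.0</mask></v4AddrMask></conditionValue></item>
    <item><fieldKey>FWPM_CONDITION_IP_REMOTE_ADDRESS</fieldKey><conditionValue>
      <v4AddrMask><addr>76.54.32.10</addr><mask>255.255.255.255</mask></v4AddrMask></conditionValue></item>
  </filterCondition>
  <action><calloutKey>FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V4</calloutKey></action>
  <filterId>361187</filterId>
</item></filters></wfpstate>"""

# Constructed copy of the audit text quoted in the question (only the fields used here).
EVENT_TEXT = """The Windows Filtering Platform has blocked a packet.
    Direction:        Inbound
    Source Address:        76.54.32.10
    Destination Address:    172.20.0.1
    Filter Run-Time ID:    361187"""

def parse_event(text):
    """Extract the fields needed to correlate a WFP block event with a filter."""
    grab = lambda label: re.search(label + r":\s*(\S+)", text).group(1)
    return {"filter_id": int(grab("Filter Run-Time ID")), "direction": grab("Direction"),
            "src": grab("Source Address"), "dst": grab("Destination Address")}

def explain_block(xml_text, event_text):
    """Find the filter whose <filterId> equals the event's Filter Run-Time ID and test
    each address condition against the packet; for an inbound packet the local
    address is the destination and the remote address is the source."""
    ev = parse_event(event_text)
    flt = next((i for i in ET.fromstring(xml_text).iter("item")
                if i.findtext("filterId") == str(ev["filter_id"])), None)
    if flt is None:
        return None
    local, remote = (ev["dst"], ev["src"]) if ev["direction"] == "Inbound" else (ev["src"], ev["dst"])
    matches = {}
    for cond in flt.find("filterCondition"):
        field, am = cond.findtext("fieldKey"), cond.find("conditionValue/v4AddrMask")
        net = ipaddress.ip_network(f"{am.findtext('addr')}/{am.findtext('mask')}", strict=False)
        pkt = local if field == "FWPM_CONDITION_IP_LOCAL_ADDRESS" else remote
        matches[field] = ipaddress.ip_address(pkt) in net
    return {"name": flt.findtext("displayData/name"), "layer": flt.findtext("layerKey"),
            "callout": flt.findtext("action/calloutKey"), "conditions": matches}
```

Both conditions match for the quoted packet, which confirms the drop came from the IPsec tunnel callout in the inbound transport layer rather than from a TMG policy rule.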

Answers

  • This was very unhelpful. I called TechNet Support and the answer is:

    netsh tmg set global name=DontDropIPSECDetunneledTrafficToLocalhost value=1 persistent

    With this setting, traffic to the gateway machine also gets detunneled instead of dropped. It is explained in a KB article:

    http://support.microsoft.com/kb/2502685

    Regards, Alexander Gräf

    • Marked as answer by graealex Wednesday, July 31, 2013 9:07 AM
    Wednesday, July 31, 2013 9:07 AM
