Problem with Site-to-Site Tunnel (IPSec) with Amazon

  • Tuesday, February 12, 2013 6:14 PM

    Hi, I have established a Site-to-Site IPSec tunnel between our TMG 2010 and our VPN at Amazon datacenters (where a couple of VMs were installed). The connection works fine while traffic from our side is being generated. However, when no traffic is being detected, technicians at the Amazon side claim that the tunnel goes down. TMG is not reporting any loss of connection for the tunnel (at least I cannot see any alert logged). A simple ping to any of the VMs at Amazon allows the tunnel to work again (technicians at the Amazon side can see that).

    Our TMG has SP2 with Update Rollup 3, running on Windows Server 2008 R2 with SP2 and the latest Windows updates. Any ideas would be much appreciated.

    The tunnel is configured as below from our side:

    Local Tunnel Endpoint: <<deleted for security>>
    Remote Tunnel Endpoint: <<deleted for security>>
    To allow HTTP proxy or NAT traffic to the remote site, 
    the remote site configuration must contain the local 
    site tunnel end-point IP address.
    IKE Phase I Parameters:
        Mode: Main mode
        Encryption: AES128
        Integrity: SHA1
        Diffie-Hellman group: Group 2 (1024 bit)
        Authentication Method: Pre-shared secret <<deleted for security>>
        Security Association Lifetime: 28800 seconds
    IKE Phase II Parameters:
        Mode: ESP tunnel mode
        Encryption: AES128
        Integrity: SHA1
        Perfect Forward Secrecy: ON
        Diffie-Hellman group: Group 2 (1024 bit)
        Time Rekeying: ON
        Security Association Lifetime: 3600 seconds
        Kbyte Rekeying: ON
        Rekey After Sending: 100000 Kbytes
    Remote Network 'AWS VPN Tunel 1' IP Subnets:
        Subnet: 10.0.0.0/255.255.0.0
        Subnet: <<deleted for security>>/255.255.255.255
    Local Network 'Internal' IP Subnets:
        Subnet: 192.168.0.0/255.255.248.0
    Routable Local IP Addresses:
        Subnet: 192.168.0.0/255.255.248.0


    Xavier Villafuerte - http://preempalverec.blogspot.com

All Replies

  • Monday, February 18, 2013 3:56 PM
    Moderator

    Hi,

    Thank you for the post.

    “technicians at the Amazon side claims that the tunnel goes down. TMG is not reporting any loss of connection for the tunnel” – what do you mean by that? Is the VPN tunnel really down? Do you receive any error message from the Amazon side VPN server?

    Regards,


    Nick Gu - MSFT

  • Wednesday, February 20, 2013 4:52 PM

    Hi Nick, sorry for the late response. Busy days. Well, no. As far as I can see in TMG, there is no error stating any problem with the tunnel. However, Amazon technicians told me that they see the tunnel go down when no traffic is detected from our side. After that, if I start a ping from our side to any of the VMs at the Amazon side, I can see that there are 3 failed attempts before the pings start to be successful. When the pings start to run with no problems, Amazon technicians tell me that the tunnel is up again.

    I was checking some documentation from Amazon and they mention that on their side IPSec Dead Peer Detection (DPD) will be enabled and it is recommended that the same be enabled on our side. However, TMG has no option to enable that and, as far as I can see, Windows 2012 is the only server product from Microsoft that has that option as part of its network stack. But, as you know, TMG does not run on Windows 2012.

    Maybe the problem is with DPD, but I am not completely sure. If that is the problem, and TMG does not allow me to enable that, I have 2 options: keep a continuous ping from our side or connect to Amazon using a different product (maybe a hardware appliance).

    If you have any other idea, please let me know.


    Xavier Villafuerte - http://preempalverec.blogspot.com
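As an added example (not code from the original thread, from TMG or from Amazon), here is the "continuous ping" workaround from the last reply, written so that it also records the symptom reported in the first post: it logs how many probes are lost before the tunnel comes back each time the far end has torn it down. The remote VM address 10.0.0.10, the 10-second interval, the 3-probe alert threshold and the log path are assumptions chosen for illustration, not values taken from the thread. It is written against PowerShell 2.0, the version that ships with Windows Server 2008 R2.

```powershell
# tunnel-keepalive.ps1 - added example, not from the original thread.
# Sends an ICMP echo to a host behind the AWS tunnel at a fixed interval so the
# far end never sees the tunnel idle, and logs state changes so the "first N
# pings fail after idle" symptom becomes measurable.
#
# Assumptions (hypothetical values, not from the post):
#   - 10.0.0.10 is a VM inside the remote 10.0.0.0/16 network that answers ICMP echo
#   - 10 seconds is shorter than the remote side's idle timeout
#   - C:\Logs\tunnel-keepalive.log is writable by the account running the script

param(
    [string]$RemoteHost      = '10.0.0.10',
    [int]   $IntervalSeconds = 10,
    [int]   $TimeoutMs       = 2000,
    [int]   $AlertAfter      = 3,
    [string]$LogPath         = 'C:\Logs\tunnel-keepalive.log'
)

function Write-KeepaliveLog {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    $dir  = Split-Path -Parent $LogPath
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    Add-Content -Path $LogPath -Value $line
}

# One probe. Returns $true when the peer answered inside the timeout, $false
# otherwise (a timeout, an unreachable reply from TMG and a resolution error
# all count as a lost probe).
function Test-TunnelPeer {
    param([string]$Target, [int]$Timeout)
    $ping = New-Object System.Net.NetworkInformation.Ping
    try {
        $reply = $ping.Send($Target, $Timeout)
        return ($reply.Status -eq [System.Net.NetworkInformation.IPStatus]::Success)
    } catch {
        return $false
    }
}

# Track consecutive failures and log only on transitions, so the log shows how
# many probes were lost each time the tunnel had to be re-established.
$tunnelUp    = $null     # unknown until the first probe
$failures    = 0
$outageStart = $null

Write-KeepaliveLog ('keepalive started: probing {0} every {1}s' -f $RemoteHost, $IntervalSeconds)

while ($true) {
    $ok = Test-TunnelPeer -Target $RemoteHost -Timeout $TimeoutMs

    if ($ok) {
        if ($tunnelUp -ne $true) {
            if ($failures -gt 0) {
                $downFor = [int]((Get-Date) - $outageStart).TotalSeconds
                Write-KeepaliveLog ('tunnel back up after {0} lost probe(s) ({1}s)' -f $failures, $downFor)
            } else {
                Write-KeepaliveLog 'tunnel up'
            }
        }
        $tunnelUp = $true
        $failures = 0
    } else {
        if ($tunnelUp -ne $false) {
            $outageStart = Get-Date
            Write-KeepaliveLog 'probe lost; tunnel may be renegotiating'
        }
        $tunnelUp = $false
        $failures++
        if ($failures -eq $AlertAfter) {
            Write-KeepaliveLog ('{0} consecutive probes lost; tunnel is not coming back on its own' -f $failures)
        }
    }

    Start-Sleep -Seconds $IntervalSeconds
}
```

Run it from Task Scheduler at system startup (`powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\tunnel-keepalive.ps1`) under an account that may write the log. The log entries give a way to check the DPD theory from the reply: if every "back up after N lost probe(s)" entry follows a gap of roughly the same length, the far end is tearing the tunnel down on an idle timer and the keepalive interval needs to stay below it; if the tunnel never drops while the script runs, the workaround is holding, but it only hides the idle teardown rather than fixing the missing DPD on the TMG side.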