TMG 2010 - site to site ipsec tunnels with pfsense and watchguard appliances not connecting
-
4 March 2010 5:15
I am evaluating TMG 2010 (7.0.7734.100) but need to get site-to-site IPsec tunnels working. I have TMG installed on Windows 2008 w/ SP2 - it's a virtual machine on VMware.
1 Internal Nic
1 Perimeter Nic
2 External Nics
The appliances I'm trying are a Watchguard X10 w/ version 10.2.x software and pfSense version 1.2.3.
Logging on pfSense is better (than WG) and it keeps telling me that phase 1 negotiation keeps failing:
fatal No-Proposal-Chosen
I have checked, double-checked, triple-checked to make sure the phase 1 & 2 settings are the same on TMG and the other appliances.
When I run a packet capture I see the remote site connecting to TMG, but I never see a response back.
Happy to provide logs or other info to troubleshoot. I really like TMG for the other features, but must get site-to-sites working.
Thanks,
~Tracie
All replies
-
14 March 2010 10:10 (Moderator)
Hi,
I would like to suggest that you contact Microsoft Product Support Services via telephone so that a dedicated Support Professional can assist with this request.
To obtain the phone numbers for specific technology request please take a look at the web site listed below.
http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS
If you are outside the US please see http://support.microsoft.com for regional support phone numbers.
Thank you for your understanding.
Regards,
Nick Gu - MSFT
Marked as answer by Nick Gu - MSFT (Microsoft, Moderator), 14 March 2010 10:10
-
13 April 2010 14:06
Hi Tracie,
Did you find a solution for this already? I have exactly the same problem: TMG vs. Watchguard. Only difference: the TMG is not on VMware.
Thanx,
Maik
-
3 May 2010 10:19
Hi Daystar IT,
This problem occurs because TMG 2010 incorrectly defines discretionary access control lists (DACLs) for the COM services that are exposed by TMG 2010. These DACLs prevent NLB WMI event notifications from being accepted by TMG services. Therefore, the internal NLB state of TMG is not updated, and subcomponents that depend on the NLB state, such as IPsec filter definitions, are not initialized correctly.
An IPsec VPN site-to-site tunnel or a PPTP VPN site-to-site tunnel does not work if you enable integrated NLB on a Forefront TMG 2010 array
http://support.microsoft.com/kb/980674
Catastrophic failure is a sudden and total failure of some system from which recovery is impossible... That's me!
Proposed as answer by Catastrophic Failure, 3 May 2010 10:19
-
3 May 2010 10:46
Instructions for installation
Note: If you received from Microsoft Customer Support Services (CSS) a private update addressing this issue, please uninstall that update.
1. Click the Download button on this page to start the download of a component.
2. Save the download to your computer. Click Save and enter <path>\TMG-KB980674-GLB.msp
3. Open an elevated command prompt
4. Run the command:
msiexec /p <path>\TMG-KB980674-GLB.msp /L*v inst-KB980674.log
Catastrophic failure is a sudden and total failure of some system from which recovery is impossible... That's me!
Proposed as answer by Catastrophic Failure, 3 May 2010 10:46
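The installation steps above can be scripted so that the result is checked rather than eyeballed. The following is an added example, not code from the thread or from Microsoft's KB article: it applies the TMG-KB980674-GLB.msp patch with the same msiexec switches the instructions give (/p to apply a patch, /L*v for a verbose log), then interprets the msiexec exit code and pulls the final status line out of the log. The patch and log locations ($PatchPath, $LogPath) are assumed and should be changed to wherever the download was saved; uninstalling any private CSS update first remains a manual prerequisite.

```powershell
# Added example (not from the thread or the KB): apply TMG-KB980674-GLB.msp with logging
# and report the outcome. $PatchPath and $LogPath are assumed locations; adjust as needed.
param(
    [string]$PatchPath = "C:\Updates\TMG-KB980674-GLB.msp",   # assumed download location
    [string]$LogPath   = "C:\Updates\inst-KB980674.log"       # log name used by the KB instructions
)

# Step 3 of the instructions: the patch must be applied from an elevated prompt.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script from an elevated PowerShell prompt."
}

if (-not (Test-Path -LiteralPath $PatchPath)) {
    throw "Patch file not found: $PatchPath"
}

# Step 4: msiexec /p <patch> /L*v <log>. -Wait -PassThru lets us read the exit code.
$msiArgs = @('/p', "`"$PatchPath`"", '/L*v', "`"$LogPath`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
$code = $proc.ExitCode

# Standard Windows Installer exit codes.
switch ($code) {
    0    { Write-Host "Patch applied successfully." }
    3010 { Write-Warning "Patch applied; a reboot is required before TMG services pick it up (ERROR_SUCCESS_REBOOT_REQUIRED)." }
    1641 { Write-Warning "Patch applied; the installer has initiated a reboot (ERROR_SUCCESS_REBOOT_INITIATED)." }
    1603 { Write-Error "Fatal error during installation (ERROR_INSTALL_FAILURE); see $LogPath." }
    default { Write-Error "msiexec returned exit code $code; see $LogPath." }
}

# The verbose log records the final outcome as 'Installation success or error status: <n>'.
# Surface that line so the log does not have to be opened by hand.
if (Test-Path -LiteralPath $LogPath) {
    Select-String -Path $LogPath -Pattern 'Installation success or error status' |
        ForEach-Object { Write-Host "Log: $($_.Line.Trim())" }
}

exit $code
```

Running it as `.\Install-KB980674.ps1` (an assumed script name) from an elevated prompt returns the msiexec exit code to the caller, so a non-zero result other than the reboot codes can be treated as a failed deployment by whatever ran it.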