TMG To ISA - IPSec Site To Site VPN

  • Question

  • Hi,

    I am experiencing an issue with an IPSec site to site VPN tunnel between a TMG 2010 Standard SP1 server and an ISA 2006 Standard SP1 server. There are no NLB or array configurations involved in this topology.

    The IPSec tunnel between the parent company (TMG) and the partner company (ISA 2006) establishes correctly. On the TMG server at the parent company I can successfully ping servers and workstations located at the partner company. On the ISA server at the partner company, I can successfully ping servers and workstations located at the parent company. Two way communication across the IPSec VPN works as expected when the connection attempt is made from either the TMG or ISA server.

    If I try to ping a server at the partner company from a parent company workstation I receive no response (Ping Timeout), and vice versa at the other end of the tunnel. If I attempt to use protocols such as FTP or SMTP across the tunnel from workstations, connection timeouts are also received. I have run several monitoring logs filtered to workstation IP addresses and I cannot identify any traffic being dropped by either the TMG or ISA server.

    Has anyone experienced this issue, or has a TMG to ISA 2006 IPSec site to site VPN working in a production environment? Any feedback would be much appreciated.

    Kind Regards.

    Tuesday, August 31, 2010 7:03 PM

Answers

  • Hi Mohit,

    Thank you for your reply. I raised a case with Microsoft Partner Support and we confirmed the settings I had in place for the IPSec VPN were correct. We resolved the issue by applying the hotfix described in KB article 980674. Even though my configuration does not utilise an NLB, it resolved the issue nevertheless.

    Thanks for everyone’s input.

    Kind Regards.


    http://www.b4z.co.uk
    • Marked as answer by Barry Byrne Thursday, September 16, 2010 8:00 PM
    Thursday, September 16, 2010 8:00 PM

All replies

  • Hi,

    If you cannot connect from clients behind both VPN servers, it might be a problem with the routing table or the network definition for the remote site networks. Are the network IP address ranges different on both sites? Please have a look at the following documentation:
    http://technet.microsoft.com/en-us/library/bb794765.aspx
    http://www.isaserver.org/tutorials/Creating-VPN-ISA-2006-Firewall-Branch-Office-Connection-Wizard-Part1.html

    regards Marc Grote aka Jens Baier - www.nt-faq.de - www.it-training-grote.de - www.forefront-tmg.de
    Tuesday, August 31, 2010 7:14 PM
  • Hi Marc,

    thank you very much for the reply. The IP address ranges are indeed different on both sites:

    Parent Company:

    Internal: 172.16.X.X / 255.255.0.0

    Partner Company:

    Internal: 10.X.X.X / 255.0.0.0

    DMZ: 192.168.0.X / 255.255.255.0

    I have been using the Site To Site summaries to ensure the corresponding VPN tunnel information is correct at both sides. I will work through the documentation you kindly provided tomorrow, and post any further information.

    I look forward to any other suggestions if possible.

    Kind Regards.

    Tuesday, August 31, 2010 7:22 PM
  • Hi,

    Thank you for the post.

    Have you created static routes in TMG and ISA? If not, please do so and see if it works.

    Regards,


    Nick Gu - MSFT
    Thursday, September 2, 2010 8:00 AM
    Moderator
  • Hi Nick,

    Thank you for the reply. I have created static routes on both the TMG and ISA server, however I am still experiencing this issue. An example of the static routes I have attempted is:

    route add 172.16.X.X mask 255.255.0.0 91.84.X.X -p

    I have tried several variations on the default gateway value, however I still experience the problem. I have also attempted disabling "Perfect Forward Secrecy" on both the TMG and ISA server, as recommended in a TechNet blog, to no avail. I have verified all route, address assignment, and firewall policies on both ends of the tunnel and ensured these are correct.

    I have created a replica of the infrastructure in a virtual environment using fresh configurations:

    1 x ForeFront TMG SP1 Server

    1 x ISA 2006 SP1 Server

    1 x FreeSCO virtual router

    2 x Windows XP clients

    The tunnel establishes correctly, however I experience exactly the same issue as I do in the production environment. I have also gone to the extent of trying TMG on both Windows Server 2008 R2 and Windows Server 2008 SP2.

    Any further feedback would be much appreciated.

    Kind Regards.

    Thursday, September 2, 2010 7:35 PM
  • Hi,

    Does anyone have any further thoughts on this issue? Any feedback would be much appreciated.

    Kind Regards.

    Thursday, September 9, 2010 3:07 PM
  • Hi Barry,

    Are you testing from a SecureNAT client on either end? What I am trying to ask is: what is the default gateway of the client you are pinging from, and what is the default gateway of the server you are pinging to?

    Thanks
    Mohet

    Monday, September 13, 2010 4:35 AM
    Moderator
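    Nick's static-route suggestion and Mohit's default-gateway question both come down to one check: does a packet from a SecureNAT workstation actually reach the VPN endpoint, cross the tunnel, and find its way back? The script below is an added example, not code from this thread or from Microsoft. It models two sites with a small longest-prefix-match routing simulator and traces the path from a workstation to a host at the other site and back. The address ranges follow the ones posted above (172.16.0.0/16, 10.0.0.0/8, 192.168.0.0/24); the host names, interface addresses, the extra "parent-router" and the documentation-range public IPs are constructed assumptions.

```python
"""Routing-path check for a site-to-site VPN (added example; constructed topology).

Two sites are joined by a tunnel between their firewalls. The question asked in
the replies above is whether a SecureNAT workstation's packets reach the
firewall, cross the tunnel, arrive, and make it back.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

TUNNEL = "tunnel"    # pseudo next hop: hand the packet to the VPN peer firewall
ONLINK = "on-link"   # destination is on a directly attached subnet


def ip(s: str) -> ipaddress.IPv4Address:
    return ipaddress.IPv4Address(s)


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(s)


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str                  # ONLINK, TUNNEL, or a gateway address as a string


@dataclass
class Host:
    name: str
    addrs: Set[ipaddress.IPv4Address]           # addresses owned by this host
    routes: List[Route] = field(default_factory=list)
    peer: Optional[str] = None                  # VPN peer name, if this host ends a tunnel


def lookup(host: Host, dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match over the host's routing table; None means no route."""
    matches = [r for r in host.routes if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def trace(hosts, src: str, dst: str, max_hops: int = 8):
    """Follow next hops from host `src` toward address `dst`.

    Returns (delivered, path); path lists the hosts that handled the packet, so
    its last entry is where the packet was delivered or where it was dropped.
    """
    by_addr = {a: h for h in hosts.values() for a in h.addrs}
    target = ip(dst)
    cur, path = hosts[src], [src]
    for _ in range(max_hops):
        if target in cur.addrs:
            return True, path
        r = lookup(cur, target)
        if r is None:                       # no matching route: dropped here
            return False, path
        if r.next_hop == TUNNEL:
            nxt = hosts.get(cur.peer)
        elif r.next_hop == ONLINK:
            nxt = by_addr.get(target)       # directly attached: deliver to the owner
        else:
            nxt = by_addr.get(ip(r.next_hop))
        if nxt is None:                     # gateway or on-link host does not exist
            return False, path
        path.append(nxt.name)
        cur = nxt
    return False, path                      # hop limit reached: routing loop


def ping_ok(hosts, src: str, dst: str) -> bool:
    """A ping succeeds only if both the request and the reply can be routed."""
    fwd, _ = trace(hosts, src, dst)
    owner = next(h for h in hosts.values() if ip(dst) in h.addrs)
    back, _ = trace(hosts, owner.name, str(next(iter(hosts[src].addrs))))
    return fwd and back


def build(ws_gateway: str = "172.16.1.1", router_knows_remote: bool = False):
    """Constructed two-site topology (assumed names and addresses)."""
    tmg = Host("tmg", {ip("172.16.1.1"), ip("198.51.100.1")}, [
        Route(net("172.16.0.0/16"), ONLINK),
        Route(net("10.0.0.0/8"), TUNNEL),         # remote site network -> tunnel
        Route(net("192.168.0.0/24"), TUNNEL)], peer="isa")
    isa = Host("isa", {ip("10.0.0.1"), ip("192.168.0.1"), ip("203.0.113.1")}, [
        Route(net("10.0.0.0/8"), ONLINK),
        Route(net("192.168.0.0/24"), ONLINK),
        Route(net("172.16.0.0/16"), TUNNEL)], peer="tmg")
    # An ordinary internal router at the parent site that is NOT the VPN endpoint.
    router = Host("parent-router", {ip("172.16.1.254")},
                  [Route(net("172.16.0.0/16"), ONLINK)])
    if router_knows_remote:                # the static route the replies ask about
        router.routes.append(Route(net("10.0.0.0/8"), "172.16.1.1"))
    ws = Host("parent-ws", {ip("172.16.1.10")}, [
        Route(net("172.16.0.0/16"), ONLINK),
        Route(net("0.0.0.0/0"), ws_gateway)])      # which default gateway?
    srv = Host("partner-srv", {ip("10.0.5.20")}, [
        Route(net("10.0.0.0/8"), ONLINK),
        Route(net("0.0.0.0/0"), "10.0.0.1")])
    return {h.name: h for h in (tmg, isa, router, ws, srv)}


if __name__ == "__main__":
    cases = [("ws gateway = TMG", build()),
             ("ws gateway = router, no remote route", build("172.16.1.254")),
             ("ws gateway = router, with remote route", build("172.16.1.254", True))]
    for label, hosts in cases:
        print(label)
        print("  tmg -> partner-srv:", trace(hosts, "tmg", "10.0.5.20"))
        print("  ws  -> partner-srv:", trace(hosts, "parent-ws", "10.0.5.20"))
        print("  ping ws <-> partner-srv:", ping_ok(hosts, "parent-ws", "10.0.5.20"))
```

    The second case reproduces the symptom pattern described in the thread in one particular way: the firewall itself can reach the partner server because it holds the tunnel route, while a workstation whose default gateway is another internal router gets dropped at that router, since it has no route for the remote range. Adding the static route on that router (third case) or pointing the workstation at the firewall (first case) makes both directions route. The thread's own fix turned out to be the KB 980674 hotfix rather than a routing change, but this is the check the static-route and default-gateway replies were asking for, and it is cheap to run against real `route print` output before opening a support case.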