I was just wondering whether it is possible with TMG to route Client VPN traffic (e.g. L2TP) to another Site-2-Site VPN. I have tried to set this up in a demo environment but did not have much luck, as the traffic does not get re-encrypted. Is this supported at all and, if so, how can this be configured? I have tried to use the VPN Clients network object in the configuration (added a network rule and an access rule). Both VPNs on their own (Client VPN using L2TP and Site-2-Site VPN to another firewall) are working fine.
Thomas, Tuesday, June 15, 2010 9:48 PM
The VPN between the two LAN segments is working, therefore the VPN configuration itself is fine. The L2TP Client VPN is also working. However, the IP packets coming from the L2TP tunnel are not forwarded into the Site-to-Site tunnel (firewall and routing rules are configured accordingly). What puzzles me is that in the Site-to-Site Settings Summary the L2TP Client VPN IP pool is not shown under Site-to-Site Network IP Subnets. Therefore I have serious doubts that this (i.e. VPN routing) is supported by TMG at all.
Thomas, Monday, June 21, 2010 3:24 PM
"However the IP packets coming from the L2TP tunnel are not forwarded into the Site2Site Tunnel"
I understand that the network is somewhat as below:
Client A >> IPSEC L2TP >> TMG 1 >> SITE TO SITE >> TMG 2 >> Client B at Remote site.
What you want to achieve is to send the traffic from Client A to Client B. Yes, this should work, given a proper network rule. I do not see any reason for this to fail. I suggested using PPTP all over so as to eliminate the possibility of IPSEC IP policies. Once PPTP routing is fixed, we can fix the IPSEC too.
Now, I understand that traffic from Client A destined for Client B is getting dropped at TMG1. Am I correct? Could you please take a live log and let me know what the error is?
Regards, Amit Saxena. Keep Walking!
Saturday, July 03, 2010 6:09 PM
If you have access rules and network rules for this, and the other site allows traffic from your VPN client, this should work.
Have you given the VPN client a route for how to access the other site?
Troubleshoot the client: connect the VPN and check your new IP, then
add a route:
route add <IP of your other site> MASK <Subnet MASK of the other site> <Your Client VPN IP>
Go into Logs & Reports in TMG, edit the Log Filter and monitor everything from your "Client IP".
Go back to your VPN client and try to ping something at the other site.
Do you get through your TMG, and does the server have a route back to your VPN client?
I think this could be a routing problem.
Anders, Monday, July 12, 2010 11:21 AM
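The client-side checks Anders lists (read the new VPN IP, add the route via that IP, ping the other site, then see where the path stops so the TMG live log can be filtered on the client IP) can be run in one go. The script below is an added example, not code from the thread or from TMG; it assumes an elevated PowerShell on Windows 8 or later (NetTCPIP cmdlets), a VPN connection named "TMG L2TP", a remote LAN of 192.168.200.0/24 behind TMG 2 and a host 192.168.200.10 there, all of which are placeholders to adjust.

```powershell
# Added troubleshooting example for the VPN client (not from the thread).
# Automates the steps in Anders' reply: read the VPN adapter's IP, add the route to the
# remote site via that IP, ping a remote host, then trace the path so the hop where traffic
# stops can be matched against the TMG live log filtered on the client IP.
# Requires an elevated PowerShell on Windows 8+; every name/address below is an assumption.
param(
    [string]$VpnAdapterAlias  = 'TMG L2TP',          # assumption: name of the L2TP connection
    [string]$RemoteSiteNet    = '192.168.200.0',     # assumption: LAN behind TMG 2
    [string]$RemoteSiteMask   = '255.255.255.0',
    [string]$RemoteSitePrefix = '192.168.200.0/24',  # same subnet in CIDR form for Get-NetRoute
    [string]$RemoteHost       = '192.168.200.10'     # assumption: Client B / a server at the remote site
)

# 1. "check your new IP": the address TMG 1 assigned from the VPN Clients pool
$vpnIp = (Get-NetIPAddress -InterfaceAlias $VpnAdapterAlias -AddressFamily IPv4 -ErrorAction Stop).IPAddress
Write-Host "VPN client address: $vpnIp"

# 2. "add a route": only if the remote site is not already routed through the tunnel
$existing = Get-NetRoute -DestinationPrefix $RemoteSitePrefix -ErrorAction SilentlyContinue
if (-not $existing) {
    # route.exe syntax exactly as in the post: destination MASK netmask gateway
    route add $RemoteSiteNet MASK $RemoteSiteMask $vpnIp
    Write-Host "Added route to $RemoteSitePrefix via $vpnIp"
} else {
    Write-Host "Route to $RemoteSitePrefix already present (next hop $($existing.NextHop))"
}

# 3. "try to ping something at the other site"
$reachable = Test-Connection -ComputerName $RemoteHost -Count 4 -Quiet
Write-Host "Ping $RemoteHost from $vpnIp : $(if ($reachable) { 'OK' } else { 'FAILED' })"

# 4. Where does the path stop? The first hop should be TMG 1's VPN-side address.
#    If the trace ends there, filter the TMG live log on $vpnIp to see which access or
#    network rule dropped the packet. If it reaches TMG 2 but not $RemoteHost, the remote
#    side most likely has no route back to the VPN Clients pool (Anders' last question).
$trace = Test-NetConnection -ComputerName $RemoteHost -TraceRoute
Write-Host "Trace to $RemoteHost:"
$trace.TraceRoute | ForEach-Object { Write-Host "  $_" }
```

Run it while the TMG log filter from the reply is active: the source address in every log line should be the `$vpnIp` the script prints, and a packet that appears in the log with a "denied" result points at the rule, whereas a packet that is allowed but never answered points at the missing return route on the far side.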