VPN Routing in TMG


  • Hi,

    I was just wondering whether it is possible with TMG to route Client VPN traffic (e.g. L2TP) to another Site-2-Site VPN. I have tried to set this up in a demo environment but had not much luck as the traffic does not get re-encrypted. Is this supported at all and if, how can this be configured? I have tried to use the VPN Clients network object in the configuration (added a network rule and an access rule). Both VPNs on their own (Client VPN using L2TP and Site-2-Site VPN to another firewall) are working fine.

    Best regards


    Tuesday, June 15, 2010 9:48 PM

All replies

  • Did you try creating a different VPN network and then allowing the traffic between those two VPN networks? Also, IPSEC needs the traffic IPs to be very specific. Try with PPTP VPN first for simplification.
    Regards, Amit Saxena
    Wednesday, June 16, 2010 10:32 PM
  • Hi,

    The VPN between the two LAN segments is working, therefore the VPN configuration itself is fine. The L2TP Client VPN is also working. However, the IP packets coming from the L2TP tunnel are not forwarded into the Site2Site Tunnel (Firewall and Routing rules are configured accordingly). What puzzles me is that in the Site-to-Site Settings Summary the L2TP Client VPN IP Pool does not get shown under Site-to-Site Network IP Subnets. Therefore I have serious doubts that this (i.e. VPN routing) is supported in general by TMG.

    Best regards


    Monday, June 21, 2010 3:24 PM
  • Hi Thomas,

    "However the IP packets coming from the L2TP tunnel are not forwarded into the Site2Site Tunnel"

    I understand that the network is somewhat as below:

    Client A >> IPSEC L2TP >> TMG 1 >> SITE TO SITE >> TMG 2 >> Client B at Remote site.

    What you want to achieve is to send the traffic from Client A to Client B. Yes, this should work, given a proper network rule. I do not see any reason for this to fail. I suggested using PPTP all over so as to eliminate the possibility of IPSEC IP policies. Once PPTP routing is fixed, we can fix the IPSEC too.

    Now, I understand that traffic from Client A destined for Client B is getting dropped at TMG1. Am I correct? Could you please take a live log and let me know what's the error?

    Regards, Amit Saxena. Keep Walking!
    Saturday, July 03, 2010 6:09 PM
  • Hi Thomas

    If you have access rules and network rules for this, and the other site allows traffic from your VPN client, this should work.

    Have you given the VPN client a route to the other site?

    Troubleshoot the client: connect to the VPN, check your new IP and
    add a route:
    route add <IP of your other site> MASK <Subnet MASK of the other site> <Your Client VPN IP>

    Go into Logs & Reports in TMG, edit the Log Filter and monitor everything from your "Client IP".
    Go back to your VPN Client and try to ping something at the other site.

    Do you get through your TMG, and does the server have a route back to your VPN client?
    I think this could be a routing problem.
    Monday, July 12, 2010 11:21 AM
  • Do you have the VPN client range added in the Remote site and local site to create proper IPsec filters?

    Bala Natarajan [MSFT] | Sr. Support Escalation Engineer | CSS Security
    Friday, July 23, 2010 5:21 AM
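The two points raised in the thread (the client needs a route for the remote site via its VPN adapter, and the VPN client address pool must be listed in the site-to-site subnets on both gateways so the IPsec selectors match it) can be checked offline with a small model. The script below is an added example, not TMG's own code or anything from the posters: it models the IPsec selectors a site-to-site tunnel derives from its "Site-to-Site Network IP Subnets" as every local/remote subnet pair, checks whether client-to-host and host-to-client packets match a selector on their respective gateway, and does a longest-prefix lookup over a client routing table like the one the `route add` step changes. All addresses and subnets are constructed sample values.

```python
"""Model of why L2TP client traffic is not re-encrypted into a site-to-site tunnel.

Added example (not TMG code). Assumptions: an IPsec site-to-site tunnel protects
exactly the (local subnet, remote subnet) pairs configured on each gateway, and a
VPN client forwards a packet via whichever route has the longest matching prefix.
"""
from ipaddress import ip_address, ip_network


def build_selectors(local_subnets, remote_subnets):
    """IPsec traffic selectors: every configured local subnet paired with every remote one."""
    return [(ip_network(l), ip_network(r))
            for l in local_subnets for r in remote_subnets]


def is_protected(selectors, src, dst):
    """True if a packet src->dst matches at least one selector and would be encrypted."""
    src, dst = ip_address(src), ip_address(dst)
    return any(src in local and dst in remote for local, remote in selectors)


def round_trip(gw1_local, gw1_remote, gw2_local, gw2_remote, client_ip, host_ip):
    """Outbound leg is judged by gateway 1's selectors, the return leg by gateway 2's.

    Both legs must be True; a tunnel that only encrypts one direction drops or
    leaks the reply, which looks like 'ping gets no answer' on the client.
    """
    gw1 = build_selectors(gw1_local, gw1_remote)
    gw2 = build_selectors(gw2_local, gw2_remote)
    return {
        "outbound": is_protected(gw1, client_ip, host_ip),
        "return": is_protected(gw2, host_ip, client_ip),
    }


def next_hop(routes, dst):
    """Longest-prefix match over (prefix, gateway) entries, as a host routing table does."""
    dst = ip_address(dst)
    best = None
    for prefix, gateway in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None


# Constructed sample topology (not from the thread).
LAN1 = "192.168.10.0/24"      # LAN behind TMG 1
LAN2 = "192.168.20.0/24"      # LAN behind TMG 2
POOL = "10.10.10.0/24"        # L2TP client address pool handed out by TMG 1
CLIENT = "10.10.10.5"         # a connected L2TP client
HOST = "192.168.20.15"        # a server at the remote site
HOME_ROUTER = "192.168.1.1"   # the client's ordinary default gateway


def selector_scenarios():
    """Selector coverage before, halfway through, and after fixing both gateways."""
    # Only the two LANs configured: client traffic matches no selector at all.
    before = round_trip([LAN1], [LAN2], [LAN2], [LAN1], CLIENT, HOST)
    # Pool added on TMG 1 only: outbound is encrypted, replies from TMG 2 are not.
    half = round_trip([LAN1, POOL], [LAN2], [LAN2], [LAN1], CLIENT, HOST)
    # Pool listed on both gateways: both directions match a selector.
    after = round_trip([LAN1, POOL], [LAN2], [LAN2], [LAN1, POOL], CLIENT, HOST)
    return before, half, after


def route_scenarios():
    """Where the client sends the packet before and after the 'route add' step."""
    # Split-tunnel client: only its own VPN pool is reachable via the VPN adapter.
    routes = [("0.0.0.0/0", HOME_ROUTER), (POOL, CLIENT)]
    without_route = next_hop(routes, HOST)
    # Equivalent of: route add 192.168.20.0 MASK 255.255.255.0 10.10.10.5
    routes.append((LAN2, CLIENT))
    with_route = next_hop(routes, HOST)
    return without_route, with_route


if __name__ == "__main__":
    for label, result in zip(("before", "pool on TMG1 only", "pool on both"),
                             selector_scenarios()):
        print(f"{label:>18}: {result}")
    print("next hop without/with route:", route_scenarios())
```

Reading the output: without the client pool in the site-to-site subnets, neither direction is covered, which matches the observation that the pool is missing from the Site-to-Site Settings Summary; adding it on one gateway only fixes the outbound leg, so the remote gateway must list it too. The route check shows that a split-tunnel client sends remote-site traffic to its home router until the `route add` from the thread points it at the VPN adapter.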