Trouble getting up an IPsec site-to-site between TMG and Cisco RV220W

  • General discussions

  •

    Hi all!

    I'm having:

    Head Office:
    Windows 2008 r2 sp1 (VM, fully updated, runs under Hyper-V)
    Forefront TMG SP2 update rollup 2 (v7.0.9193.540)

    external IP without a NAT in front of it, several internal NICs with different subnets attached, from which I need to establish an IPsec VPN to 192.168.0.0/24

    Branch:
    Cisco RV220W (firmware 1.0.4.17 - latest to moment)

    external IP without a NAT in front, internal subnet 192.168.8.0/24

    TMG Site-to-site Summary:

    Local Tunnel Endpoint: xxx.xxx.xxx.xxx
    Remote Tunnel Endpoint: yyy.yyy.yyy.yyy
    
    To allow HTTP proxy or NAT traffic to the remote site, 
    the remote site configuration must contain the local 
    site tunnel end-point IP address.
    
    IKE Phase I Parameters:
        Mode: Main mode
        Encryption: 3DES
        Integrity: SHA1
        Diffie-Hellman group: Group 2 (1024 bit)
        Authentication Method: Pre-shared secret (zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz)
        Security Association Lifetime: 28800 seconds
    
    
    IKE Phase II Parameters:
        Mode: ESP tunnel mode
        Encryption: 3DES
        Integrity: SHA1
        Perfect Forward Secrecy: ON
        Diffie-Hellman group: Group 2 (1024 bit)
        Time Rekeying: ON
        Security Association Lifetime: 3600 seconds
    
        Kbyte Rekeying: OFF
    
    Remote Network 'Flymusic' IP Subnets:
        Subnet: yyy.yyy.yyy.yyy/255.255.255.255
        Subnet: 192.168.8.0/255.255.255.0
    
    Local Network 'Guest VLAN' IP Subnets:
        Subnet: 192.168.10.0/255.255.255.0
    
    Local Network 'SIP' IP Subnets:
        Subnet: 10.1.10.0/255.255.255.0
    
    Local Network 'Внутренняя' IP Subnets:
        Subnet: 192.168.0.0/255.255.255.0
    
    Local Network 'Демилитаризованная зона' IP Subnets:
        Subnet: 192.168.100.0/255.255.255.0
    
    Routable Local IP Addresses:
        Subnet: yyy.yyy.yyy.yyy/255.255.255.255
        Subnet: 192.168.0.0/255.255.255.0

    From the Cisco side the settings are absolutely the same (double and triple checked that), DPD (Dead Peer Detection) is off. Everything was checked like 50 times. IPsec profiles were wiped on both TMG and Cisco and then recreated, to no success.

    The problem:

    The tunnel is being established successfully and from the Cisco side I can see packets being sent, but nothing is being received.

    Here's what I see in the Cisco log:

    2012-11-21 10:28:04: [rv220w][IKE] INFO:  Adding IPSec configuration with identifier "Flymusic-to-VIRUS"
    2012-11-21 10:28:04: [rv220w][IKE] INFO:  Adding IKE configuration with identifier "Flymusic-to-VIRUS"
    2012-11-21 10:31:04: [rv220w][IKE] INFO:  accept a request to establish IKE-SA: xxx.xxx.xxx.xxx
    2012-11-21 10:31:04: [rv220w][IKE] INFO:  Configuration found for xxx.xxx.xxx.xxx.
    2012-11-21 10:31:04: [rv220w][IKE] INFO:  Initiating new phase 1 negotiation: yyy.yyy.yyy.yyy[500]<=>xxx.xxx.xxx.xxx[500]
    2012-11-21 10:31:04: [rv220w][IKE] INFO:  Beginning Identity Protection mode.
    2012-11-21 10:31:04: [rv220w][IKE] INFO:   [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3
    2012-11-21 10:31:04: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 4
    2012-11-21 10:31:04: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 8
    2012-11-21 10:31:04: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 9
    2012-11-21 10:31:04: [rv220w][IKE] INFO:  Received Vendor ID: MS NT5 ISAKMPOAKLEY
    2012-11-21 10:31:04: [rv220w][IKE] INFO:  Received Vendor ID: RFC 3947
    2012-11-21 10:31:04: [rv220w][IKE] INFO:  Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    
    2012-11-21 10:31:04: [rv220w][IKE] INFO:  Received unknown Vendor ID
    2012-11-21 10:31:04: [rv220w][IKE] INFO:  Received unknown Vendor ID
    2012-11-21 10:31:04: [rv220w][IKE] INFO:  Received unknown Vendor ID
    2012-11-21 10:31:04: [rv220w][IKE] INFO:  For xxx.xxx.xxx.xxx[500], Selected NAT-T version: RFC 3947
    2012-11-21 10:31:05: [rv220w][IKE] INFO:  NAT-D payload matches for yyy.yyy.yyy.yyy[500]
    2012-11-21 10:31:05: [rv220w][IKE] INFO:  NAT-D payload matches for xxx.xxx.xxx.xxx[500]
    2012-11-21 10:31:05: [rv220w][IKE] INFO:  NAT not detected 
    2012-11-21 10:31:05: [rv220w][IKE] INFO:  ISAKMP-SA established for yyy.yyy.yyy.yyy[500]-xxx.xxx.xxx.xxx[500] with spi:a88c7adcdfe27f2d:821bd301e0ade708
    2012-11-21 10:31:05: [rv220w][IKE] INFO:  Sending Informational Exchange: notify payload[INITIAL-CONTACT]
    2012-11-21 10:31:06: [rv220w][IKE] INFO:  Initiating new phase 2 negotiation: yyy.yyy.yyy.yyy[500]<=>xxx.xxx.xxx.xxx[0]
    2012-11-21 10:31:06: [rv220w][IKE] WARNING:  attribute has been modified.
    2012-11-21 10:31:06: [rv220w][IKE] WARNING:  Ignore CONNECTED notification from xxx.xxx.xxx.xxx[500].
    2012-11-21 10:31:06: [rv220w][IKE] INFO:  IPsec-SA established: ESP/Tunnel xxx.xxx.xxx.xxx->yyy.yyy.yyy.yyy with spi=122603761(0x74ec8f1)
    2012-11-21 10:31:06: [rv220w][IKE] INFO:  IPsec-SA established: ESP/Tunnel yyy.yyy.yyy.yyy->xxx.xxx.xxx.xxx with spi=628192148(0x25717394)

    From the TMG side I also see that the tunnel has been established. 'netsh ipsec dynamic show all' shows 2 Quick Mode SAs as it should. If I look at the authorisation process using Network Monitor I see Main Mode and Quick Mode passing as they should.

    After that the branch (yyy.yyy.yyy.yyy) starts to send ESP packets with the right SPI, but TMG does not respond. Several seconds after connecting, one of the Quick Mode SAs just drops and 'netsh ipsec dynamic show all' now shows only 1 Security Association: 'Direction: Inbound', and TMG doesn't notify Cisco that it deletes the SA, as there's no change in Cisco's log and no activity in Network Monitor.

    If I try to connect to any IP behind Cisco from the TMG side, I can clearly see that TMG starts a new Quick Mode negotiation, probably trying to get a new SPI, but Cisco does not respond as it probably thinks that the tunnel is already up, and still no change in its log.

    What i have tried:

    updated TMG to latest Rollup (SP2 rollup 2)

    installed KB2523881 and KB980674

    Tried to change the cryptographic setting symmetrically on TMG and Cisco to 3DES/SHA1, 3DES/MD5, 3DES/SHA256, etc. Tried to turn off PFS.

    No luck.

    I can't fully trace the problem from the TMG side, as Win 2008 R2 lacks oakley.log, and I can't make wfpdiag.etl human readable with tracemft.exe either.

    Any ideas will be greatly appreciated!

    November 26, 2012 8:11
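As an added diagnostic example (not code from the post, from Cisco or from Microsoft), the script below parses racoon-style IKE log lines like the RV220W excerpt quoted above and reports whether the Phase 1 SA and both directions of the Phase 2 SA exist, so a tunnel that has degraded to a single one-way SA, like the one the poster sees in `netsh ipsec dynamic show all`, shows up as a finding instead of having to be spotted by eye. The sample log is constructed from the post's excerpt; which peer is "local", the reading of the "attribute has been modified" warning and the lifetime hint attached to it are assumptions, not facts established by the thread.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the RV220W log excerpt quoted in the post above,
# with the peer addresses redacted exactly as the post redacts them.
SAMPLE_LOG = """\
2012-11-21 10:31:04: [rv220w][IKE] INFO:  Initiating new phase 1 negotiation: yyy.yyy.yyy.yyy[500]<=>xxx.xxx.xxx.xxx[500]
2012-11-21 10:31:05: [rv220w][IKE] INFO:  NAT not detected 
2012-11-21 10:31:05: [rv220w][IKE] INFO:  ISAKMP-SA established for yyy.yyy.yyy.yyy[500]-xxx.xxx.xxx.xxx[500] with spi:a88c7adcdfe27f2d:821bd301e0ade708
2012-11-21 10:31:06: [rv220w][IKE] INFO:  Initiating new phase 2 negotiation: yyy.yyy.yyy.yyy[500]<=>xxx.xxx.xxx.xxx[0]
2012-11-21 10:31:06: [rv220w][IKE] WARNING:  attribute has been modified.
2012-11-21 10:31:06: [rv220w][IKE] INFO:  IPsec-SA established: ESP/Tunnel xxx.xxx.xxx.xxx->yyy.yyy.yyy.yyy with spi=122603761(0x74ec8f1)
2012-11-21 10:31:06: [rv220w][IKE] INFO:  IPsec-SA established: ESP/Tunnel yyy.yyy.yyy.yyy->xxx.xxx.xxx.xxx with spi=628192148(0x25717394)
"""

# Line shapes taken from the excerpt; anything else is ignored.
PHASE1_RE = re.compile(
    r"ISAKMP-SA established for ([^\s\[]+)\[\d+\]-([^\s\[]+)\[\d+\] with spi:([0-9a-f]+):([0-9a-f]+)")
PHASE2_RE = re.compile(
    r"IPsec-SA established: (\w+)/(\w+) ([^\s>]+)->(\S+) with spi=(\d+)\(0x([0-9a-f]+)\)")
WARNING_RE = re.compile(r"\[IKE\] WARNING:\s+(.*?)\s*$")
NAT_RE = re.compile(r"NAT (not )?detected")


@dataclass
class IkeSummary:
    # (local peer, remote peer, initiator cookie, responder cookie) of the ISAKMP SA
    phase1: Optional[Tuple[str, str, str, str]] = None
    # (src, dst) -> (protocol, mode, SPI as int) for every IPsec SA seen
    phase2: Dict[Tuple[str, str], Tuple[str, str, int]] = field(default_factory=dict)
    warnings: List[str] = field(default_factory=list)
    nat_detected: Optional[bool] = None


def parse_ike_log(text: str) -> IkeSummary:
    """Fold the log lines into one summary of negotiated state."""
    s = IkeSummary()
    for line in text.splitlines():
        if m := PHASE1_RE.search(line):
            s.phase1 = (m.group(1), m.group(2), m.group(3), m.group(4))
        elif m := PHASE2_RE.search(line):
            proto, mode, src, dst, spi_dec, spi_hex = m.groups()
            # The device prints the SPI twice; a disagreement means a garbled log line.
            if int(spi_dec) != int(spi_hex, 16):
                s.warnings.append(f"SPI decimal/hex mismatch in line: {line}")
            s.phase2[(src, dst)] = (proto, mode, int(spi_dec))
        elif m := WARNING_RE.search(line):
            s.warnings.append(m.group(1))
        elif m := NAT_RE.search(line):
            s.nat_detected = m.group(1) is None
    return s


def diagnose(s: IkeSummary, local: str, remote: str) -> List[str]:
    """Return human-readable findings; an empty list means both SA directions are present."""
    findings: List[str] = []
    if s.phase1 is None:
        return ["Phase 1 (ISAKMP-SA) never completed; check proposal, pre-shared key and peer reachability"]
    outbound = s.phase2.get((local, remote))
    inbound = s.phase2.get((remote, local))
    if outbound is None and inbound is None:
        findings.append("Phase 1 is up but no IPsec-SA was negotiated; check the Phase 2 proposal and traffic selectors")
    elif outbound is None or inbound is None:
        present = "inbound" if inbound else "outbound"
        findings.append(f"IPsec-SA exists only in the {present} direction; the peer may have dropped its SA "
                        "without sending a DELETE, so ESP traffic can flow one way only")
    for w in s.warnings:
        if "attribute has been modified" in w:
            # Assumption: the responder accepted the proposal with a changed attribute;
            # SA lifetime and rekey settings are the usual place to compare both ends.
            findings.append("Responder changed a Phase 2 proposal attribute; compare SA lifetime and rekey settings on both ends")
        elif "SPI" in w:
            findings.append(w)
    return findings


if __name__ == "__main__":
    summary = parse_ike_log(SAMPLE_LOG)
    print("Phase 1:", summary.phase1, "NAT detected:", summary.nat_detected)
    for (src, dst), (proto, mode, spi) in summary.phase2.items():
        print(f"Phase 2: {proto}/{mode} {src} -> {dst} spi=0x{spi:x}")
    for finding in diagnose(summary, "yyy.yyy.yyy.yyy", "xxx.xxx.xxx.xxx"):
        print("Finding:", finding)
```

Run against the Cisco log as quoted, the only finding is the modified-attribute warning, because the RV220W side still holds both SAs; feeding it a log from the side that has lost one SA (or deleting one entry from `phase2`, as the accompanying test does) produces the one-direction finding that matches the behaviour described in the post.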

All replies

  • A big request to the moderators to move this thread to the English-language part of the forum, where I created it, because this is a duplicate of my Russian-language post. I don't understand why it ended up in the Russian forum :-/
    November 26, 2012 8:20
  • Unfortunately, there is no way to move it to the English-language forum. But the community and I will be very grateful if you publish the solution to the problem in this thread :)

    The opinions expressed here reflect my personal views and not the position of Microsoft Corporation. All information is provided "as is" without any warranties

    December 3, 2012 9:59
  • I have published the solution in the original thread; I think this one can safely be deleted.
    December 3, 2012 11:54
  • I have published the solution in the original thread; I think this one can safely be deleted.

    Could you share a link to the solution?

    December 10, 2012 13:26
  • The thread has been moved to the discussions category because it is no longer relevant

    December 14, 2012 13:37