Forefront TMG cannot VPN using Cisco client

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Forefront TMG cannot VPN using Cisco client

    Greetings!

    Hello everyone, I hope someone can help me out with this issue I've had for about a week now. Background info: I need to allow a few of our users to use a Cisco VPN client to connect to one of our customer's corporate network. We currently have Forefront TMG as our gateway for all of our users and I have added new rules to allow the traffic to pass through. However, the Cisco VPN client will constantly attempt to connect until it times out and when I look through the logs on the firewall, here is what I see:

    Client IP: 192.168.x.x
    Destination IP: 170.x.x.x
    Action: Initiated Connection
    Protocol: IKE Client
    Destination port: 500
    Result Code: 0x0 ERROR_SUCCESS
    Source Network: Internal
    Destination Network: External

    Client IP: 192.168.x.x
    Destination IP: 170.x.x.x
    Action: Initiated Connection
    Protocol: IPsec NAT-T Client
    Destination port: 4500
    Result Code: 0x0 ERROR_SUCCESS
    Source Network: Internal
    Destination Network: External

    Client IP: 69.x.x.x (our outward facing IP)
    Destination IP: 170.x.x.x
    Action: Denied Connection
    Protocol: IPsec NAT-T Client
    Destination port: 4500
    Result Code: 0xc004003e FWX_E_FW_IPSEC_DROPPED
    Source Network: Local host
    Destination Network: External

    The interesting thing to note is that when client IP shows our internal address (192.168.x.x), it will show an action of "Initiated Connection" but eventually gets closed as it times out. I've looked into this and found the result code means: "A packet was dropped due to periodic inconsistency between the IPsec policy and the Forefront TMG's snapshot of the IPsec policy."

    Here are the resolutions that I've attempted:
    * Removed from registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ipv6 (did nothing so I restored original keys)
    * Ran command: netsh tmg set global name=BlockSecuredInDefaultState value=0 persistent (command not recognized, TMG 2010 only?)
    * Added local host to the list of source networks on the access list
    * Asked nicely for it to work

    I tested the VPN connection without the firewall in place and it DOES work, there must be some setting that I'm missing. If it helps, we're using TMG version 6. Your help is greatly appreciated!
    Last edited by crowntech; 6th June 2011, 23:14. Reason: Problem solved
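
The three log entries above, read together, are the signature of this problem: the internal client's IKE/NAT-T packets are accepted, but the copy TMG itself relays from "Local host" is denied with FWX_E_FW_IPSEC_DROPPED. The following triage script is an added example, not code from the thread or from Microsoft; the sample records are constructed copies of the poster's entries (addresses masked as posted), and it flags any VPN peer that shows this initiated-then-dropped pattern.

```python
# Added example (not from the thread); sample records are constructed copies of the post's entries.
IPSEC_DROPPED = "0xc004003e"  # FWX_E_FW_IPSEC_DROPPED, the result code quoted in the post

SAMPLE_LOG = """\
Client IP: 192.168.x.x
Destination IP: 170.x.x.x
Action: Initiated Connection
Protocol: IPsec NAT-T Client
Destination port: 4500
Result Code: 0x0 ERROR_SUCCESS
Source Network: Internal
Destination Network: External

Client IP: 69.x.x.x
Destination IP: 170.x.x.x
Action: Denied Connection
Protocol: IPsec NAT-T Client
Destination port: 4500
Result Code: 0xc004003e FWX_E_FW_IPSEC_DROPPED
Source Network: Local host
Destination Network: External
"""

def parse_records(text):
    """Turn blank-line separated 'Field: value' blocks into one dict per record."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        records.append(rec)
    return records

def diagnose(records):
    """Per VPN peer: flag when an Internal client initiated the tunnel but TMG itself
    ('Local host') dropped the NAT-T leg with FWX_E_FW_IPSEC_DROPPED."""
    by_peer = {}
    for rec in records:
        by_peer.setdefault(rec["Destination IP"], []).append(rec)
    findings = {}
    for peer, recs in by_peer.items():
        initiated = any(r["Source Network"] == "Internal"
                        and r["Action"] == "Initiated Connection" for r in recs)
        dropped = any(r["Source Network"] == "Local host"
                      and r["Result Code"].startswith(IPSEC_DROPPED) for r in recs)
        if initiated and dropped:
            findings[peer] = "TMG has no IPsec policy for this peer; relayed NAT-T is dropped"
    return findings
```

Run `diagnose(parse_records(SAMPLE_LOG))` against an export of the Firewall log filtered to ports 500/4500; a peer listed in the result is one that needs an IPsec policy on TMG, which is what the site-to-site workaround later in this thread creates.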

  • #2
    Re: Forefront TMG cannot VPN using Cisco client

    For ISA 2004/6 from our own elmajdal, but should have the info you need.

    http://elmajdal.net/isaserver/How_To...SA_Server.aspx
    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
    Cruachan's Blog

    • #3
      Re: Forefront TMG cannot VPN using Cisco client

      Thank you for your reply. I have already taken the steps outlined in the link provided and I am still not able to get through. The result code I am receiving mentions something about the policy on Forefront not matching the existing IPSec policy. I've looked around but still no luck.

      • #4
        Re: Forefront TMG cannot VPN using Cisco client

        I got it! After a week and a half of banging my head on this I finally got it to work thanks to a suggestion from another forum. Here is the solution to the problem:

        Created a site-to-site VPN connection to a dummy site. First configured with actual target VPN endpoint then changed address to one of our own static IP addresses. Confirmed this does work when checking firewall logs and able to get a username/password dialog box. Creating this site-to-site connection allows TMG to create an IPSec rule which by default is undefined (and anything undefined is denied). Once the connection is created, the rule is also created which allows IPSec traffic to pass through.

        Here are the steps followed: Opened Forefront TMG Management, select Virtual Private Networks, under the remote sites tab select "Create VPN site-to-site connection". Steps from here are pretty straightforward as fictitious IP addresses can be entered. The main goal is to create the rule so that IPSec traffic can pass. Hope this helps someone else!
