Forefront TMG cannot VPN using Cisco client (3 replies, 3883 views)
#1
Greetings!

Hello everyone, I hope someone can help me out with this issue I've had for about a week now.

Background info: I need to allow a few of our users to use a Cisco VPN client to connect to one of our customers' corporate networks. We currently have Forefront TMG as our gateway for all of our users and I have added new rules to allow the traffic to pass through. However, the Cisco VPN client will constantly attempt to connect until it times out, and when I look through the logs on the firewall, here is what I see:

Client IP: 192.168.x.x
Destination IP: 170.x.x.x
Action: Initiated Connection
Protocol: IKE Client
Destination port: 500
Result Code: 0x0 ERROR_SUCCESS
Source Network: Internal
Destination Network: External

Client IP: 192.168.x.x
Destination IP: 170.x.x.x
Action: Initiated Connection
Protocol: IPsec NAT-T Client
Destination port: 4500
Result Code: 0x0 ERROR_SUCCESS
Source Network: Internal
Destination Network: External

Client IP: 69.x.x.x (our outward facing IP)
Destination IP: 170.x.x.x
Action: Denied Connection
Protocol: IPsec NAT-T Client
Destination port: 4500
Result Code: 0xc004003e FWX_E_FW_IPSEC_DROPPED
Source Network: Local Host
Destination Network: External

The interesting thing to note is that when the client IP shows our internal address (192.168.x.x), it will show an action of "Initiated Connection" but eventually gets closed as it times out. I've looked into this and found the result code means: "A packet was dropped due to periodic inconsistency between the IPsec policy and Forefront TMG's snapshot of the IPsec policy."

Here are the resolutions that I've attempted:

* Removed from registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ipv6 (did nothing, so I restored the original keys)
* Ran command: netsh tmg set global name=BlockSecuredInDefaultState value=0 persistent (command not recognized, TMG 2010 only?)
* Added Local Host to the list of source networks on the access list
* Asked nicely for it to work

I tested the VPN connection without the firewall in place and it DOES work, so there must be some setting that I'm missing. If it helps, we're using TMG version 6. Your help is greatly appreciated!

Last edited by crowntech; 7th June 2011 at 01:14. Reason: Problem solved
#2
This one is for ISA 2004/6, from our own elmajdal, but it should have the info you need:
http://elmajdal.net/isaserver/How_To...SA_Server.aspx |
#3
Thank you for your reply. I have already taken the steps outlined in the link provided and I am still not able to get through. The result code I am receiving mentions something about the policy on Forefront not matching the existing IPSec policy. I've looked around but still no luck.
#4
I got it! After a week and a half of banging my head on this I finally got it to work, thanks to a suggestion from another forum. Here is the solution to the problem:

Created a site-to-site VPN connection to a dummy site. First configured it with the actual target VPN endpoint, then changed the address to one of our own static IP addresses. Confirmed this does work when checking the firewall logs, and I am able to get a username/password dialog box. Creating this site-to-site connection allows TMG to create an IPsec rule, which by default is undefined (and anything undefined is denied). Once the connection is created, the rule is also created, which allows IPsec traffic to pass through.

Here are the steps followed:

* Open Forefront TMG Management and select Virtual Private Networks.
* Under the Remote Sites tab, select "Create VPN site-to-site connection".
* The steps from here are pretty straightforward, as fictitious IP addresses can be entered. The main goal is to create the rule so that IPsec traffic can pass.

Hope this helps someone else!
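A small triage script for the log pattern in post #1, added here as an example and not part of the thread or of any TMG tooling. It correlates the three records the original poster quotes: an internal client's IKE (500) and NAT-T (4500) connections pass the access rule, and the NAT-T leg that TMG itself originates (source network Local Host) is then denied with 0xc004003e FWX_E_FW_IPSEC_DROPPED. Flagging that pairing separates "the access rule is wrong" from "TMG has no IPsec rule for this peer", which is what the site-to-site fix in post #4 addresses. The sample records are constructed for this example using the field names quoted in the thread, with addresses from the RFC 5737 documentation ranges; the CSV column layout is an assumption, not TMG's own log export format, so map the columns before running it over a real export. The second endpoint in the sample shows what a healthy flow looks like after the fix (Local Host leg initiated, not denied).

```python
import csv
import io
from collections import defaultdict

# Result code quoted in post #1 for a packet dropped by TMG's IPsec policy check.
FWX_E_FW_IPSEC_DROPPED = 0xC004003E

# Constructed sample records using the field names quoted in post #1.
# Addresses are from the RFC 5737 documentation ranges; the CSV layout is an
# assumption made for this example, not TMG's own export format.
SAMPLE_LOG = """\
client_ip,dest_ip,action,protocol,dest_port,result_code,src_network,dst_network
192.168.10.25,203.0.113.10,Initiated Connection,IKE Client,500,0x0,Internal,External
192.168.10.25,203.0.113.10,Initiated Connection,IPsec NAT-T Client,4500,0x0,Internal,External
198.51.100.5,203.0.113.10,Denied Connection,IPsec NAT-T Client,4500,0xc004003e,Local Host,External
192.168.10.40,203.0.113.20,Initiated Connection,IKE Client,500,0x0,Internal,External
192.168.10.40,203.0.113.20,Initiated Connection,IPsec NAT-T Client,4500,0x0,Internal,External
198.51.100.5,203.0.113.20,Initiated Connection,IPsec NAT-T Client,4500,0x0,Local Host,External
"""


def parse_log(text):
    """Parse the CSV records; ports become ints, result codes are parsed as hex."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["dest_port"] = int(row["dest_port"])
        row["result_code"] = int(row["result_code"], 16)
    return rows


def find_ipsec_policy_drops(rows):
    """Per VPN endpoint, pair the internal clients whose IKE/NAT-T passed the
    access rule with a denial of TMG's own (Local Host) NAT-T leg carrying
    FWX_E_FW_IPSEC_DROPPED. That pairing is the thread's signature: the access
    rule is fine, TMG's IPsec policy has no rule for the peer."""
    initiated = defaultdict(set)   # endpoint -> internal clients that reached it
    drops = {}                     # endpoint -> TMG egress address that was denied
    for row in rows:
        if (row["src_network"] == "Internal"
                and row["action"] == "Initiated Connection"
                and row["dest_port"] in (500, 4500)):
            initiated[row["dest_ip"]].add(row["client_ip"])
        elif (row["src_network"] == "Local Host"
                and row["action"] == "Denied Connection"
                and row["dest_port"] == 4500
                and row["result_code"] == FWX_E_FW_IPSEC_DROPPED):
            drops[row["dest_ip"]] = row["client_ip"]
    return {
        endpoint: {"clients": sorted(initiated[endpoint]), "denied_from": egress_ip}
        for endpoint, egress_ip in drops.items()
        if endpoint in initiated
    }


if __name__ == "__main__":
    for endpoint, info in find_ipsec_policy_drops(parse_log(SAMPLE_LOG)).items():
        print(f"{endpoint}: NAT-T from {info['denied_from']} dropped by TMG IPsec policy "
              f"(0x{FWX_E_FW_IPSEC_DROPPED:08x}); affected clients {info['clients']}")
```

Run over the sample it reports only 203.0.113.10; the 203.0.113.20 flow, whose Local Host leg was initiated rather than denied, is the state to expect once a site-to-site connection has given TMG an IPsec rule for the peer. A denial with source network Internal rather than Local Host would point back at the access rule instead, which is why the script keys on the source network and not only on the port.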