Forefront TMG to SRP527w


I am trying to set up an IPSEC site-to-site VPN between MS Forefront TMG 2010 and a Cisco SRP527W router.

I am running the latest firmware on the router.

I cannot get the two to connect; I have matched the settings on the SRP527W as closely as possible to those in Forefront.

I can't see any logs to indicate why this is not working, but I may need to turn on more logging in Forefront.

Does anyone have any ideas?

Below are the settings from Forefront TMG:

Local Tunnel Endpoint: External IP Router

Remote Tunnel Endpoint: External IP TMG

IKE Phase I Parameters:

    Mode: Main mode

    Encryption: 3DES

    Integrity: SHA1

    Diffie-Hellman group: Group 2 (1024 bit)

    Authentication Method: Pre-shared secret (ThisIsAPreSharedKey2012)

    Security Association Lifetime: 86400 seconds

IKE Phase II Parameters:

    Mode: ESP tunnel mode

    Encryption: 3DES

    Integrity: SHA1

    Perfect Forward Secrecy: OFF

    Diffie-Hellman group: Group 2 (1024 bit)

    Time Rekeying: ON

    Security Association Lifetime: 28800 seconds

    Kbyte Rekeying: ON

    Rekey After Sending: 4608000 Kbytes

Site-to-Site Network IP Subnets:


2 Replies

Andrew Hickman
Cisco Employee

Hi Wayne,

Can I assume from your TMG settings above that this is installed behind a NAT gateway? If so, ensure that you enable NAT-T on the SRP and configure the IKE policy "Remote ID" with the private address of the TMG.

Hope that helps,


Hi Andy,

The TMG is public-facing, but is on a cloud-based server.

Supposedly the firewall in front of it is not blocking any ports, at least that is what they tell us.

I did try what you suggested anyway, but no luck.
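As an added check that is not part of this thread: a small Python script that normalises the two vendors' spellings of the same parameters and reports which IKEv1 phase 1 / phase 2 attributes would stop the tunnel negotiating, including the NAT-T point raised in the reply above. The TMG side is the list posted in the question; the SRP527W side, the field names and the behind_nat/nat_t flags are constructed assumptions, not SRP configuration syntax.

```python
# Vendor spellings of the same algorithm, group or mode, normalised to one token.
ALIASES = {"3des": "3des", "des3": "3des", "sha1": "sha1", "sha": "sha1",
           "group 2 (1024 bit)": "dh2", "group2": "dh2", "modp1024": "dh2",
           "main mode": "main", "esp tunnel mode": "esp-tunnel", "esp": "esp-tunnel",
           "pre-shared secret": "psk", "pre-shared key": "psk"}

def norm(value):
    key = str(value).strip().lower()
    return ALIASES.get(key, key)

# Must agree for IKEv1 phase 1 / phase 2 (lifetimes omitted: they need not be identical).
STRICT = {"phase1": ["mode", "encryption", "integrity", "dh_group", "auth", "psk"],
          "phase2": ["mode", "encryption", "integrity", "pfs"]}

def compare_proposals(local, remote):
    """Return mismatch findings; an empty list means the proposals agree."""
    findings = []
    for phase, fields in STRICT.items():
        for f in fields:
            a, b = norm(local[phase].get(f)), norm(remote[phase].get(f))
            if a == b:
                continue
            # Never echo the secret; a PSK mismatch fails silently in main mode.
            shown = ("<redacted>",) * 2 if f == "psk" else (a, b)
            findings.append(f"{phase}.{f}: local={shown[0]} remote={shown[1]}")
    # With PFS on, the phase 2 DH group is negotiated too and must also match.
    if "on" in (norm(local["phase2"].get("pfs")), norm(remote["phase2"].get("pfs"))):
        if norm(local["phase2"].get("dh_group")) != norm(remote["phase2"].get("dh_group")):
            findings.append("phase2.dh_group: PFS enabled but DH groups differ")
    # A peer behind NAT needs NAT-T on both ends and an IKE ID the other side expects.
    if (local.get("behind_nat") or remote.get("behind_nat")) and not (
            local.get("nat_t") and remote.get("nat_t")):
        findings.append("nat-t: a peer is behind NAT but NAT-T is not enabled on both sides")
    return findings

# Parameters posted for Forefront TMG above.
TMG = {"phase1": {"mode": "Main mode", "encryption": "3DES", "integrity": "SHA1",
                  "dh_group": "Group 2 (1024 bit)", "auth": "Pre-shared secret",
                  "psk": "ThisIsAPreSharedKey2012"},
       "phase2": {"mode": "ESP tunnel mode", "encryption": "3DES", "integrity": "SHA1",
                  "pfs": "OFF", "dh_group": "Group 2 (1024 bit)"},
       "behind_nat": False, "nat_t": True}

# Constructed SRP527W side: same algorithms but PFS left on, a common phase 2 mismatch.
SRP_SAMPLE = {"phase1": {"mode": "main", "encryption": "des3", "integrity": "sha",
                         "dh_group": "group2", "auth": "Pre-shared key",
                         "psk": "ThisIsAPreSharedKey2012"},
              "phase2": {"mode": "esp", "encryption": "des3", "integrity": "sha",
                         "pfs": "ON", "dh_group": "group2"},
              "behind_nat": False, "nat_t": True}
```

Run `compare_proposals(TMG, SRP_SAMPLE)` to list what the SRP side would have to change; an empty list only means the proposals agree, not that the PSK or subnets are right.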

