Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1200
Views
0
Helpful
2
Replies

Forefront TMG to SRP527w

admiralw12
Level 1
Level 1

‎08-29-2012 10:26 PM

I ma trying to setup a IPSEC site to site VPN between MS Forefront TMG 2010 to a Cisco SRP527W router

I am running the latest firmware on the router

I cannot get the 2 to connect, I have matched as best as possible the settings on the SRP527W as are in Forefront

I can't see any logs to indicate why this is not working, but may need to turn on more logging in Forefront

If anyone has any ideas?

Below are the Settings From Forefront TMG:

Local Tunnel Endpoint: External IP Router

Remote Tunnel Endpoint: External IP TMG

IKE Phase I Parameters:

    Mode: Main mode

    Encryption: 3DES

    Integrity: SHA1

    Diffie-Hellman group: Group 2 (1024 bit)

    Authentication Method: Pre-shared secret (ThisIsAPreSharedKey2012)

    Security Association Lifetime: 86400 seconds

IKE Phase II Parameters:

    Mode: ESP tunnel mode

    Encryption: 3DES

    Integrity: SHA1

    Perfect Forward Secrecy: OFF

    Diffie-Hellman group: Group 2 (1024 bit)

    Time Rekeying: ON

    Security Association Lifetime: 28800 seconds

    Kbyte Rekeying: ON

    Rekey After Sending: 4608000 Kbytes

Site-to-Site Network IP Subnets:

    Subnet: 10.10.10.0/255.255.255.0

Labels:
0 Helpful
2 Replies 2

Andrew Hickman
Cisco Employee
Cisco Employee

‎08-30-2012 01:02 AM

Hi Wayne,

Can I assume from your TMG settings above that this is installed behind a NAT gateway?  If so, ensure that you enable NAT-T on the SRP and configure the IKE policy "Remote ID" with the private address of the TMG.

Hope that helps,

Andy

0 Helpful

admiralw12
Level 1
Level 1
In response to Andrew Hickman

‎08-30-2012 03:58 PM

Hi Andy,

The TMG is public facing, but is on a cloud based server

Supposly the firewall in front of it is not block anyports, at least that is what they tell us

I did try what you suggested anyway, but no luck

Wayne

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents