Site to Site VPN - TMG Server at Hub to Cisco

DHunter123
Level 1

Hi,

I'm having trouble establishing a VPN between a TMG Server at our head office and a Cisco 850 series at the remote site. I'm new to Cisco products, but I managed to set up an ADSL connection; now I need to set up a VPN connection to our head office Microsoft TMG gateway, and I can't seem to get it to connect. I've installed the Cisco Configuration Professional tool to assist; it reports a mismatch between the router configurations.

I've included the running config of the Cisco box and the config of the TMG server below, hoping someone can shed some light on the situation, as I can't work out where the mismatch is.

The tunnel is supposed to be an IPsec tunnel using a pre-shared key. I want to get this up and running before I worry about certificates.

Thanks

Cisco 850 series running config

Current configuration : 7013 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ********
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
no logging console
enable secret *****
enable password ********
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-2057839604
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2057839604
 revocation-check none
 rsakeypair TP-self-signed-2057839604
!
!
crypto pki certificate chain TP-self-signed-2057839604
 certificate self-signed******
       quit
dot11 syslog
no ip dhcp use vrf connected
ip dhcp excluded-address x.x.x.x
ip dhcp excluded-address 192.168.x.x 192.168.x.x
ip dhcp excluded-address 192.168.x.x
!
ip dhcp pool ccp-pool
   import all
   network x
   default-router x
   lease 0 2
!
ip dhcp pool 16n
   network 192.168.x.x 255.255.255.0
   default-router 192.168.x.x
   dns-server xxxx
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
!
!
!
username xxxx privilege 15 secret 5 xxxxx.
username xxxx privilege 15 password 0 xxxxx
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key Password address x.x.x.x
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set BH ah-sha-hmac esp-3des esp-sha-hmac
!
crypto ipsec profile ProfileName
 set security-association lifetime seconds 3600
 set transform-set BH
 set pfs group2
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to x.x.x.x
 set peer x.x.x.x
 set security-association lifetime seconds 3600
 set transform-set BH
 set pfs group2
 match address 100
!
archive
 log config
  hidekeys
!
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.x.x 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 no cdp enable
 ppp chap hostname xxxxx
 ppp chap password 0 xxxxx
 ppp pap sent-username xxxxxx password 0 xxxxx
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
!
access-list 1 remark CCP_ACL Category=16
access-list 1 permit 192.168.xxx
access-list 1 permit 192.xxxx.0 0.0.0.255
access-list 23 permit xxxxxxxxxx
access-list 23 permit xxxxxxxxxxxxxxxxxxx
access-list 23 permit any
access-list 80 permit any
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxx
access-list 100 deny   ip any any
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip xxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxx
access-list 101 permit ip xxxxxxxxxxxxxxxxxxxxx
access-list 101 permit ip host xxxxxxxxxxxxxx xxx
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
control-plane
!
banner exec ^C

TMG settings

Local Tunnel Endpoint: yy.yy.yy.yy

Remote Tunnel Endpoint: xx.xx.xx.xx

To allow HTTP proxy or NAT traffic to the remote site,
the remote site configuration must contain the local
site tunnel end-point IP address.

IKE Phase I Parameters:
    Mode: Main mode
    Encryption: 3DES
    Integrity: SHA1
    Diffie-Hellman group: Group 2 (1024 bit)
    Authentication Method: Pre-shared secret (xxxxxxxx)
    Security Association Lifetime: 28800 seconds

IKE Phase II Parameters:
    Mode: ESP tunnel mode
    Encryption: 3DES
    Integrity: SHA1
    Perfect Forward Secrecy: ON
    Diffie-Hellman group: Group 2 (1024 bit)
    Time Rekeying: ON
    Security Association Lifetime: 3600 seconds
    Kbyte Rekeying: OFF

Remote Network xxxxx IP Subnets:
    Subnet: xx.x.xx.x.x./xxxx
    Subnet: xx.xx.xx.xx/xxx.xx.xxx.

Local Network 'xxxxxxxx' IP Subnets:
    Subnet: xxxxxxx.0

Local Network 'Internal' IP Subnets:
    Subnet: xxxxxxx.252
    Subnet: xxxxxxxxx.0

Local Network 'Perimeter' IP Subnets:
    Subnet: xxxxxxxx.0
    Subnet: xxxxxxxx.252

Routable Local IP Addresses:
    Subnet: xxxxxxxx.252
    Subnet: xxxxxxxx.255
    Subnet: xxxxxxxxxxx.0
    Subnet: xxxxxxxx.0

What the TMG server requires from the other end

Local Tunnel Endpoint: xx.xx.xx.xx

Remote Tunnel Endpoint: yy.yy.yy.yy

IKE Phase I Parameters:
    Mode: Main mode
    Encryption: 3DES
    Integrity: SHA1
    Diffie-Hellman group: Group 2 (1024 bit)
    Authentication Method: Pre-shared secret (xxxxxxxxx)
    Security Association Lifetime: 28800 seconds

IKE Phase II Parameters:
    Mode: ESP tunnel mode
    Encryption: 3DES
    Integrity: SHA1
    Perfect Forward Secrecy: ON
    Diffie-Hellman group: Group 2 (1024 bit)
    Time Rekeying: ON
    Security Association Lifetime: 3600 seconds
    Kbyte Rekeying: OFF

Site-to-Site Network IP Subnets:
    Subnet: xxxxxxx
    Subnet: xxxxxxx.255
    Subnet: xxxxxxxxx.0
    Subnet: xxxxxxxxx.0

1 Reply

Herbert Baerten
Cisco Employee

Hello Darren,

One discrepancy between the 2 configs is the use of AH, i.e. the TMG does not seem to be configured to do AH, while the router is.

Try changing

  crypto ipsec transform-set BH ah-sha-hmac esp-3des esp-sha-hmac

to

  crypto ipsec transform-set BH esp-3des esp-sha-hmac

One other thing to check, since you removed the IP addresses I can't tell: make sure that the IP addresses to be encrypted match up.

I.e. on the router you have:

access-list 100 permit ip xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxx

but there seems to be a lot more xxxxxx in the TMG config and I'm not too sure how that works.

Generically speaking, if the TMG is configured to encrypt traffic from A to B and from C to D (etc.), then access-list 100 should permit traffic from B to A and from D to C (etc.).

If on the other hand the TMG is configured to encrypt anything from (A and C) to (B and D), then acl 100 would need to have 4 lines: B to A, D to A, B to C, D to C.

I hope this is all not too cryptic; let me know.

hth

Herbert
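The two checks in this reply, as an added example in Python (not code from the thread or from Cisco): the AH/ESP comparison between the router's transform-set and the TMG Phase II block, and the mirrored crypto ACL lines for both the pairwise and the cross-product case. The subnets used are constructed, since the post redacts the real ones.

```python
"""Added example: check a Cisco IOS transform-set against the TMG Phase II block
and mirror the TMG subnet pairs into the crypto ACL the router needs.
Not code from the thread; the subnets below are constructed (the post redacts them)."""
import ipaddress
import itertools

# TMG Phase II as shown in the post: ESP tunnel mode, 3DES, SHA1 -> ESP only, no AH.
TMG_PHASE2 = {"mode": "ESP tunnel mode", "encryption": "3DES", "integrity": "SHA1"}

# IOS transform names for the TMG algorithm labels (ESP only; TMG adds no AH header).
ESP_ENC = {"DES": "esp-des", "3DES": "esp-3des", "AES": "esp-aes"}
ESP_INTEG = {"MD5": "esp-md5-hmac", "SHA1": "esp-sha-hmac"}

def ios_transform_set(line):
    """Split 'crypto ipsec transform-set NAME t1 t2 ...' into (NAME, {t1, t2, ...})."""
    parts = line.split()
    return parts[3], set(parts[4:])

def phase2_mismatches(ts_line, tmg=TMG_PHASE2):
    """Return the discrepancies between an IOS transform-set and TMG's Phase II settings."""
    _, transforms = ios_transform_set(ts_line)
    issues = []
    if any(t.startswith("ah-") for t in transforms) and tmg["mode"].startswith("ESP"):
        issues.append("router proposes AH but TMG is ESP-only: remove the ah-* transform")
    if ESP_ENC[tmg["encryption"]] not in transforms:
        issues.append(f"transform-set lacks {ESP_ENC[tmg['encryption']]}")
    if ESP_INTEG[tmg["integrity"]] not in transforms:
        issues.append(f"transform-set lacks {ESP_INTEG[tmg['integrity']]}")
    return issues

def mirrored_crypto_acl(tmg_local, tmg_remote, pairwise=False, acl=100):
    """Crypto ACL lines for the router. TMG encrypts local -> remote, so the router's
    ACL must permit remote -> local: one line per (remote, local) pair when the TMG
    rules are pairwise (A->B, C->D), the full cross product otherwise."""
    pairs = zip(tmg_remote, tmg_local) if pairwise else itertools.product(tmg_remote, tmg_local)
    lines = []
    for src, dst in pairs:
        s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        # IOS extended ACLs take a wildcard (inverted) mask, which ipaddress calls hostmask.
        lines.append(f"access-list {acl} permit ip {s.network_address} {s.hostmask} "
                     f"{d.network_address} {d.hostmask}")
    return lines

if __name__ == "__main__":
    for issue in phase2_mismatches("crypto ipsec transform-set BH ah-sha-hmac esp-3des esp-sha-hmac"):
        print(issue)
    # Constructed: two subnets behind the TMG, one behind the Cisco 850.
    for line in mirrored_crypto_acl(["10.0.1.0/24", "10.0.2.0/24"], ["192.168.16.0/24"]):
        print(line)
```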
