Channel: Forefront TMG and ISA Server forum

IPSec VPNs to ASA fail in Phase II after upgrade from ISA 2006 to TMG 2010 SP2


Last week I began an upgrade of our ISA 2006 Enterprise array. I have installed a TMG EMS 2010 SP2 on W2K8 R2 and then joined a TMG Array member (also W2K8 R2) and imported the config from the ISA 2006 array. All access is working perfectly except the IPSEC VPN to our ASA 5505 in our branch office. The config on the branch office has not been touched and when I re-activate the old ISA 2006 Array the VPN comes up immediately.

I have created a standalone TMG on a fresh install to do further testing and recreated VPN tunnels from scratch but still no luck. I can see the IKE Phase 1 successfully connect but the phase II appears to be failing with mismatched IPSEC Policies - but they are correct.

<item>
  <error>ERROR_IPSEC_IKE_POLICY_MATCH</error>
  <frequency>130</frequency>
</item>

<ikeQmFailure>
  <failureErrorCode>13868 (ERROR_IPSEC_IKE_POLICY_MATCH)</failureErrorCode>
  <failurePoint>IPSEC_FAILURE_ME</failurePoint>
  <keyingModuleType>IKEEXT_KEY_MODULE_IKE</keyingModuleType>
  <qmState>IKEEXT_QM_SA_STATE_INITIAL</qmState>
  <saRole>IKEEXT_SA_ROLE_RESPONDER</saRole>
  <saTrafficType>IPSEC_TRAFFIC_TYPE_TUNNEL</saTrafficType>
  <localSubNet>
    <type>FWP_V4_ADDR_MASK</type>
    <v4AddrMask>
      <addr>192.168.150.0</addr>
      <mask>255.255.255.0</mask>
    </v4AddrMask>
  </localSubNet>
  <remoteSubNet>
    <type>FWP_V4_ADDR_MASK</type>
    <v4AddrMask>
      <addr>192.168.100.0</addr>
      <mask>255.255.255.0</mask>
    </v4AddrMask>
  </remoteSubNet>
  <qmFilterId>75773</qmFilterId>
</ikeQmFailure>

I have followed this thread's info http://social.technet.microsoft.com/Forums/en-US/ForefrontedgeVPN/thread/d033a9d1-aff6-4098-a002-e5e15ee1834c/ but am having no luck.
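
An added example, not part of the original post: a small Python parser for ikeQmFailure records like the one quoted above, which pulls out the error code, SA role and the local and remote networks in CIDR form so they can be compared with the address ranges configured for the tunnel on each side. The function names are hypothetical, the sample is an abridged copy of the record in the post, and it assumes the input is an XML fragment using the element names shown there.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample: abridged copy of the ikeQmFailure record quoted in the post.
SAMPLE = """
<ikeQmFailure>
  <failureErrorCode>13868 (ERROR_IPSEC_IKE_POLICY_MATCH)</failureErrorCode>
  <saRole>IKEEXT_SA_ROLE_RESPONDER</saRole>
  <saTrafficType>IPSEC_TRAFFIC_TYPE_TUNNEL</saTrafficType>
  <localSubNet><v4AddrMask><addr>192.168.150.0</addr><mask>255.255.255.0</mask></v4AddrMask></localSubNet>
  <remoteSubNet><v4AddrMask><addr>192.168.100.0</addr><mask>255.255.255.0</mask></v4AddrMask></remoteSubNet>
  <qmFilterId>75773</qmFilterId>
</ikeQmFailure>
"""

def subnet(node):
    """Convert a <localSubNet>/<remoteSubNet> element to an IPv4Network."""
    addr = node.findtext("v4AddrMask/addr")
    mask = node.findtext("v4AddrMask/mask")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_qm_failures(fragment):
    """Return one dict per <ikeQmFailure> element in an XML fragment."""
    root = ET.fromstring(f"<root>{fragment}</root>")  # wrapper allows several records
    records = []
    for f in root.iter("ikeQmFailure"):
        raw = f.findtext("failureErrorCode", default="")
        m = re.match(r"\s*(\d+)\s*\((\w+)\)", raw)  # "13868 (NAME)" -> code, name
        records.append({
            "code": int(m.group(1)) if m else None,
            "name": m.group(2) if m else raw.strip(),
            "role": f.findtext("saRole"),
            "local": subnet(f.find("localSubNet")),
            "remote": subnet(f.find("remoteSubNet")),
        })
    return records

def compare_selectors(record, expected_local, expected_remote):
    """Check the record's networks against the ranges configured for the tunnel."""
    return {
        "local_ok": record["local"] == ipaddress.ip_network(expected_local),
        "remote_ok": record["remote"] == ipaddress.ip_network(expected_remote),
    }

if __name__ == "__main__":
    for rec in parse_qm_failures(SAMPLE):
        print(rec["code"], rec["name"], rec["role"], rec["local"], "<->", rec["remote"])
```
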


