Channel: Forefront TMG and ISA Server forum

IPSEC vpn on TMG2010 behind Cisco ASA NAT - cannot get to work

Hello there,

We have been running a PPTP vpn for selected users for some years using TMG behind NAT provided by a Cisco ASA. As a result of a Security Audit, we have attempted to change the vpn to use IPSEC. So far without success.

After a fair amount of research, I have got to the stage where I can see Main Mode and Quick Mode Security Associations are being formed (using the IP Security Monitor plugin on both the TMG2010 server and a Windows 7 client). However, the vpn connection does not complete successfully, and after a minute or so it times out with Error 809.

Because the Main Mode and Quick mode associations are formed, I assume that the Certificates are correct?

The Cisco is performing NAT-T, and allows UDP 500, 4500, and 1701, as well as protocol 50 (ESP):

access-list outside_access_in extended permit udp any object <TMG server> eq isakmp
access-list outside_access_in extended permit udp any object <TMG server> eq 4500
access-list outside_access_in extended permit udp any object <TMG server> eq 1701
access-list outside_access_in extended permit esp any object <TMG server>

I also assume that access from the TMG to the internal LAN is OK, as all I am doing is adding IPSEC to the existing PPTP vpn, which is known to work.

My problem is that I don't know what should happen next - I can't see any failures in the logs for the Cisco ASA or for TMG.  Can anyone give any clues as to what should happen next (or indeed whether this configuration should work?)

Many thanks
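As an added example (not part of the original post), the following script parses ASA access-list entries in the form quoted above and reports which of the permits an L2TP/IPsec client behind NAT-T needs (UDP 500, UDP 4500, UDP 1701 and ESP) are missing. The sample ACL is constructed from the posted lines, with the placeholder `<TMG server>` replaced by the made-up object name `obj-tmg-server`.

```python
import re

# ASA prints some well-known ports by name; map the ones relevant here.
ASA_PORT_NAMES = {"isakmp": 500, "l2tp": 1701}

# Permits an L2TP/IPsec client needs to reach the server through NAT-T:
# IKE (UDP/500), NAT-T (UDP/4500), L2TP (UDP/1701) and raw ESP for peers
# that are not behind NAT. None means "no port" (protocol-level permit).
REQUIRED = {("udp", 500), ("udp", 4500), ("udp", 1701), ("esp", None)}

ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<src>any|object\s+\S+|host\s+\S+)\s+"
    r"(?P<dst>any|object\s+\S+|host\s+\S+)(?:\s+eq\s+(?P<port>\S+))?\s*$"
)


def parse_ace(line):
    """Return a dict for one extended ACE, or None if the line is not one."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    port = m.group("port")
    if port is not None:
        port = int(port) if port.isdigit() else ASA_PORT_NAMES.get(port.lower(), port.lower())
    return {"acl": m.group("acl"), "action": m.group("action"),
            "proto": m.group("proto").lower(), "dst": m.group("dst"), "port": port}


def check_l2tp_ipsec(acl_text, acl_name="outside_access_in"):
    """Return the (proto, port) pairs from REQUIRED that the named ACL does not permit."""
    permitted = set()
    for line in acl_text.splitlines():
        ace = parse_ace(line)
        if ace and ace["acl"] == acl_name and ace["action"] == "permit":
            permitted.add((ace["proto"], ace["port"]))
    return sorted(REQUIRED - permitted, key=str)


# Constructed sample: the posted ACL with the object name made up.
SAMPLE_ACL = """\
access-list outside_access_in extended permit udp any object obj-tmg-server eq isakmp
access-list outside_access_in extended permit udp any object obj-tmg-server eq 4500
access-list outside_access_in extended permit udp any object obj-tmg-server eq 1701
access-list outside_access_in extended permit esp any object obj-tmg-server
"""

if __name__ == "__main__":
    missing = check_l2tp_ipsec(SAMPLE_ACL)
    print("missing permits:", missing or "none")
```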

