Hello
We are attempting to secure Outlook Anywhere access via TMG (2010) and IPsec for external users of Exchange 2010. I have set up the TMG rule via instructions from MS.
IPsec has been set up to require authentication using our internal CA between "Any IP Address" and the external IP that TMG listens on. This has also been tested and I can verify that a Main Mode is created between the 2 systems (Authentication: cert, Encryption: 3DES, Integrity: SHA1, Diffie: Medium 2).
Problem is that they don't seem to work together with Quick Mode.
TMG Logs:
event id 4651
An IPsec main mode security association was established. Extended mode was not enabled. A certificate was used for authentication.
Local Endpoint:
Principal Name: cas-a1.company.local
Network Address: 12.17.154.41
Keying Module Port: 500
Local Certificate:
SHA Thumbprint: af4253038110f736921065e4ac3f709adc5b7c6
Issuing CA: firma Certificate Authority
Root CA: C=PL, O=firma, OU=www.firma.com, CN=firma Root Certificate Authority
Remote Endpoint:
Principal Name: pc.firma.local
Network Address: 95.40.78.98
Keying Module Port: 500
Remote Certificate:
SHA thumbprint: 8fa55581e23d2afba500ed69904af3372d4c30854
Issuing CA: firma Certificate Authority
Root CA: C=PL, O=firma, OU=www.firma.com, CN=firma Root Certificate Authority
Cryptographic Information:
Cipher Algorithm: 3DES
Integrity Algorithm: SHA1
Diffie-Hellman Group: DH group 2
Security Association Information:
Lifetime (minutes): 480
Quick Mode Limit: 0
Main Mode SA ID: 128
Additional Information:
Keying Module Name: IKEv1
Authentication Method: Certificate
Role: Responder
Impersonation State: Not enabled
Main Mode Filter ID: 362858
next event id 4655
An IPsec main mode security association ended.
Local Network Address: 12.17.154.41
Remote Network Address: 95.40.78.98
Keying Module Name: IKEv1
Main Mode SA ID: 128
event id 4653
An IPsec main mode negotiation failed.
Local Endpoint:
Local Principal Name: -
Network Address: 12.17.154.41
Keying Module Port: 500
Remote Endpoint:
Principal Name: -
Network Address: 95.40.78.98
Keying Module Port: 500
Additional Information:
Keying Module Name: AuthIP
Authentication Method: Unknown authentication
Role: Responder
Impersonation State: Not enabled
Main Mode Filter ID: 0
Failure Information:
Failure Point: Local computer
Failure Reason: No policy configured
State: No state
Initiator Cookie: c61882ea0dd6310c
Responder Cookie: f6bdd2d3235cf6e1
On TMG I have VPN with IPsec - that is working fine (users from domain group, with certificate, can only authenticate). OWA is on a separate listener and rule (users from domain, with certificate, can only authenticate).
Any ideas why Quick Mode/IPsec for Outlook gets dropped (No policy configured - where?)?
Thanks a lot for help.
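The sequence quoted in the post (event 4651 establishing a Main Mode SA under IKEv1, 4655 ending it, then 4653 failing under AuthIP with "No policy configured") is the kind of pattern that is easier to spot when the Security log text is correlated per peer rather than read event by event. The script below is an added example, not code from the original post or from TMG/Windows: it parses event text in the layout quoted above (the sample input is constructed from the post's own events, trimmed to the fields used) and reports, for each local/remote address pair, which keying module established a Main Mode SA and which keying module the failed negotiation ran under, quoting the logged failure reason. The field names and the `4651`/`4655`/`4653` event ids are those that appear in the post; the grouping logic is my own.

```python
import re
from collections import defaultdict

# Constructed sample input: the three IPsec audit events from the post,
# trimmed to the fields used below. Field names follow the Windows
# Security log text; values are the ones quoted in the post.
SAMPLE_LOG = """\
event id 4651
An IPsec main mode security association was established.
Local Endpoint:
Principal Name: cas-a1.company.local
Network Address: 12.17.154.41
Remote Endpoint:
Principal Name: pc.firma.local
Network Address: 95.40.78.98
Additional Information:
Keying Module Name: IKEv1
Authentication Method: Certificate
Role: Responder
event id 4655
An IPsec main mode security association ended.
Local Network Address: 12.17.154.41
Remote Network Address: 95.40.78.98
Keying Module Name: IKEv1
event id 4653
An IPsec main mode negotiation failed.
Local Endpoint:
Network Address: 12.17.154.41
Remote Endpoint:
Network Address: 95.40.78.98
Additional Information:
Keying Module Name: AuthIP
Authentication Method: Unknown authentication
Failure Point: Local computer
Failure Reason: No policy configured
"""

EVENT_HEADER = re.compile(r"^event id (\d+)\s*$")


def parse_events(text):
    """Split the log text into events, each a dict of field -> value.

    'Network Address' appears under both 'Local Endpoint:' and
    'Remote Endpoint:' in events 4651/4653, so it is prefixed with the
    current section to match the 'Local/Remote Network Address' form
    that event 4655 uses directly.
    """
    events = []
    current = None
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = EVENT_HEADER.match(line)
        if m:
            current = {"event_id": m.group(1)}
            events.append(current)
            section = ""
            continue
        if current is None:
            continue
        if line.endswith("Endpoint:"):
            section = line.split()[0]  # "Local" or "Remote"
            continue
        if ":" not in line:
            # The free-text description line of the event.
            current.setdefault("message", line)
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Network Address" and section:
            key = f"{section} Network Address"
        current[key] = value
    return events


def correlate_by_peer(events):
    """Group events by (local, remote) address pair, preserving log order."""
    by_peer = defaultdict(list)
    for ev in events:
        pair = (ev.get("Local Network Address"), ev.get("Remote Network Address"))
        by_peer[pair].append(ev)
    return by_peer


def findings(events):
    """One finding per failed main mode negotiation (event 4653), noting
    when the same peer had earlier established a main mode SA (event 4651)
    under a different keying module than the one that failed."""
    out = []
    for (local, remote), evs in correlate_by_peer(events).items():
        established = [e["Keying Module Name"] for e in evs if e["event_id"] == "4651"]
        failed = [(e.get("Keying Module Name"), e.get("Failure Reason", "-"))
                  for e in evs if e["event_id"] == "4653"]
        for module, reason in failed:
            note = f"{local} <-> {remote}: main mode negotiation via {module} failed ({reason})"
            if established and module not in established:
                note += f"; an earlier main mode SA was established via {', '.join(established)}"
            out.append(note)
    return out


if __name__ == "__main__":
    for line in findings(parse_events(SAMPLE_LOG)):
        print(line)
```

Run against the sample it prints a single line pointing out that the failed negotiation for the peer pair ran under AuthIP while the established SA used IKEv1, with the "No policy configured" reason attached. On a real system the same parser can be fed the text of the Security log entries exported from Event Viewer; the value of grouping by peer is that a mismatch between the keying module that succeeded and the one that failed becomes visible at a glance instead of being buried across three separate events.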