Site to Site VPN Between ISA 2006 and TMG -- Update Your IPsec Settings
While doing some site to site VPN testing between a Forefront TMG firewall and an ISA 2006 firewall, I found that that my IPsec tunnel mode VPN connections were failing. At first I thought the problem was that I didn't put a default gateway address on the external interfaces of both the ISA and Forefront TMG firewalls (since each of these external interfaces were on the same network ID on this test network). But that wasn't the problem. (although it would be a problem if I hadn't fixed this -- you do need to put a default gateway on the external interfaces of the ISA firewalls when doing IPsec tunnel mode).
The issue is related to the default settings on the TMG firewall for IPsec tunnel mode site to site VPN connections. You need to change the settings on the TMG to match those on the ISA firewall. You can find out the settings used by the IPsec tunnel mode connection by right clicking on the site to site VPN connection you created in the ISA and TMG firewall consoles. Change the settings on the TMG to match the settings on the ISA firewall, not the other way around. Then your IPsec tunnel mode site to site VPN will work nicely.
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: [email protected]
MVP — Microsoft Firewalls (ISA)