[vpn-help] win2008r2 ike phase 1 fails, works on win7x64 sp1

Bjoern b.snippe at lamping-reisig.de
Wed Jul 18 06:49:37 CDT 2012


Kevin VPN <kvpn at ...> writes:

> 
> Hi Martin,
> 
> Do you by any chance have DirectAccess enabled on the Win2008R2 server? 
> If I understand DirectAccess correctly, it allows the establishment of
> IPsec tunnels from Win7 clients to Win2k8R2 servers. That would imply 
> there's an IPsec process or service running on the OS.
> 
> If you have DirectAccess enabled, maybe that service/component is 
> intercepting the IPsec packets that should be destined for the Shrew 
> client?  That might explain why you are able to see the packets arrive 
> on the OS, but that they don't make it to the Shrew process.
> 
> On 03/07/2012 09:42 AM, Roper, Andrew wrote:
> > Martin,
> >
> > I have seen some other discussions on these lists where other people
> > have had trouble with getting Shrew to work on Win2K8R2 and on any OS
> > running in a VM. The suspicion is that Win2K8R2 is not supported and
> > that something in the Hypervisor might be preventing the connection
> > from establishing. I, personally, have not tried Shrew Client on an
> > OS in a VM so I don't have any advice there. I would check to make
> > sure that there aren't any firewall rules on the hypervisor that may
> > be preventing the tunnel from establishing.
> >
> > Regards, Andrew
> >
> > From: Forster Martin [mailto:Martin.Forster at ...]
> > Sent: Friday, March 02, 2012 10:19 AM
> > To: Roper, Andrew
> > Subject: RE: win2008r2 ike phase 1 fails, works on win7x64 sp1
> >
> > Hi Andrew,
> >
> > Both machines, win7 and win2008r2, are behind the same firewall
> > (Watchguard). Both machines have their sw firewalls (onboard Windows)
> > on. I have verified the arrival of answer packets with
> >
> > - a monitoring port.
> >
> > - a local installation of the Microsoft Network Monitor on the
> > win2008r2 box.
> >
> > The empty capture files I mentioned are from the Shrew Trace
> > utility. I appended them.
> >
> > Further details: Both are VMs on an ESXi 4.1 host. The win2008r2 is
> > running with a vmxnet3, the win7 box runs with an e1000 adapter.
> >
> > The firewall server is some sort of Cisco, I guess an ASA.
> >
> > Regards Martin
> >
> 

Hi all,

sorry to dig out this old thread, but I'm running into this 
exact problem right now. 

The Win2k8r2 server (tried 2.1.7/2.2.0b2) does receive the IKE responses 
(verified with Wireshark running on the server); its firewall is off. 
Also, there is no sign of anything called 'DirectAccess' on the server 
(or I couldn't find it).

It seems the packets do not reach the iked process.

Using the native client tool (FritzBox) works, as does a ShrewSoft connection
from a Win7SP1x64 box to the same target (using the same configuration file 
as on the server).

I'm not sure if this could be a 'session 0 isolation' problem 
(since it's win2k8r2).

Any thoughts? Martin, have you been able to solve this problem?

Cheers,
Bjoern




