[vpn-help] win2008r2 ike phase 1 fails, works on win7x64 sp1
Bjoern
b.snippe at lamping-reisig.de
Wed Jul 18 06:49:37 CDT 2012
Kevin VPN <kvpn at ...> writes:
>
> Hi Martin,
>
> Do you by any chance have DirectAccess enabled on the Win2008R2 server?
> If I understand DirectAccess correctly, it allows the establishment of
> IPsec tunnels from Win7 clients to Win2k8R2 servers. That would imply
> there's an IPsec process or service running on the OS.
>
> If you have DirectAccess enabled, maybe that service/component is
> intercepting the IPsec packets that should be destined for the Shrew
> client? That might explain why you are able to see the packets arrive
> on the OS, but that they don't make it to the Shrew process.
>
> On 03/07/2012 09:42 AM, Roper, Andrew wrote:
> > Martin,
> >
> > I have seen some other discussions on these lists where other people
> > have had trouble with getting Shrew to work on Win2K8R2 and on any OS
> > running in a VM. The suspicion is that Win2K8R2 is not supported and
> > that something in the Hypervisor might be preventing the connection
> > from establishing. I, personally, have not tried Shrew Client on an
> > OS in a VM so I don't have any advice there. I would check to make
> > sure that there aren't any firewall rules on the hypervisor that may
> > be preventing the tunnel from establishing.
> >
> > Regards, Andrew
> >
> > From: Forster Martin [mailto:Martin.Forster at ...]
> > Sent: Friday, March 02, 2012 10:19 AM
> > To: Roper, Andrew
> > Subject: RE: win2008r2 ike phase 1 fails, works on win7x64 sp1
> >
> > Hi Andrew,
> >
> > Both machines, win7 and win2008r2, are behind the same firewall
> > (Watchguard). Both machines have their sw firewalls (onboard windows)
> > on. I have verified the arrival of answer packets with
> >
> > - a monitoring port.
> >
> > - A local installation of the Microsoft network monitor on the
> > win2008r2 box.
> >
> > The empty capture files I mentioned are from the Shrew Trace
> > utility. I appended them.
> >
> > Further details. Both are VMs on an esxi 4.1 host. The win2008r2 is
> > running with a vmxnet3, the win7 box runs with an e1000 adapter.
> >
> > The Firewall Server is some sort of cisco, I guess an ASA.
> >
> > Regards Martin
> >
>
Hi all,
sorry to dig out this old thread, but I'm running into this
exact problem right now.
The Win2k8r2 server (tried 2.1.7/2.2.0b2) does receive the IKE responses
(verified with WireShark running on the server), its firewall is off.
Also, there is no sign of anything called 'DirectAccess' on the server
(or I couldn't find it).
It seems the packets do not reach the iked process.
Using the native client tool (FritzBox) works, as does a ShrewSoft connection
from a Win7SP1x64 box to the same target (using the same configuration file
as on the server).
I'm not sure if this could be a 'session 0 isolation' problem
(since it's win2k8r2).
Any thoughts? Martin, have you been able to solve this problem?
Cheers,
Bjoern