[vpn-help] win2008r2 ike phase 1 fails, works on win7x64 sp1

Kevin VPN kvpn at live.com
Wed Mar 7 20:47:01 CST 2012


Hi Martin,

Do you by any chance have DirectAccess enabled on the Win2008R2 server?
If I understand DirectAccess correctly, it allows the establishment of
IPsec tunnels from Win7 clients to Win2k8R2 servers. That would imply
there's an IPsec process or service running on the OS.

If you have DirectAccess enabled, maybe that service/component is 
intercepting the IPsec packets that should be destined for the Shrew 
client?  That might explain why you are able to see the packets arrive 
on the OS, but that they don't make it to the Shrew process.

On 03/07/2012 09:42 AM, Roper, Andrew wrote:
> Martin,
>
> I have seen some other discussions on these lists where other people
> have had trouble with getting Shrew to work on Win2K8R2 and on any OS
> running in a VM. The suspicion is that Win2K8R2 is not supported and
> that something in the Hypervisor might be preventing the connection
> from establishing. I, personally, have not tried Shrew Client on an
> OS in a VM so I don't have any advice there. I would check to make
> sure that there aren't any firewall rules on the hypervisor that may
> be preventing the tunnel from establishing.
>
> Regards, Andrew
>
> From: Forster Martin [mailto:Martin.Forster at kuenz.com]
> Sent: Friday, March 02, 2012 10:19 AM
> To: Roper, Andrew
> Subject: RE: win2008r2 ike phase 1 fails, works on win7x64 sp1
>
> Hi Andrew,
>
> Both machines, win7 and win2008r2, are behind the same firewall
> (Watchguard). Both machines have their sw firewalls (onboard windows)
> on. I have verified the arrival of answer packets with
>
> - a monitoring port.
> - a local installation of the Microsoft Network Monitor on the
>   win2008r2 box.
>
> The empty capture files I mentioned are from the Shrew Trace
> utility. I appended them.
>
> Further details. Both are VMs on an ESXi 4.1 host. The win2008r2 is
> running with a vmxnet3, the win7 box runs with an e1000 adapter.
>
> The Firewall Server is some sort of Cisco, I guess an ASA.
>
> Regards Martin
>


