Environment: 2 fresh TMG 2010 EE servers on Win2K8 R2 SP1. Both TMG and OS completely up to date with updates and patches (TMG SP2 with Rollup 1). The first TMG is placed at the edge (facing the Internet) and has the role of reverse proxy / publishing server. The second TMG is configured as a VPN server and has its back-end in the internal LAN. Only MS-CHAP-v2 and L2TP/IPSec with certificates are allowed for VPN clients. The edge TMG publishes the internal TMG VPN server (IKE and NAT-T). The global name BlockSecuredInDefaultState is set to 0 on the edge TMG. RADIUS (NPS on a dedicated server) is used for authentication, and the encryption setting in the RADIUS policy is set to "Strongest encryption (128-bit)".
VPN clients are mostly XP SP3, and a few Windows 7. MS-CHAP-v2, L2TP/IPSec and "Require encryption (disconnect if server declines)" are set in their dial-up connection.
So here we go:
Scenario 1 (fresh start, no active VPN connections):
- XP client 1 connects successfully, encryption: IPSec ESP 3DES
- XP client 2 connects successfully, encryption: IPSec ESP 3DES
- ...
- XP client x connects successfully, encryption: IPSec ESP 3DES
- Win 7 client connects successfully, encryption: IPSec AES 128
- XP client y fails with error 741

Scenario 2 (fresh start, no active VPN connections):
- Win 7 client tries to connect, but fails with error 629
- XP client y connects successfully, encryption: IPSec ESP 3DES
- XP client 1 connects successfully, encryption: IPSec ESP 3DES
- ...
- XP client x connects successfully, encryption: IPSec ESP 3DES
- Win 7 client connects successfully, encryption: IPSec AES 128
- XP client 2 fails with error 741
Error 741 is "The local computer does not support the required encryption type". Error 629 is "The connection was closed by the remote computer".
So what we see here is that a Win 7 client can't connect if it is the first client to connect. If there are active XP VPN clients (who have negotiated IPSec ESP 3DES), then the Win 7 client is able to connect (and ends up with AES 128 encryption). But the connected Win 7 client messes things up for all XP clients trying to connect afterwards!! They fail with error 741 as long as the Win 7 client is active.
This must be a serious bug in W2K8r2/RRAS, or maybe TMG? Anyone experienced the same?
My "workaround": Change the encryption setting in the dial-up connection on the Win 7 clients to "Maximum strength encryption (disconnect if server declines)". With this setting they end up with AES 256 encryption, they are able to connect as the first VPN client, and they don't mess things up for XP clients connecting afterwards. It helps me out for now, because I have control over the few Win 7 clients, but it's rather scary that one "misconfigured" Win 7 client can make the VPN solution unavailable for the XP clients.
I am going to open a support case if I don't get a better solution here.
< Message edited by Arild -- 14.Feb.2012 6:53:39 PM >
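The workaround in the post is applied by hand in the dial-up connection's properties on each Win 7 client. The script below is an added example (not code from the original post or from Microsoft) for a Win 7 client: it audits the "Data encryption" setting of every RAS/VPN phonebook entry, changes one entry to "Maximum strength encryption", and then shows which ESP algorithm the IPsec quick-mode SA actually negotiated after dialling, which is the value the post reports as "IPSec ESP 3DES" / "AES 128". Two things are assumptions to verify on your own clients before relying on the script: that the entries live in rasphone.pbk under the per-user and all-users Pbk folders named in the script, and that the DataEncryption key in that file uses 8 = optional, 256 = "Require encryption" and 512 = "Maximum strength encryption" (check by setting an entry through the GUI and reading the file). The entry name 'Office VPN' is a placeholder.

```powershell
# Added example (not from the original post). Audit and change the
# "Data encryption" setting of RAS/VPN phonebook entries on a Win 7 client,
# then show the negotiated IPsec quick-mode SA. PowerShell 2.0 compatible.
#
# Assumptions (verify before relying on them):
#  - entries live in rasphone.pbk in the two Pbk folders below;
#  - DataEncryption uses 8 = optional, 256 = require, 512 = maximum strength.

$PbkPaths = @(
    (Join-Path $env:APPDATA     'Microsoft\Network\Connections\Pbk\rasphone.pbk'),
    (Join-Path $env:ProgramData 'Microsoft\Network\Connections\Pbk\rasphone.pbk')
)

# Assumed mapping of the DataEncryption value to the GUI setting.
$EncryptionNames = @{ 0 = 'None'; 8 = 'Optional'; 256 = 'Require'; 512 = 'Maximum strength' }

function Get-PbkDataEncryption {
    # Emits one object per [Entry] section of each phonebook that exists.
    foreach ($path in $PbkPaths) {
        if (-not (Test-Path $path)) { continue }
        $entry = $null
        foreach ($line in Get-Content $path) {
            if ($line -match '^\[(.+)\]$') { $entry = $Matches[1]; continue }
            if ($entry -and $line -match '^DataEncryption=(\d+)$') {
                $value = [int]$Matches[1]
                $name  = 'Unknown'
                if ($EncryptionNames.ContainsKey($value)) { $name = $EncryptionNames[$value] }
                New-Object PSObject -Property @{
                    Phonebook = $path; Entry = $entry; Value = $value; Setting = $name
                }
            }
        }
    }
}

function Set-PbkDataEncryption {
    # Rewrites DataEncryption for one entry, keeping the file's own encoding
    # and leaving a .bak copy. Run this while the connection is disconnected.
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$Entry,
        [int]$Value = 512   # 512 = "Maximum strength encryption" (assumed)
    )
    if (-not (Test-Path $Path)) { throw "Phonebook not found: $Path" }
    Copy-Item -Path $Path -Destination "$Path.bak" -Force

    $reader = New-Object System.IO.StreamReader($Path, $true)   # detect BOM/encoding
    $text   = $reader.ReadToEnd()
    $enc    = $reader.CurrentEncoding
    $reader.Close()

    $inEntry = $false
    $changed = 0
    $lines = foreach ($line in ($text -split "`r?`n")) {
        if ($line -match '^\[(.+)\]$') { $inEntry = ($Matches[1] -eq $Entry) }
        if ($inEntry -and $line -match '^DataEncryption=') { $changed++; "DataEncryption=$Value" }
        else { $line }
    }
    if ($changed -eq 0) { throw "Entry '$Entry' has no DataEncryption line in $Path" }
    [System.IO.File]::WriteAllText($Path, ($lines -join "`r`n"), $enc)
    "Set DataEncryption=$Value on '$Entry' in $Path (backup: $Path.bak)"
}

function Show-NegotiatedIpsec {
    # After rasdial, list the quick-mode SAs; the ESP lines show whether the
    # tunnel ended up on 3DES or AES (Vista/Win 7 and later only).
    netsh advfirewall monitor show qmsa | Select-String -Pattern 'Local IP|Remote IP|ESP|3DES|AES'
}

# Usage:
Get-PbkDataEncryption | Format-Table Entry, Value, Setting, Phonebook -AutoSize
# Apply the post's workaround to one entry ('Office VPN' is a placeholder name):
# Set-PbkDataEncryption -Path $PbkPaths[0] -Entry 'Office VPN' -Value 512
# rasdial 'Office VPN' ; Show-NegotiatedIpsec
```

Run Get-PbkDataEncryption first on a client whose entry was configured through the GUI to confirm the value mapping on your build before using Set-PbkDataEncryption on the others; the .bak copy lets you roll back if the value turns out to differ.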