• Status: Solved
  • Priority: Medium

Problem with creating IPsec VPN tunnel

I am trying to set up an IPsec VPN tunnel to a provider of a data service. I am using a Windows 2003 Server as my gateway and I have set up the IPsec records correctly, I think. My gateway has two network cards, one to the LAN ( and one public (213.888.555.155, "not the real one"). My provider has a VPN where I am going to reach a computer with the IP The external IP of the provider's server is 65.888.555.254, "not the real one". From my gateway I am now trying to ping which, as I understand it, should automatically raise a VPN tunnel to 65.888.555.254, but this is not happening, I think. I have also configured a static route that says that should use my gateway's public interface and the gateway 65.888.555.254. If I write tracert 65.888.55.254 on my Windows 2003 gateway it traces that one correctly. If I write tracert it only sends to my ISP, it seems, and then of course stops. Am I missing something here?
1 Solution
Sure..

If you are encrypting the packet headers in the IPsec policy, you will have a problem with NAT. This is done automatically to protect against man-in-the-middle attacks.

So, make sure you encrypt the packet body only.

Test again and check if it works.
Steverino541 (Author) commented:
Ok, can you direct me to where I can change that?
mmc > IP Security Policies >
On Server Policies (according to which one you used):
right-click -> Properties:
in the Rules tab: edit the rule ->
. Tunnel Settings: set your endpoint IP address
. Filter Action: edit your rule, Edit: choose AH instead of ESP

Make sure you make the same configuration on both sides.

Make sure, too, that you write down the original configuration before doing these tests, in case the configuration gets corrupted.

Also, on your firewalls and routers, make sure you allow these for IPsec to work fine:

IP protocol ID 51: both inbound and outbound filters should be set to pass AH traffic.

UDP port 500: both inbound and outbound filters should be set to pass ISAKMP traffic.

Also, if you had to use ESP for whatever reason, make sure you allow IP protocol ID 50.
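Added example (my own, not part of the thread and not Windows 2003 policy syntax): a small check of the firewall/router requirements listed in the answer above. Given a constructed first-match rule set, it reports which of the flows an IPsec tunnel needs (ISAKMP on UDP 500, AH protocol 51 or ESP protocol 50, and UDP 4500 for NAT-T) are blocked in either direction. It also flags the combination of AH with a NAT in the path, because AH's integrity check covers the outer IP header, so a NAT that rewrites the source address invalidates every AH packet; only ESP (with NAT-T, RFC 3948) survives address translation. The `Rule`/`Flow` types and the sample rule sets are assumptions made for the example.

```python
"""Added example (not from the original thread): check whether a firewall
rule set passes the traffic an IPsec tunnel needs, following the AH/ESP,
ISAKMP and NAT-T protocol/port list discussed above.  The rule model and
the sample rules are constructed for illustration; they are not Windows
2003 policy syntax."""
from dataclasses import dataclass
from typing import List, Optional

PROTO_UDP = 17
PROTO_ESP = 50      # Encapsulating Security Payload
PROTO_AH = 51       # Authentication Header
ISAKMP_PORT = 500   # IKE negotiation
NAT_T_PORT = 4500   # IKE and UDP-encapsulated ESP once a NAT is detected


@dataclass(frozen=True)
class Rule:
    """One firewall rule: first match wins, anything unmatched is dropped."""
    direction: str          # "in" or "out", from the gateway's point of view
    protocol: int           # IP protocol number
    port: Optional[int]     # destination port for UDP, None otherwise
    action: str             # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: int
    port: Optional[int]
    purpose: str


def required_flows(mode: str, nat_in_path: bool) -> List[Flow]:
    """Traffic that must pass in both directions for the tunnel to come up."""
    flows = [Flow(d, PROTO_UDP, ISAKMP_PORT, "ISAKMP/IKE negotiation")
             for d in ("in", "out")]
    if nat_in_path:
        # With NAT-T the peers move to UDP 4500 and ESP rides inside UDP,
        # so raw protocol 50 does not need to cross the NAT.
        flows += [Flow(d, PROTO_UDP, NAT_T_PORT, "IKE + ESP over UDP (NAT-T)")
                  for d in ("in", "out")]
    else:
        proto = PROTO_AH if mode == "ah" else PROTO_ESP
        name = "AH (protocol 51)" if mode == "ah" else "ESP (protocol 50)"
        flows += [Flow(d, proto, None, name) for d in ("in", "out")]
    return flows


def is_allowed(rules: List[Rule], flow: Flow) -> bool:
    """First-match evaluation with an implicit deny at the end."""
    for r in rules:
        if r.direction != flow.direction or r.protocol != flow.protocol:
            continue
        if r.port is not None and r.port != flow.port:
            continue
        return r.action == "allow"
    return False


def check_tunnel(rules: List[Rule], mode: str, nat_in_path: bool) -> List[str]:
    """Return a list of problems; an empty list means the path looks usable."""
    problems = []
    if mode == "ah" and nat_in_path:
        # AH's ICV covers the outer IP header, so a NAT that rewrites the
        # source address breaks every packet.  Only ESP can be NAT-traversed.
        problems.append("AH cannot traverse NAT (it authenticates the outer IP "
                        "header); use ESP with NAT-T instead")
    for f in required_flows(mode, nat_in_path):
        if not is_allowed(rules, f):
            port = f" port {f.port}" if f.port is not None else ""
            problems.append(f"{f.direction}bound protocol {f.protocol}{port} "
                            f"blocked: {f.purpose}")
    return problems


# Constructed sample: ISAKMP is open both ways but ESP is only allowed
# outbound, the usual mistake when only the initiating side was considered.
SAMPLE_RULES = [
    Rule("in", PROTO_UDP, ISAKMP_PORT, "allow"),
    Rule("out", PROTO_UDP, ISAKMP_PORT, "allow"),
    Rule("out", PROTO_ESP, None, "allow"),
    Rule("in", PROTO_ESP, None, "deny"),
]

# Same rule set with the missing inbound ESP allow placed before the deny.
FIXED_RULES = [Rule("in", PROTO_ESP, None, "allow")] + SAMPLE_RULES

if __name__ == "__main__":
    for label, rules in (("sample", SAMPLE_RULES), ("fixed", FIXED_RULES)):
        for mode, nat in (("esp", False), ("ah", False), ("ah", True)):
            print(f"{label} rules, mode={mode}, nat={nat}:",
                  check_tunnel(rules, mode, nat) or ["ok"])
```

Run against the sample rules in ESP mode it reports only the inbound protocol 50 block, which matches the symptom of a tunnel that negotiates but never passes return traffic; in AH mode through a NAT it reports the AH/NAT conflict before any port problem, since no firewall change can fix that one.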