
Windows Firewall with advanced security - IPSec bug


Hi,

I think I found a problem with IPsec on Server 2008 R2.

I have a customer that has a server in a datacenter. It has a public IP on the NIC. We are changing ISP and need our own Cisco appliances so I ordered ISA500W.

With the old ISP, there are connection security rules (CSR) in Windows Firewall with Advanced Security (WFAS) for an IPsec tunnel to the old ISP's Ciscos (type 861, I think). The IPsec tunnel works fine.

With our new ISA500W (behind NAT), the VPN builds/disconnects/builds/disconnects every few seconds. Actually more than once per second, I think, as the ISA500W log grows very quickly.

#1 It's not a problem with the new ISP's router, as an old Linksys RVS4000 with the same IP config behind their NAT connects fine. => No ISP or server config problem
#2 The ISA500W IPsec <-> Server 2008 R2 works fine when the Cisco has a public IP. => This might indicate a Cisco issue with NAT-T. But that was solved in the latest firmware.
#3 The ISA500W IPsec <-> other ISA500W: even behind NAT they can connect => So this confirms the Cisco NAT-T issue is solved in the newest firmware.

I tested a bunch of things with virtual machines. Finally, I tested a Windows Server 2012 machine with the exact same WAN IP + Cisco behind NAT, and that one establishes the tunnel in a few seconds and keeps it stable.

#4 ISA500W IPsec <-> Server 2012 connects fine even behind NAT => This to me indicates a Server 2008 R2 problem.

I know, in a way it's not a Server 2008 R2 issue, as cases #1 & #2 work. But case #4 is the exact same config with Server 2012, and that one works.
I also opened a post on a Cisco forum, as #1 (same config, different vendor appliance) works.
https://supportforums.cisco.com/message/4007565

Can Microsoft & Cisco solve this together somehow? 
Microsoft would say it's a Cisco issue as the Linksys works, and Cisco would say it's a Microsoft issue as Cisco <=> Server 2012 with NAT works...

Best regards,

David





