Windows – Problems with packets on IPSEC Tunnel for Windows 2008 R2


I have a network with a Windows 2008 R2 server with Routing and Remote Access installed on a cloud platform with a PUBLIC and PRIVATE IP address. I have successfully configured the Fortigate FW and the 2008 server to negotiate Phase 1 and Phase 2 of the connection. Everything looks fine up to that point.

When I try to ping from the LOCAL side of the Fortigate to the PRIVATE side of the 2008 R2 device I then run into problems. The tunnel comes up with phase 1 and phase 2 negotiating just fine, but the Windows Event Viewer shows the packets are getting blocked by the packet filter system under Windows.

Event viewer shows two error codes

Log Name:      Security
Source:        Microsoft Windows security
EventID:       5152
Task Category: Filtering Platform Packet Drop
The Windows Filtering Platform has blocked a packet.

Application Information:
    Process ID:          0
    Application Name:    -

Network Information:
    Direction:           Inbound
    Source Address:
    Source Port:         0
    Destination Address:
    Destination Port:    8
    Protocol:            1

Filter Information:
    Filter Run-Time ID:  74898
    Layer Name:          Transport
    Layer Run-Time ID:   12

The other event log entry is

Log Name:      Security
Source:        Microsoft Windows security
EventID:       4963
Task Category: IPsec Driver
IPsec dropped an inbound clear text packet that should have been secured.
If the remote computer is configured with a Request Outbound IPsec policy,
this might be benign and expected. This can also be caused by the remote
computer changing its IPsec policy without informing this computer. This
could also be a spoofing attack attempt.

    Remote Network Address:
    Inbound SA SPI:       0

I have gone as far as to turn off all filtering for each Windows FW domain for incoming connections with no luck. I continue to see these error messages repeated when I try to PING. I have also tested TELNET to the Windows Telnet server I had installed on the system as well, with no luck either.

Has anyone dealt with the 2008 R2 Firewall for an IPSEC tunnel like this and had success? I find very spotty references elsewhere and none quite as deep in as this.
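The two event types quoted above can be correlated on the server itself. The script below is an added diagnostic example, not something from the original question or answer: it reads recent 5152 and 4963 events from the Security log, resolves the Filter Run-Time ID of each 5152 drop against the live WFP filter table, and then lists the current quick-mode SAs so you can see whether any SA actually covers the Fortigate LAN subnet. It assumes the event message labels match the Event Viewer output quoted above, that the XML written by `netsh wfp show filters` describes each filter as an `<item>` element carrying `filterId`, `layerKey`, `providerKey`, `displayData/name` and `action/type`, and that it is run from an elevated prompt on the 2008 R2 server while the ping from the Fortigate side is in progress.

```powershell
# Added diagnostic example, not from the original post or answer.
# Correlates WFP packet-drop events (5152) and IPsec clear-text-drop events (4963)
# and resolves each 5152 drop to the filter that produced it. Run elevated on the
# Windows 2008 R2 server while the ping from the Fortigate LAN is running.

param(
    [int]$MaxEvents = 100,                              # assumption: how far back to look
    [string]$FilterDump = "$env:TEMP\wfp-filters.xml"   # assumption: where the netsh dump is written
)

# Field values are pulled from the event message text using the same labels
# that appear in the Event Viewer output quoted in the question.
function Get-MessageField {
    param([string]$Message, [string]$Label)
    $pattern = '(?m)^\s*' + [regex]::Escape($Label) + ':\s*(.*?)\s*$'
    if ($Message -match $pattern) { return $Matches[1] }
    return $null
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152, 4963 } `
                       -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning 'No 5152/4963 events found; reproduce the ping and re-run.'
    return
}

# Dump the live WFP filter table once. Assumption: each filter is an <item>
# element with <filterId>, <layerKey>, <providerKey>, <displayData><name> and
# <action><type> children. Run-time IDs are regenerated on reboot or policy
# reload, so an ID from an old event may no longer resolve.
netsh wfp show filters file="$FilterDump" | Out-Null
$wfp = [xml](Get-Content -Path $FilterDump -Raw)

foreach ($e in $events) {
    $msg = $e.Message
    switch ($e.Id) {
        5152 {
            $rtid  = Get-MessageField $msg 'Filter Run-Time ID'
            $proto = Get-MessageField $msg 'Protocol'
            $dport = Get-MessageField $msg 'Destination Port'
            $src   = Get-MessageField $msg 'Source Address'
            # Protocol 1 is ICMP. For ICMP the WFP "port" fields carry type/code,
            # so an inbound drop with Destination Port 8 is an echo request (ping).
            $what = if ($proto -eq '1') { "ICMP type $dport" } else { "proto $proto dport $dport" }
            $item = $wfp.SelectSingleNode("//item[filterId='$rtid']")
            $desc = if ($item) {
                '{0} (layer {1}, provider {2}, action {3})' -f `
                    $item.displayData.name, $item.layerKey, $item.providerKey, $item.action.type
            } else {
                'filter not present in the current table'
            }
            '{0} 5152 {1} from {2}: dropped by filter {3} -> {4}' -f $e.TimeCreated, $what, $src, $rtid, $desc
        }
        4963 {
            $spi = Get-MessageField $msg 'Inbound SA SPI'
            $src = Get-MessageField $msg 'Remote Network Address'
            # SPI 0 means no inbound security association matched the packet: it
            # arrived in clear text while local policy required IPsec for that peer.
            '{0} 4963 clear-text packet from {1} rejected (inbound SPI {2})' -f $e.TimeCreated, $src, $spi
        }
    }
}

# Show the quick-mode SAs currently established. If the Fortigate LAN addresses
# never appear as traffic selectors here, that traffic is arriving outside the
# tunnel or the selectors on the two ends do not match.
netsh advfirewall monitor show qmsa
```

Read the output in two passes: the 5152 lines tell you which layer and provider owns the filter that is discarding the echo requests (a filter belonging to the IPsec provider rather than the firewall rules explains why relaxing Windows Firewall profiles changed nothing), and the 4963 lines with SPI 0 together with the qmsa listing tell you whether an SA exists for the LAN subnet at all or only for the gateway endpoints.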

Best Answer

This question has gone unanswered and I thought I'd add what I came up with as a solution. First, I was unable to use the MS VPN tunnel and could never get the routing to work properly. The tunnel always came up as expected, but the OS would never route any packets along the link.

As an alternative, I used the GreenBow VPN client, which also allowed a VPN to be dynamically brought up when traffic was detected and provided the appropriate routing that was needed. Even though this wasn't an ideal solution, I was able to get it to work on the Windows 2008 R2 server, but I did need to keep a user account logged in, which was the only downside.