Connecting to a Windows 2012 R2 RD Gateway server when you are behind a proxy server, especially one requiring authentication, may fail with the following errors:
‘Your computer can’t connect to the remote computer because an error occurred on the remote computer that you want to connect to.’
‘Remote Desktop can’t connect to the remote computer for one of these reasons:
- Remote access to the server is not enabled
- The remote computer is turned off
- The remote computer is not available on the network’
Additionally, you will see the following event ID 4625 in the security log on the gateway server.
Log Name: Security
Date: 8/5/2013 4:20:00 PM
Event ID: 4625
Task Category: Logon
Keywords: Audit Failure
An account failed to log on.
This issue is documented here:
To fix it, set the EnforceChannelBinding registry value to 0 (zero) to ignore missing channel bindings on the Gateway server.
Value: 0 (Decimal)
Note By default, the EnforceChannelBinding value does not exist on the Gateway server. You must create this value. When you are done, reboot the server and it should work behind your proxy server.
Walkthrough for creating a site to site VPN from a Cisco ASA firewall to a Draytek router, using ADSM. The models used were a Cisco ASA 5505 running ADSM 7.4(2) and ASA 9.2(3)3, and a Draytek 2860 series firewall/router.
Note that there is a guide on the Draytek site here: http://www.draytek.com/index.php?option=com_k2&view=item&id=2027&Itemid=293&lang=en but I found this did not have quite enough information, and besides is for an older ASA and ADSM version.
- Choose Wizards>>IPsec VPN Wizard
- Peer IP address: Enter the WAN IP of your Draytek
- Local network: Choose the Network Object for your inside network
- Remote network: Choose or add a new Network Object for the remote network (inside the Draytek)
- Click Next
- Enter a Pre-shared key
- Click Next
- Check the box for NAT exempt (you will get asymmetric NAT errors if you do not choose this).
- When finished, edit the Connection profile, and under IKE v1 change the IPsec proposal to just ESP-3DES-SHA
- On IKE v2 choose 3DES
- On Access Rules, click Add:
- Interface: Inside
- Source: Choose your inside network
- Destination: Choose your remote network behind the Draytek
- Add another access rule:
- Interface: Outside
- Source: Choose your remote network behind the Draytek
- Destination: Choose your inside network
- Click on VPN and Remote Access
- Click Lan to Lan
- Click a free Index
- Enter a profile name
- Call direction Dial-Out
- Dial-Out settings: Ipsec tunnel
- Server IP: Enter the IP of the ASA
- IKE Authentication Method: enter the same key you used on the ASA
- IPsec Security Method: Click High, then Advanced, then choose:
- IKE phase 1 proposal: 3DES_SHA1_G2
- IKE phase 2 proposal: 3DES_SHA1
- Enter the remote network settings under TCP/IP Network Settings at the bottom.
That’s it! Then try pinging something on the other side and it should dial the tunnel. I would suggest using the logging on the ASA to troubleshoot issues, since it is more comprehensive that the syslog on the Draytek. The most common reasons for the tunnel not coming up are the phase 1 and phase 2 settings, so make sure that these match on both sides.