L2TP + NAT-T

From: Angelo Aldrovandi (angelo_at_nextend.net)
Date: 08/18/04


Date: Wed, 18 Aug 2004 10:06:48 -0700

Hi all!

I have the following problem: my WinXP clients can
connect L2TP on our LAN, but they fail from the internet.
I'm talking about the same PCs with the same user account!

My configuration is like this:

   [client with private IP] -> [NAT] -> [internet] ->
[NAT/FW] -> [server]

and/or like this:

   [client with public IP] -> [internet] -> [NAT/FW] ->
[server]

I'm using L2TP/IPSec since PPTP does not work through NAT.
On my firewall ("NAT/FW" in the above schema) I have
opened all the needed ports from the internet to my
WS2003 "WAN" interface, as specified by Microsoft:
UDP/500, UDP/4500, ESP/IP50 and UDP/1701 (even if it's not
always said to be opened).

BTW, I have to admit I haven't understood the meaning and
usage of the "Internal interface" created by RRAS; it has
a LAN address which is not accessible from the internet,
so, can this be the problem?

I have Windows Server 2003 and XP SP1 clients. I have a CA
and everything is OK with certificates -- I wouldn't
connect on the LAN otherwise, I assume.

Nevertheless, on the server I get the following two errors
(depending on the PC that connects). The first error comes
from a NATted client, the second one from a client having
a public IP address.

***************************************************

EVENT LOG ID 547
----------------
IKE security association negotiation failed.
 Mode:
Key Exchange Mode (Main Mode)

 Filter:
Source IP Address <Server LAN IP address>
Source IP Address Mask 255.255.255.255
Destination IP Address <Client NATted public IP address>
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr <Server LAN IP address>
IKE Peer Addr <Client NATted public IP address>
IKE Source Port 500
IKE Destination Port 6159
Peer Private Addr

 Peer Identity:
Certificate based Identity.
Peer IP Address: <Client NATted public IP address>

  Failure Point:
Me

 Failure Reason:
Negotiation timed out

 Extra Status:
Processed second (KE) payload
Responder. Delta Time 64
 0x0 0x0

***************************************************

EVENT LOG ID 547
----------------
IKE security association negotiation failed.
 Mode:
Data Protection Mode (Quick Mode)

 Filter:
Source IP Address <Firewall public IP address>
Source IP Address Mask 255.255.255.255
Destination IP Address <Client public IP address>
Destination IP Address Mask 255.255.255.255
Protocol 17
Source Port 0
Destination Port 1701
IKE Local Addr <Server LAN IP address>
IKE Peer Addr <Client public IP address>
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr

 Peer Identity:
Certificate based Identity.
.....
Peer IP Address: <public IP address>

  Failure Point:
Me

 Failure Reason:
No policy configured

***************************************************

What I notice is that in one case the error is in
the "Main mode" IKE negotiation, in the second one in
the "Quick mode". The first one reveals the server LAN IP
address, the second one "stops" at the server's public IP
address. The first one is a "negotiation timeout" error,
the second one a "no policy configured" error (but since
the same PC connects if it's inside the LAN, I can assume
the RRAS policy is correctly defined).

I've already spent two days experimenting, reading
and trying to solve this problem, but with no
success! :( Thanks in advance for your help; it's
considered very precious!!

With my kindest regards,
* Angelo Aldrovandi

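As an added example (not part of the original post or of any reply to it), here is a small Python parser and classifier for Event ID 547 records shaped like the two above. The addresses in the sample are constructed RFC 5737 placeholders standing in for the <...> fields, and the diagnosis rules are heuristics I am assuming from the port and address fields: an IKE peer port other than 500/4500 means a NAT rewrote the client's source port, a Main Mode exchange that is still on UDP 500 after that means NAT-T was never negotiated, and a Quick Mode selector whose source address differs from the server's own IKE address means the client reached the server through a NAT and the server has no filter for that address.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of two Event ID 547 records, trimmed to the fields the
# classifier reads. Addresses are RFC 5737 documentation ranges (an assumption,
# not the poster's real addresses):
#   192.168.1.10  server LAN IP           203.0.113.5   firewall public IP
#   198.51.100.7  NATted client's NAT IP  198.51.100.20 client with public IP
SAMPLE_EVENTS = """\
EVENT LOG ID 547
 Mode:
Key Exchange Mode (Main Mode)
Source IP Address 192.168.1.10
Destination IP Address 198.51.100.7
Protocol 0
Destination Port 0
IKE Local Addr 192.168.1.10
IKE Peer Addr 198.51.100.7
IKE Source Port 500
IKE Destination Port 6159
 Failure Reason:
Negotiation timed out
EVENT LOG ID 547
 Mode:
Data Protection Mode (Quick Mode)
Source IP Address 203.0.113.5
Destination IP Address 198.51.100.20
Protocol 17
Destination Port 1701
IKE Local Addr 192.168.1.10
IKE Peer Addr 198.51.100.20
IKE Source Port 500
IKE Destination Port 500
 Failure Reason:
No policy configured
"""

@dataclass
class IkeFailure:
    mode: str
    filter_src: str
    filter_dst: str
    protocol: int
    dst_port: int
    ike_local: str
    ike_peer: str
    ike_local_port: int
    ike_peer_port: int
    reason: str
    findings: list = field(default_factory=list)

# One anchored pattern per field. The trailing '$' keeps "Source IP Address
# Mask ..." from matching the plain "Source IP Address ..." line.
_PATTERNS = {
    "mode": r"^\s*Mode:\s*\n(.+)$",
    "filter_src": r"^Source IP Address (\S+)$",
    "filter_dst": r"^Destination IP Address (\S+)$",
    "protocol": r"^Protocol (\d+)$",
    "dst_port": r"^Destination Port (\d+)$",
    "ike_local": r"^IKE Local Addr (\S+)$",
    "ike_peer": r"^IKE Peer Addr (\S+)$",
    "ike_local_port": r"^IKE Source Port (\d+)$",
    "ike_peer_port": r"^IKE Destination Port (\d+)$",
    "reason": r"^\s*Failure Reason:\s*\n(.+)$",
}
_INT_FIELDS = {"protocol", "dst_port", "ike_local_port", "ike_peer_port"}
IKE_PORTS = (500, 4500)  # the only ports IKE/NAT-T legitimately sends from

def diagnose(ev: IkeFailure) -> list:
    """Heuristic tags for one record (assumptions, see lead-in)."""
    tags = []
    if ev.ike_peer_port not in IKE_PORTS:
        # The client sent from 500/4500 but we saw another port: a NAT in
        # the path rewrote it, so the client sits behind a NAT.
        tags.append("client_behind_nat")
        if ev.ike_local_port == 500:
            # NAT was visible yet the exchange never moved to UDP 4500, so
            # NAT-T was not negotiated: either the client has no NAT-T
            # support or UDP 4500 is blocked somewhere (both need checking).
            tags.append("nat_t_not_negotiated")
    if "Main Mode" in ev.mode and "timed out" in ev.reason:
        tags.append("main_mode_timeout")
    if "Quick Mode" in ev.mode and ev.filter_src != ev.ike_local:
        # The Quick Mode selector names an address the server does not own
        # (the firewall's public IP), so no IPsec filter can match it.
        tags.append("server_behind_nat")
    if ev.protocol == 17 and ev.dst_port == 1701:
        tags.append("l2tp_selector")  # the SA being negotiated is for L2TP
    return tags

def parse_events(text: str) -> list:
    """Split a dump into 547 records, extract fields, attach diagnoses."""
    events = []
    for block in re.split(r"^EVENT LOG ID 547\s*$", text, flags=re.M)[1:]:
        values = {}
        for name, pat in _PATTERNS.items():
            m = re.search(pat, block, flags=re.M)
            if m is None:
                raise ValueError(f"field {name!r} missing from record")
            values[name] = int(m.group(1)) if name in _INT_FIELDS else m.group(1).strip()
        ev = IkeFailure(**values)
        ev.findings = diagnose(ev)
        events.append(ev)
    return events

if __name__ == "__main__":
    for i, ev in enumerate(parse_events(SAMPLE_EVENTS), 1):
        print(f"record {i}: {ev.mode}; {ev.reason!r}; {ev.findings}")
```

Run on the sample, the first record is tagged as a NATted client whose exchange never left UDP 500 (so the thing to verify is that the client actually has NAT-T support and that UDP 4500 reaches the server), and the second as a public-IP client whose Quick Mode selector points at the firewall's address rather than the server's LAN address, which is exactly the "No policy configured" case for a server placed behind a NAT. The tags are starting points for investigation, not proof; confirm them with a capture on the server's WAN interface.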

